Cyberlaw, technology, insurance, social media, breaches and global regulation were under the microscope this past week at the ABA Cyberlaw Winter Meeting. Law geeks convened at the Nova Southeastern University Shepard Broad College of Law in Fort Lauderdale, and over the course of three days thoughtful discussion revealed a patchwork of interdependent issues. Some of the topics are covered in this blog post, as they are timely. The ABA presentations were well researched and current; if you are a member, you can access them here:
Prof. Jon Garon, Dean of the hosting law school, delivered a colorful and revealing look at cyberlaw in 2015, including heinous events and sticky court rulings. His paper, “2015 Cyberlaw Year in Review – Seeking Security Over Privacy, Finding Neither,” is available at: http://ssrn.com/abstract=2707756. His key takeaway was that global terrorism combined with state-sponsored cyber attacks put the focus on security in 2015, not on enhancing privacy for individuals. What struck me was how much we are still living with events from 2015 or earlier and how they shape the current landscape. Dean Garon points to Snowden as the tipping point for the Safe Harbor rebuke by the EU Court of Justice as well as an impetus for hacktivists. He cites the attack on (whitehat?) spyware company Hacking Team, which released 400 gig of data and showed their ties to authoritarian regimes. Hacktivism not only exposed those claiming the moral high ground; Anonymous also “released 9,200 ISIS Twitter accounts” being used in the ground war, which enabled Twitter to shut them down (hacktivism for good?).
Dean Garon also links the Snowden impact to the Patriot Act’s successor, the USA Freedom Act, and notes the relatively modest changes that have resulted after global outrage at the bulk telephone call collection by the NSA. The new Act prevents bulk collection unless the government has a “specific selection term, that specifically identifies a person, account, address or device in a way that limits to the greatest extent reasonably practicable, the scope of tangible things sought consistent with the purpose for seeking the tangible things.” That’s good, or better.
But the NSA “will continue to make use of data collected by the phone companies [including] NSA collection of foreign internet content from US tech companies, which sweeps up lots of data.” Epic.org reports that the FBI issued over 14,000 National Security Letters (NSLs) in 2013, seeking call records, email records, billing, credit and other data, all subject to a gag order. Security v. privacy: the balance shifts based on real-world events.
The EU Court of Justice ruling in Schrems v. Data Protection Commissioner exposes the rift in relations created by the Snowden disclosures. The rebuke of the Safe Harbor rule for its lack of oversight to ensure the privacy of EU citizen data leaves corporations to adopt Binding Corporate Rules or Model Contract Clauses, which are reviewed by an EU Data Protection Agency for approval. Dean Garon questions whether Notice and Choice, which underpin the Safe Harbor, were illusory to begin with, “given the lack of transparency and the difficulty of opt-out schemes.” A balkanization of the internet is shaping up as nations require that data centers be located in their country to hold the PII of their citizens.
Pointing to the violent attacks on French soil and the outward use of social media by ISIS to further their interests, Dean Garon suggests law enforcement monitoring and terrorist use of social media are here to stay, with “a reported 95% of police agencies” using the approach. We want to protect privacy but we shudder when we hear that the attackers are using our software tools and applications to wage war.
The passage of the General Data Protection Regulation in the EU maintains key elements of privacy and security: consent, transparency and data minimization. The EU will require notice of breaches across all member countries, something the US has yet to do. All of this regulation is designed to prevent a breach or minimize the damage when it occurs. We have seen the long tail of a breach and some notable incidents cited by Dean Garon express the breadth and ripple effect to unsuspecting recipients.
The Sony breach involved nation-state actors, IP theft, company-sensitive data, attempts at ‘hackback’ and NSA knowledge of the attack prior to its disclosure. We now have greater sharing of threat intel under the newly passed CSIA, but would that have helped Sony? Threat intel sharing requires companies to operationalize that knowledge in security operations in an effective and timely manner. The CSIA removes liability for companies, which may increase sharing, but will that prevent breaches? Nation-state hacks of IP, sensitive data and trade secrets strip the US government and companies of a competitive edge. Stolen secrets could cost billions as competitors bring their product to market and, as with Sony, create losses on existing investments.
The Office of Personnel Management (OPM) breach had millions of records lost combined with highly sensitive data on US operatives. The circle of data extends wide when a top secret clearance or higher is sought by an applicant, dragging friends and family sensitive records into the breach. Dean Garon noted that journalists with access to government officials were swept up in the hack. Further, he cites reports that discuss the ability of foreign governments to “cross reference employees in a government facility….anyone not in the OPM database could be presumed to be hired by the CIA.” The OPM breach created long term risk to many Americans for identity theft, financial crime and to our national security.
The Ashley Madison hack affected 37 million members of a tawdry online business. There are so many victims here beyond the members. Poorly encrypted passwords were downloaded and brute forced. Open-source solutions like Pythia (https://testpypi.python.org/pypi/pythia/1.0) offer client and server password hardening to prevent such an attack. Even worse than the attack on the business is the unfortunate fallout on member families. Cyber crime is the king of cottage industry formation, and within hours the blackmail began against member families.
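The contrast between a password store that can be brute forced offline and one that is hardened is easier to see in code. The following is an added example, not code from the post or from any product it mentions: it stores the same user passwords two ways, with an unsalted fast hash and with a per-user salt plus PBKDF2-HMAC-SHA256, and shows that only the weak store lets anyone holding a dump see which users share a password. The user table, the iteration count and the record format are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256; chosen for the demo (assumption), tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def store_weak(password: str) -> str:
    """Unsalted, fast hash: one cracked digest unlocks every user who chose that password,
    and a leaked table can be attacked at hardware speed with no per-user cost."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_hardened(password: str, salt: Optional[bytes] = None) -> str:
    """Random per-user salt plus a deliberately slow KDF. The record carries its own
    parameters so the work factor can be raised later without breaking old entries."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_hardened(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reuse_visible(records: Dict[str, str]) -> bool:
    """True if two users have byte-identical stored values, i.e. the store itself
    reveals password reuse to whoever obtains a copy of the table."""
    return len(set(records.values())) < len(records)


# Constructed demo users; two of them picked the same weak password.
DEMO_USERS = {"user1": "password1", "user2": "password1", "user3": "correct horse"}
WEAK_TABLE = {u: store_weak(p) for u, p in DEMO_USERS.items()}
HARDENED_TABLE = {u: store_hardened(p) for u, p in DEMO_USERS.items()}

if __name__ == "__main__":
    print("weak store exposes reuse:", reuse_visible(WEAK_TABLE))          # True
    print("hardened store exposes reuse:", reuse_visible(HARDENED_TABLE))  # False
    print("login ok:", verify_hardened("password1", HARDENED_TABLE["user1"]))
```

The salt defeats precomputed tables and cross-user matching; the iteration count is what turns a billion-guess-per-second dictionary run into one that costs the attacker real time per guess per user.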
Hackers downloaded the database and then began sophisticated, US Mail based blackmail campaigns citing family, friends and work address and emails. They attacked with impunity and suicides were reported after demands for upward of $4,000 were received to keep quiet. Remote, online blackmail leaves its victim with no assurances, especially here where many blackmailers could re-use the same data. This breach brought out the worst in everyone.
One last breach covered by Dean Garon was the VTech Holdings loss of data on five million adults and six million children (according to the HK-based company). Names, chat logs, emails, passwords, mailing addresses, download histories and 2.3 million headshots were stolen via an SQL injection attack that let the attackers dump the database. TechCrunch reported that there was no encryption and no SSL anywhere, which is hard to believe. The VTech Kid Connect service falls under the COPPA legislation and could result in the highest fines ever, up to $16,000 per child under age 13 who had private information compromised.
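The database dump described above is what SQL injection buys an attacker when user input is pasted into the query text. As an added illustration (not VTech’s code, and the table and rows are constructed for the demo), the example below runs the same lookup two ways against an in-memory SQLite table: one built by string concatenation, which lets a crafted value rewrite the WHERE clause and return every row, and one using a bound parameter, which treats the same value as plain data.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows; the names and addresses are made up for the demo.
SAMPLE_ROWS = [
    ("a@example.com", "hash-a", "Alice"),
    ("b@example.com", "hash-b", "Bob"),
    ("c@example.com", "hash-c", "Cara"),
]


def build_demo_db() -> sqlite3.Connection:
    """Create an in-memory table shaped like a parent-account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE parents (email TEXT, password_hash TEXT, child_name TEXT)")
    conn.executemany("INSERT INTO parents VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Vulnerable: the caller-supplied string becomes part of the SQL text, so a value
    containing a quote and an OR clause changes what the statement selects."""
    sql = "SELECT email, child_name FROM parents WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Hardened: the value is bound as a parameter; the driver never lets it alter the
    query structure, so the same crafted input simply matches no row."""
    sql = "SELECT email, child_name FROM parents WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# A tautology-style value of the kind any injection tutorial shows; used here only to
# demonstrate the difference between the two lookups.
CRAFTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    print("normal, vulnerable:", lookup_vulnerable(db, "a@example.com"))
    print("crafted, vulnerable:", lookup_vulnerable(db, CRAFTED_INPUT))        # all rows
    print("crafted, parameterized:", lookup_parameterized(db, CRAFTED_INPUT))  # no rows
```

The fix is not input filtering but the API shape: once the query text and the data travel separately, there is no string for the attacker to break out of. The same lesson applies to the other columns in the VTech list, since a single injectable query is enough to walk the whole table.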
VTech devices that are connected show us how the attack surface is vastly expanded by the Internet of Things (IoT). Our children’s credit history is clean and sought after by criminals trading such data. Devices used by children combined with online services (think of the earlier Sony and Nintendo breaches) can affect tens of millions in an instant. Dean Garon added another twist: what if Hello Barbie gets hacked? Mattel and ToyTalk have taken Barbie into the 21st century, reports Forbes Magazine. Talking Barbies record child input through a necklace microphone, upload the data to online servers, use AI to parse and process the data and then provide a contextual response to the child. It’s creepy to think of companies storing a child’s musings; a hacker who releases those audio files would bring new meaning to the loss of innocence.
The internet speeds things along, making it hard to keep up with law, regulations and enforcement. It’s obvious that keeping up with developing malware is a challenge; we only need to look at the ITRC daily breach blog to see all of the affected companies that didn’t make the headlines. Perhaps they managed their breach better, or there is only so much room to lament the losses, but chances are one of your relationships close to home just had a breach.
We will continue to ask what seem obvious questions. Whose data is it? Are you a data contributor or a data steward? Does your company benefit from a stagnant data regulation process or new stringent rules for presence in a certain country? US based companies with data from a foreign country must navigate all of these issues at once and pay steep penalties if they falter along the way.
Thanks to the folks at the ABA Cyberlaw Committee, we are one step closer to the action and perhaps, some answers.