Best Laid Plans. They say the devil is in the details. One might say that is most certainly the case with the version of the Cybersecurity Information Sharing Act (“CISA”) that recently passed the U.S. Senate by a vote of 74-21. Indeed, many people might even say such a landslide vote indicates the bill is wanted by the American people, especially in view of the concerns tied to the seemingly endless parade of large-scale breaches at Sony, Neiman Marcus and Target. The Senate’s CISA somewhat mirrors legislation previously passed in the U.S. House. Although there are similarities between the bills, reconciling the two is not necessarily a slam-dunk (even though the President has said he would likely sign such a bill).
Generally speaking, the CISA is designed to help reduce the number of corporate data breaches by encouraging companies to share “cybersecurity risk” data with the Department of Homeland Security (“DHS”). Under the CISA, DHS would take any such provided information and pass it on to other law enforcement and security agencies, such as the FBI and NSA, respectively. The logical questions arise as to what cybersecurity risk information would trigger such a disclosure, what personally identifiable information (“PII”) is contained in such risk data, and how that information is being used. As with any sweeping legislative bill, many questions remain. Many entities oppose the CISA, including companies such as Apple and Twitter. Security experts have also questioned the real value of sharing information in fulfilling the Act’s legislative intent of stopping or stemming the tide of major security breaches in the U.S. And, as you might expect, numerous privacy advocacy organizations have formally opposed the bill. So, at a minimum, it is good to see there is a healthy debate about what security is really being achieved, and at what cost to privacy. In times past (see Patriot Act), such discussions were non-existent. So, going slowly here and considering all the consequences (intended and not so much) would be wise.
November 16, 2015
Data security has been a hot topic these last twelve months, with the Office of Personnel Management, Neiman Marcus, and Ashley Madison all making headlines. But there’s never been a week quite like September 27-October 3, 2015. In those seven days alone, cell phone carrier T-Mobile, investment firm Scottrade, and crowdfunding site Patreon all suffered data breaches. The breaches underscore the dangers to companies, and the steps that can be taken to guard against such breaches.
The breadth and depth of the data breaches from that week are stunning. T-Mobile’s customer data was compromised as a result of a breach of its credit processor, Experian. The names, addresses, phone numbers, and Social Security numbers of more than 15 million United States residents who applied to be T-Mobile customers between September 2013 and September 2015 were exposed. The contact information and Social Security numbers of more than 4.6 million Scottrade customers were illegally accessed. Patreon’s breach was perhaps the scariest and most surprising. At first, it appeared that “only” 2.3 million names, mailing addresses, and email addresses of its donors had been taken. Yet just one day after the initial notification of the breach, Patreon’s entire 13.7 gigabyte database was posted online. The database included password data, donation records, and, most worrying, the database’s source code.
November 11, 2015
Anyone watching the news over the past year and several months has heard about major data breaches at the federal government, Sony, Anthem, and Target Stores. Data breaches are often big news.
But data breaches can occur in small places too. Oldham County, Kentucky, is located twenty miles northeast of Louisville. Some of Louisville’s most remote suburbs are located there, but much of the county is rural. In 2010, only 60,000 people lived in the county, along with 4700 horses. North Oldham County High School is located in Goshen, Kentucky, a town of fewer than 1000 people. In September, a food service employee at North Oldham High School noticed that something was wrong with her work computer after clicking on a link sent in an email. She had tried to access the Internet and go to a particular website, but her browser took her to a different site instead. She called the school technology coordinator, who confirmed there was an issue and notified the school district’s IT staff. The school district conducted an investigation and learned that an intruder had, in fact, gained access to the computer. Housed on the computer was a database consisting of the names, telephone numbers, Social Security Numbers, and dates of birth of approximately 2800 current and former students.
November 2, 2015