Stop the Bleeding: Why Heartbleed is the latest reminder about the basics of information security

Like clockwork or, dare I say, the regular beat of a heart, I am again fielding calls from friends and associates on what to do in response to the latest global threat to information security, this time the web encryption software bug called “Heartbleed.” My response is not groundbreaking, nor is it as resigned as the response I generally see in the news: “Well, there is not a lot you can do.” My response is that people should do what they should have been doing all along: not relying on any one tool to safeguard their information, and most definitely not relying solely on any company or government entity to protect it. My colleague, Ron Raether, has similarly commented publicly.

For starters, Heartbleed is a security bug, or vulnerability, in the open-source OpenSSL encryption software used to encrypt sensitive information on websites via Transport Layer Security (TLS). The actual vulnerability is a missing “bounds check” in the handling of the TLS heartbeat extension. More to the point, the vulnerability may allow someone to access your sensitive information from an affected server. In effect, this security flaw renders the advice we always give about “looking for the lock,” or checking for “https” in the URL bar to confirm a web page is encrypted before entering sensitive information, in reality and to some degree, useless. Well, at least until the patch released on April 7, 2014, is applied to the website. It is useless because of the way the https encryption software works: it can be tricked into giving out more information than it should, or doing so without encryption in place. Thus, information entered into these seemingly safe sites could wind up unencrypted and vulnerable to viewing or theft by the bad guys.


Posted by Scot Ganow
Data Security
April 15, 2014

What can we learn from the Target data breach, and even more from its response?

When Ron Raether, Jeff Knight and I attended the American Conference International’s 8th Annual Cyber and Data Risk Insurance conference in Chicago (Ron spoke), a topic of constant banter and reference was the 2013 Target data breach, which resulted in the disclosure of credit card information from over 1,700 of its stores. The conference was attended by professionals in the insurance, data, legal and technology sectors. As our law firm counsels clients on various aspects of data breaches, one of the benefits of our counsel is serving as a breach coach, often in partnership with insurance providers. Indeed, many cyber insurance policies cover such coaching. Breach coaching can be extremely valuable, especially to a company with no experience in data breaches. You only get one chance to avoid many of the pitfalls in the chaos that follows a data breach. Here are some thoughts that come to mind in view of the recent breach.


Posted by Scot Ganow
Data Security
March 27, 2014

The DATA Act: What the Current Battle Around Big Data Reiterates About the Basics of Privacy for Businesses

Last week, my colleague Chris Herman blogged about the recent panel at the mid-year ABA meeting in Chicago. The panel provided differing views on privacy from the regulator, industry and consumer perspectives. FI&C’s Ron Raether participated as well. In its discussion, the panel also provided some insight into how companies that use data interact with the regulators that monitor their activity on behalf of consumers. These various perspectives provide a framework for the manner in which a fast-moving compliance issue like privacy gets addressed: from many pressure points within the free marketplace.


Posted by Scot Ganow
Data Security
February 28, 2014
