The Chinese word for “crisis” is comprised of two characters. One represents “danger,” and the other represents “opportunity.” On Thursday, June 4, 2015, the United States was reminded of both the dangers and opportunities faced in the digital age after news broke that Chinese hackers allegedly breached government personnel records belonging to millions of current and former federal employees. In response, the Chinese government denied responsibility for the hack, and described any accusations as “irresponsible and unscientific.” Feel free to pause and collect yourself after such a surprising response.
The facts surrounding the hack and China’s involvement are still developing. Many questions remain unanswered: How did this happen? Why did this happen? What happens next? Likewise, many Americans have questions about what this hack means both for their own personal information and for our country’s standing in the world. The whole situation is terrifying because it is so easy to see the danger. But in addition to outlining the danger caused by the hack, this post also aims to reveal the opportunities for those of us wondering where we go from here.
»» Read More
»» Read More
June 8, 2015
Avoiding Checkmate: DOJ Releases Guidelines to Assist Companies in Formulating Preventative and Responsive Data Security Measures
Data security is like chess. A million strategies exist, and the best players are those that practice, plan, and react calmly. When you play chess against a strong opponent, you can expect that at least once your king is going to be placed in check. This does not mean you have lost the game, but it does mean that unless you act quickly, your king will be captured. Good chess players plan for WHEN the king is in check, and not IF the king is checked. Likewise, FIC has preached for years that companies should plan for WHEN a breach happens, not IF a breach happens. Last month, the United States Department of Justice echoed the chorus.
On April 29, 2015, the U.S. Department of Justice (“DOJ”) released fifteen pages of guidelines (“the Guidelines”) outlining best practices for victims, and potential victims, of data breaches. The document, entitled “Best Practices for Victim Response and Reporting of Cyber Incidents,” serves as a good start for any organization looking to prepare for, and prevent, a cyber-incident. But a good chess player knows that some strategies are richer than others, and likewise companies should go beyond the DOJ’s basic recommendation of planning and reacting. Instead, companies should strive to instill a culture of privacy protection that begins inside the boardroom and incorporates planning, advice of legal counsel, and constant diligence in testing and improving all preventative and responsive measures. Companies should view the Guidelines as the basis for their data security measures. The Guidelines will get you started on the right path: Plan Thoroughly, and Respond Swiftly.
June 3, 2015
When I was sixteen, the rule was that I could not drive a car until I knew how to change a tire. My dad always reminded me that it is dangerous just to drive, but not knowing how you plan to fix a flat could cause you a lot of unnecessary stress. Uber Technologies, the popular transportation app, is currently learning that while driving on the information super highway, companies should likewise know how they plan to address a data breach.
Uber disclosed on Friday, February 27, 2015 that it suffered a data breach nine months earlier on May 13, 2014 affecting approximately 50,000 of its current and former drivers. Many are criticizing Uber because although it discovered the breach on September 17, 2014, Uber waited 163 days to inform drivers whose identities and personal information are at risk. In other words, over five months passed before any of these drivers learned that their names and drivers licenses may be available to identity thieves.
March 24, 2015