In his “Data Is a Toxic Asset” blog post, Bruce Schneier argues that data is a toxic asset and that the lesson all the recent data breaches are teaching us is that storing this asset is “dangerous,” because it makes companies vulnerable to hackers, the government, and employee error. Schneier suggests addressing data breaches through stronger regulation at every stage of the data lifecycle and through personal liability of corporate executives. “Data is a toxic asset,” concludes Schneier, “We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

Calling data a “toxic asset” sensationalizes the data-security conversation into alarmist territory. The term “toxic asset” has a certain meaning in financial circles and typically refers to assets that become illiquid when they no longer can be sold on a secondary market. This hardly applies to data, which is more of a lifeblood for corporations than toxic asset.
Continue Reading

The U.S. Financial Crimes Enforcement Network (FinCEN) and the China Anti-Money Laundering Monitoring and Analysis Center (CAMLMAC) recently signed a Memorandum of Understanding (MOU) to create a “framework to facilitate expanded U.S.-China collaboration, communication, and cooperation” between each agency’s financial intelligence units (FIUs). News Release (December 11, 2015).

In announcing the MOU, FinCEN Director Jennifer

In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days.
Continue Reading

With the recent uptick in the U.S. of lawsuits filed as a result of a data breaches, state legislators in the U.S. have been busy updating the many different state laws that dictate how a company must respond if they have been hacked and personal information has been compromised. With no comprehensive federal law that sets forth a uniform compliance standard, companies operating in the U.S. must comply with a patchwork of 47 different states laws that set forth a company’s obligations in the event of a data breach.

Additionally, the trend is to have more than just notice requirements. Now companies have to develop proactive steps they must take to avoid a data breach in the first place. We first saw this with the Massachusetts law, and the model is expanding.


Continue Reading

In any case involving a data breach of customer or employee information, the first line of defense for the defendant is to assert that the plaintiff(s) lack standing to bring suit. In Remijas v. Neiman Marcus Group, the Seventh Circuit became the first United States Court of Appeals to tackle the issue of standing in the context of data breach litigation since the Supreme Court’s pronouncement on standing in Clapper.
Continue Reading

Over the past few years, users have become increasingly aware of the inherent dangers of connecting to unsecured Wi-Fi networks. Unfortunately, existing security vulnerabilities in the underlying network hardware may still open a user’s computer to security issues.

Recently, Wired reported that security firm Cylance discovered a vulnerability in a specific brand of network routers deployed throughout many hotel chains throughout the world that could allow someone to install malware on guest’ computers, analyze and record data transferred over the network, and possibly access the hotel’s reservation and keycard systems. Researchers were able to locate 277 vulnerable routers in 29 different countries across and over 100 of them were located within the United States.
Continue Reading

With the FTC’s 2015 report “Internet of Things: Privacy & Security in a Connected World” (“Report”) the idea that more than just computers and phones are able to connect to the Internet. In fact, the Report states that the “IoT explosion is already around us.” This is true, and the Report goes on to describe some of the more interesting things that can be connected to the Internet which most of us don’t think about (e.g. smart health trackers, smoke detectors, and light bulbs). However, how vast is the actual IoT? And what does that mean to businesses?
Continue Reading

The plethora of security incidents in the news have once again put security front and center of the international agenda. Predictably, this has triggered a number of responses from governments around the world. Some of these responses seem to have been ill-considered. However, one of the more comprehensive responses came out of the US President’s address to the Federal Trade Commission last week. A series of laws were proposed to address the increasing risks which are confronting individual security and privacy rights.

The President’s remarks at the FTC gives some valuable insight into where the US regulatory environment may end up in the next year or so. As a part of this analysis, one should focus on two very different agendas: Privacy and Security. These issues, while similar, are very different. Case in point, the UK PM’s comment around banning encryption could well result in increased security. However, it will absolutely damage individual privacy (and arguably also damage commercial security).
Continue Reading

Cross Posted from Trading Secrets

The security breach news cycle continues. There remains a deluge of news stories about point-of-sale terminals being compromised, the ease of magnetic stripes being cloned, and the need for Chip and PIN technology being deployed on credit cards. The legal ramifications of all these events is just starting to become apparent – and it’s complicated. Individual liability is beginning to develop.
Continue Reading

Much has been written about Heartbleed and the significant impact it has on the security infrastructure of the internet. Articles and blog postings have taken both the “sky is falling” and “it’s not so bad” points of view. However, there is a more fundamental issue which has raised its ugly head – is the use of open source “commercially reasonable” in a security framework?
Continue Reading