Author Archives: Eddie Block

Does ‘data’ only mean electronic data?

Think about breach notification laws for a second.  Which of the following is a breach:

  • A criminal breaks into your network and steals your customer database
  • A disgruntled employee copies all of your data onto a thumb drive and walks out
  • A laptop or tablet with unencrypted data is stolen from an employee’s car
  • A backup tape falls out of the truck on its way to off-site storage
  • A stack of print-outs of customer data is set out next to the trash

All of them look like a breach, right?

Under the bulk of state data breach notification laws, paper documents may not be considered “data.”  As an example, Indiana, Louisiana, and Texas all use the term “computerized data”, Michigan defines ‘data’ as electronic information, and Mississippi references “electronic files, media, databases or computerized data containing personal information.”

So, if I leave a laptop with data lying on the road next to the same data in a stack of papers, is only one considered a ‘data breach’ that requires notification?

I’m not sure I would be willing to risk the loss of customer trust or the PR fallout of relying on such a legal argument.  Imagine your customers coming back saying their identities had been stolen and your response is “we didn’t really, legally have to tell you we set your PII in the recycling bin.”  Probably not the best way to win over customers.

OK, OK…

I know I’ve said this before but I am back.  New posts will be coming more regularly.  To kick it off I want to talk about a topic that has been near and dear to my heart for a long time and reared its ugly head again recently.

Over the past few weeks I’ve been involved with an incident response.  Once again, I’m reminded how important good logs are to the investigation.  There are a couple of issues that I would like to point out.

  1. Verify the types and quantity of logs available from your cloud providers.  I won’t name names, but it rhymes with SicroMoft, and only certain logs are available.  This post by CrowdStrike discusses logs that were available through the vendor’s API.  Unfortunately, SicroMoft closed that API shortly after it was made public.  So, during an investigation, the response team is limited in the types of logs they can review.
  2. To make matters a little more complicated, while downloading the mailboxes involved in the investigation, SicroMoft appears to throttle the download speed.  Your humble narrator was hitting peak speeds in the 3-4 Mbit/s range at the start of the download.  After a period of time those speeds dropped to the 300 kbit/s range.  This was confirmed by other sources who saw the same throttling.
  3. If you are logging on-premises, test your ability to correlate your logs.  There are great tools available to help, but you must make sure that silly things like local time zones versus UTC can be reconciled.  A timestamp with no offset only means something once you know which zone the logging host was configured for, and two sources that disagree by a few hours will put events in the wrong order.

Try this:  Can you determine when someone logged onto the network, logged into email, sent and deleted a specific email, and logged out?  Can you determine where all of this activity came from?  Don’t assume, try it.
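Here is what that exercise looks like in code, as an added example rather than anything from the original post. It takes three constructed log sources with three different time conventions (a VPN log that carries its own UTC offset, a mail audit export stamped in UTC with a trailing Z, and an endpoint logon audit written in naive local time), normalises every timestamp to UTC, and then answers the questions above for one user. The log formats, host names, user names, addresses and the assumed site time zone are all made up for the example.

```python
"""Normalise log timestamps from three sources to UTC and rebuild one user's
session timeline. All log lines are constructed sample data, not product output."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed zone of the on-premises endpoint host (US Central, standard time). Use
# zoneinfo.ZoneInfo("America/Chicago") in production so DST is handled correctly.
SITE_TZ = timezone(timedelta(hours=-6), name="CST")

# Source 1 (constructed): VPN concentrator; the timestamp carries its own offset.
VPN_LOG = """\
2024-03-05T08:02:11-06:00 vpn01 session-start user=jdoe src=203.0.113.40
2024-03-05T08:40:57-06:00 vpn01 session-end user=jdoe src=203.0.113.40
"""
# Source 2 (constructed): mail platform audit export, ISO-8601 in UTC ('Z').
MAIL_LOG = """\
ts=2024-03-05T14:05:30Z op=MailboxLogin user=jdoe client_ip=203.0.113.40
ts=2024-03-05T14:07:02Z op=Send user=jdoe client_ip=203.0.113.40 msg_id=<ab12@corp.example> subject="Q1 payroll"
ts=2024-03-05T14:07:45Z op=SoftDelete user=jdoe client_ip=203.0.113.40 msg_id=<ab12@corp.example>
ts=2024-03-05T14:30:00Z op=MailboxLogin user=asmith client_ip=198.51.100.7
"""
# Source 3 (constructed): endpoint logon audit in naive local time, no offset at all.
ENDPOINT_LOG = """\
03/05/2024 08:01:58 LOGON user=jdoe host=WS-117 src=203.0.113.40
03/05/2024 08:41:10 LOGOFF user=jdoe host=WS-117 src=203.0.113.40
"""

@dataclass(order=True)
class Event:
    ts_utc: datetime  # timezone-aware, always UTC after normalisation
    source: str
    action: str
    user: str
    src_ip: str
    detail: str = ""  # message id for mail events, empty otherwise

_KV = re.compile(r'(\w+)=("[^"]*"|<[^>]*>|\S+)')

def kv(text: str) -> dict[str, str]:
    """Parse key=value pairs; values may be quoted or angle-bracketed."""
    return {k: v.strip('"') for k, v in _KV.findall(text)}

def to_utc(ts: datetime) -> datetime:
    """Naive timestamps get the site zone attached; everything becomes UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=SITE_TZ)
    return ts.astimezone(timezone.utc)

def parse_vpn(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        stamp, _host, action, rest = line.split(" ", 3)
        f = kv(rest)
        events.append(Event(to_utc(datetime.fromisoformat(stamp)), "vpn", action, f["user"], f["src"]))
    return events

def parse_mail(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        f = kv(line)
        # fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
        ts = to_utc(datetime.fromisoformat(f["ts"].replace("Z", "+00:00")))
        events.append(Event(ts, "mail", f["op"], f["user"], f["client_ip"], f.get("msg_id", "")))
    return events

def parse_endpoint(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        date, clock, action, rest = line.split(" ", 3)
        f = kv(rest)
        ts = to_utc(datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S"))  # naive
        events.append(Event(ts, "endpoint", action, f["user"], f["src"]))
    return events

def timeline(user: str) -> list[Event]:
    """Merged, UTC-sorted view of one user's activity across all sources."""
    events = parse_vpn(VPN_LOG) + parse_mail(MAIL_LOG) + parse_endpoint(ENDPOINT_LOG)
    return sorted(e for e in events if e.user == user)

def trace_message(user: str, msg_id: str) -> dict[str, datetime | None]:
    """When did the user log on, log into email, send and delete msg_id, log off?"""
    wanted = {"network_logon": "LOGON", "mailbox_login": "MailboxLogin",
              "sent": "Send", "deleted": "SoftDelete", "network_logoff": "LOGOFF"}
    tl = timeline(user)
    # Mail events must carry the message id we are tracing; the rest have no detail.
    return {label: next((e.ts_utc for e in tl if e.action == act and e.detail in ("", msg_id)), None)
            for label, act in wanted.items()}

def source_ips(user: str) -> set[str]:
    """Where did it come from? More than one address means the sources disagree."""
    return {e.src_ip for e in timeline(user)}

if __name__ == "__main__":
    for e in timeline("jdoe"):
        print(e.ts_utc.isoformat(), e.source, e.action, e.src_ip, e.detail)
```

Run it and the endpoint LOGON at 08:01:58 local sorts correctly ahead of the VPN session start at 08:02:11-06:00 and the mailbox login at 14:05:30Z; leave the naive timestamps unlabelled and the endpoint events land six hours early and the story falls apart. `source_ips()` is the "where did it all come from" check: one address across all three sources is the consistent story, and anything more deserves a closer look.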

If you don’t have adequate logging, you do yourself a disservice.  You are fighting with one hand tied behind your back.  Take time, while you aren’t fighting a fire, to make sure you can fight the fire when you need.

When is a fraud a “direct” result of computer use?

An interesting case was brought to my attention today.  In Interactive Communications Int. v. Great American Ins. the court found that the insurance provider did not have to cover losses under Incomm’s “Computer Fraud” policy.

Incomm lost $11+ million when fraudsters were able to duplicate “chits” sold by Incomm.  The chits could then be converted to debit cards.  The fraud was perpetrated using Incomm’s IVR (Interactive Voice Response) computer system.

Now an IVR is a computer system, so a “Computer Fraud” policy should cover fraud perpetrated using a computer, right?  Not so much…

The policy, according to its terms, covered “loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property…”

So we know that a computer was used in the fraud, but the word the court triggered on was “directly.”

The court accepted that “manipulation of InComm’s computers set into motion” the fraud, BUT, and this is a BIG BUT, that manipulation did not directly cause the loss.

Without going too deep into the inner workings of Incomm’s process, Incomm transferred money to a third party to hold until the debit card was used at a merchant.  In the court’s opinion, Incomm still had control over the money until it was paid to the merchant, so the computer fraud was not “immediately and without intervention or interruption” the cause of the loss.

This logic will seem crazy to some and completely sensible to others.  The big takeaway is to review your insurance coverage, talk to your insurance broker, work through an example like this one, and make sure you fully understand what your insurance actually covers.

Coming up for air…

Wow!  What a couple months it’s been.  Obviously I’ve let this blog go a bit stale, so a little update.

GDPR compliance advisory and counseling has been all consuming.  I knew that there would be organizations that were not compliant by the effective date of the GDPR.  What I wasn’t expecting was the sheer number of organizations that only learned about the GDPR in the last few days of May.  The best example of this was the crazy number of “new privacy policy” notices that spammed our inboxes in the last couple of days of May.

I’m not going to go into a discussion of GDPR.  If you don’t know what it is, take a look at the blog post I did in April 2017 (yes, over a year ago.)

The last few weeks have also been interesting with a couple of volunteer groups.  The Computer and Technology section of the State Bar of Texas met in Washington D.C. with Texas members of Congress.  It was good to hear their strong support for security initiatives.  The section also creates “Tech Bytes”, which are 5- to 15-minute videos on numerous security topics.  Take a look.

The American Bar Association’s Privacy and Computer Crime Committee is in the process of updating their International Guide to Cybersecurity.  The original was published in 2004, so it is long overdue.  If you are an InfoSec pro, you might want to take a look.  It is pretty funny to see how far we’ve come from where we started.

Those projects combined with a few speaking and panel presentations have made for a busy few months.  It is good to be able to keep my head on work, so busy is good.