Category Archives: Blog

All Blog posts

Interested in liability protections? Learn about the Safety Act.

The “Support Anti-terrorism by Fostering Effective Technologies Act of 2002 or Safety Act (no, I don’t know where the “Y” came from) seems to have flown under the radar for the past 15 years with few buyers or sellers of cybersecurity technologies taking advantage of the Act and its liability protections.

Passed in the wake of the terrorists attacks on September 11, 2001, the Act’s stated intent is to incentivize the development and deployment of Qualified Anti-Terrorism Technologies (QATT), including cybersecurity technologies, in a couple very specific ways.

First, the Act limits the Seller of a QATT’s financial liability to an amount determined by the Office of SAFETY Act within the Department of Homeland Security.  In exchange for carrying the required insurance, the seller’s liability is limited to the amount of that insurance (6 CFR Part §25.7(a)).  Additionally, no punitive, exemplary (§25.7(b)(1)), or noneconomic damages, “unless the plaintiff suffered physical harm” are available to the plaintiff (§25.7(b)(2)).

This is all great news for the Seller of a QATT, but what about their customers?  Section 25.7(d) extends these liability protections downstream:

“There shall exist only one cause of action for loss of property, personal injury, or death for performance or nonperformance of the Seller’s Qualified Anti-Terrorism Technology in relation to an Act of Terrorism. Such cause of action may be brought only against the Seller of the Qualified Anti-Terrorism Technology and may not be brought against the buyers, the buyers’ contractors, or downstream users of the Technology, the Seller’s suppliers or contractors, or any other person or entity. In addition, such cause of action must be brought in the appropriate district court of the United States.”

So putting it all together, any cause of action resulting from an Act of Terrorism regarding a QATT has exclusive federal jurisdiction, has a cap to awards, cannot include punitive, exemplary, or noneconomic (with exceptions) damages, and can only be brought against the Seller, not their subcontractors, suppliers or buyers.

What is an Act of Terrorism?  The determination of an Act of Terrorism is left to the Secretary of Defense (or their designee), but the requirements are that the Act:

  1. Is unlawful;
  2. causes harm; and
  3. uses methods designed or intended to cause mass destruction.

There is no requirement that the Act of Terrorism have a political basis.  Many attacks against public and private sector enterprises could fall under this umbrella.

Of course, this is a very high-level overview of a 10 page regulation, but with so many benefits for themselves and their customers, companies are tripping over themselves to get to the Office of Safety Act right?

Actually, according to the Approved Awards Search site only around a dozen companies have earned awards for cybersecurity related technologies.  In a world where over 300 vendors exhibited at the most recent BlackHat conference, it would seem that the ability to offer your customers any level of liability protection would make a great differentiator.

 

WOW! It’s been a while

It has been way to long since I’ve posted anything here.  For the diligent, thank you for sticking with me.  I’m back on the train and will get back to regular posts.

My practice has been picking up, so I’ve been a bit busy.  For those that don’t know, my legal practice is centered around cybersecurity issues.  Primarily:

  • Mergers and Acquisitions diligence
  • Risk Assessment
  • Security and privacy policy creation and review
  • Breach planning and response
  • Cyber-insurance
  • PCI-DSS, HIPAA HITECH, GDPR analysis and review
  • Negotiating Technology Agreements
  • Terms of Use
  • End User License Agreements
  • Helping startups address security issues
  • IT Counseling
  • Calling out Security “snake oil” salespeople

It is a fun and interesting way to spend my days.  I get to play with all the areas of my firm’s practices, I get to meet cool and interesting people, and I get to solve problems.

There is a great essay from Eric S. Raymond called “How to Become a Hacker“.  It is one of my favorite pieces of writing on what hackers are and the ethos.  I need to reread it every year or so to remind me that there are people like me and how I need to focus my attention.  Everyone should read the essay. The 5 attitudes ESR calls out, that have become my mantras are:

1. The world is full of fascinating problems waiting to be solved.

2. No problem should ever have to be solved twice.

3. Boredom and drudgery are evil.

4. Freedom is good.

5. Attitude is no substitute for competence.

My practice really does let me find “fascinating problems waiting to be solved” and I feel really enthused every time I get to find that solution.

Anyway, more to come.

Website accessibility under Title III

When I was in law school our assignment for mock trial in Legal Research and Writing was a debate regarding whether websites were “places of public accommodation” under title III of the Americans with Disabilities Act.

This was a fairly novel idea at the time.  Title III requires that places of public accommodation, like grocery stores, must make their stores accessible to disabled shoppers.  As with any law school mock trial assignment we had to argue both sides with equal fervor.

Over the last several years this debate has continued in real courtrooms across the country.  This month another court stepped into the fray.  In Juan Carlos Gil v. Winn-Dixie Stores, Inc., the judge ruled the Winn-Dixie grocery store must make its website accessible to the disabled.  Gil, the plaintiff, is legally blind and the Winn-Dixie website was incompatible with screen readers that he used to browse the website.

The Judge in this case did not specifically address whether a website is a place of public accommodation, but stated:

The Court need not decide whether Winn-Dixie’s website is a public accommodation in and of itself, because the factual findings demonstrate that the website is heavily integrated with Winn-Dixie’s physical store locations and operates as a gateway to the physical store locations.

This integration with the physical Winn-Dixie stores is more than just an advertising platform but

The services offered on Winn-Dixie’s website, such as the online pharmacy management system, the ability to access digital coupons that link automatically to a customer’s rewards card, and the ability to find store locations, are undoubtedly services, privileges, advantages, and accommodations offered by Winn-Dixie’s physical store locations.

Thus, the judge found that Winn-Dixie had violated the ADA Title III and issued an injunction which requires, among other provisions, that Winn-Dixie’s

website must be accessible by individuals with disabilities who use computers, laptops, tablets,
and smart phones

If you would like to test how your webpage renders on a screen reader, there is a chrome extension called ChromeVox, that will let you browse the web using a screen reader.  Anyone who doesn’t understand the reason why this is important should install this extension and browse the web for a half and hour with your eyes closed.  The experience should be quite enlightening.

We have to do better: Pacemaker security

Last week Billy Rios and Jonathan Butts published a research on the security of pacemakers.  In all they identified over 8000 vulnerabilities in third-party components within the subsystems of 4 major vendors’ physician programming and home monitoring devices.

These vulnerabilities exist primarily because vendors are able to cut development time by using commonly available libraries.  While the libraries may be considered secure when initially deployed, over time new vulnerabilities are discovered.  Unfortunately the patches for these vulnerabilities are not uniformly applied.

This is a common problem with embedded devices, internet-of-things things, and industrial control systems.  The use of public libraries makes sense to get a product to market, but many vendors don’t account for the update and patch process.

Additionally, as I’ve written about before, many vendors still use hardcoded or backdoor passwords.  The researches have been able to verify hardcoded credentials in three of the four devices tested.

We have to demand better from the vendors selling critical information technology, whether it is an industrial control system or medical equipment.  Simple vulnerabilities like insecure libraries, the inability to patch, and hardcoded credentials must be addressed by vendors.