Category Archives: Federal Law

Federal legal issues

Breach notification laws: Better privacy or the 10th circle?

Today (April 19th) New Mexico became the 48th state to enact a data breach notification law.  Only Alabama and South Dakota do not have a notification law on the books.

On the one hand this is good news for the privacy on New Mexicans.  They are now ensured they will have notice of a breach of their personally identifying information.  They will have the opportunity to mitigate the damage resulting from such a personal exposure.

For security and privacy folks, though, there is a different perspective.  We now have 48 distinct regulations to track.  If I have a client that does business across the country, I have to ensure I am able to help them comply with 48 different (and sometimes contradictory) regulations.  As an example, assume I have a client doing business in Texas, Oklahoma, and Colorado:

  • In Texas and Oklahoma consider a drivers license an element of personally identifying information; Colorado does not.
  • Colorado requires notification to the credit reporting agencies (CRA) if more than 1000 records are breached.  CRA reporting is required in Texas if more than 10,000 records are breached.  Oklahoma does not require CRA reporting at all.
  • Oklahoma allows for electronic communications if the cost of written communication exceeds $50,000; in Texas and Colorado it is only allowable if the costs exceed $250,000.

Add the other 45 states to the mix and the mapping becomes complex.  I won’t comment on whether there is a “better” rule, but the hodgepodge of requirements makes it more difficult for everyone.   This is the type of conflict that is ripe for a federal rule to unify requirements.  Unfortunately the attempts to do so over the past few years have failed to garner much attention.

BTW:  For the curious, there are at least 89 different counties with breach or privacy laws.  A breach at a multi-national corporation can be very complex.

Data classification: Attempting to solve for x without knowing a, b, and c. has an interesting post on federal government security classifications and cloud provisioning.  The TLDR is that many federal agencies are paying too much, because they are classifying information incorrectly and vendors are happy to upsell protections.

In my experience in state government, the problem is very different.  To begin with few agencies have strong data classification policies.  In Texas, the Department of Information Resources published a data classification template that agencies can use to develop a classification scheme.  Personally, I think the template (and associate white paper) is a marvelous piece of work :).  It is unclear how many actually used the template, though.

The problem isn’t limited to Texas.  Based on discussion with the CISOs from other states, data classification is a difficult problem for many.

The issue raised is how to determine the appropriate protections for data when classification programs don’t exist.  The result is agencies will either over protect public data or under protect sensitive data.  Several states have a de facto policy of requiring all data to be hosted in the continental United States (conus).  While this is appealing, it also drives up prices for cloud services.

Many of the regulations that affect states (most recently CJIS) have dropped the conus requirements.  Requiring conus storage for “public” data is probably not the best use of taxpayer money.  Without a strong data classification program, though, it is hard to make informed decisions.

Backdoors, and clear text, and default credentials, oh my!

For years I’ve been warning people about insecure devices being added to their home networks.  It’s clear that the vendors haven’t really been listening because there are still consumer grade (and some enterprise grade) network devices that use clear text passwords, default credentials, and backdoor accounts.  Remember the movie War Games from 1983?  Joshua was a backdoor account.  Even IMDB knows that Falken left a backdoor!

So we cleared up the backdoors and default accounts waaaaayyyyy back in 1984 right?  Nope.

The FTC filed charges yesterday (5 Jan 2017) against D-link for inadequate security in its products.  Guess what the insecurity was (I’ll wait, guess)…

Yep, D-link use “’hard-coded’” login credentials integrated into D-Link camera software — such as the username “’guest’” and the password “’guest’” — that could allow unauthorized access to the cameras’ live feed . . .  [and] . . . leaving users’ login credentials for D-Link’s mobile app unsecured in clear, readable text on their mobile devices, even though there is free software available to secure the information.”

Read that again.  D-link hard-coded login credentials into the devices (that means that the consumer couldn’t change the password if they tried!).

It’s 2017 people, we have to do better than hard-coded credentials and clear text password.  We are putting these devices in our homes.  Having random strangers watching you probably isn’t a settling thought to most.

But hey, no one will find my IP enabled camera right?  Wrong:  Shodan has a large database of webcams that are open to the Internet.  Webcams are always on Shodan’s top searched list, so a lot of people are very interested in watching strangers.