Think about breach notification laws for a second. Which of the following is a breach:
- A criminal breaks into your network and steals your customer database
- A disgruntled employee copies all of your data onto a thumb drive and walks out
- A laptop or tablet, with unencrypted data is stolen from an employees car
- A backup tape falls out of the truck on its way to off-site storage
- A stack of print-outs of customer data is set out next to the trash
All of them look like a breach, right?
Under the bulk of state data breach notification laws, paper documents may not be considered “data.” As an example, Indiana, Louisiana, and Texas all use the term “computerized data”, Michigan defines ‘data’ as electronic information, and Mississippi references “electronic files, media, databases or computerized data containing personal information.”
So, if I leave a laptop with data laying on the road next to the same data in a stack of papers, is only one considered a ‘data breach’ that requires notification?
I’m not sure I would be willing to risk the loss of customer trust or the PR fallout of relying on such a legal argument. Imagine your customers coming back saying their identities had been stolen and your response is “we didn’t really, legally have to tell you we set your PII in the recycling bin.” Probably not the best way to win over customers.
Wow! What a couple months it’s been. Obviously I’ve let this blog go a bit stale, so a little update.
I’m not going to go into a discussion of GDPR. If you don’t know what it is, take a look at the blog post I did in April 2017 (yes, over a year ago.)
The last few weeks have also been interesting with a couple volunteer groups. The Computer and Technology section of the State Bar of Texas met in Washington D.C. with Texas members of Congress. It was good to hear their strong support for security initiatives. The section also creates “Tech Bytes” which are 5-15 minute videos on numerous security topics. Take a look.
The American Bar Association’s Privacy and Computer Crime Committee is in the process of updating their International Guide to Cybersecurity. The original was published in 2004, so it is long overdue. If you are a InfoSec pro, you might want to take a look. It is pretty funny to see where we’ve come from where we started.
Those projects combined with a few speaking and panel presentations have made for a busy few months. It is good to be able to keep my head on work, so busy is good. .
UPDATE: Tom Scott posted a really great example of this on his YouTube channel. Please take a look.
Motherboard, an online technology magazine, recently posted an article (excuse the NSFW language) discussing the development of artificial intelligent (AI) to face-swap celebrities into pornographic videos.
Clearly there are significant ramifications to celebrities, who will now have numerous fake pornographic videos online. There is also a threat of blackmail of adults and kids with this new technology. All of this is very troubling.
Another concern, which should get everyone thinking, is that this technology will not be limited to pornography. Like many technologies, the porn industry leads the way. This technology will eventually find its way into the mainstream.
So what does this mean for the political world? Will “fake news” really become fake news? At what point will we no longer be able to trust our own eyes? Can we put Gandhi and Kim Kardashian into a meeting together discussing the benefits of Kobe beef?
It now seems clear that fake news had an influence on the 2016 elections. How will we be able to discern fake news when the video evidence is right in front of us? It will become easier and easier to perform the historical revisionism envisioned by Orwell or simply make up events and statements.
“Revenge porn” laws exist to protect individuals from malicious disclosure of intimate activities. Will AI assisted, fake pornography fall under the same protections? Will we be able to develop laws or protections that protect the citizenry from AI assisted fake news videos, or will those same videos fall under 1st amendment protections?
I don’t have an answer but, even if I did, would it really be from me…?
Yesterday Equifax (you know the folks that sell credit monitoring services) announced that they were breached. 143 million Americans (or 44% of all Americans) had their personal information exposed.
The 143 million Americans exposed by Equifax, the 22 million exposed in the 2015 OPM breach, the 1.5 billion records exposed by Yahoo would seem to indicate that there is no data left to breach. The chickens are out of the henhouse. So where do we go now?
Security is a series of layers. Physical protection, perimeter protection, system protection… Preventative, detective, and corrective controls… Compensating controls for when any of those fail. Security is hard. It is easier to tear something down than to build something up. The time I spent breaking into systems and networks was a lot easier (and more fun) than the time I spent trying to protect them.
So do the victims get a free pass? No! Because they aren’t the victims, we are. The information that is lost is ours. We entrust our personal information to these companies – in the case of Equifax and the other credit reporting companies we don’t have much say in the matter. They have a duty to protect our information from the threats we know are out there.
They need to do the hard work.
Hey, the good news is that Equifax is offering credit monitoring services for the people affected by the breach of their own systems. That certainly makes me feel more secure.