Monday, November 5, 2018

Data Privacy Violation Settlement Money For The People!

Cy Pres settlements are, laughably but rightfully, pronounced “Sigh” and “Pray”.

In a Cy Pres type of class action settlement, funds are distributed mainly to third parties and the plaintiff’s attorneys, as opposed to the class of plaintiffs themselves. 

In most cases, I feel people/consumers should receive the brunt of settlement money, not organizations (like mine).
The parties set to receive the brunt of the $8.5 million Google settlement distribution are organizations that educate the public about internet privacy issues and the attorneys that represent the class of plaintiffs. KAI Partners trains and educates the public with a goal of strengthening the workforce and improving awareness of data privacy and cyber security issues; I am not a settlement recipient, but my opinion remains the same.

The way it works is, federal agencies such as the FTC have standing to file legal claims even before breach damages or a violation occur. This is because of a 100-year-old consumer protection statute on “unfair or deceptive acts or practices”. But individuals and classes of plaintiffs generally have to allege damages as a result of the violation.
Damages must be particularized injuries-in-fact to be legally recognized. To establish a prima facie cause of action in tort law (the elements of Negligence, Breach of Contract, or Unjust Enrichment claims differ), the plaintiffs must allege actual harm (generally, pure economic loss alone doesn’t cut it). That final element of damages in prima facie causes of action is problematic and controversial in data privacy violation cases.

The General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA) do help us identify which entities are covered by the laws, and to whom the entities owe a duty. The laws set standards as to what would constitute a breach of that duty. One way the laws differ is in whether they grant a private right of action to classes of individuals to sue when the standard is breached, or whether standing to sue exists only with regulatory bodies. 

The controversy lies in that the laws do not create a bright-line rule as to whether failure to meet their data protection standards, consequently resulting in privacy violations or a data breach, can constitute a valid cause of action for individuals without anything more (i.e. proof of identity theft). The Google case highlighted in this article suggests no, not for the consumers the law was aimed to protect, but yes for federal regulatory bodies.

With the current data privacy laws, the people (consumers, data subjects) may not get to see their day in court, and if/when they do, they are not a part of the settlement money distribution. We “sigh” and “pray” about this.

The postings on this site are my own and do not necessarily reflect the views of KAI Partners, Inc.

Twitter: @CyberSecurityL2

Tuesday, September 12, 2017

Equifax Data Breach: Laws - Frameworks - Solutions


Equifax discovered unauthorized access on July 29. Two months later, the public was notified, and the victims of the breach (and potential victims of identity theft) are being offered monitoring services.
Each state has enacted Breach Notification statutes. California law, for example, requires notification at the most expedient time possible and without unreasonable delay. Notification can be delayed if law enforcement determines that notice would impede a criminal investigation (Cal. Civ. Code § 1798.82). But was a criminal investigation being impeded, and what factors were used to deem the determination reasonable?
An amendment to the Breach Notification statute requires organizations to offer 12 months of monitoring services at no cost to the potential identity theft victim (AB 1710).
It seems controversial that Equifax is offering their own monitoring service. If our homes are burglarized while we use a company’s home security system, should we accept a 12-month membership of a home alert alarm system from the same company?
Anyone familiar with incident response will agree that it can be challenging to identify where to attribute an exploit, even after identifying how the exploit occurred. Equifax CEO Richard Smith believes that the Equifax exploit occurred via SQLi (structured query language injection). SQLi uses malicious input that the backend database interprets as code, manipulating queries to access information that was not intended to be displayed. SQLi can be prevented, or its impact can be limited should it occur.
Web application firewalls (WAFs) can prevent SQLi, but there is an issue with false positives: legitimate requests get blocked as well, which could impede the operability of attractive functions of a company’s flagship product or service. The government generally does not insert itself into requiring this type of protective measure.
Data-centric end-to-end database encryption can protect by making the data retrieved through SQLi valueless to the exploiter. Even in the event of a compromised database administrator’s account, the data viewable will still be encrypted. However, this can break data analytics and/or be cost prohibitive to implement in an organization. But the federal and state governments have inserted themselves by making encryption a legal requirement. FISMA (Federal Information Security Management Act) ratifies NIST (National Institute of Standards and Technology) guidance. The NIST framework asks for encryption of data at rest, data in transit, and data in use (NIST 800-53 Rev. 4 AC-3, AC-4, MP-5(4), SC-8, SC-28). HIPAA section 164.312(e)(I) is also federal law addressing encryption requirements as mandated technical safeguards.
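As an added example (not code from the original post, and unrelated to Equifax’s own systems), the following Python script uses an in-memory SQLite table with constructed, fictitious records to show the three points above side by side: how a string-built query lets user input change the query’s structure, how a bound parameter prevents that, and why a blunt WAF-style rule produces the false positives that block legitimate customers.

```python
import re
import sqlite3

# Constructed sample records (fictitious names and SSNs) standing in for consumer PII.
SAMPLE_ROWS = [
    ("Alice Smith", "111-22-3333"),
    ("Bob O'Neil", "444-55-6666"),
    ("Carol Jones", "777-88-9999"),
]

# Textbook probe: closes the quoted value and appends an always-true clause.
INJECTED_INPUT = "x' OR '1'='1"


def build_db():
    """Create an in-memory SQLite table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE consumers (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO consumers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Defective pattern: the input is spliced into the SQL text, so it can
    change the query's structure instead of only supplying a value."""
    sql = "SELECT name, ssn FROM consumers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened pattern: a bound parameter is always treated as data, never as
    SQL, so quotes and keywords in the input cannot alter the query."""
    sql = "SELECT name, ssn FROM consumers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def vulnerable_query_errors(conn, name):
    """True if the string-built query cannot even run for this input, e.g. a
    legitimate name containing an apostrophe breaks the SQL syntax."""
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.Error:
        return True


# Blunt signature rule standing in for a WAF filter: reject any single quote.
WAF_RULE = re.compile(r"'")


def waf_blocks(value):
    """True if the blunt rule would reject the request before it reaches the app."""
    return WAF_RULE.search(value) is not None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, injected:", lookup_vulnerable(db, INJECTED_INPUT))  # all 3 rows
    print("parameterized, injected:", lookup_parameterized(db, INJECTED_INPUT))  # []
    print("parameterized, O'Neil:", lookup_parameterized(db, "Bob O'Neil"))  # 1 row
    print("WAF blocks injection:", waf_blocks(INJECTED_INPUT))  # True
    print("WAF blocks O'Neil (false positive):", waf_blocks("Bob O'Neil"))  # True
```

Note that the parameterized query handles the apostrophe in “O'Neil” correctly without any filter, whereas the string-built query both leaks every row on the injected input and fails outright on the legitimate name.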
What level of encryption was Equifax using, and what companies offer solutions that boast full compliance with the federal laws cited on encryption, or ability to eliminate the same threat for your organization that Equifax faced?

Wednesday, August 9, 2017

Tools to use to approach CISO strategy and how

A 10-step approach to identifying critical pieces used to build a CISO’s strategic plan, and where to look for answers:

(Steps 1 through 9 prepare us for step 10.)

1. Know your role

(What to ask, or what resources can help you find answers:)

Job description, charter, org chart, who you report to, who reports to you, objectives, how your performance will be rated, what this organization believes the CISO role must achieve

2. Know your audience

Who are the stakeholders, what are their backgrounds, what do they think is important, what do they think your role is, what do they think your role is not, do their perspectives require reshaping

3. Know your organization

What sector(s), what flagship product or service, are they for profit, nonprofit, publicly traded, member owned, or government; what regulations govern their practices, who are their customers, where their customers are, the CEO’s or board members’ vision

4. What is your budget

Size of org, IT budget, IT security budget, budget for HW, SW, outsourcing, training, cyber insurance policy, incident response reserves, cybersecurity premium and coverage

5. How many are on your team

The resources on your team and those who report to you are not necessarily the same answer. Is the organization projectized, functional, or matrix-based?

6. Timelines/deadlines imposed upon you

Internal goals, litigation prep, DoD directive 8570.01 IAT proficiency levels of staff, PCI-DSS, new product delivery support, SDLC, EOL, fiscal year-end, new budget approval window, audits, ISO certifying deadlines

7. What do you have, how is it configured, and where are the concerns

CMDB, inventory, survey, assessment, policy, federated services, penetration testing

8. How are those concerns remediated and continuously monitored

Periodic reinvestigation, patch management plan, CMDB manager, change management logs, SIEM, SOC

9. What protections/defenses are in place

9a. How is your team of admins and security professionals securely managed

Privileged account management, identity and access management, multi-factor authentication, change management, role overlap, checks and balances, mandatory vacations, monitoring and analysis of audit logs

9b. Tools, software, solutions, and protective measures for:

Email; web browser; malware; network ports; data recovery capability; network device settings; boundary; data encryption; multi-factor authentication; wireless access points; account monitoring and control; application, platform, and OS-level software; mobile device management; policy; threat awareness and training

9c. Penetration tests and red team exercises

9d. Incident response management plan and/or cybersecurity insurance

10. Where to harness efforts in the future

This is the first place you begin to affirmatively plan after addressing steps 1-9, by putting the pieces together to build a strategy that meets the scope, budget, and time constraints unique to the organization. Once step 9 is reached, one will feel more self-assured, confident that “you know what you’re doing and where you’re going with this.” The fact is, “how to build a strategy” is a question that is not answerable without first ascertaining these details. Failing to do so falls into the trap of beginning to offer solutions to problems that an organization either does not need solved, or is ill equipped to solve without reshaping the answers to steps 1-9.

Bonus Step 11.

Do you really even want this job anymore? Are you going to be compensated appropriately to execute on the strategy formulated in step 10?

These ten steps assume that Risk is a function of vulnerability, threat, and consequences, divided by the controls in place.

They help posture toward adherence with CIS CSC, NIST, PCI, ISO or other frameworks, and help prepare for compliance with regulations that govern your organization. Steps 7-9 map directly to foundational CIS Critical Security Controls and NIST 800-53 Risk Management Framework, as ratified by FISMA law. The article conveys views and opinions but does not constitute legal advice.

You’ve likely followed these steps before, and many more. What’s your opinion on an approach to preparing CISO strategy?

Tuesday, July 25, 2017

CISA is actually a law now!

The Cybersecurity Information Sharing Act (CISA) was passed by the Senate and the House and signed by the President. CISA is a law now. What is CISA? CISA incentivizes companies to share their cybersecurity threat indicators and defensive measures with the federal government. The incentives include legal protections such as limiting liability and exempting shared information from Freedom of Information Act (FOIA) disclosure requirements. The Department of Justice (DOJ) and Department of Homeland Security (DHS) could then share that information with each other, local governments, and private entities. Previously, such sharing could put the sharer at risk of violating antitrust and privacy laws, or of a disclosure waiver of privilege under FOIA (applicable to government agencies such as the DMV), all very costly violations of longstanding laws.

This is very controversial and has received heated backlash from some privacy advocacy groups and some corporations, while other corporations laud the idea of limiting their legal liabilities in exchange for sharing data.

There's more. Private organizations can now share with other non-federal entities as long as they justify that the information is directly related to and necessary to identify or describe a cybersecurity threat.

Is your organization taking advantage of this data sharing law? Why or why not? Some organizations are adamant that this enabled more of a Cyber Information Surveillance Act (CISA) than a CISA. Thoughts?


Thursday, March 24, 2016

Cyber-Negligence: Failure to implement CIS controls constitutes lack of reasonable security. Being unreasonable can lead to a negligence lawsuit.

California law states that businesses that collect personal information have a duty to implement reasonable security practices and procedures to protect the personal information. The standard for reasonable security is the Center for Internet Security (CIS) Critical Security Controls (CSC). Failing to meet CIS CSC as a minimum level of information security is a failure to rise to a reasonable standard of care, which constitutes a breach of duty. If damages are caused as a proximate result of the business’s failure to meet the reasonable standard set by CIS CSC, then the business can be liable to compensate for those damages under a negligence claim in California civil courts. (The CIS Critical Security Controls for Effective Cyber Defense version 6,‐controls.cfm)

The National Governors Association and California Attorney General Kamala Harris have concluded that CIS CSC is the baseline standard that all businesses that collect personal information must meet.

The current version 6 of the CIS CSC provides 94 pages of guidance on 20 different control areas. Each of the 20 security controls represents a cyber-security standard that must be met in order to avoid liability in legal claims for a negligence cause of action.

I help businesses exceed these standards. Contact me if you’d like to discuss more or you’d like a copy of the CIS CSC today.

Wednesday, October 28, 2015

What does the new "Relevant Mobile Advertising" mean to you?

What does the new "Relevant Mobile Advertising" mean to you as a smartphone user, and what can you do if you disagree with it?

It's been said that if it is free to you, then you are the product. If you are not paying, then the business model of the service or website is likely business to business (B2B). But now, even though you are paying for mobile carrier or Internet Service Provider (ISP) services, you are also the product, in a B2B profit model between those companies and others.

Relevant Mobile Advertising allows third party partners and marketers to use a socioeconomic and demographic web of your information to advertise to you on your smartphone. The information belonging to you that they use includes:
  • where you live
  • where you travel to
  • where you shop
  • what websites you visit on your personal computer and phone
  • email address and metadata in the body of your emails
  • smartphone device make & model
  • gender, age, and interest indicators such as:
    • favorite sports team, pet owner, where you dine out, etc.
    • what you've typed into the Google search engine on your personal computer and phone
Cumulatively, this data amounts to your Unique Identifier Header (UIDH). We all have a UIDH, which internet advertisers use for targeted advertising campaigns. Now, the said campaigns have become more elaborate by including your smartphone use and by advertising to you on your mobile devices as well using your UIDH.
Customer Proprietary Network Information Settings (CPNI) are regulated and enforced by the Federal Communications Commission (FCC). All mobile carriers are supposed to protect our CPNI by law, but selling our UIDH is fair game. Relevant Mobile Advertising allows for a large playing field largely because of how tricky carriers get in their privacy policy disclosures. For example, many companies claim proudly to consumers that they do not share your personal information with third parties. But then they state that any external company that they are working with or doing business with is not a third party. This means you have no cognizance of where your personal information goes. While your CPNI is generally protected from hacking or dissemination, our UIDH is frequently sold away in a very profitable industry. As a result, the web of information described above is likely already in the hands of companies you have never done business with.
You have rights to privacy, and the companies you choose to do business with have obligations to protect your personal information and uphold your rights to privacy. Neither large corporations nor the FCC expect the common consumer to know how to exercise their rights nor when those rights are being violated.
What can you do about it? You can contact your service provider to opt out of personal data sharing from your mobile device. But this does not prevent companies from receiving, within your UIDH, your location or shopping habits gathered from other methods, for instance. Your carrier or ISP privacy policy is publicly available to you, but written using terminology that is not generally understood by the public. If you are curious about the methods by which your socioeconomic and demographic web of personal information is gathered, or what preventative measures can be taken, contact me.

Parents, do you believe in invading your children’s privacy?

I do, to an extent at least. I recall the motto, “give ’em enough rope to hang themselves,” because it allows them to learn from their mistakes. So how about using nanny cams and key loggers?
A nanny cam is a hidden camera in a common area of your home used to observe your children and babysitter. Some argue that if you even think about installing a nanny cam, you shouldn’t have the babysitter. You’ve got to have trust foremost. And then why not have some inside information also.
A key logger is software that tracks computer usage as precisely as sites visited, usernames and passwords entered, and screenshots of what is being viewed, and it logs it in a file accessible remotely or locally. I want to talk about key loggers.
Although it is prohibited to install key logging software on medical, government, or educational computers, it is perfectly legal to use such technology on your own personal laptop or desktop. If you own a law firm, for example, as long as your employees receive notification upon logon that they are being monitored, then your firm can use key loggers as well. Here is what a key logger can do for you:
1. If your laptop is stolen, you can view the thief’s activity remotely and facilitate the police report or homeowner’s insurance claim filing.
2. If you want to keep tabs on your child, you can attain their passwords to their social networking sites and email inboxes, and see what videos they watch and when. “Keylogger is your litmus test as a caring parent.”
3. For security on your personal computer, to covertly monitor unauthorized activity for purposes of identifying download locations for virus protection.
When selecting a key logger, free is usually attractive, but there are privacy issues to be aware of for yourself. Free software often earns its value for the author via either advertisements or data collection. I warn you about the latter regarding some free key logging software. When selecting a key logger, make sure that it does not do the very same thing to you that you intend to use it for. By that, I mean be sure that it does not open ports on your firewall, collect info about your data usage, and pass it from your computer through the firewall back to the author of the free software. You should be the only one accessing your logs, not the owners of the software. I find key loggers (and software that does not compromise your privacy in general) useful even if not used for invading your children’s privacy. Maybe it is a question of trust over transparency?
From a legal perspective, should any party other than yourself have any reasonable expectation of data privacy when accessing the internet from your computer? Maybe the next time you borrow a friend’s laptop to conduct a quick check of your bank account balance or respond to an urgent email, you might inquire if they use a key logger.