#DataPrivacy

Solar Winds Supply Chain Hack Wins Password Contest

In this picture, the Sun's surface is quite dark. A frame from a movie recorded on November 9th by the orbiting TRACE telescope, it shows coronal loops lofted over a solar active region. Glowing brightly in extreme ultraviolet light, the hot plasma entrained above the Sun along arching magnetic fields is cooling and raining back down on the solar surface.

Privacy and cybersecurity compliance issues are inextricably linked. In one sense, they are peas in a pod. A security breach can leak all sorts of information assets, from useless server logs to trade secrets to sensitive personally identifiable information, or PII. At the heart of many privacy compliance obligations is the recognition of a duty to make “reasonable” efforts to protect PII through technical and organizational means. Such balancing tests are necessarily a key aspect of enterprise risk management. The massive SolarWinds supply chain hack is a case in point. On January 12, 2021, security research company CrowdStrike reported discovery of a 3rd strain of malware named SUNSPOT that was deployed in September 2019 – that is 15 months before the first discovery of the hack by cybersecurity company FireEye on December 8, 2020. There are important questions to be answered about the scope and intent of the hack. Was it a massive penetration testing dry run? Can infected IT infrastructure be fully cleaned without burning it to the ground and rebuilding? Was it espionage on steroids or an act of war? How many more shoes will drop? News reports of the SolarWinds hack often speculate whether important PII was …

Read more

Eureka – Privacy Discovered in California?

The California Consumer Privacy Act of 2018 is a ballot initiative that has gained more than enough signatures to appear on the November 6, 2018 general election ballot. If approved by the voters, the Act will greatly expand privacy rights in California. It will apply to larger companies that do business in California as well as entities that collect substantial amounts of Personal Information from California residents. California has in the past led the US in various trends and regulations, good and bad. Freeways, Beach Boys, hippies, hipsters, car culture, bikers, early Burning Man, the music industry, and Hollywood helped define US culture. Well-known regulations and restrictions on air quality such as CARB (CA Air Resources Board), on “chemicals known to the state to cause cancer or reproductive toxicity” such as Proposition 65, and on offshore drilling have been very influential. Facebook, Google, Apple, AirBnB, Tesla, and yes, Theranos are all California companies. Beauty is in the eye of the beholder In 1976, a wealthy acquaintance in the Bel Air hills invited me for drinks to survey the skyline overlooking Los Angeles at dusk from his poolside perch. Like the successful Mr. McGuire in The Graduate urging Ben to steer his career towards the …

Read more

Boards and C-Level Executives Are Sailing in Dangerous Waters

Great White Shark

In 2005 the ABA Business Law Section published a short book titled, Sailing in Dangerous Waters: A Director’s Guide to Data Governance.  It warned in stark terms: Those Directors who defer or delegate to specialized personnel their understanding and command of data governance will be at increasing risk of incurring personal liability for failing to fulfill their fiduciary duty of care to ensure that their companies comply with rapidly emerging legal requirements concerning deficiencies in data governance.[i] To say that information is an asset to business enterprises is to recognize the obvious.  Certain intellectual property such as trade secrets and customer lists are universally considered to be assets and deserving of protection.  But, as enterprises have shifted to digital systems where work-flows, communications, collaboration systems, data analytics and other metrics now condition and drive business decisions, the value and integrity of these systems has become ever more fraught with risk.  Consider that the Ashley Madison hacking uncovered email correspondence between executives and legal counsel.  While Coca Cola might have been able to lock away a few copies of its secret formula in a steel safe a generation ago, today’s information assets, by their nature, must be widely distributed and available …

Read more