Cyber breaches occur on a daily basis. Or at least it seems like they do…but consider the breaches that we don’t hear about.
Companies’ fears that their brands could be adversely impacted by reports of cyber breaches mean that we rarely hear about them when they happen. What we do hear about are the very widespread, high-profile breaches at large companies where there has been a failure to protect customers’ personal information.
What we often fail to consider is that any entity, commercial or non-profit, public or private, can fall victim to a cyber breach. Certainly, commercial businesses would be expected to insure against such risks. But what about governmental entities? Here’s one example.
The state of Oregon is investigating whether two state agencies violated the Oregon Consumer Identity Theft Protection Act. Each year thousands of Oregonians become victims of identity theft; according to the Federal Trade Commission, Oregon ranks 13th in the nation for this crime. In response, both Oregon businesses and government have clear direction and expectations under the Act to ensure the safety of the personal identifying information they maintain. Personal information includes a consumer’s name in combination with a Social Security number, Oregon driver’s license number or Oregon identification card number, or a financial, credit or debit card number along with a security or access code or password that would allow someone access to the consumer’s financial account. Specific protections under the Act are detailed on the website of Oregon government’s Division of Finance and Corporate Securities (DFCS), and include the following:
The roads traveled by non-profit entities have never been easy ones to negotiate. Indeed, the time, expense and, dare I say, risk of doing good deeds and raising capital have been fraught with potholes and impediments from the get-go. Now, that road has become even more treacherous for non-profits and their cyber/tech insurers alike.
1. An Overview of Massachusetts’ New Data Security Law
A new data security breach law takes effect in the Commonwealth of Massachusetts on March 1, 2010. Described by some as the toughest data security law in the U.S., the law and its corresponding regulations apply to all entities, including non-profits, that employ or serve Massachusetts residents and which store, own or license “personal information” about a Massachusetts resident. Here is the Press Release from the Office of Consumer Affairs and Business Regulation. Here is the Final Version of The Regulations.
2. What is Meant by “Personal Information”?
The term “personal information” is defined in the law to mean a Massachusetts resident’s first and last name, or first initial and last name, together with:
The resident’s driver’s license number or state identification card;
Bank/financial account or credit/debit account number; or
Social Security number.
In other words, a name on its own is not “personal information” under the law; it becomes personal information when it is held together with one of these identifiers, which is how most organizations storing employee or customer records will find themselves covered.
In the security industry there is a generally accepted philosophy that no system or network is completely secure – a competent attacker with enough time, patience and resources will eventually find a way into a target.
We may have gotten a good chuckle out of the various messages that were left on the Twitter accounts of Barack Obama, Britney Spears and Bill O’Reilly, but the implications are serious: with every new technology comes new risk. Viruses can permanently erase an entire system, sensitive system files can be accessed and altered by intruders, computer networks can be infiltrated and used to attack others, and credit card information can be stolen and used to make unauthorized purchases.
“Cybersecurity” refers to the protection of these systems and the information they hold by preventing, detecting and responding to attacks. Although there may be a tendency to consider cybersecurity to be a technical issue with technical solutions, it may also be useful to think of cybersecurity as an economic issue…with economic solutions.
This is the message that the Internet Security Alliance (“ISA”) has made in a landmark report issued earlier today, December 3, 2009. The ISA is a trade association which represents a gamut of corporate interests ranging across the Defence and Aerospace, Banking & Financial, Food Service, Entertainment, Telecommunications and Manufacturing industries. In its report, entitled “Implementing the Obama Cyber Security Strategy via the ISA Social Contract Model,” the ISA emphasizes that cybersecurity is an economic rather than a technical issue and that both the U.S. government and private industry need to revisit their assessments of cybersecurity by creating economic incentives and other programs to foster broader, and more enhanced, cybersecurity efforts and systems.
At present, the government has been relying on regulations to ostensibly improve cybersecurity. The ISA suggests that this method is not only outdated, but also ineffective in dealing with a 21st Century problem. The report sets forth a number of proposed economic solutions, many of which focus on encouraging companies to educate their executives about the economic and social benefits of cybersecurity. Key among these proposals is the suggestion that businesses should create risk management programs that educate their executives about the growing problem of cyber theft and abuse, and assist them in incorporating cybersecurity solutions in their corporate business plans (rather than ceding such responsibilities to computer “geeks” in their IS or IT departments, as is typically the case today).
The report concludes that most companies underfund their investments in cybersecurity, and suggests that economic and other incentives are needed to prompt businesses to improve their cybersecurity. ISA’s report also suggests that the insurance industry become actively involved in providing a methodology by which returns on security investments are quantified.
Among the ISA’s recommendations designed to encourage investment is a proposal that cyber insurance be used to promote the development of standards and practices and assist companies in quantifying and managing their cyber risks. At the same time, the ISA proposes that the government create limited liability protections for certified products and processes and recognized industry best practices. Alternatively, liability might be assigned on a sliding scale (comparative liability) such as limiting punitive damages while allowing actual damages and providing affirmative defenses with reduced standards (preponderance of evidence vs. clear and convincing etc.).
The report is long (over 70 pages) and quite detailed. For those interested in reading it, the report can be found here. Irrespective of whether readers choose to take the time to read the entire report, they should familiarize themselves with its purpose and intent, as it is a major step forward in promoting dialogue on the ever-growing problem of cyber crime. At a minimum, insurance underwriters and cyber professionals should study the report and perhaps incorporate some of the ISA’s recommendations in their own due diligence processes to complement, for example, their existing NetDiligence® cyber risk assessment service (used by many leading US & UK insurers). Only through joint and collaborative efforts can the billion dollar problem of cyber crime be mitigated. It is incumbent on the insurance industry to be among the leaders in these efforts. We can begin by collecting comments on the ISA’s proposal and submitting them to its members, including those representing the insurance industry. Please feel free to comment below. As appropriate, we will forward them to the ISA with the author’s name and contact information, if so authorized.
So you want to get production of documents from Facebook to assist you in your civil case. How do you go about it? We asked and Facebook answered.
Well, first off, you are going to need a court order (subpoena) to obtain the information. In the U.S., Facebook users’ data is protected by the Electronic Communications Privacy Act (“ECPA”). See 18 USC section 2701 et seq. ECPA is a federal statute that prohibits Facebook from producing any “content” without notarized user consent or a search warrant. Facebook’s Law Enforcement Response Team has advised that, with regard to civil matters:
State Court Subpoenas must issue from a court within California or must be issued pursuant to the proper California court commission.
Federal Civil Subpoenas seeking the production of documents must issue from the court in the district where the production is to be made.
Facebook states that it requires a $150 processing fee per User ID. Checks can be made payable to Facebook, Inc. and can be sent to the attention of Facebook Security at 1601 S. California Ave., Palo Alto, CA, 94304, bearing the name and number of the case for which the fees are paid.
In addition to a valid subpoena, Facebook advises that as much of the following information as possible should be provided in order to expedite a request:
Your full contact information (name, physical address, phone and email)
Response date due (please allow 2-4 weeks for processing)
Full name of user(s)
Full URL to Facebook profile
Known email addresses
IM account ID
Period of activity (specific dates will more likely expedite your request)
It takes Facebook approximately 2-4 weeks to respond to questions from law enforcement agencies or legal representatives about the status of these requests. If Facebook is informed and has a good faith belief that the matter is an emergency involving a potential threat of serious bodily harm or threat to life (see Title 18 United States Code section 2702(b)), it generally responds within 24 hours.
Facebook advises that if you are not a member of a Law Enforcement Agency or Legal Department, you will have to contact Facebook through their Help Page or have your local law enforcement or legal representative contact them. Some other helpful Facebook links are as follows: