The Sound of Silence

Hey Everybody, just wanted to let you know that I’m making some long-term changes to the blog. We are going to be porting it over to my firm’s new website when it’s ready (which, I hope to be sometime this year), and we will be integrating the blog with the firm more.

When I first started this blog, it was separate from my employer’s website, which gave me more control over how to run it, and allowed for a more casual tone, which I think makes the thing more readable. Now that I started my own law firm though, I can post whatever I want and I’d like to offer a better connection between my blog posts, my permanent legal content, and my website copy.

That said, don’t worry. The goal here is to increase the value of the content I’m creating, not to monetize the content. I firmly believe that the best model for my business is to provide value and share my knowledge with others. Telling you about the CCPA is not likely to inspire you to handle it yourself, so, I think we’re good.

I hope everybody is hanging in there still. Looking forward to hugs and handshakes coming back into vogue.

Data Mapping: It’s A Spreadsheet.

There are few things that niche industries love more than developing their own lingo. Those of us old enough to remember the tech boom of the late-90s/early 2000s probably also remember hearing that everything was a “paradigm-shift.” Eventually, this phrase morphed into everything being a “gamechanger.” Today, business people love to talk about whether X “moves the needle” and it wasn’t so long ago that before elaborating on any topic, we would first announce that we are going to “add some color” to the issue. My suspicion has always been that this is a form of code-switching, designed to let the listener know that the speaker is with the “in” crowd. It comes from a place of insecurity, worst-case, or conformity, best-case. And look, I’m guilty of it too, which is why there is so much to unpack here (see what I just did?).

The cybersecurity world is no different, and in a lot of ways, worse, when it comes to having its own language. You would think that the best way to communicate already very complex ideas would be to simplify the language so that everyone could understand it. But, its pretty clear that a lot of people don’t want the language to be simple. They want it to be confusing, so they appear knowledgeable.

One of my goals with this blog is to break down intimidating cybersecurity concepts into plain language. Today’s lesson? The Data Map. Guess what. It’s a spreadsheet. Let’s take a look at what a data map looks like, which, hopefully will make more clear why they are important.

The data map really is the roadmap to your work in managing your cyber risk and the rosetta stone to responding to incidents involving your data. It is the product of all of the preparation and planning work you put in ahead of time, so that when an incident does occur (sorry, but chances are, it will eventually), you will have a game plan (a map, if you will) or how to proceed. That said, it is not, itself, the incident response plan (that is a different thing, which I will eventually cover in the future).

The Data Maps that I typically use includes the following fields, give or take:

  • Data Description
  • Category
  • Source
  • Metadata
  • Purpose
  • Lawful Reason
  • Handling
  • Disposal
  • Justification Inquiry
  • Who Has Access
  • Who is Responsible
  • What Laws Implicated
  • Risks
  • Compliance Notes

There you have it. The secret sauce. I’m not worried though, because you are still going to want a professional who can help guide you through this process.

Unfortunately, its not the fields that make your map useful, its the data that you put in it. One of the things that a good data map will do, is expand a team’s thinking about what data actually is. And one way this is accomplished is by categorizing your data. Is this data a record of contact information? login information? social security numbers? client info or employee info?

The more you start to think about how to describe and categorize your data, the more areas of your business will reveal themselves as important sources of data. For instance, you may start to realize that much of this data is located in your email server. Some of it is on employee devices, company laptops, usb’s on your desk, CDs in the file cabinet, etc., etc.

Ultimately, a lot of questions in your data map are about the process you undergo in answering them. Fact is, the actual answers are always changing. But it is the exercise of thinking about risk, and thinking about where data resides, and who has access to it, that is pivotal to what a data map does for your team. It also creates jumping off points for further inquiry.

So, how does this help us when a breach has occurred?

Glad you asked. Here is a thought experiment. Say you have a situation where you are contacted and told that three of your customers have reported recent suspicious activity on their credit cards. Visa thinks you are the source of a data breach. Step one is to investigate and stop the bleeding, right? Where do you begin?

If you’ve done a good job of working through these issues ahead of time, you can review your data map and clearly see 1) areas where this data is stored; 2) key personnel who are responsible for this data that you will want to call on to address the situation; 3) further information about the scope of the data you are storing; and 4) areas of concern where a breach in one place could signify other, as yet undiscovered, breaches on the system (particularly where you have multiple machines or are using SaaS vendors. The possibilities are endless in terms of creating shortcuts for incident responses.

In addition, you would use your data map to take proactive steps to secure this data. You identify weaknesses, areas that can be improved, people to bring into various efforts, etc. etc.,

By completing this work ahead of time, you are getting a head start at a time when a few minutes can literally cost you millions of dollars. Is that important enough for you?

So, now that you know what a data map is, and why they are important, what are you going to do to ensure you can leverage their usefulness?

Syracuse Startup Podcast

Hi Everybody. I launched a podcast called “Syracuse Startup” which interviews entrepreneurs in Syracuse to share insights, challenges, victories, etc. in our chosen fields. My first guest is a friend of mine, Eric Maley, of Upstate Agents, talking about how he got into real estate. Look out for new episodes approximately once a month. Please consider subscribing and leaving positive reviews.

If you are an entrepreneur in Syracuse and would like to be on the show, give me a shout. Techies are somewhat preferred, but its not a requirement.

Here is a link:

Ep. 8 – Kasey Almanzi, CPA – Bowers & Co. Syracuse Startup

In this episode, I have the good fortunate to speak to Kasey Almanzi of Bowers & Company. Kasey is a certified public accountant and a tax supervisor at Bowers & Company, which is a Central New York located accounting firm of approximately 90 accounting professionals.Kasey and I had a great conversation talking about some of the basic taxes issues to think about when starting a business or operating a small startup. I learned a lot myself, and anyone who is just getting started in building a business really needs to listen up here.Note that there some minor audio quality issues with this recording, as we did the podcast via zoom, and for reasons I never could figure out, I had to use my phone, rather than a computer mic to get it to work. Such is life I suppose.Anyway, thanks to Kasey for coming on the podcast. I really enjoyed it, and I appreciate the time and effort involved in providing this great tax information.
  1. Ep. 8 – Kasey Almanzi, CPA – Bowers & Co.
  2. Ep. 7 – Brandon Williams –
  3. Ep. 6 – Chris Dugan – Knowles Precision Electronics
  4. Ep. 5 – Jason Dean – Eget Liber
  5. Ep. 4 – Dr. Jamie Winders of the Autonomous Systems Policy Institute (ASPI)

Is Personal Information About my Adversary Protected Too?

One of the major challenges for lawyers in the digital age is keeping case data out of the wrong hands. It is a staple of law practice and has been so since the dawn of the profession . Even before anyone ever heard of cybersecurity, Model 1.6 of the Rules of Professional Conduct required that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

I wrote about this problem recently when discussing a data breach that affected a law firm’s famous clients and their sensitive information. The problem of how to avoid data breach when YOUR data isn’t really YOURS, is an important one. Failing to get it right can mean malpractice, loss of clients, and possible disciplinary action.

Yet, there is another issue that gets far less attention:

What about my adversary’s private information?

For example, its quite common to request social security numbers from an adversary in personal injury matters. There are good reasons for this, mostly having to do with verifying an individual’s identify, authenticating medical records, and complying with various federal reporting requirements when settling personal injury matters. However, through the lenses of the NY SHIELD Act, this gets to be a tricky issue.

Under the SHIELD Act, a person’s name and social security number, when kept together, is considered to be “private information.” This definition is important because the Act goes on to require that:

“Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.”

So, taking a step back, this means that any law firm (law firms are businesses), that owns computerized data (in your phone, laptop, cloud, etc.) which includes private information (e.g., a word document with someone’s name and social security number on it), shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information…”

So, what are “reasonable” safeguards??? Ah, the million dollar question (perhaps literally).

Here, the SHIELD Act defines what it considers reasonable, but creates a caveat that “small businesses” need only to maintain “reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

For all others (those with at least: 50 employees, $3 million in annual revenue AND $5 million in assets), reasonable administrative safeguards are met by:

  • Designating one or more employees to coordinate the security program
  • Identifying reasonably foreseeable internal and external risks
  • Assessing the sufficiency of safeguards in place to control the identified risk
  • Training and managing employees in the security program practices and procedures
  • Verifying that the selection of service providers can maintain appropriate safeguards and requiring those safeguards by contract
  • Adjusting the security program in light of business changes or new circumstances

Reasonable technical safeguards are met by:

  • Assessing risks in network and software design
  • Assessing risks in information processing, transmission, and storage
  • Detecting, preventing, and responding to attacks or system failures
  • Regularly testing and monitoring the effectiveness of key controls, systems, and procedures

And reasonable physical safeguards are met by:

  • Assessing risks of information storage and disposal
  • Detecting, preventing, and responding to intrusions
  • Protecting against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information
  • Disposing of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed

In other words, mid-sided businesses and up must implement a bona fide data security program.

Small businesses are left to determine for themselves what is “reasonable” (until we see some caselaw on the subject). However, we can be certain that doing nothing is not going to cut it. Further, reasonableness for small business is going to be some sub-set of the enumerated safeguards mentioned above and will adjust depending on the context.

Herein lies one of the problems. There are few professions with more sensitive data than a law firm. So, what can we do about it?

There are a number of simple steps that go a lot way towards being reasonable here, especially when it comes to social security numbers. Here are a few ideas, as a starting point:

  1. Don’t collect the sensitive information until you actually need it.
  2. Dispose of the sensitive information quickly when you no longer need it.
  3. Do not store the sensitive information anywhere that is not encrypted and not protected with multi-factor authentication. (i.e., dont keep it on your harddrive if your harddrive isn’t appropriately protected)
  4. Do not email the sensitive information in an attachment.
  5. Practice “least privilege” by not allowing all users to access sensitive information.

Look, will these things, alone, constitute “reasonable safeguards” for a small business under NY SHIELD? I don’t know. No one does, yet. But, I can promise you that it is an excellent start while you are working on implementing your data security program.

Vendor Management

I just completed a whirlwind, virtual tour of New York bar associations (and boy are my arms tired… ) to teach CLEs regarding New York’s new SHIELD. (Thanks to the New York State Bar Association, the Broome County Bar Association, the Tompkins County Bar Association and the Onondaga County Bar Association!) One of the issues that comes up in these presentations is the topic of vendor management.

It’s not an easy issue, and here’s why… If you are a billion-dollar company, chances are you have enough leverage to have an arms-length negotiation with many of your vendors. You can explicitly require that they take certain steps to protect you both. Failure to comply is breach of contract, and is actionable. But the SHIELD Act is unique among state cybersecurity laws in that it requires businesses of all sizes to take proactive steps towards assuring “reasonable safeguards” of personal information. For contrast, in California, these proactive security requirements only apply to company who are taking in at least $25 million in annual revenue (or who are in the business of trading big data).

Meaning, if you are doing business in NY and you’ve got a five or six-figure annual revenue, you are in the uncomfortable position of having to vet your vendors to ensure the data you are sending them is being secured, while having no leverage to force most vendors to do so. An example of the type of vendor you might be using where this issue arises would be a credit card processor, who most certainly has your customers’ personal information. For an illustration of this problem, try calling up Google and tell them that you would like to negotiate the terms of your user agreement for gmail. Good luck.

There are a couple of approaches we can envision to address this issue. First, we can realize that these SHIELD Act requirements are for you to take “reasonable” safeguards. Small businesses are not required to take heroic measures to safeguard their information. We should not be bankrupting ourselves to accomplish data security. Second, we can dive into the vendor management process a little and identify areas where perhaps a small business can maneuver. Enter, the vendor questionnaire. Obviously, to fully execute on a program like this, you might want to retain an attorney who knows about this stuff.

The Vendor Questionnaire

The Vendor Questionnaire is rapidly becoming one of the primary means by which we can perform due diligence on our vendors. There are pluses and minuses. The more involved your vetting process, the more costly it becomes to retain vendors. Further, you are relying on their word. Be sure to follow up when you can. Ask for proof. Ask for referrals.

Not everyone is going to be willing to complete such a questionnaire, but the good news is that questionnaires have gained in popularity to an extent that they are becoming standardized. If questionnaires are standardized, there is a good chance that even larger potential vendors may be willing to share them with small firms.

For a review of standardized questions (which have the added benefit of being more cost-effective for small businesses), take a look at the CIS Top 20. This is a great starting point for the types of questions you should be asking of potential vendors. You can also look at NIST, SIG, and VSA. Some of these organizations even offer free questionnaires that you can use yourself. Of course, if you aren’t in a position to evaluate the answers, they may be difficult to use, but with more vendors addressing the same questionnaires, it is becoming easier for small businesses to get answers. You may still need someone to review the responses.

Here are some basic questions that you can ask, which will at least give you a starting point to evaluate. Remember to document the answers, which will be an important part of your compliance documentation generally:

Information security and privacy questions

  • Does your organization process personally identifiable information (PII) or protected health information (PHI)?
  • Does your organization have a security program?
  • What standards and guidelines does it follow?
  • Does your information security and privacy program cover all operations, services and systems that process sensitive data?
  • Who is responsible for managing your information security and privacy program?
  • What controls do you employ as part of your information security and privacy program?
  • Provide a link to your public information security and/or privacy policy.

Physical and data center security questions

  • Are you in a shared office?
  • Do you review physical and environmental risks?
  • Do you have procedures in place for business continuity in the event your office is inaccessible?
  • Do you have a written policy for physical security requirements for your office?
  • Is your network equipment physically secured?
  • What data center providers do you use if any?
  • How many data centers store sensitive data?
  • What countries are your data centers located in?

Web application security questions

  • Do you have a bug bounty program or other way to report vulnerabilities?
  • Does your application have a valid SSL certificate to prevent man-in-the-middle attacks?
  • Does your application require login credentials?
  • How do users get their initial password?
  • Do you have minimum password security standards?
  • How do you store passwords?
  • Do you offer single sign-on (SSO)?
  • How can users recover their credentials?
  • Does your application employ a defense in depth strategy? If so, what?
  • How you regularly scan for known vulnerabilities? 
  • How do you do quality assurance?
  • Do you employ pentesting?
  • Who can we contact for more information related to your web application security?

Infrastructure security questions

  • Do you have a written network security policy?
  • Do you use a VPN?
  • Do you employ server hardening?
  • How do you keep your server operating systems patched?
  • Do you log security events?
  • What operating systems are used on your servers?
  • Do you backup your data?
  • How do you store backups?
  • Do you test backups?
  • Who manages your email infrastructure?
  • How do they prevent email spoofing?
  • How do you protect employee devices from ransomware and other types of malware?
  • What operating systems do employee devices use?
  • Are employee devices encrypted?
  • Do you employ a third-party to test your infrastructure security?
  • Who can we contact in relation to infrastructure security?

Another vendor management guidepost to use is a security rating or certification. Especially if you are using a very large vendor, security ratings should be easily monitored and will provide a very basic reassurance that you are acting “reasonably”. There are a number of popular ratings companies, and there seems to be a battle for dominance in that field as of late. Here is one. SOC2 certification is also a good starting point when evaluating the security of a potential vendor.

In a later post, I will discuss more about security ratings, SOC2 and other certifications, as well as third-party monitoring and audits. Stay safe out there…

Who’s The Boss?

I like to talk a lot about how the NY SHIELD Act puts proactive requirements on every business that handles New Yorkers’ personal information. Meaning that the information businesses (like law firms) store about their clients is subject to the SHIELD Act.

No, literally. I just gave two presentations on this issue in the last couple weeks and am booked to present to the New York Bar Association tomorrow. (You can register here, wink). It’s hard to catch me not mentioning this multiple times per day.

But, it’s easy to forget that the reason for these requirements is to minimize your risk of data breach.

Who wants to be the guy who has to call “THE BOSS” (aka Bruce) and tell him that his personal information has been hacked?

Last week, Variety reported that entertainment law firm Grubman Shire Meiselas & Sacks was subjected to a major data breach of 756 gigabytes of documents regarding several well known music and entertainment figures, including: Lady Gaga, Madonna, Nicki Minaj, Bruce Springsteen, Mary J. Blige, Ella Mai, Christina Aguilera, Mariah Carey, Cam Newton, Bette Midler, Jessica Simpson, Priyanka Chopra, Idina Menzel and Run DMC.

The thing that I found interesting about this story was the firm’s statement to Variety: “We have hired the world’s experts who specialize in this area…” Notice they didn’t say, “we have implemented our incident response plan and our cybersecurity response team has been working on it as soon as they became aware of the issue.” Their response suggests they were caught flat footed, i.e., that their response was to hire someone. I would hate to have to explain to the Boss why they don’t already have a plan in place for this sort of thing. Perhaps if they had a plan in place, it might not have happened in the first place?

I wonder what kind of client list they will have next year.

How I Learned to Stop Worrying and Love Working from Home

I should preface this post by noting that it has almost nothing to do with cybersecurity…

What a strange time. 2020 has been, just… a really weird year so far. First of all, it’s hard to believe that we are about one-third of the way through the year. Next week it will be May. Most of us are living in this Groundhog Day-like situation where everyday is the same house, apartment, same haircut, same pants, same leftovers. The weather in Syracuse suggests it is closer to February 2nd than April 24th.

The little things that we took for granted are often not available to us any more. Like having places to go. And I’m sorely missing my jiu-jitsu gym. Frankly, that is really just putting a light-hearted spin on things, because there are a number of us out there losing loved ones, fighting for their lives, and fighting for their sanity while they work tirelessly to help others (thanks btw!).

But this is a blog, and while it is a professional blog (i.e., about cybersecurity law) it feels a little disingenuous to ignore the personal during this crazy time. Fact is, 2020 has been especially weird for me because I’ve actually been working from home since February, more than a month before COVID-19 really hit New York hard. Last year, I made the decision that I wanted to own the means of my production, and I began working in earnest to make that happen. I explored a number of options, and promised myself that I would make something happen by the end of the year. In January, an opportunity came up that would allow me to build something from scratch, and I can honestly say it has been one of the most important decisions of my life. Everything is about to change. It is a little early to say, but it may also turn out to be one of my best decisions as well.

It’s been a bit like a pendulum being here. My first month as a law firm owner was about getting my footing. I left a firm that, while it had a lot of problems, also had a lot of people that I cared about. I had hoped my benevolent overlords would understand where I was coming from when I told them I was considering going out on my own, but they didn’t. When I finally saw that, the decision got much easier.

At home, I set up a nice office in what used to be a guest bedroom. It was a rough start during Winter break with my kids. Little did I know the kids would be a fixture in this office for months. In the first week of March, I signed a lease to open the new firm’s office in downtown Syracuse, and while I’m thrilled about my new digs, the lease doesn’t start until June, leaving me, at home, whether the state tells me to or not.

Anyway, I began this process as one of a minority of Americans who work from home, to one of millions. I had worked from home previously, before my legal career, when I freelanced as web programmer. Between those times, and all that has gone on now, I’ve come away from a number of tips, tricks, and hints at staying sane. Hopefully you find some use here.

  1. Have a dress code. It doesn’t have to be anything fancy. If you get up and get dressed for the day, you are going to find that you feel more productive and more “yourself.” The temptation to sit on the couch in your jammies all day is strong, but it is a false idol.
  2. Have a routine. Apparently this is one of the first things they tell you in prison. I haven’t been to prison, but this lockdown has all of us learning a little about how to cope in confinement. I get up at the same time as I would if I was in the office. I work until “quittin time”, every weekday. Sure, I take a lunch break, sometimes talk a walk, but I keep regular office hours. Even when no one is looking.
  3. That goes for eating too. Eat three square meals, or whatever is “normal” for you. A lot of us started this thing with crazy stress eating. Understandable. But now that we are on month two of this thing, plan your meals. I’m not saying you need to diet. In fact, right now would be an extremely difficult time to start a diet. I’m just suggesting that second or third breakfast, and the dessert with lunch, is because you’re bored and stressed, not because you are hungry. Again, the reason to get into the routine is that you will feel better in short order.
  4. Get some exercise. Even if you aren’t the fit type, do something with your body. You will feel better. You don’t have to do anything crazy. Take walks. Lift something over your head. As I’m writing this, I’m in the middle of an online friendly contest to see who can do the most pushups in an 8 hour period. Even if you lose, you win. There are ton of good videos on youtube that you can get you going as well. I’m a big of Yoga with Adriene, especially if I’m feeling stressed.
  5. Find the silver lining. I designed a marketing plan on the March 21st SHIELD Act deadline in New York. But, by the time March 21st came, sure, I fresh off of some early victories in the launch of the firm, but with a brand new business, a family looking to me for financial support, the courts shutdown, and business grinding to a halt this new adventure was feeling pretty scary. I decided I could choose to look at this as a source of distress or as an opportunity. You can’t control this. All you can control is how you react. For me, the scary thing is that when you’re starting a new business, there is a lot to do, not a lot of resources to do it with and your competition can grind away and outperform you while you are just getting started. The mortgage comes due whether you make money or not. But, the opportunity here is that everyone else is kind of in the same position as me. In fact, I had an extra month to set up my home office and get into a routine. My home printer is just as good as everyone else’s. I have work to do (if this happened a month earlier, I’d probably be screwed.) Suddenly, the federal government is talking about supporting small business and help is available in a way that it wasn’t when I first launched. If anything, the system has changed to my advantage. Maybe those things don’t apply to you, but the point is to find the advantages here. Find the opportunities presenting themselves. If you are having a hard time finding the silver lining in your situation, check out this video. I go to it a lot when I’m feeling discouraged.
  6. Not every day is going to be a win. I’d be lying if I told you that I’m productive all day every day. I’m not. But the striving gets me a long way there. Could I do better? Probably. But, by staying focused on the goal, I’m getting where I need to be. Sometimes you gotta just take the “L” for the day and move on. New day, new grind. Go do it.
  7. Be compassionate. There is a lot of “together” time in a quarantined family of four. I was an only child. I like people a lot. I also like alone time. A lot. If I don’t get alone time, I get cranky. But guess what? My wife has requirements also. My kids do too. We all have little quirks. Don’t let things fester with your team. Have patience. Communicate. Be nice. Say “sorry” when you’ve been a jerk. I guarantee that in the last two months, at least once, we’ve all been jerks to someone.
  8. You have no excuses. This pandemic may be remembered as the golden age of memes. Here is one of my favorites:

The takeaway is that right now, you have no excuses not to make your dreams come true, or at least work towards them. Use this time to come out of this with a new skill, new hobby, or new experience. Think about all of things you told yourself you would do if you had time. Now go do them.

9. Productivity is good. I’m seeing a lot of articles out there talking about how expecting to be productive during this time is not reasonable. I think that is silly, and not especially helpful. First, I would note that those articles were all written by people who managed to get up out of bed and go write an article. More importantly, getting things done feels good. Sitting around and “waiting” is more likely to drive you nuts. Sure, this is a stressful time. Perhaps its not realistic to expect your productivity levels to remain the same as they were before all this. Like I said, don’t beat yourself up over it. But, finding meaning in what you do is the hallmark of a healthy life. Keep striving towards progress.

10. Your mileage may vary. Don’t compare yourself to others. The things I struggle with may come easy to you and visa-versa. Accept it, roll with it, and do your best.

The Big Day

This past Saturday, March 21st, was the day the New York SHIELD Act required all businesses with New Yorkers’ personal information to comply with new “reasonable safeguard” requirements, proportionate to the size and scope of the business.

My firm has been focused on this day for a while now. But the world feels, somehow, vastly different than it was just a month ago. Focus changes, priorities change.

In some ways, cybersecurity risks loom larger than ever. There are reports of cyberattacks on hospitals and U.S. agencies. There are warnings of a coming surge in fraud schemes and other malicious scams. On the other hand, all non-essential businesses are closed, including most of the legal profession and court system.

Here is what we know hasn’t changed. Bad actors have been attempting to take advantage of your personal data for a long time. That remains constant. With so many businesses working from home, or working on a system in which they are not yet fully comfortable, the opportunities for those bad actors to take advantage are clearer than ever.

Budgets change. Focus changes. Priorities change. But if you’ve got a business, you need to take steps NOW. Just like you don’t cancel your insurance policy when a storm is coming. I think we can all safely say, the cybersecurity storm is on its way.

My own view is that while compliance for the sake of avoiding state enforcement, is probably not your top priority for today, those “reasonable safeguards” required under the law are a MUST to avoid further business disruptions during and after the pandemic. Those interruptions could prove fatal to many businesses. So if you aren’t going to do it for THEM, do it for YOU.

Be safe out there.

#compliant #cybersecurity #insurance #computersecurity #infosec #cloudsecurity #atrisk #consumerprotection #confidential #informationtechnology #security #securityfirst #informationsecurity #cyberattack #cyberattacks #ransomware

Is Cybersecurity Insurance a Shield or a Sword?

Just some quick thoughts on cyber insurance. As insurers get more sophisticated in how they cover cyber incidents, businesses need to get more savvy as well. This isn’t a zero sum game. As a business owner, you NEED insurance. And as an insurer, the carrier wants to calculate the risk as accurately as possible. In the old days, cyber incidents might fall into traditional areas of coverage (e.g., business interruption). But, now we’ve got proactive security requirements coming out of the states. CCPA only applies to mid-size or larger businesses. However, here in New York, even if you are a small business you need to have SOME program in place (e.g., “reasonable safeguards” taking into account the size and scope of your business). Personally, I don’t think cybersecurity compliance has to be rocket science. But any way you slice it, doing nothing is not a smart option.

I think what you will find is that, going forward, doing nothing might also get your coverage pulled. At what point is non-compliance with SHIELD or CCPA going to be considered reckless, and therefore not insurable? I have a feeling we are going to start finding out the answer soon.

All your hospital are belong to us.

This morning, I ran across a 2014 article on, which goes on to explain that hospital medical devices and other related gadgets (what we would today call IoT or the “Internet of Things”), are shockingly easy to access via the wireless network, and vulnerable to abuse by would be hackers. For some reason, the article reminded me of an old meme from the early 2000s, hence the name of this post. I ended up down a bit of a rabbit hole, which I figured I’d share with you.

Back in 2014, they reported on a study that found “drug infusion pumps–for delivering morphine drips, chemotherapy and antibiotics–that can be remotely manipulated to change the dosage doled out to patients; Bluetooth-enabled defibrillators that can be manipulated to deliver random shocks to a patient’s heart or prevent a medically needed shock from occurring; X-rays that can be accessed by outsiders lurking on a hospital’s network; temperature settings on refrigerators storing blood and drugs that can be reset, causing spoilage; and digital medical records that can be altered to cause physicians to misdiagnose, prescribe the wrong drugs or administer unwarranted care….” as well as discovering “they could blue-screen devices and restart or reboot them to wipe out the configuration settings, allowing an attacker to take critical equipment down during emergencies or crash all of the testing equipment in a lab and reset the configuration to factory settings.”

I assumed that given the article was almost six years old, the security situation in hospitals would be markedly improved. My initial research has not borne that out exactly. By 2017, Wired was reporting that “Medical Devices are the Next Security Nightmare.” A little weird, if you ask me, since they identified the issue three years earlier, but I digress. Wired reported that while the FDA has begun providing guidance on cybersecurity concerns, they also noted that a significant percentage of medical devices were running on outdated operating systems or technology that is no longer supported with security patches, and has already gotten through FDA approval and into common useage. Instances of Windows XP (which was released in 2001, almost 20 years ago) were found running major hospital computers and connected to various devices (they cited an average of 10 to 15 connected devices per bed, with a large hospital having up to 5,000 beds). FDA certainly has stepped up its cybersecurity game since 2017, and they offer great cybersecurity resources for the medical community here.

Fast forward to 2019, Wired reported on a newly discovered vulnerability on devices that have been in use in hospitals for nearly 20 years. The problem, as put by one cybersecurity analyst, is that “once you identify what is vulnerable, how do you actually update these devices? Often the update mechanism is almost nonexistent or it’s such an analog process it’s almost like it’s with a screwdriver. It’s not something that can be done at scale. So I don’t know if it will ever be accomplished to update all of these machines.”

But its never enough to just identify the problem and put our hands in sky. HIPAA has long required notification for security breaches of personally identifiable health information. But newer data privacy laws like NY SHIELD, CCPA and GDPR take data security a step further by expanding the definition of protected private information. For instance, NY SHIELD considers a username and password combination to be protected private information that businesses are required to safeguard. For all of the efforts complying with HIPAA, healthcare organizations at risk of noncompliance (pronounced, “law enforcement”) in regards to state data privacy laws.

So, the good news is that the FDA is aware of the issue, and there appears to be somewhat less of a “wild west” attitude towards IoT medical device security. The bad news is that 2020 is predicted to be a banner year for ransomware and medical device cybersecurity concerns generally.