2013 Willis Fortune 500 Cyber Disclosure Study: Complying with the SEC’s 2011 Disclosure Guidance

In 2011, the SEC issued guidance describing how companies should disclose their cyber risk and breach information to shareholders and the public.  Many Fortune 500 companies (about 80%) have been proactive in their approach to comply and be transparent.

The 2013 Willis Report takes a close look at Fortune 500 companies and how they are attempting to comply with the 2011 SEC guidance.  Many people think the SEC guidance is a precursor for a rule or regulation in this space.  They are probably right.  At some point in the near future mandatory disclosure will be the rule.  The question will be how much (and what) will need to be disclosed and to what detail.  Obviously, that will be the messy and risky part for companies who will have to attempt to strike a balance between being as transparent as possible while simultaneously protecting themselves, their customers, and their shareholders to the greatest extent possible.

Here is a link to the report and the SEC Guidance for your review.


Why should I care about Prism when I don’t have anything to hide?

by Pedro Pavon.

“If you don’t have anything to hide, then you don’t have anything to worry about” is a troubling approach to thinking about the issues raised in the PRISM program for a million reasons but one in particular stands out to me as most important.

When you are being watched, you behave differently.  This goes for parents, teachers, police, friends, strangers, relatives, spouses, and children.  When I know or suspect that any of these people are watching me, I change my behavior (whether voluntary or involuntary is irrelevant).  I don’t curse in front of children, I lower my voice when my parents are around, I keep my hands in clear view when a police officer stops me for a traffic violation and only answer in “yes” or “no”, and when my boss is watching–let’s not even get into it.

The point is that monitoring changes behavior, and it almost always does so in a restrictive way.  It never expands the universe of outcomes; it always shrinks it.  So in the case of online activity, the ubiquitous monitoring being suggested with the PRISM program will have the same effect, but on a massive scale.  Maybe I spend less time online because I think all my activity is being logged by the government.  Maybe I don’t search on Google for certain things that I think might be interpreted out of context by law enforcement against my favor but which are in fact innocuous. Maybe, if I am a government contractor, I don’t keep a “private” online journal anymore where I am thinking through doubts about this or that related to my job, out of fear of it being construed as a security threat or disloyalty.

I can give you a million examples but here’s the bottom line: surveillance for the sake of surveillance is usually bad and it can restrict all behavior not just the dangerous kind.  The government should be allowed a peephole into my affairs, as needed, and only for a limited time after identifying me as a potential valuable subject or suspect.  Widespread indiscriminate surveillance should probably not be used to identify suspects either.  In fact, in ordinary policing, it rarely is.  Most police surveillance is the result of a lead and not the source of it.

When a government program has the potential to have widespread impact on the behavior of all of its citizens, it should receive the highest scrutiny.  This goes for tax policy that tries to change behavior (e.g., tax incentives for buying hybrids) as well as surveillance programs that may restrict speech and privacy.  There is nothing bad about debating and analyzing the reach and scope of intelligence programs to determine whether the harm they cause is greater than the value they add.  We should have these discussions frequently and in the open so we can make better decisions.

And finally, as a bit of an aside: if you think terrorists weren’t already aware that all their communications online were potentially being intercepted you are delusional.  OBL was bunkered in a house in Pakistan for years with no Internet or phone for a reason.  Only stupid terrorists and unsophisticated ones are going to turn to Google and search for “bomb.”  We will probably catch those guys anyway as they go to Home Depot and shoplift a box of nails or something.

What is PRISM and where do we draw the line? – Surveillance and Questions of Freedom

by Pedro Pavon.

Like everyone else in the Universe, I’ve been watching closely as the PRISM story unfolds and information and misinformation is shared all over the place.  When the story was leaked on Thursday, I have to admit my first reaction was alarm and shock.  Then, as more information was revealed, and theories about how the program possibly works started circulating around the Internet and on television, my initial “shock” was replaced with equal parts confusion and consternation.

First, let me say that I am not completely clear on what PRISM is.  There are a million theories out there and a million I-told-you-so’s to match, but still there is no conclusive indication of what the PRISM program (if it is a program) really is and how it works.  POTUS defended PRISM a day after its existence was leaked and simultaneously warned that if the public sees the project as going too far, we would have to accept the risks of potentially unbridled terrorist communications. Essentially, he emphasized that PRISM protects us from terrorism and if we get rid of it, we are in increased danger.

Of course, POTUS failed to provide any evidence of PRISM increasing our safety, and we have yet to see any data from him or another government official that verifies this claim. I know that type of information is “classified,” but that’s part of the problem here, isn’t it?  With a program as controversial as this, you have to give the public something other than “we need this” in order to convince us that giving up the liberties that PRISM takes away is worth it.  I have my doubts about PRISM’s value and success in catching bad guys, as opposed to the old-fashioned way, but for now, let’s move on.

So, what is PRISM?  Who knows.  If you listen to Edward Snowden, the PRISM whistleblower who is now in Hong Kong, he characterizes the NSA’s ability to access every conversation as “an irrevocable net” capable of monitoring and saving every single digital conversation in real time.  Without really knowing what it is and how it works, some people are writing PRISM off as no big deal or are saying things like, “now we know what we suspected all along,” which is almost always followed with “if you’ve got nothing to hide, then…” Let me pose some questions to illustrate why that second line of thinking is particularly dangerous and misplaced.  If you thought your mother was listening or reading every one of your emails, would you change something you said or wrote?  If you thought your spouse was reading all of your emails or Google searches, would you change some of the things you said or searched for?  What if your boss could read every single text message or email you drafted (note I said drafted, not sent)?

Surveillance changes behavior. Teenagers behave differently in front of their parents; employees behave differently when the boss is around and if you see a police officer at the corner of an intersection, you brake a little more carefully and look both ways just to let him know you are a good safe driver. We act differently when under the microscope.  We don’t act like ourselves. We become projections seeking approval and avoiding confrontation or conflict. We are not ourselves when we know we are being watched, we act like whom we think the watcher wants to see and will approve of.  If you don’t immediately recognize the loss of freedom that comes along with that, quit reading this.

Now you might say that all this surveillance is good, overall; that the net gain is better than the net loss; that surveillance gets people to act and behave in more acceptable ways and society is left the better for it.  That may be true in the case of the police officer at the intersection, but I’d bet my supper that if the police officer were standing in your bedroom watching you, you wouldn’t be so nonchalant about it.

So the appropriate question is not whether surveillance is good or bad.  There are many ways in which it is very good and many ways it is very bad.  The proper question is how much surveillance is too much and just how much of our private lives should we be openly disclosing to the government and the corporate world.  That, my friends, is a legal inquiry, which will have to be hashed out, one way or the other.

The first step to any honest review of the legal and ethical standing of a program like PRISM, is to determine whether it is legal in the first place.  I think the answer to this will turn on whether the Supreme Court is willing to evaluate the constitutionality of the surveillance piece of the USA Patriot Act without allowing its analysis to be infected with terrorist hysteria or political sensationalism.  If they do so, the USA Patriot Act is probably in trouble.  The second step will be for the public to voice its concern or approval of such surveillance programs.  If the public outcry is on a large enough scale, politicians will respond accordingly—they always do.  This leads me to the final step: political action.  There are elected officials at every level of government from both parties who are concerned about widespread and pervasive government and corporate surveillance—whether they say it publicly or not.  In fact, in many ways, political careers rely on privacy to succeed and politicians know it.  Can you imagine how many political campaigns would be derailed by revealing just one email from, let’s say, a candidate to his doctor or between a candidate and his lawyer? Let’s also look at the IRS scandal.  If the IRS had the capability of accessing the information PRISM allegedly collects from the organizations it was improperly singling out for scrutiny, the possible abuses become too many to count.  And it goes on and on.  The stakes for politicians are in some ways greater than those for normal citizens but the stakes are high all around.

I, for one, am in a wait-and-see kind of mode.  I want to see how the narrative about this type of government activity develops.  I want to see how it affects the corporate world and business.  Two of the biggest companies implicated by the leak, Google and Microsoft, have outright denied any participation in such a program.  Soon the dust will settle and the real debate will begin and it will be time for us as a country to once and for all decide whether we want to protect a world that’s worth living in by limiting some of the protections we use or if we want to be goldfish and trade in the adventures and excitement of the wild for the safety and security of a fishbowl.

Google Glass Scrutinized by Congress for Privacy Concerns

Larry Page, Google’s CEO, received a letter from Congress expressing concerns about Google Glass and how it affects individual privacy.  In the words of the eight members of Congress who signed the letter, they are “curious whether this new technology [Google Glass] could infringe on the privacy of the average citizen.”  The letter contains eight questions for Google and Mr. Page, and the members of Congress want a response by June 14th.

One of the questions asks Mr. Page to explain how Google plans to prevent Google Glass from unintentionally collecting data about users without their consent.  Another asks about facial recognition and the ability of the device to collect and share data about non-users without consent.

Google Glass seems like an interesting innovation but I am not convinced it will be the paradigm-shifting technology that Google hopes it is.  I cannot help but think of the Segway every time I see a photo online of someone wearing a pair (or is it called a set?) of Google Glass[es].  Maybe that’s just me.

Nonetheless, privacy and security will be critical concerns for the device and will no doubt play a role in its success and widespread adoption.  For example, if a Google Glass user, due to privacy concerns, is required to ask permission before enabling the device in private or semi-private environments (think your office or a movie theater), then people may find that the hassle of using (or wearing) Google Glass outweighs the benefits.  Additionally, if people perceive the device as “creepy”—a guy walks into a public restroom with Google Glass on his head, that’s creepy—or off-putting—you are talking to someone face-to-face but they aren’t really looking at you and you can’t tell if they are recording the conversation—I suspect Google Glass will be widely rejected.

Regardless of the future success or failure of Google Glass one thing is for sure: this letter from Congress is concrete evidence that Google will have to walk a fine line with Google Glass.  It will be interesting to see how Google responds to the Congressional inquiry.  I’ll keep you posted.

Ninth Circuit Provides Clarity and Eases Compliance for Telecom Service Providers

On April 16, the Ninth Circuit Court of Appeals, in FayeLynn Sams v. Yahoo Inc., ruled that a service provider that turns over user information in the good-faith belief that a law enforcement request or subpoena is legal is protected from liability. The Ninth Circuit further explained that as long as a subpoena appears valid on its face, a service provider is not legally liable under the Stored Communications Act for complying with it.

Section 2707(e) of the Stored Communications Act (SCA) states that service providers are immune from claims of illegal disclosure of user records as long as they release the data in good faith and in reliance on a subpoena or other valid legal process. In this case, the Ninth Circuit has interpreted that language to mean that, as long as companies like Yahoo review each request in good faith, and the terms within the request appear legally sufficient, they will not be held liable for inadvertent impermissible disclosures.

This decision establishes a straightforward framework for service providers to use when deciding whether to turn over user data to law enforcement. However, other sections of the SCA provide less clarity, and sole reliance on the Ninth Circuit’s decision in this case may lead to some exposure for service providers if they aren’t careful.

CISPA is Back

The House Intelligence Committee will mark up the Cyber Intelligence Sharing and Protection Act (CISPA) this week.  Last year, CISPA met strong opposition from privacy advocates and the public due to privacy concerns.  The bill is intended to give companies the ability to receive and share threat intelligence with the government in order to defend against cyber attacks in real time.

Leaders are expected to propose changes aimed at addressing privacy concerns, to avoid repeating last year’s veto threat from the White House, which came one day before the bill was to go to the House floor for a vote.  The White House said that its rapid response to the bill was due to the fact that it lacked sufficient privacy measures to prevent companies from sharing private customer information with the government and law enforcement.

CISPA is one of many bills expected to emerge in the House in the next sixty days or so as part of a package of cyber security-related measures currently making their way through both houses of Congress.

Privacy groups are already mobilizing to oppose the bill in whatever form.  They have been raising public awareness of the consequences of allowing private companies to share people’s electronic communications with the federal government.  In response to these concerns, Rep. Adam Schiff (D-Calif.) plans to introduce an amendment that would remove any personally identifiable information prior to any information sharing with the government or other companies.

CISPA has been highly controversial and demonstrates how difficult it will be to pass comprehensive national cyber security laws.  However, the imperative and well-documented need to have a centrally organized cyber security defense strategy will likely result in some form of legislation passing very soon.

Bill Introduced in the House on Warrantless GPS Tracking


A bipartisan group of legislators in the House of Representatives introduced a new bill, called the Geolocation Privacy and Surveillance Act, which would force law enforcement to obtain a warrant to track suspects with GPS devices.

The bill was introduced on March 21st, 2013 and is sponsored by House Judiciary Committee ranking member Representative John Conyers (D-Mich.) and Reps. Jason Chaffetz (R-Utah) and Jim Sensenbrenner (R-Wisconsin).  The bill provides a “legal framework” with guidelines on when and how GPS devices may be accessed and used by law enforcement.

The bill was introduced one day after the Obama administration argued before a federal appeals court that authorities should not be required to obtain a warrant to attach GPS devices to cars.  The debate over warrantless GPS tracking has been underway for years.  Last year, the US Supreme Court ruled in a unanimous decision that the Fourth Amendment protection of “persons, houses, papers, and effects, against unreasonable searches and seizures” would be violated if law enforcement agencies were allowed to attach a GPS device to a suspect’s vehicle without obtaining a warrant.  However, the Supreme Court’s decision left the door open for law enforcement to use other devices such as smartphones and systems like OnStar for location-tracking without a warrant.  The Geolocation Privacy and Surveillance Act is intended to close these loopholes.

I will be interested to see how bills like this continue to pop up to try to address the increased power and capability of law enforcement to monitor our activities by leveraging technology.  I am specifically curious as to how the companies that manage and operate GPS systems will respond to requests by law enforcement to turn over data.  I know that some companies already have a “no warrant, no data” policy.  However, many times these same companies do not alert consumers that law enforcement has requested their records.

Privacy protection and law enforcement have been at odds when it comes to fighting crime since before there was GPS or any of the modern gadgets that can be used to track your activities today.  A comprehensive legislative approach to protecting consumer privacy alongside industry transparency and consumer education is the best way forward.  As with anything related to technology and privacy there are no easy answers.

Legal Considerations for Companies Migrating to the Cloud

Demand for cloud services among US companies is increasing as they look to reduce costs and increase efficiency.  Those same companies are asking law firms and legal departments to review cloud service contracts submitted by service providers.  A migration to the cloud, or a switch between service providers, should only occur after close review of both the technology involved and the terms of the service contract.  At a minimum, companies should examine and consider the following concerns before entering into any cloud services contract.

1. Know Your Regulatory Requirements

Companies should be mindful of the industry-specific rules and regulations that govern their respective industries.   For example, health care companies must comply with HIPAA and financial services firms must comply with FINRA rules. In addition to federal rules, virtually all states have laws governing data systems, breach notifications, and data migration.

2. Length of Term, Modification

Companies should carefully consider the length of the term of all cloud services contracts.  Technologies evolve very rapidly and being locked into a lengthy contract may put your company at a competitive disadvantage by making it unable to keep up with emerging technologies and client demands.  Periodic benchmarking and allowing for modifications should be included in cloud services contracts with all providers.

3. Security and Privacy

Few things will damage a company or its brand quicker than a data breach that compromises customer data. In addition to reputational damage, financial losses due to a data breach can be crippling. Companies should thoroughly understand how cloud service providers will use data, and should further ensure that all such providers have rigorous data security practices and procedures. Typically, the cloud service provider should indemnify the customer for losses suffered as a result of a data breach caused by the vendor’s negligence, mistake, or carelessness. Further, the cloud services provider should be required to notify the customer about any hacking attempts regardless of whether any such attempt is successful.

4.  Compliance

Generally, cloud service providers should be contractually obligated to comply with all requirements imposed on their clients by regulators, industry best practices, and courts. Vendors should also typically indemnify customers for any failure to meet those obligations.

5. Termination

Finally, cloud services contracts should include a comprehensive termination clause. Most important, the clause should clearly state that, regardless for the reasons of termination (including customer breach), the cloud services provider must promptly return all of the client’s data in a pre-arranged format. A cloud services provider should never be allowed to withhold its customer’s data for any reason. Additionally, cloud service providers should be required to provide transition services to migrate data to a new vendor upon termination.

These are just a few of the issues companies should consider when entering into cloud services contracts.  Companies should weigh these and other factors such as cost, complexity, and business needs before securing the services of a cloud services provider. All companies should work with experienced technology consultants and legal counsel to ensure that the products and services, as well as the terms of their use, are properly vetted.

Automotive Telematics: Balancing the Benefits and Potential Risks

Automotive telematics is the technology of sending, receiving, and storing information related to remote vehicles via telecommunications devices. It allows third parties to monitor a wide range of information regarding the status of a vehicle or vehicle fleet, including location and movements. GPS navigation, wireless safety communications, and automatic driving assistance systems are all covered under the automotive telematics umbrella. In each instance, data is collected from the vehicle, and sent over a network to provide a benefit to the driver.

Increasingly, auto insurers are exploring the use of telematics to capture and analyze data about their customers’ driving habits. Insurers can then use this information to write usage-based or “pay-as-you-drive” policies that consider a driver’s mileage and/or adherence to safer driving practices when setting premiums.

Despite potential benefits to insurers and their customers, the use of telematics has raised concerns related to privacy, security management, and possible claims of discrimination. This paper briefly explores each of these issues.

Privacy

Privacy concerns inevitably arise when a third party collects and stores large amounts of consumer data. After all, the use of telematics enables insurers to monitor some aspects of their customers’ personal lives. For example, an insurer, through telematics technology, can determine where customers go, how long they stay there, and whether they exceed the speed limit en route. The implications of being tracked may include the release of certain information to authorities in situations involving a legal action or court order, such as an accident.

On the other hand, many customers may determine these concerns are offset by the potential benefits of lower rates.  In fact, when given the choice to pay a standard auto insurance premium or a personalized premium based on individual driving habits, most consumers polled say they would rather pay the latter.

The most significant consideration presented by the use of telematics tracking systems concerns the degree to which government oversight, which is inevitable, will be exercised. The collection and reporting of information such as mileage is likely to be broadly permitted. In some states it is already affirmatively allowed. But the handling of data regarding location, braking and acceleration patterns, and more, is likely to invite close scrutiny by regulators[1] and raise consumer suspicion.

The FTC report, “Protecting Consumer Privacy in an Era of Rapid Change,”[2] cautioned that a company’s consumer privacy best practices should incorporate either an industry-created, “easy to use and effective” Do Not Track option, or Do Not Track legislation from Congress. It is difficult to tell how these measures will impact the use of telematics, but clearly the telematics and insurance industries must monitor this topic closely to ensure appropriate exceptions are carved out to protect telematics based business models.

Information Security and Privacy

The use of telematics also raises issues related to the management and security of customer data. Collecting and storing increasingly large amounts of customer data presents significant business risks. Some telematics systems transmit data from vehicles once per second while the vehicle is turned on. Companies that collect such vast amounts of consumer data must take special care to mitigate both the technological and business risks associated with deploying a telematics program.  Any data breach would almost certainly bring unwanted attention by regulators, shareholders, and the media.

A data breach containing customer data would also raise a variety of privacy issues and concerns by both consumers and regulators. Therefore, before any data is collected, it is important to present consumers with all the information they need to decide whether they want to opt in, or out, of a telematics insurance program. This information includes what data is being collected, how and where it is stored, how it is analyzed, who it is shared with, how long it is kept, and how it is disposed of or destroyed.


[1] Regulators in this space are the FTC and potentially other federal agencies, state and federal insurance regulators, state legislators, and ultimately the US Congress.

[2] http://www.ftc.gov/os/2012/03/120326privacyreport.pdf

President Obama to Meet with CEOs to Discuss Cyber Security

President Obama will be meeting with top US CEOs on Wednesday to discuss cyber security. The meeting will take place in the Situation Room, which is an obvious symbol of how seriously the president is taking this issue.

The president is interested in exploring new and innovative ways for the private sector to collaborate with the feds and regulators to shore up our computer systems against hackers and international threats such as China’s government-sponsored cyber warfare unit. This meeting is another sign that cyber security is high on the president’s agenda.

However, this type of government attention may mean trouble for individual liberty and privacy. Too much collaboration between government and the private sector can only mean that more of our personal and private information will at least move through the hands of the government.

Everyone should be watching this as it develops to ensure that there is no overreaching in the name of security. The fact is that no matter how much information and resources are shared, the threats will still be out there and they will evolve and change just enough to always stay one step ahead. The real key to better-addressing national cyber security concerns is to develop more secure technologies and methods not just to share thoughts and data.