Category Archives: Risk Management

Anonymous Supports September 17 Efforts

On August 23, 2011, Anonymous released a video endorsing the September 17, 2011 planned “Day of Rage” occupation of Wall Street and other financial areas around the world.   Specifically, in its video, Anonymous urges protesters on September 17th to “flood into lower Manhattan, set up tents, kitchens, peaceful barricades and occupy Wall Street for a few months … Once there, we shall incessantly repeat one simple demand in a plurality of voices.”

This endorsement might seem fairly harmless.  On the other hand, those in the financial sector are urged to take this implicit threat pretty seriously.  According to a duo of FBI agents speaking today at a public briefing regarding Anonymous joining the September 17th efforts, financial institutions are advised to step up their network security during the next few days.  In fact, a recent FBI crackdown on Anonymous may be tied to S17.  Given there is deliberately no leadership core within Anonymous, all that can be hoped is that on the 17th its members choose to take a day off from clicking on a computer and instead take a relaxing train ride downtown.

Update:  September 19, 2011
As of Monday morning, the “Day of Rage” event showed no publicly reported increase in data security events.  It is estimated that several thousand attended the rally in New York City but there was not much in the way of media reporting given it was largely a peaceful event.

Update:  September 28, 2011
On September 23, 2011, the FBI’s Cyber Division issued the following informational bulletin to Infragard members:

For situational awareness, the following message was posted online by the hacking group Anonymous:

Anonymous announces a nationwide “Day Of Vengeance” to take place in dozens of cities across the USA on Saturday – September 24, 2011 at High Noon.  In coordination with these protests across the USA on September 24th, Anonymous and other cyber liberation groups will launch a series of cyber attacks against various targets including Wall Street, Corrupt Banking Institutions – and the NYC Police Department.  We encourage the media to follow the Twitter feed @PLF2012 for ongoing reports throughout the day.

Additional public source information has identified possible targets of these attacks, to include entities in New York (state and city), public and private entities associated with the recent execution of Troy Davis in the state of Georgia, and law enforcement in general.

No further information is available at this time in regard to the specific nature, means, or potential targets of Anonymous’ plans for September 24th; however, in the past, Anonymous has engaged in distributed denial of service (DDoS) attacks, utilized SQL injection to gain unauthorized access to computer systems, conducted social engineering to gather personal identifying information, and released both personal information (i.e. “doxing”) and the contents of compromised systems (e.g. e-mail message content, passwords, etc.).

InfraGard members are encouraged to engage in information security best practices, such as using strong passwords, not reusing passwords, updating software to protect against known vulnerabilities, and ensuring that web-based applications are not at risk of attacks such as SQL injection.

September 24, 2011 came and went without any publicly disclosed incident tied to this threat.  The hope is that the FBI’s future warnings are not ignored given the lack of traction of these recent Anonymous warnings.  Bottom line:  Safeguarding against SQL injection exploits is obviously sound advice with or without an Anonymous threat.

Update:  October 12, 2011
Although similar to the October 8-11, 1969 “Days of Rage” riots in Chicago that led to the arrest of several hundred Weatherman radicals, the current Wall Street “Days of Rage” protesters are not facing nearly as much opposition from the police or popular media.  Moreover, despite the Anonymous threat, there have been no reports of cyber incidents directly tied to this protest.  RIM, however, has faced several recent outages.  Although RIM has publicly stated that these Blackberry blackouts were caused by a “core switch failure”, given that there is still strong Blackberry usage in the financial sector, it will be interesting to hear in a few months’ time whether anything else contributed to these blackouts.

Update:  November 13, 2011
Much has happened since the first Day of Rage took place several months ago on Wall Street — including its morphing into a national “Occupy” movement in cities around the country.  It’s generally been tough going for these occupiers.  There have been deaths in the Occupy Oakland and Occupy Burlington protests as well as a death at the one in Salt Lake City; a tuberculosis outbreak hit Occupy Atlanta; and the starting point at Zuccotti Park near Wall Street has seen its share of viruses and STDs thin the ranks.  As for Anonymous, the general consensus is that the hype they generated yielded PR benefits to the organization even though to date they apparently have not been directly involved in any related cyber-security incident.

Ponemon Second Annual Cost of Cybercrime Study

A detailed study regarding the impact of cybercrime on corporations was recently released by the Ponemon Institute.  According to the Second Annual Cost of Cyber Crime Study, the median annualized cost of cybercrime incurred by a benchmark sampling of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization.  This was an increase of 56 percent from the median cost reported in the inaugural study.

According to this Ponemon deep dive of organizations that have sustained incidents of cybercrime, more than 90 percent of all cybercrime costs were caused by malicious code, stolen devices and web-based attacks.  During a four week period, the organizations surveyed by the Ponemon Institute experienced 72 successful attacks per week, an increase of nearly 45 percent from last year.  Interestingly, according to a recent study by Webroot Research, cybercrime on social networks also continues to increase — with the number of US-based users who have experienced attacks on social networks growing from 8% in 2009 to 13% in 2010 to 18% in 2011.

Smaller-sized organizations were found by Ponemon to incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).  This may be because smaller organizations cannot readily negotiate much off of vendor rack rates — another reason to evaluate network security and privacy insurance as well as to work with a law firm that has significant experience in dealing with breaches.

According to this Ponemon survey, the average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18 day period.  Interestingly, this represents a 67 percent increase from last year’s estimated average cost of $247,744, which took place over a 14 day period. Results of the study show that malicious insider attacks can take more than 45 days on average to contain.

On September 14, 2011, New York Metro InfraGard and Coalfire are co-sponsoring a New York City event that will feature Dr. Larry Ponemon speaking on the Ponemon Institute’s Cost of Cybercrime Study.  For details on this event, visit the Infragard site or registration site.

NJ Court Rules No Privacy Tort Exists for Location Tracking

In what may be a case of first impression, the New Jersey Appellate Division ruled, on July 7, 2011, that the tort of invasion of privacy does not necessarily exist whenever a plaintiff alleges surreptitious location tracking by a defendant.  Specifically, the court ruled:

We hold that the placement of a GPS device in plaintiff’s vehicle without his knowledge, but in the absence of evidence that he drove the vehicle into a private or secluded location that was out of public view and in which he had a legitimate expectation of privacy, does not constitute the tort of invasion of privacy.

Villanova v. Leonard, No. A-0654-10T2, slip op. at 3 (N.J. App. Div. July 7, 2011).

The facts of the case are likely not that uncommon.  A woman hired an investigator to track her husband (whom she suspected of infidelity) and the investigator suggested she place a GPS tracking device in the glove compartment of the car shared with her husband.  After related divorce proceedings were concluded, the husband sued the investigator in state court.  In a summary judgment motion, the husband’s privacy claim against the investigator was dismissed by the trial court.  In affirming, the court reasoned there was “no direct evidence in [the] record to establish that during the approximately forty days the GPS device was in the Denali glove compartment the device captured a movement of plaintiff into a secluded location that was not in public view, and, if so, that such information was passed along by Mrs. Villanova to defendants.”  Id. at 11.

The court certainly took pains to limit the impact of its decision by pointing out that if the car did travel to “secluded locations” there would be more of an issue with the conduct of defendants.  It is hard to envision, however, situations where a person traveling in a car would ever have much of an expectation of privacy sufficient to trigger an invasion of privacy claim.  See Id. at 16 (“‘A person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his [or her] movements from one place to another.’”) (quoting United States v. Knotts, 460 U.S. 276, 281 (1983)).

In seeking to avoid dismissal, the plaintiff conjectured that secluded places might include “a private parking garage, an impound yard, or a stretch of a lonely beach.”  Id. at 6.   In strongly worded dicta, the court left the door open to such an argument:  “Although these hypothetical circumstances might well exist, there is nothing in this record to suggest that any such incident ever occurred during the time the GPS device was in place.”  Id.

As well, the court pointed out several times that the GPS data was likely not provided to the defendants.  This factor obviously undercuts by some measure the impact of the decision.  For example, if the same general set of facts were presented in a new case but the data was actually sent to numerous third parties, would a future court have more leeway in allowing a privacy claim to proceed?   Did the court inadvertently create a test whereby some allegations regarding  “secluded excursions” coupled with evidence of third party release of the location data is enough to withstand a motion for summary judgment?

Although it remains to be seen how persuasive this decision will be outside of New Jersey, it is nevertheless helpful given how unsettled location tracking remains as an area of privacy and constitutional law.   Further guidance, however, may be right around the corner given a recent privacy class action based on location tracking and the fact that, on June 27, 2011, the United States Supreme Court agreed to hear United States v. Jones — actually directing the parties to brief and argue the following question:  “Whether the government violated respondent’s Fourth Amendment rights by installing the GPS tracking device on his vehicle without a valid warrant and without his consent.”

Betterley Report on Cyber Insurance is Now Available

The highly-anticipated annual Betterley Report on cyber insurance was released right before the 4th of July holiday weekend.  In the free summary of the issue, there is mention of the 29 insurers now providing some form of network security and privacy insurance.  Betterley projects the existing market to be in the $800 million range — which would make it probably the fastest growing insurance product in the current soft insurance market.

In the free summary there is also an article written regarding cloud exposures and how such exposures may impact coverage under a network security and privacy policy.  As recently reported in the Wall Street Journal, a World Economic Forum report found “that 90% of suppliers and users of cloud services consider privacy risks to be a ‘very serious’ impediment to widespread cloud adoption.”  Given this concern, having the right privacy insurance in place becomes that much more important.

Supreme Court Rules in Favor of Wal-Mart

In a widely anticipated decision, the United States Supreme Court today unanimously reversed a U.S. Court of Appeals for the Ninth Circuit ruling that allowed a class action to go forward against Wal-Mart.   And, in its majority ruling, the Court found that the action should be completely dismissed given that plaintiffs could not ultimately overcome Federal Rules of Civil Procedure requirements regarding class action certification.

In essence, the Court rejected the Court of Appeals’ reasoning that 1.5 million women could litigate their discrimination claims in a single action.  In rejecting the appeals court’s finding that individual backpay claims were allowable, the Court ultimately accepted Wal-Mart’s argument that the class action deprived it of its ability to defend itself.

The recurring theme of the Court’s decision can largely be distilled to the following:

Quite obviously, the mere claim by employees of the same company that they have suffered a Title VII injury, or even a disparate-impact Title VII injury, gives no cause to believe that all their claims can productively be litigated at once. Their claims must depend upon a common contention—for example, the assertion of discriminatory bias on the part of the same supervisor.  That common contention, moreover, must be of such a nature that it is capable of classwide resolution—which means that determination of its truth or falsity will resolve an issue that is central to the validity of each one of the claims in one stroke.

As detailed in a prior post, “[a]lthough named plaintiffs in the Wal-Mart case ‘waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment’, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a).  See Petitioners Brief at 35, dated January 20, 2011.”

In rejecting the notion that Fed. R. Civ. P. 23(a)(2)’s commonality requirement was satisfied, the Court went beyond the Court of Appeals decision to provide needed clarity on this important class action requirement.  Frankly, none of this is surprising given the Supreme Court’s cert wording.  See Dukes v. Wal-Mart Stores, Inc., 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition.  In addition to Question I, the parties are directed to brief and argue the following question:  ‘Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).’”).

In future class actions, defendants will also look to this decision to justify using sharper substantive arguments within class action certification motions.  Although courts have previously had the ability to rely on evidentiary hearings to resolve class action motions, the Court here seems to have turned the judicial discretionary dial to a much wider setting.  Specifically, in finding there was insufficient commonality to proceed with this case, the Court ruled:

Here respondents wish to sue about literally millions of employment decisions at once. Without some glue holding the alleged reasons for all those decisions together, it will be impossible to say that examination of all the class members’ claims for relief will produce a common answer to the crucial question why was I disfavored.

And, in reaching this decision, the Court wholly rejected one of plaintiffs’ substantive arguments:  “The second manner of bridging the gap [to a common defense] requires ‘significant proof’ that Wal-Mart ‘operated under a general policy of discrimination.’  That is entirely absent here.”  This particular form of class action substantive adjudication — which will likely be looked upon by courts as viable in future class certification motions – was part of the majority opinion rejected by four Justices.  See also In re Hydrogen Peroxide Antitrust Litig., 552 F.3d 305, 318 (3d Cir. 2008) (“A contested requirement is not forfeited in favor of the party seeking class certification merely because it is similar or even identical to one normally decided by a trier of fact.”).

The Court was also coy — sometimes offering the opposite of clear guidance.  For example, the Court recognized that the District Court “concluded that Daubert [v. Merrell Dow Pharmaceuticals, Inc., 509 U. S. 579 (1993)] did not apply to expert testimony at the certification stage of class-action proceedings. 222 F. R. D., at 191.”  Rather than adding clarity as to whether the Daubert standard for expert witness testimony actually did apply during the class action certification phase, the Court casually responds to the district court’s opinion concerning the applicability of Daubert:  “We doubt that is so, but even if properly considered, Bielby’s testimony does nothing to advance respondents’ case.”  It is interesting to read how the Court skirts the issue of whether one of its decisions would apply to a given procedural stage of a case.  How much weight such language has on future courts remains to be seen.

Finally, in a unanimous ruling that will certainly curtail the sort of tactical maneuverings done by plaintiffs’ counsel in this case, the Court offered the following clarity regarding how future courts should decide class actions involving declaratory or injunctive relief:

Rule 23(b)(2) applies only when a single injunction or declaratory judgment would provide relief to each member of the class. It does not authorize class certification when each individual class member would be entitled to a different injunction or declaratory judgment against the defendant. Similarly, it does not authorize class certification when each class member would be entitled to an individualized award of monetary damages….Contrary to the Ninth Circuit’s view, Wal-Mart is entitled to individualized determinations of each employee’s eligibility for backpay.

Although future courts may only choose to apply the Wal-Mart decision in a large employment discrimination context, there can be no denying the decision will be hailed as pro-business given it further assists large companies in avoiding class actions — whether employment based or not — brought by disparate plaintiffs with individualized claims.  As for plaintiffs’ counsel, he has vowed to take up the cause by filing potentially thousands of individual cases.  It will be interesting to see how long that hubris will last.

Round Four of The Personal Data Privacy and Security Act

On June 7, 2011, Senator Patrick Leahy introduced “The Personal Data Privacy and Security Act” — the fourth time he has introduced this particular piece of legislation.  According to the senator’s press release, the law would “establish a national standard for data breach notification, and require American businesses that collect and store consumers’ sensitive personal information to safeguard that information from cyber threats.”  This latest reincarnation of the law was likely prodded by the White House’s recent legislative call to action — a call to action that had listed first a national data breach notification law.

The 70 page bill proposes significant changes to existing laws – many of which make sense now that the theft of personal data has become a mainstay of organized crime.  For example, as recommended by the recent White House proposal, it amends the Computer Fraud and Abuse Act to add RICO-like language.  There are also significant obligations for data brokers as well as money penalties assessed to data brokers who violate these obligations.  Throughout the proposed law, including the section regarding data broker duties, state attorneys general are given broad powers to bring civil actions and can obtain significant money penalties for violations of the law.

Another section of the proposed law seeks to ensure that any business “engaging in interstate commerce that involves collecting, accessing, transmitting, using, storing, or disposing of sensitive personally identifiable information in electronic or digital form on 10,000 or more United States persons” must adhere to “standards for developing and implementing administrative, technical, and physical safeguards to protect the security of sensitive personally identifiable information.”  Unlike the Red Flags regulations promulgated by the FTC and subsequently clarified by Congress, these requirements would reach beyond creditors.  And, those businesses already subject to existing data safeguarding laws such as HIPAA and Gramm-Leach-Bliley would be exempt from these new requirements. Violations of this section would bring with them significant money penalties as well as possible enforcement by either the FTC or state attorneys general.  As with the other sections of the proposed law, there is no private right of action.

The final section of the proposed law provides for nationwide data breach notification, which generally requires that all subject breaches be reported without unreasonable delay.  Again, state attorneys general are given broad enforcement rights:

The Attorney General may bring a civil action in the appropriate United States district court against any business entity that engages in conduct constituting a violation of this subtitle and, upon proof of such conduct by a preponderance of the evidence, such business entity shall be subject to a civil penalty of not more than $1,000 per day per individual whose sensitive personally identifiable information was, or is reasonably believed to have been, accessed or acquired by an unauthorized person, up to a maximum of $1,000,000 per violation, unless such conduct is found to be willful or intentional.

Without the ability to bring a private right of action, these enforcement powers and penalties still only indirectly stir the class action pot. 

Of the many competing privacy and data security laws being offered up in Congress, it remains to be seen which is the front runner.  Given that both parties have endorsed a federal breach notification law that would serve to harmonize the 47 state breach notice laws and this one apparently seeks to combine the best of current state law, it seems at least the breach notification section of Leahy’s proposed law might have a chance of passing both houses.    As well, this proposed law is not likely to upset privacy advocates given the Department of Commerce is given no new powers.  Most importantly, given that it has much of what was outlined in the recent White House proposal, the entire proposed law would likely be signed into law by the President.  For good or for bad, with only 40 legislative days left before the election that wouldn’t be happening any time soon.

Defense Contractors May Be Impacted by RSA Breach

On the heels of the breach that potentially exposed RSA’s source code for its SecurID tokens – the same tokens used every day by thousands of employees to access their corporate VPNs – a defense contractor acknowledged on May 27, 2011 that its network may have been compromised as an indirect result of the RSA breach.  As reported by Reuters, Bloomberg, and the New York Times, the defense contractor “detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers.”

It is still not certain whether the two breaches are related, but it is interesting to note that this story was first broken by a blogger and not the broader media.  Given the fact this incident may involve military information, it is likely we will never fully learn what has happened.  When it comes to divulging secrets, misinformation is usually the stock in trade of the military.

What remains clear, however, is that advanced persistent threats continue to pose long term threats to corporate and governmental interests.   The good old days of naive hackers stumbling upon exposed databases and inadvertently helping to plug a previously unknown hole are no more.   We are now in the age where a state actor or sophisticated cyber criminal will gladly sit on vulnerabilities for as long as it takes.  Simply put, with enough patience, a determined and sophisticated thief will eventually get whatever information a buyer may want.

[Update:  June 10, 2011]
RSA conceded that the defense contractor breaches may be related to RSA’s March breach and has offered to replace corporate SecurID fobs.  There is some supposition that a large defense bid was the catalyst leading to both the RSA breach and subsequent defense contractor breaches.  We may never know who caused the various attacks or why.  What we do know, however, is that RSA has decided to appoint its first chief security officer.

Location-Based Tracking Data Creates a New Privacy Concern

On March 25, 2011, Fordham Law School conducted a timely symposium on the legal and privacy policy implications of location-based technologies, i.e., those technologies that collect and use data indicating a person’s specific physical location.  The lively panel discussions all had one underlying theme – location-based tracking may be pervasive but the relevant policies are still in their infancy.  Although the “privacy-worthiness” of geo-location data has recently been in the news given the California Supreme Court’s ruling that Zip Code information can be considered “personal identifiable information”, location-based tracking of persons may actually loom as an even more fertile proving ground for privacy litigation given the ubiquitous nature of the activity.

It is commonly known that most smart mobile devices built today have some sort of GPS tracking capability.  Despite numerous media accounts, it is unlikely, however, that many mobile phone users also realize that their phone carriers ping their location every seven seconds and actually store this data.  Although consumers may not be fully aware of the location-based tracking that is going on, there are a number of startups banking on this capability.  Free mobile apps such as “Color” provide folks with the opportunity to share images and videos with those persons located in their very near geographic location.  And, start-ups such as Foursquare and Bizzy offer a more commercially viable application that provides consumers with opt-in shopping recommendations based on their geographic location.

Just how big an issue this will become remains to be seen given we are at the early stages of location-based data collection and marketing.  What should be of concern is the fact that huge stores of data exist on pretty much every mobile phone user.  Although the EU has had rules in place since 2005 regarding location-based tracking, the FTC has only recently raised the privacy implications of the vast amounts of location-based data being collected.  See Protecting Consumer Privacy in an Era of Rapid Change, A Proposed Framework for Businesses and Policymakers (Preliminary FTC Staff Report, December 2010) at 23 – 25.

German privacy advocate Malte Spitz wanted to find out exactly how much tracking data T-Mobile Germany was storing about him, so he used German privacy laws to obtain the information.  What he got back from T-Mobile was six months of data including 35,831 points of location information.

According to a German newspaper that first wrote about the data trove maintained by Spitz’s phone company:

This profile reveals when Spitz walked down the street, when he took a train, when he was in an airplane. It shows where he was in the cities he visited. It shows when he worked and when he slept, when he could be reached by phone and when he was unavailable. It shows when he preferred to talk on his phone and when he preferred to send a text message. It shows which beer gardens he liked to visit in his free time. All in all, it reveals an entire life.

On March 29, 2011, U.S. Reps. Edward Markey (D-Mass) and Joe Barton (R-Texas), Co-Chairmen of the House Bi-Partisan Privacy Caucus, responded to the public disclosure of the Spitz data request, by sending letters to the CEOs of the four major U.S. wireless carriers – AT&T, Verizon, Sprint, and T-Mobile.  These letters request information regarding data collection, storage and disclosure practices.

After the four major U.S. wireless carriers respond to Congressmen Markey and Barton, we may be in a better position to understand how companies plan on using the location-based data that is being collected.  More importantly, we will get a better handle on how the FTC and other regulatory bodies may eventually chime in on this privacy debate.  In the interim, companies looking to harness the marketing potential of location-based tracking data should evaluate whether it makes sense to refrain from selling available data.

Latest APT Victim: RSA

In what has become an annual mecca for the data security industry, thousands visit San Francisco each February to attend “RSA” — a conference named after the network security company purchased by data storage firm EMC five years ago.  This mega-conference caters to the security cognoscenti — as well as those who only profess to be.

Well, a few days ago, RSA announced it was the latest high-profile victim of an APT exploit.  As recognized by RSA’s Executive Chairman, Art Coviello, “APT threats are becoming a significant challenge for all large corporations.”  These exploits are the same sort of attacks that the press were quick to blame on the Chinese last year.  In fact, the Wall Street Journal reported last year that these attacks impacted over 2,400 businesses.  How exactly can a company avoid an APT or “advanced persistent threat” when a firm like RSA also gets hit by such criminal activity?

By way of background, APTs are social engineering techniques — once upon a time simply known as confidence or con games — applied with a healthy dose of hacking and malware.  RSA’s attack is a bit more troublesome than most APTs given the possible repercussions to customers as per a recent alert:

We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

The reason that this breach is significant has to do with the fact RSA customers all over the world use RSA SecurID to protect outside access to sensitive data.  In order to access a computer protected by SecurID, users enter a traditional password as well as the number displayed on their RSA SecurID hardware token. The numeric value displayed on the token changes once every few minutes to provide added protection.
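The password-plus-token login described above, as an added example that is not RSA's own code: SecurID's token algorithm is proprietary, so this uses the open TOTP standard (RFC 6238) with an assumed one-minute step, and shows the server side checking the password, accepting a code only within a small clock-skew window, and refusing a code that has already been used. Seeds, user names and timestamps are constructed for the example.

```python
"""Two-factor login check: password plus a time-based one-time code.

Added example, not RSA's SecurID implementation. The token side of TOTP
(RFC 6238) is HMAC-SHA1 over a time-step counter, keyed with a seed
shared between token and server. Because that seed is the whole secret
behind the second factor, a leak of seed records weakens the factor for
every token derived from them; that is the kind of exposure the RSA alert
quoted above is describing.
"""
import hashlib
import hmac
import os
import struct

TIME_STEP = 60      # seconds per code (assumed one-minute cadence)
DIGITS = 6
ALLOWED_DRIFT = 1   # accept one step either side to tolerate clock skew


def totp_code(seed: bytes, unix_time: int, step: int = TIME_STEP,
              digits: int = DIGITS) -> str:
    """Return the code a token would display at unix_time (RFC 6238 / RFC 4226)."""
    counter = unix_time // step
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation (RFC 4226 5.3)
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code_int % (10 ** digits)).zfill(digits)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                drift: int = ALLOWED_DRIFT):
    """Return the time-step counter the candidate matches, or None if none in the window does."""
    counter = unix_time // TIME_STEP
    for delta in range(-drift, drift + 1):
        step_time = (counter + delta) * TIME_STEP
        if hmac.compare_digest(totp_code(seed, step_time), candidate):
            return counter + delta
    return None


class TwoFactorVerifier:
    """Server side of a password + token login.

    Stores, per user, a salted password hash, the token seed, and the last
    accepted time-step counter so a code cannot be reused within the drift window.
    The seed must be stored recoverably (the server needs it to recompute codes),
    which is exactly why seed storage deserves stronger protection than a password hash.
    """

    ITERATIONS = 100_000

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)
        self._users[user] = {"salt": salt, "pw": pw_hash, "seed": seed, "last_counter": -1}

    def login(self, user: str, password: str, code: str, unix_time: int) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], self.ITERATIONS)
        password_ok = hmac.compare_digest(pw_hash, rec["pw"])
        counter = verify_totp(rec["seed"], code, unix_time)
        # Evaluate both factors before deciding so a failure does not reveal which one was wrong.
        if not password_ok or counter is None:
            return False
        if counter <= rec["last_counter"]:
            return False        # same or older code presented again: replay within the window
        rec["last_counter"] = counter
        return True


if __name__ == "__main__":
    # Constructed walk-through: enroll a user, log in once, then try the same code again.
    verifier = TwoFactorVerifier()
    demo_seed = b"constructed-seed-0123456789"
    verifier.enroll("alice", "correct horse", demo_seed)
    now = 1_300_000_000
    shown = totp_code(demo_seed, now)
    print("first login:", verifier.login("alice", "correct horse", shown, now))
    print("replayed code:", verifier.login("alice", "correct horse", shown, now))
```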

Although the security community gave RSA high marks for its quick disclosure, there are obvious concerns — not the least of which is the mere fact that a firm such as RSA was able to be compromised in the first place.  A leading security consultant voiced a complaint that the lack of information emanating from the firm makes it hard for customers to know what exactly to do other than be really diligent regarding password usage.

Although exactly how RSA was compromised will likely never make it to the kitchen table, there are many vectors an attacker can exploit during a successful APT.  The key factor in a successful APT is the level of trusted connection breached — whether that is an executive’s friend on Facebook or a next-door neighbor’s email address.  Another important success factor is the willingness to be patient and wait for the right time to retrieve the sought-after information.  This is where there is a significant disconnect from the typical financial data hacker.  Such hackers may wait before using card data to commit a fraudulent purchase, but they will not likely wait to steal the compromised data.  That is why most APTs are blamed on governmental entities, which are notoriously patient when moving on a target.  Those committing APTs may come across very valuable data along the way but would never risk getting caught with such data until the final target is achieved.  In other words, the APT criminal may spend months lurking in a network before any information is even taken.  That is one of the reasons why detecting APT activity is so difficult.

For now, the way to address this very real corporate threat is not necessarily to change a firm’s security posture.  The threat derives more from employee policy lapses, e.g., use of social media at a workstation and use of infected thumb drives, than from brute-force hacking.  Accordingly, employee training and testing that is tied to discipline and compensation is a step in the right direction.

Thinking like an intelligence agency can’t hurt.  If a senior executive does not need to know all aspects of a project, there is no need to provide her with constant email reports.  In other words, the old adage “on a need-to-know basis” becomes more and more important as APTs become more and more familiar to corporations.

Finally, the basic tenets of risk management should play a role in the defense against APTs — if there is even such a thing as a viable defense.  Knowing the relative value of your assets and the cost to mitigate a loss, in advance of the loss, is the bread and butter of risk managers.  Applying such insight in the proper measure will remove some ego-driven security initiatives from the equation, to be replaced by focused efforts aimed at an organization’s most sensitive data.  Risk managers are routinely tasked with protecting the personal assets of the chairman of the board — by, among other things, a D&O insurance placement — as well as coordinating large-scale enterprise risk management initiatives.  Providing some guidance on this front should not be that much of a stretch.

New Amazon Class Action Based on Privacy Setting Circumvention

In a class action suit filed against Amazon.com, Inc. on March 2, 2011, plaintiffs argue that “Amazon circumvents the privacy filters of IE users by spoofing [Internet Explorer] into categorizing Amazon.com as more privacy protective than it actually is” and seek relief “under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the [Washington State] Consumer Protection Act, RCW § 19.86.010 et seq.; and common law [unjust enrichment, trespass to chattels, and fraud].”  Although this suit appears to be similar to the flash cookie suits filed against marketing firms such as Quantcast and their respective clients, the case has different implications.

By way of background, according to the Quantcast complaint filed last July, Quantcast used flash cookies to “respawn” previously deleted HTTP cookies in order to continue tracking web users.  The Quantcast suit was settled this past December using a cy pres fund, akin to what Google had done a few months prior.  It is worth pointing out that none of the settlement proceeds in a cy pres fund go directly to any victims.  Applying a class settlement strategy previously deployed only after plaintiffs were compensated, plaintiffs’ counsel now use cy pres funds — which usually go to non-profit organizations — even when plaintiffs receive zero actual compensation.  This stands out as a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to file and resolve class actions even when actual damages are not readily apparent.

At some point, the Amazon.com suit may also end up resolving itself via the cy pres route given the potential lack of actual damages.  Plaintiffs in the Amazon.com case claim that Amazon.com found a way to trick browsers into believing the site was more privacy conscious than it was.  Given that Internet Explorer automates for the user the process of reading a website’s privacy policy, such shenanigans can obviously lead a visitor to a site he or she might not otherwise visit.  Not exactly a powder keg of potential damages.  Plaintiffs up the ante by claiming that, in contravention of its privacy policy, Amazon.com was rewarded for its trickery by gaining access to visitors’ personally identifiable information (PII) and providing it to third parties.  Specifically, the Complaint states:  “Amazon claims in its privacy notice that it does not share users’ information with third parties for advertising purposes and that, instead, it delivers third parties’ advertisements on their behalf.  In fact, Amazon shares users’ PII with third parties for those third parties’ independent use and does not disclose this fact to consumers.”  Complaint at paragraphs 64 – 65.  Despite several readings of the Complaint, it remains far from certain what quantum of damages was actually sustained by plaintiffs.
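Internet Explorer’s automated privacy filter works from the P3P compact policy a site sends in its HTTP P3P header; the post itself does not name the mechanism, so that is background supplied here.  What follows is an added example, not code from the post or from any party to the suit: a strict Python checker that a privacy reviewer could run against a site’s own P3P header.  It validates every token against the W3C P3P 1.0 compact policy vocabulary, reports tokens that are not in it, and, for a valid policy, reports whether data is declared as going to recipients outside the site.  The header values in SAMPLE_HEADERS are constructed, not taken from any real site.  The lesson it encodes is the one the complaint turns on: an evaluator that silently skips tokens it does not recognise can reach a verdict more favourable than the site’s actual practices warrant, whereas a strict parser treats an unrecognised token as grounds to reject the policy outright.

```python
import re
from dataclasses import dataclass, field

# W3C P3P 1.0 compact policy vocabulary, grouped by the policy field each token encodes.
P3P_VOCAB = {
    "access":    {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"},
    "disputes":  {"DSP"},
    "remedies":  {"COR", "MON", "LAW"},
    "non_ident": {"NID"},
    "purpose":   {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
                  "IVA", "IVD", "CON", "HIS", "TEL", "OTP"},
    "recipient": {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"},
    "retention": {"NOR", "STP", "LEG", "BUS", "IND"},
    "category":  {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT",
                  "DEM", "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"},
    "test":      {"TST"},
}
# Purposes other than CUR and recipients other than OUR may carry a one-letter
# consent qualifier: a = always, i = opt-in, o = opt-out.
QUALIFIABLE = (P3P_VOCAB["purpose"] - {"CUR"}) | (P3P_VOCAB["recipient"] - {"OUR"})
# Recipients that are neither the site itself nor agents bound to its practices.
OUTSIDE_RECIPIENTS = {"UNR", "PUB", "OTR"}

# Constructed sample P3P header values for the audit; none comes from a real site.
SAMPLE_HEADERS = {
    "first-party-only": 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CUR ADMa DEVa TAIa OUR IND PHY ONL UNI FIN NAV INT DEM STA"',
    "shares-by-default": 'CP="NOI DSP COR NID CUR ADMa OUR UNRo NAV INT DEM"',
    "shares-opt-in-only": 'CP="NOI DSP OUR UNRi NAV"',
    "nonsense-tokens": 'CP="THIS IS NOT P3P"',
    "policyref-without-cp": 'policyref="/w3c/p3p.xml"',
}


@dataclass
class CompactPolicyReport:
    status: str                                   # "missing", "invalid" or "valid"
    unknown: list = field(default_factory=list)   # tokens outside the vocabulary
    tokens: dict = field(default_factory=dict)    # field -> {base token: qualifier}
    shares_outside_site: bool = False


def extract_cp(header_value):
    """Return the CP="..." string from a P3P header value, or None if there is none."""
    if header_value is None:
        return None
    match = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    return match.group(1) if match else None


def evaluate_p3p(header_value):
    """Strictly parse a compact policy: any token outside the vocabulary invalidates it."""
    cp = extract_cp(header_value)
    if cp is None:
        return CompactPolicyReport(status="missing")
    report = CompactPolicyReport(status="valid")
    for raw in cp.split():
        tok = raw.upper()  # compact policy tokens are case-insensitive
        base, qual = tok, ""
        if len(tok) == 4 and tok[3] in "AIO" and tok[:3] in QUALIFIABLE:
            base, qual = tok[:3], tok[3].lower()
        group = next((g for g, toks in P3P_VOCAB.items() if base in toks), None)
        if group is None:
            report.unknown.append(tok)
            continue
        report.tokens.setdefault(group, {})[base] = qual
    if report.unknown:
        report.status = "invalid"  # a lenient evaluator would skip these; this one does not
        return report
    recipients = report.tokens.get("recipient", {})
    # Declared sharing beyond the site counts unless it is opt-in only (qualifier i).
    report.shares_outside_site = any(
        qual != "i" for base, qual in recipients.items() if base in OUTSIDE_RECIPIENTS
    )
    return report


def audit(headers):
    """Map each header label to a one-line verdict a reviewer can read at a glance."""
    verdicts = {}
    for label, value in headers.items():
        rep = evaluate_p3p(value)
        if rep.status == "missing":
            verdicts[label] = "no compact policy"
        elif rep.status == "invalid":
            verdicts[label] = "invalid compact policy, unknown tokens: " + " ".join(rep.unknown)
        elif rep.shares_outside_site:
            verdicts[label] = "declares sharing outside the site"
        else:
            verdicts[label] = "no sharing outside the site declared"
    return verdicts


if __name__ == "__main__":
    for label, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{label:22} {verdict}")
```

The checker only reads what a site declares; it cannot tell whether the declaration matches practice, which is precisely the gap the plaintiffs allege.  Its value to a site operator is the reverse direction: confirming before deployment that the header is a well-formed policy that says what the written privacy notice says.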

This suit should nevertheless be monitored in light of the new FTC online privacy framework set forth in December (“The FTC’s harm-based approach also has limitations. In general, it focuses on a narrow set of privacy-related harms – those that cause physical or economic injury or unwarranted intrusion into consumers’ daily lives.  But, for some consumers, the actual range of privacy related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there.’”), as well as the bills currently being discussed that may very well use the FTC’s new perspective as a legislative springboard.  According to recent public statements from Representative Cliff Stearns, a senior member of the House Energy and Commerce Committee, he will soon propose online privacy legislation that will focus “on allowing Web users to know what personal information Internet companies are collecting about them and to control how it’s used.”