12.31.2017

Cyber and Risk Disclosure on The Last Day Of The Year

Season's greetings, dear readers. On the last day of 2017, please enjoy some thoughts on cyber and risk.

As cyber, risk and information security form such a varied and diverse landscape of experience, it is important to listen, so as to encourage a candid exchange of ideas.

That being said, one observation, which I have encountered at least twice, is not, I feel, evidenced by existing data: "Cyber risk disclosures always take place in hindsight".

First, let's see if we can agree that risk, as a general concept, is exposure to vulnerability, harm or loss. There is a moment, then, when exposure to a vulnerability goes from being a possibility to an actuality. Thus, when disclosing an event that has become an actuality ("yes, we have been exposed to this risk"), hindsight is indeed involved. When disclosing an event of which there is only a possibility of exposure to a risk, is that hindsight? Does it depend on how possible? This could be a relevant distinction with regard to the issue of how to approach materiality, i.e. the several-hundred-million-dollar question: Was the risk material?

Second, let's talk about foreseeability, a favorite concept of tort professors (and tortfeasors) everywhere. Let's use a simple definition: "the idea that a reasonable person could reasonably anticipate the result or the results, as predictable."

Alas, now that foreseeability has entered our last-day-of-the-year conversation, it's time to mention something else heard a few times: "We as attorneys went to school to practice law, and not to become experts on cybersecurity." My response to this is that yes, that is true; most of us intended to study law, and were not necessarily focused on any other particular area outside of law, BUT, the market will address this position, and by that I mean, of course, the clients will look for and find attorneys with a more expansive view. 

So now let's put risk and foreseeability together:
Surfing the internet involves risk; when software runs, there is a risk it will be, or already has been, exploited. Thus, every moment online involves risk. Every IoT device involves risk. Flash involves a GREAT DEAL of risk. When engaged in or using the previously mentioned activities or products, it is foreseeable that some types of harm will occur, and there is an entire ecosystem of services and products in existence to address some of these risks.

There are some attorneys who have indicated that the risk involved in the packaging on your clients' product being punctured is commensurate with cyber risk, which one can take to mean some attorneys believe cyber risk only involves the risk of the client's end product or service being contaminated. But cyber is more than a supply chain issue.  It is a pervasive and persistent hazard that will not be adequately addressed if it is conceived as a supply chain issue only.

Now is a good time to go back to the statement: "Cyber risk disclosures always take place in hindsight". If you consider that what we are discussing here is more than a supply chain risk, that it is an issue involving a pervasive and persistent hazard, it may help some law practitioners move beyond that statement; and we need to move beyond that idea, or there will be more blackouts, more out-of-order hospitals, and losses generally.

But it doesn't have to be that way... okay, back to listening. 

See you next year.

MCC

11.29.2017

Closing Out The Year

Hello readers. I wanted to take a moment to address the issue of "Closing out the Year." I don't mean this in the business sense, I mean this in the personal sense.
In order to give some context about my frame of mind as I draft this, please allow me to share that I am lounging, in fuzzy pajamas, sipping coffee, and that is pretty much all I plan to do today. In DC today, Carpenter is on the docket; elsewhere in the world, trials are being delayed, slaves are being sold, provocateurs are provoking, and all of that is worthy of the attention it is receiving, and perhaps even more, but I will be content if I can publish this blog post today.

So what does that mean, to close out the year? You may recall from a previous blog post the notion of "taking some time to contemplate, aiming for an improved perspective, while observing the cycle of life." I try to do this at least once a year. The last twelve months have forced my hand a bit on the issue of personal reckonings, so it is even more important to take this time to scan the horizon and look at the big picture. Be wary of tunnel vision.

One helpful item with respect to closing out the year is to reiterate one's tautologies, if one has any. You can go ahead and make a list of these if you think it will help.

Two: Consider what has changed, and how it affects your plans for the coming year. It's good to set some time to specifically consider which of your life's conditions has changed in the last 365 or so days, almost as if it was an administrative task.

Three: Consider the people in your life. There are some things we can control, and there are some over which we have no control. Many wise people have observed that an important process in life is to learn to tell the difference between the two. I would add that once this is done, take a look at the parties with whom you find yourself surrounded and consider whether they continue to merit a place in your life. Who can you help? Who must you learn to forget?

Four: Consider your surroundings. Do you like where you find yourself? I seriously love New York, as you may already know; however, relocating can be a great thing, for example, for one's career. Spending the months that are typically cold in New York City in a milder place such as Las Vegas, or France, or something along those lines is what seems to have worked best for me. It can be a lot of work to maintain a residence you don't see that often, so remember that the goal is comfort, not exhaustion. Whatever your preference, as you consider 1-3 above (especially three), consider them within the context of four. If you have had to make hard decisions in life, I'm sure you already know that you can think someone is groovy, but if they do not share your ideas about surroundings, it is best not to over-invest in that relationship, because you are not going in the same direction.

Five: Execution. What will you do in the next 365 days to make this vision of your life and who you are, into a reality? What can you refrain from doing?

My best wishes to you as you close out the year,
Martha

11.22.2017

Let Us Give Thanks 🦃

It's been a while since one of these blog posts addressed a favorite American pastime, cooking. As a way of saying "Thank You" to everyone who shares their cooking tips online, and as a way of getting ready for Thanksgiving, please read on for information on a technique that has the potential to make chicken or meatballs fluffier.

Half-dollar-sized chicken meatballs can work well as an appetizer. Lamb meatballs, as well as pork and red meat meatballs, also work well in this size. Yum. Paired with a dipping sauce that is complementary to the entree, sharing these tiny savory treats is a great way to get guests relaxed and mingling around the dining room.

To prepare, assemble the meatball ingredients, including breadcrumbs, to your liking. The more breadcrumbs, the less dense the meatballs will be when they are cooked, and less dense is good for an appetizer. (Notwithstanding edamame, which makes a great appetizer; there are probably lots of other great dense appetizers...) Now take some olive oil and warm it in a saucepan. Once the oil is warm, add the warmed oil to the reserved breadcrumbs. The breadcrumbs will immediately absorb the warm oil. Then add the breadcrumbs to the meat mixture, or if you are reading this aghast at the use of ground meat, please feel free to try this with ground chickpeas and share your results. You can preheat the oven around the time you start apportioning the meat mixture.

Chicken Meatballs Appetizer:

Ground chicken meat, 1 lb.
salt, thyme and rosemary to taste
1/4 cup milk
2 eggs beaten
1/2 cup olive oil
3/4 cup bread crumbs

Mix all ingredients, except for the breadcrumbs and the olive oil, together. The breadcrumbs should be in a separate ceramic or other heat-safe bowl somewhere. Warm the olive oil over low to medium heat in a saucepan. When the viscosity of the oil begins to change, the oil is warm enough. Take it off the heat and pour the oil over the breadcrumbs; use a fork to combine well. Let breadcrumbs sit for about a minute and then add to the ground meat mixture; combine well. Use an ice cream scoop or other spoon to apportion the meat mixture and roll into spheres that are about the diameter of a half-dollar.
Place in an oven-safe tray that is large enough to fit all of the meatballs without them touching and bake for about seventeen minutes at 450 degrees.

The dipping sauce: Remember earlier in the blog post where it states this recipe is best used for appetizers? Well, think about what your main entree is going to be. If it involves roasting or sautéing anything, make a simple roux and add some of the pan drippings from the roast, or from the sauté, to the roux to create a complementary dipping sauce for the appetizer. If you're fresh out of ideas, or if you are attending a pot luck and have no idea what the main course will be, try one of these ideas for a dipping sauce.

Thank you for reading and Happy Thanksgiving🦃 

10.23.2017

Notes From CLE with Preet Bharara & Co. in September

At CUNY law for continuing legal ed:

The first speaker is former political candidate and professor of law, Zephyr Teachout. Arguing for some type of strict liability standard in corruption matters, she observes that we are unaware when we are influenced.

Is there something inherent in policing that leads to corruption? This question was posed by the panelist from Sidley Austin. Later he references Caperton.

There is an interesting comment, within the context of public corruption, about the existence of an anonymous website for self-reporting (http://ipaidabribe.com/). The anonymity of it raised an eyebrow from me, especially as I was thinking recently about , and a pseudonymous Twitter account. I had been thinking about how I personally was surprised that  was being pseudonymous online (if it is, in fact ■) because it seemed like an abdication of leadership to me. Those of us who have the authority and the education and the skill set need to consider the value of coming forward and setting an example of what is appropriate and legal and what is not, especially for the benefit of those who are not so sure. However, if ■ and I disagree then, clearly, reasonable minds may differ on this issue.

Nevertheless, what can reliably be determined about a data set that is self-reported and can't be verified or authenticated? I am briefly reminded of that legal case regarding anonymous Yelp comments; it could be anyone, thus intent may be at issue.

(Note: the above paragraph takes on a renewed level of significance after last week's #MeToo tsunami, so here is a link to "A cryptographic solution to securely aggregate allegations could make it easier to come forward". h/t Legal Hackers)

It is marvelous to be in a classroom again, and to catch up with the dean and my constitutional law professor.

Now we are having a break and Preet Bharara should be here soon... We shall see what will happen... (I think he has arrived because some of the panelists excitedly headed backstage)...

Preet! So far 7 people have silently gotten up with posters to protest something, something about the Bronx; the protestors seem to see him as a proxy for law enforcement generally.

Will be thinking about tonight for some time...


(Somewhat redacted to shield those who may prefer to stay anonymous) -MCC

9.18.2017

September 2017

A couple of weeks ago, I decided I needed a break from my everyday life. Normally, for me, when I feel like this, I get on a plane and explore some new far-away place. But for the past year, since around October of 2016, my own health had been a bit spotty, and I had taken a break from extensive travel. I will hopefully be well enough to go back to my usual ways around January 2018, and am really looking forward to that, but in the meantime, I recently took a staycation.

My friend Gary died this week (I drafted this Saturday), on September 13th.
We first met around 1995 at college. He was the immediate past executive editor of a campus newspaper where I eventually became business manager. His role at the paper meant that my initial sense of him was that he was the boss. Some of those college adventures were experiences that inspired part of a novel I once wrote (novel, not memoir- it is a novel written in memoir style). As our respective lives unfolded, we stayed in touch, and when he got married, his wife and I connected, which cemented our ongoing friendship--22 years of friendship at the time of his passing.

Gary touched many lives, in various ways. Right now I am trying to distill what I learned from him, as I consider my own life during this staycation:

Gary’s immeasurable kindness was subtle; he shared friendship and support, all the while being unobtrusive and non-invasive. He enjoyed making pies and sharing recipes, peppering dinner conversations with vocal impressions from literature and Monty Python jokes. He had strong opinions on what kind of beer should go with chili, sometimes commenting with such conviction, like it was the most important thing *ever*-- which I found calming.

Sometimes we debated ICANN policy, or traded perspectives on data retention. Mostly we talked about cats.

I can’t believe he’s gone.

It’s relevant for me that he passed near Rosh Hashanah. I took my staycation to conclude around then, a symbolic decision about taking some time to contemplate, aiming for an improved perspective, while observing the cycle of life.
I will take his example of prudent, quiet support into the next year, and beyond.

Thank you, Gary.


-MCC

6.26.2017

In Memoriam

Dr. Harbottle, who made significant contributions to the art and science of authentication, passed away last November, on the Friday before the presidential election. I learned of his passing last night. Dr. Harbottle was one of my mentors, and over the years he gave me (and many others I presume) quite a lot to think about.
Here is a link to his obituary: http://www.legacy.com/obituaries/newsday/obituary.aspx?pid=182396556

Thank you, Dr. Harbottle -MCC

5.06.2017

High Emotion Words

This week #phishing was in the headlines again as we learned over one million Gmail users had received a fraudulent Google Docs sharing request: https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/.

While #InfoSec professionals generally agree that employee training is one way to raise awareness of this type of attack, there is still a lot of room to learn with regard to phishing education best practices, with one EU-based study asserting: “There is a lack of empirical data on the consequences of using deception in organizational phishing studies.” (https://ethicalencountershci.files.wordpress.com/2016/03/chi2016_workshop_ethicalphishing_cameraready_final.pdf)

We know that email users are sometimes tempted by the lure of easy money, as in the now ubiquitous “I’m a prince & I won the lottery!” type scams. Others may have their cognitive judgment impaired by the use of emotionally loaded words. Here is a link to a list of words that are considered to be emotionally persuasive: http://www.thepersuasionrevolution.com/380-high-emotion-persuasive-words/

Some legal professionals focus on bringing or defending suits for pecuniary losses associated with, for example, identity theft that sometimes follows from a data breach, or on complying with data protection regulations generally. There is implicit in these types of legal actions some type of culpability on the part of the hacked entity (“failure to exercise reasonable care in protecting… information”).

However, phishers often use well-known brand names without authorization. The perpetrator of the latest news-grabbing phishing attack is unlikely to have a licensing agreement with the brand they are purporting to be. Phishing attacks may thus also, at least tangentially, be diminishing the value of said brands, with no fault at all attributable to the damaged brand.
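The two observations above, lures that lean on emotionally loaded words and the unauthorized use of well-known brand names, are easy to turn into defender-side triage signals for a mail filter or an awareness exercise. The following Python is an added illustration written for this page, not code from the blog or from any of the linked sources. The word lexicon, the brand-to-domain table and the sample messages are all constructed for the example; the lexicon is a tiny stand-in and is not the linked 380-word list.

```python
"""Toy phishing-triage heuristics (added illustration, not from the blog).

Two defender-side signals drawn from the discussion above:
  1. a count of emotionally loaded / urgency words in subject and body
     (the lexicon below is a small constructed sample, NOT the linked list);
  2. a brand name in the From: display name that does not match the
     sender's domain, i.e. an unauthorized use of a well-known brand.
All sample messages and the brand->domain table are constructed for
this example.
"""
import re
from email.utils import parseaddr

# Constructed sample lexicon; a real deployment would use a vetted list.
HIGH_EMOTION_WORDS = {
    "urgent", "immediately", "suspended", "verify", "winner", "free",
    "limited", "act now", "final notice", "confirm", "unauthorized",
}

# Constructed brand -> legitimate sending domains (illustrative only).
KNOWN_BRANDS = {
    "google": {"google.com"},
    "paypal": {"paypal.com"},
}


def emotion_score(text):
    """Return the number of lexicon entries found in text (each entry counts once)."""
    lowered = text.lower()
    return sum(
        1 for w in HIGH_EMOTION_WORDS
        if re.search(r"\b" + re.escape(w) + r"\b", lowered)
    )


def brand_mismatch(from_header):
    """Return the impersonated brand if the display name carries a known brand
    but the address domain is not one of that brand's domains, else None."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    haystack = display.lower()
    for brand, domains in KNOWN_BRANDS.items():
        if brand in haystack and domain not in domains:
            return brand
    return None


def triage(msg):
    """Combine both signals into a verdict for a dict with from/subject/body keys."""
    score = emotion_score(msg["subject"] + " " + msg["body"])
    brand = brand_mismatch(msg["from"])
    # Threshold of 3 lexicon hits is an arbitrary, constructed cut-off.
    flagged = score >= 3 or brand is not None
    return {"emotion_hits": score, "impersonated_brand": brand, "flagged": flagged}


# Constructed sample messages (not real mail).
SAMPLES = [
    {
        "from": "Google Docs <share@docs-invite.example>",
        "subject": "URGENT: a document was shared with you",
        "body": "Verify your account immediately or access will be suspended.",
    },
    {
        "from": "Alice <alice@example.org>",
        "subject": "Lunch on Thursday?",
        "body": "Same place as last time works for me.",
    },
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", triage(m))
```

Running the block prints a verdict per sample: the constructed "Google Docs" invitation scores four lexicon hits and a brand/domain mismatch, while the lunch note scores zero and is not flagged. The brand check is the cheaper and more reliable of the two signals; word counts alone produce false positives on legitimate account notices, which is why the two are combined rather than used in isolation.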

What do you think is the best way to address a method of redress for the copyright and trademark holders who are harmed when the value of a global brand is affected by a criminal phishing spree?

5.02.2017

Data in Baskets

In August of 2014, hackers, evidently specialists in cloud security, released to 4Chan candid photographs taken with iPhones (amongst other smartphones) by Hollywood celebrities, who apparently believed that the photos would not be automatically uploaded to Apple’s iCloud cloud storage service. Clearly, they were mistaken in that assumption; iPhone users upload their photos to iCloud by default. As iOS devices become an increasingly popular item in the lawyer’s toolkit, this episode should have been especially instructive for practicing legal professionals.

Attorneys are, of course, generally obligated to keep information relating to their representations of clients confidential. New York’s Rules of Professional Conduct make clear that a lawyer shall exercise “reasonable care” in preventing the disclosure of confidential information.

Various state bar associations’ ethics committees have opined on the propriety of using cloud services. The New York State Bar Association’s Ethics Committee has stated that the “reasonable care” standard in maintaining confidentiality should include the lawyer’s ensuring that the cloud computing service has an enforceable security obligation, investigating what security is used, and how the cloud computing service deletes or manages data. The opinion distinguishes between the storage and the transmittal of data, while at the same time avoiding the use of the phrases “data in motion” and “data at rest.”

Cloud computing and storage have become very popular in recent years, with mega-cap tech companies providing such services for little to no cost. As reliance on cloud services has grown, so have the risks. Attorneys may want to consider mitigating these potential risks by diversifying; they may want to consider allocating their data assets among a variety of cloud services, rather than putting all of their easter eggs in one digital basket.

How has Apple’s security posture changed since 2014? How have data protection regulations evolved since 2014?


With thanks to Aaron Collins, Esq.

Artwork by Martha C. Chemas, Esq. using Google Autodraw 

3.30.2017

#Throwback Thursday Privacy

Privacy has, again, been in the news a lot this week. Here is a link to a recording of a panel discussion from 2012 in New York City that addressed this issue: https://archive.org/details/IsPrivacyOverhyped-FourViewsOfTechnologySecurityAndDemocracyOnline.

And here is a link to some media coverage that the event received at the time: http://observer.com/2012/04/is-privacy-overhyped-a-panel-discusses/. 

The media doesn't mention it, but I was there also, standing behind Jacob Appelbaum and his attorney in the audience, and apprehensively and curiously observing the interplay between the stated positions of these various personalities.


Are we making progress or nah? :)

-Martha

1.08.2017

Delightful Vacation Technicality

Even though, technically :) I am on vacay, I found myself reading and researching; perhaps the true markings of a workaholic, or perhaps just an indication that doing what I enjoy most is its own vacation.

One of the big frustrations in life is writing and thinking that no one cares, or that no one listening. Another is feeling that people have missed your point.

When I composed the cyberlaw big bang (http://stanza28.blogspot.com/2011/05/big-bang.html), about seven years ago, I was toiling in obscurity. Since then I have had the wonderful honor of being given a central role in the development of cybersecurity jurisprudence via my role at the American Bar Association, as immediate past chair of the Information Security Committee. Along the way I got to meet with incredibly sharp people from the intelligence community, the Assistant Attorney General For National Security, some nice people at the UN, deputy governors, all manner of legislators and Supreme Court Justices; not a bad way to spend the last seven years. :)

The big bang was composed in a stream of thought, dreamlike, incoherent-ish writing fashion to reflect the state of cybersecurity at that time.

Good things come to those who wait, or so they say, and today I turn your attention to this great piece, written in part, by the PEOTUS’s pick to Chair the SEC:

On the issue of cybersecurity, the world is in the early stages of the Socratic Process.

Cheers, Gentlemen.  -MCC