Tuesday, 30 August 2016
DotCom seems pleased with this outcome as he insists that when people realise the basis of the case against him they will support him.
He insists that MegaUpload was blindly storing copyright-infringing material and as such should not be held responsible, in the same way that a man who makes or sells a knife or a car is not held responsible if that object is later used to break the law.
The analogy breaks down a bit as the servers remained under the control of MegaUpload whereas the other objects mentioned do not - but that is for another day.
However, when this case is settled we will be one step closer to understanding where liability rests online and the degree of responsibility a hosting company, or third party provider, must take. This is also relevant for data protection and the GDPR.
Hold onto your hats - this is showtime!
Thursday, 18 August 2016
Stormy weather for healthcare providers (and others) not protecting personal data - $5.55 million fine
AHCN is the largest health care provider in the Chicago area and between July and November 2013 they suffered 3 data breaches. 4 million records went missing but there has been no indication that these records have been used or published. So no loss to date for the victims.
2 of the 3 breaches were straightforward theft of hardware (4 desktops / 1 laptop) rather than the more exotic type of cyber attack.
The areas of failure were identified as follows:
failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;
failure to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;
failure to obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and
failure to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.
No doubt AHCN will have attempted to present itself as the victim of crime, which it was, but was fined nevertheless even though the data does not appear to have been misused.
How many handlers of personal data would currently pass the tests above?
Tuesday, 16 August 2016
According to reports, internal login details were used, so this was less of a high-tech hack and more a case of walking in through an unlocked door - a disgruntled insider, probably.
The Information Commissioner's Office is having a look at this, and this breach is potentially more serious than TalkTalk as the type of data accessed looks to be more valuable and personal. But when the fire has been put out, who will pick up the tab and compensate the individuals whose data has been taken?
Sage will no doubt be going through the terms and conditions of its standard contracts to determine if it can wriggle out of any liability to its impacted customers. In any event, what direct loss does a customer suffer if name, address, bank details etc. are published on the open internet? If a customer is later the victim of internet fraud, will it be possible to establish a causal link between the breach and the loss?
Might Sage be insured for cyber breach? If so, does this cover insider threat, which might well be viewed as negligence? Will the insurance extend to paying compensation to customers of Sage?
Given the above complexity it is understandable that Sage should seek to keep as low a profile as possible on this matter, but if you are using a Sage solution right now, how secure do you feel?
Anybody can be hacked but the question of who picks up the tab when it happens is far from settled.
Tuesday, 9 August 2016
Even the insurance community who are generally comfortable with risk are mainly keeping their powder dry - most policies available (AIG, Hiscox, Zurich) are bespoke and assume high levels of pre-existing cyber safety.
Court cases such as Travelers Casualty and Surety co. vs Ignition Studios Inc do not help to identify where liability falls as it was settled out of court.
From an SME perspective it is very tough to penetrate the complex language around cyber safety, and absent user-friendly insurance policies the market looks likely to remain in its early stages. Until a few court cases have shown where liability falls between principals and third-party providers, and what level of cyber safety is the minimum standard before negligence kicks in, sorting the wheat from the chaff will be a tough challenge.
Wednesday, 3 August 2016
Cyber security for solicitors and barristers. Can you promise confidentiality and asset security if your IT systems are vulnerable?
Against this rapidly evolving factual backdrop, can solicitors and barristers reasonably promise confidentiality and security to their clients, and can clients continue to trust that this is the case?
The legal profession plays a key role in society, and the cornerstone of that role is client trust in confidentiality and in the security of the assets transferred to solicitors and barristers. The SRA and Bar Standards Board both insist in their Codes of Professional Conduct that confidentiality and asset security are maintained.
However, the digital age has brought outsourced IT providers (who themselves outsource), home working on personal devices and remote digital storage, very little of which is measured against security criteria but, very understandably, against convenience and price. This week 200 million Yahoo passwords were put up for sale on the dark web.
Common sense suggests that until solicitors or barristers have had an independent Digital Audit to check cyber risk levels, it would be unwise to make promises about security and confidentiality to clients. To hide a disclaimer of liability for data loss in the small print of an Engagement Letter, in the absence of an independent Digital Audit, could also be viewed as unprofessional.
To get in touch with us at KLipcorp IP to discuss any issues raised in this article please CLICK HERE