Whose Job is it to Protect Corporate Data Stores from State Actor Cyberattacks?


It’s hard not to notice that the constant breach of data under corporate care has become our new normal. Headlines seem almost redundant — another data breach revealed, some very tardy. In this barrage of breach announcements, we hear more about state actors originating cyberattacks on corporate data stores. So, whose job is it to protect against foreign state attacks on corporate data stores?

“As we all have witnessed: no company, individual or even government agency is immune from these [cyber] threats.” So said Marissa Mayer, former Yahoo CEO, during her November Senate testimony on the Yahoo breach. Despite years of heading off many cyber intrusions and leveraging white-hat hackers to test their defenses, Mayer says Yahoo still does not know exactly how “Russian agents intruded on our systems and stole our users’ data.”

Last year, North Korean hackers almost succeeded in stealing $1 billion from the New York Federal Reserve, after hacking into the Bangladesh Central Bank. The misspelling of “foundation” as “fandation” is the only thing that stopped the heist. Let’s not forget Pyongyang’s Sony Pictures hack to stop the release of an unflattering movie.

In 2011, North Korea’s leader Kim Jong-un started investing beyond cyberattack prowess for warfare, with a new focus on training hackers for theft, harassment and political score-settling. Researchers believe that one fifth of Pyongyang’s cyberattacks originate from its hackers stationed in India, while other attacks are routed through Malaysia, Nepal, New Zealand and other countries.

“Only stiffer enforcement and stringent penalties will help incentivize companies to properly safeguard consumer information and promptly notify them when their data has been compromised,” said Senator Nelson during the Yahoo hearing. The Senate committee chairman added that the patchwork of state regulations on breach notifications must be replaced with a federal law.

On another front, the SEC plans to update its cybersecurity guidance for publicly traded companies after the Equifax fiasco. Equifax discovered the attack in July but waited until September to inform shareholders. During that window, Equifax executives sold company stock. A company investigation exonerated them. A senior SEC regulator wants faster cyber intrusion notices to investors, and a revision of post-breach insider trading policies.

Is federal cyber-regulation of the private sector the answer?

In a Friday the 13th London speech, DOJ’s Rod Rosenstein said law enforcement’s goal is to disrupt and deter future attacks, and punish cybercriminals. The Deputy Attorney General observed that “foreign criminals regularly break into systems to steal ideas that make our nation strong and competitive in the global marketplace.” Rosenstein recommends that corporations immediately tell law enforcement when they discover a breach, in part so the company can gain access to sophisticated government tools.

What is law enforcement doing to head off these attacks before they happen?
Is Homeland Security doing enough to help corporations protect data from cyberattacks?

Ransomware attacks sure got corporate security folks’ attention this summer. WannaCry and NotPetya wreaked havoc on companies from FedEx to Merck.

SC Magazine places heaps of blame on the National Security Agency (NSA) for these attacks. The NSA originally discovered the Microsoft security vulnerabilities, didn’t tell anyone, and let its own hacking tools for the flaws get stolen by cybercriminals.

If the NSA can be hacked, how can corporations fend off nation-state and sophisticated hackers?

Then there’s the ultimate economic cyberattack — where a nation-state aims to shut down the power supply or scramble bank records with a cyberattack. The NotPetya attack gripped Ukraine’s power grid this summer. Ukraine claims Russia was behind this cyberwarfare.

Wired reports that the NotPetya October follow-on, the “Black Rabbit attack” — which locked hundreds of machines and hampered critical infrastructure in Russia, Ukraine, Germany and Turkey — may raise doubts about Russian involvement in NotPetya, though one of the cybersecurity firms commenting on the situation is under FBI investigation for links to Russian intelligence.

Is this a spy novel or what?

These massive destructive attacks on critical infrastructure and data manipulation worry the head of the US National Security Agency (NSA), Admiral Michael Rogers. Let’s remember that a vast swath of US critical infrastructure is run by the private sector.

How will we protect corporate data stores from nation-state and rogue cyberwarfare, let alone run-of-the-mill profit-seeking hackers?

Isn’t the private sector’s job commerce and innovation? Yet in the digital economy, corporations must also be extremely sophisticated data security companies. After all, they leverage our personal data for profit, right?

The European Union’s GDPR is about to usher in massive corporate liability for data privacy, though “cybersecurity,” a major data breach threat, is not mentioned in the regulation.

Does the government need to take a wider role in combating state-actor cyber attacks on corporate data? What new public-private models are needed to protect corporate data stores? Whose job is it to protect against state-actor cyberattacks on the private sector?

Food for thought.


Breaking News – Supreme Court to Rule on Microsoft EU Emails

A significant battle between Microsoft and law enforcement has made its way to the US Supreme Court. The DC Court of Appeals struck down lower courts’ decisions that Microsoft must give US law enforcement client emails stored in Ireland in a drug trafficking case. The upcoming Supreme Court ruling on this case will have far-reaching impact in our digital economy, where data crisscrosses the global internet, coming to rest on a server in a particular country.


How far do US laws extend to data stored in foreign countries?

If Microsoft is forced to hand over the emails from its Ireland data center, how will EU data protection authorities react? Especially given that the General Data Protection Regulation, an overhaul of EU data privacy laws with massive financial penalties for non-compliance, takes effect in May 2018.

If Microsoft does not have to hand over the emails, will criminals hide their communications and data overseas so US law enforcement cannot access it?

Be sure to follow this case and watch for the Supreme Court ruling.

How are Law Firms using Artificial Intelligence Today?

This year at ILTACon 2017 my radar was searching for an update on what is really happening with legal AI in law firms. Are law firms getting beyond the hype and using AI? What specific use cases are catching on? How does AI impact lawyers and staff? Here’s what I found out.

The Nitty Gritty On AI For Matter Budgeting And AFAs

Law firms have learned that AI tools are very good at finding key issues in billing narratives to support AFAs and budgeting, for one. This law firm use case was highlighted again and again in ILTA sessions.

Read the rest of my blog in ABA Law Technology Today.


Data Protection is Everybody’s Job

Data protection is everybody’s job today. With the perfect storm of a doubling of data every two years, juicy dark web profits for stolen personal info and crushing data breach business impacts, organizations simply have to build data protection values into the company’s culture. Read this blog for practical tips on how to do this in your organization.


Groundbreaking Cybersecurity Regulation Kicks in Today for New York Financial Institutions

It’s the first of its kind, but surely not the last. The groundbreaking New York Department of Financial Services cybersecurity regulation takes effect today, August 28, 2017. All financial services organizations operating in New York must be in compliance, along with their law firms and accountants. This regulation is likely the forerunner of more state cybersecurity regulations, especially after the summer of WannaCry and NotPetya. Learn more about the regulation in a blog I wrote, published by the information governance leader Iron Mountain.

Information Governance Refresh Checklist

Summertime can be the perfect time to refresh your information governance road map. Goaded by the explosive growth of digital content, devices and cloud storage, smart organizations are morphing traditional records management towards a more holistic information governance (IG) road map, accounting for digital information, security, compliance and information asset life cycles. The latest go-to road map for navigating this jagged journey — the Cohasset Associates and ARMA International Information Governance Benchmarking Survey — is once again available for fresh insights and best practices. In the ninth biennial web-based survey, nearly 1,000 industry professionals added their perspective.

Read the full article here.

Foreign Corrupt Practices Act “Pilot Program” Still Alive and Kicking

In April 2016, the Department of Justice (DOJ) launched the Foreign Corrupt Practices Act (FCPA) Pilot Program. The program puts into effect several policies introduced in the famous “Yates Memo,” outlining guidance on voluntary self-disclosure of FCPA transgressions, investigation cooperation, individual accountability and even how cooperation can result in non-prosecution. Despite expected regulatory rollbacks and, ironically, the highly public firing of the Yates Memo author, Acting US Attorney General Sally Yates, the Trump administration shows no signs of letting up in FCPA enforcement or the Pilot Program.

Last month, Acting Assistant Attorney General Kenneth A. Blanco announced that the DOJ will evaluate the Pilot Program for extension and any revisions when it expires in April 2017. In the meantime, Blanco advises that the program remains in full force and effect. Here’s an article to learn more about how the Pilot Program works.


It’s 2016 Data Protection Day!


Did you know January 28th is Data Protection Day? The Council of Europe started this annual celebration in 2006 to grow Europeans’ awareness of their rights around how their personal data is collected and processed in the digital economy. For 20 years, Europe has led the world in developing comprehensive protection for individuals’ privacy rights, from the groundbreaking 1995 data protection rules to the recent massive update to make them “fit for the digital age.” Europe has inspired other nations to build data protection safeguards, and Data Privacy Days too.

There is a passion for safeguarding citizens’ privacy in Europe, like nowhere else. It is a fundamental right, guaranteed in the European Union Charter.

Upholding fundamental rights to privacy is “not something Europe should be ashamed of.”
Koen Lenaerts, the Harvard-trained European Court of Justice judge, after invalidating Safe Harbor data transfers due to data protection concerns with US surveillance programs.

In 2008 the US and Canada extended Europe’s celebration by establishing a January 28th Data Privacy Day.

Oh Canada! The Office of the Privacy Commissioner of Canada offers new resources to mark the Day.

Pacific Northwest. The Better Business Bureau of Alaska, Oregon and Western Washington celebrates the Day with a warning to think twice before you take that Facebook quiz to find your spirit animal. All kidding aside, they offer some excellent data protection tips.

Mississippi. The Mississippi Department of Information Technology suggests citizens check out this data privacy day video that recommends treating your information like money – value it and protect it!

Stay Safe Online, powered by the National Cyber Security Alliance, has a wonderful infographic on how privacy is good for business.

United States. In the US, the Federal Trade Commission has responsibility for consumers’ data privacy and security. The FTC’s privacy work goals remain: “to protect consumers’ personal information and ensure that consumers have the confidence to take advantage of the many benefits offered in the marketplace.” The US participated in the celebrations with a live FTC Twitter chat to promote privacy awareness and respect, and posted Tweets with some good practical data protection tips.

I wonder when the US will have a Data Privacy Commission.

Microsoft joins in the party too. But perhaps more enlightening is a read of Brad Smith’s Blog in which he chronicles global data security issues including the minefield of data privacy issues his company faces. Though self-serving for their cloud business, Brad’s blog is like a treatise on the privacy issues of our day.

“Microsoft needs to go beyond standing up for the rights of businesses and governments; we need to be a voice for people.”
Brad Smith, President and Chief Legal Officer, Microsoft

Mexico used Data Protection Day to mark the Mexican Federal District Data Protection Authority’s endorsement of the signing of 13 principles on limiting surveillance.

Data Protection Day is not yet celebrated in all corners of the world. But with the vast amounts of digital information seeping across the internet, data protection continues to grow.

Brazil has a Draft Bill of Law on Personal Data Protection.

Hong Kong’s Office of the Privacy Commissioner for Personal Data Protection recently announced they plan to update their privacy laws to keep up with developments, citing the recent EU reforms. Hong Kong saw an upward trend in privacy complaints in 2015.

In South Korea, recent changes to the personal information protection legislation take effect this month. The Korean Government Personal Information Protection Commission develops policies and plans for data protection.

So let us celebrate all these global efforts supporting the protection of personal information. And, let us welcome the continued debates on privacy, digital commerce and national security that we face as a global community.

Happy 2016 Data Protection Day!

Ready for New EU Data Protection?

I recently did a guest blog for AccessData on the sweeping new changes to the European Union data protection regulations. An end to a patchwork of national laws, bigger fines, faster breach notice and the “right to be forgotten” are just a few of the many changes businesses selling in Europe will want to know about. Be sure to check out the practical tips on how to get ready for 2018 when the new regulations go live.

Safe Harbor Chess Game Heats Up.

It is fascinating to watch this chess game unfold, with knights, bishops, kings and queens making their moves. The sudden October abolishment of the Safe Harbor framework for data flows – moving personal information like payroll data, user information and marketing data from the EU to the US — literally threw out the rules of the game. For over fifteen years, US companies have been able to self-certify, under the Commerce Department Safe Harbor program, that their data protection protocols satisfy EU laws.

That all came to an end when the European Court of Justice invalidated Safe Harbor in a case still underway calling for a halt to Facebook’s transfer of EU user information from its Irish subsidiary to Facebook US. The high court essentially agreed with complainant Max Schrems that the Snowden revelations demonstrate that Europeans’ private data is not safe from the prying eyes of US intelligence agencies. The ruling ricocheted simmering EU-US privacy and security policy discussions to center stage.

EU Data Protection Gets Hot.
Europeans have some of the most advanced protections for personal data, currently being updated in a massive EU modernizing effort. Keeping personal data private is a fundamental right of every person, according to the EU Charter of Fundamental Rights. This right has emotional roots in the transgressions of European totalitarian regimes and their secret police activities. Leaders in Germany and France were livid when they learned from the Snowden documents that US intelligence was likely tapping their personal cell phones. Over the last few years, things have heated up in EU data protection authorities’ investigations of Facebook and Google over privacy violations. This is especially true in privacy-sensitive Germany, where the DPA announced immediate investigations of former Safe Harbor companies such as the internet behemoths.

An EU Move: New Safe Harbor Rests in US Hands.
On the eve of continued Safe Harbor 2.0 negotiations in Washington DC this week, the European Commission shared its official views and guidance for US companies after the momentous high court ruling. They also made their negotiating position very clear: any new agreement must uphold the court’s ruling, “… notably as regards limitations and safeguards on access to personal data by U.S. public authorities.”

Late last week, Vĕra Jourová, the European Commissioner for Justice and Consumers and lead Safe Harbor negotiator, said she expects the U.S. to show clear conditions and limits on US intelligence access to European private data. The Commission also indicated that a solution is urgently needed, but expects negotiations to take three months – a target set earlier by the pan-EU data protection authorities group, known as the Article 29 Working Party.

Is this soon enough? US Secretary of Commerce Penny Pritzker tweeted on November 9th: “Safe Harbor and cross-border data flows are vital for American business. I heard a sense of urgency on resolving this at #Techonomy15”. Tech company trade associations encourage policy makers to arrive at a bulletproof agreement sooner than three months. Many guess that more US surveillance reforms to narrow intelligence gathering, and passage of the redress rights bill giving European citizens access to US courts for privacy violations, are part of the equation to restore trust and move forward. Things like this take time. Meanwhile, US companies spend time and money trying to figure out how to stay inside the lines.

More Chess to Come.
No doubt we will see some master chess moves over the next few months. Let’s hope so – keeping the digital economy vibrant while modernizing global privacy and security policy is no easy game to play.