Monday, September 26, 2011

Massachusetts Maps The New Data Breach Landscape: 1000 Plus Breaches Affect 2 Million Residents

The Massachusetts Attorney General Martha Coakley reported last week on the count for data breaches in the state since the Massachusetts data-breach law went into effect January of 2010. Breaches in the period totaled 1,166, affecting 2.1 million residents in a period of 10 months.

Because Massachusetts is the first state to require mandatory reporting of this kind to a state’s attorney general’s office, the statistics offer a first of its kind map of data breaches occurring across any US state. The stats hint at huge data breach numbers occurring nationwide even as the US Senate Judiciary Committee OK’d legislation last week to preempt state data breach legislation, including those of states like Massachusetts and California with strong reporting requirements.

According to the Boston Globe in their coverage last Wednesday:

Of the reported incidents, 25 percent involved deliberate hacking of computer systems containing sensitive data. Another 23 percent involved accidental sharing of information with unauthorized people, such as sending faxes or e-mails with personal information to the wrong recipient. In 15 percent of cases, retailers reported the theft of customer credit card numbers. Data was also lost through thefts or accidental losses of laptop computers and paper documents, or in cases in which workers deliberately gained unauthorized access to client files.

Thursday, September 22, 2011

Thomson Reuters Survey Shows Most Corporate Board Correspondence Easily Hacked

A global survey of corporate boards published yesterday by Thomson Reuters concludes that most boards are transparent to the lowest level of hacking efforts. According to the survey, published through Thomson Reuters' London office:

Most major corporations surveyed have significant security gaps that leave sensitive board-level information open to information theft and hacking. Those are among the findings of a new survey of board members of UK and global corporations conducted by Thomson Reuters Governance, Risk & Compliance. The findings are particularly noteworthy in light of recent news stories about the handling of board communications involving executive succession decisions at companies including Yahoo and Apple.

The survey found that information provided to members of corporate boards of directors is often in unencrypted email accounts and computers, or otherwise provided in forms that are easily lost, misplaced or stolen. The Thomson Reuters Governance, Risk & Compliance survey polled general counsel and board members at leading global corporations across a wide variety of industries.

Unencrypted board communications


Board documents stored on personal computers at home or work


Board documents stored on personal mobile devices
(e.g., iPad, laptop, smartphone, etc.)


Documents sent to board members via personal, non-commercial email addresses


Board documents accessible via wi-fi or unsecured networks


Have reported computer, mobile devices, or sensitive company documents
lost, stolen or left in public places


Monday, September 19, 2011

Real-time Technique Used to Spy on Gmail Accounts Detailed in Korean Legal Battle

Ease of use for a technique known as packet tapping to spy on Gmail accounts, has been detailed in court documents in a high-profile legal appeal in S. Korea. As reported in S. Korea’s Hankyoreh Shinmun Times on Friday:

Unlike normal communication tapping methods, packet tapping is a technology that allows a real-time view of all content coming and going via the Internet. It opens all packets of a designated user that are transmitted via the Internet. This was impossible in the early days of the Internet, but monitoring and vetting of desired information only from among huge amounts of packet information became possible with the development of “deep packet inspection” technology. Deep packet inspection technology is used not only for censorship, but also in marketing such as custom advertising on Gmail and Facebook.

[South Korea’s] National Intelligence Service [NIS] itself disclosed that Gmail tapping was taking place in the process of responding to a constitutional appeal filed by 52-year-old former teacher Kim Hyeong-geun, who was the object of packet tapping, in March this year.

The NIS went on to explain, “[Some Korean citizens] systematically attempt so-called ‘cyber asylum,’ in ways such as using foreign mail services (Gmail, Hotmail) that lie beyond the boundaries of Korea‘s investigative authority, making packet tapping an inevitable measure for dealing with this.”

The NIS asserted the need to tap Gmail when applying to a court of law for permission to also use communication restriction measures [packet tapping]. The court, too, accepted the NIS’s request at the time and granted permission for packet tapping.

Friday, September 2, 2011

Law Firm Failures as Trusted Repositories for Secrets Now Open to Exposure Under New Law

Law firms face new challenges to the exposure of both their client confidence and security practices. California Governor Jerry Brown signed SB 24 into law on Wednesday requiring companies with data breaches to report the scope of the breach to the California Attorney General’s Office.

The new law, likely to influence other states, offers special challenges for law firms. According to David Navetta, a founding partner with the Information Law Group, “Law firms are a repository of the most sensitive and private information. It’s one of the benefits of dealing with a law firm, the nature of the protected attorney client relationship. Even the possibility of a law firm having weak security is frightening.”

Tanya Forsheit, also a founding partner with Information Law Group, offers a very readable review and summary of the law, offering context and its likely impact on other states.

SB 24, effective January 1, 2012, opens a scenario in which law firms are required to report the data breach of 500 or more client files to the State Attorney General’s Office, creating a tacit admission to the violation of client privilege for a block of clients. According to Navetta, in a scenario like this, “I don’t think a law firm would characterize it that way. But even if we’re talking about the loss of intellectual property instead of personal information, what is the potential impact to litigation, if these items are discoverable? Bad practices may be exposed in a law firm.”

Webinar Pick: Chief of the California Office of Privacy Protection Joanne McNabb will present on the impact of SB 24 in a webinar sponsored by the California Webinar Law Journal on Oct. 20th. McNabb will discuss drivers to the new California Data Privacy Law and best practices for law-firm client privacy. The event is open for members of the California State Bar for continuing legal education credit and free to law school staff and students. See here for registration details.