Tuesday 30 August 2016

Kim Dotcom LIVE

Kim Dotcom has been successful in insisting that his current trial can be viewed live on YouTube.

DotCom seems pleased with this outcome as he insists that when people realise the basis of the case against him they will support him.

He insists that MegaUpload was blindly storing copyright infringing material and as such should not be held responsible. In the same way that a man who makes or sells a knife or a car is not held responsible if that object is later used to break the law.

The analogy breaks down a bit as the servers remained under the control of MegaUpload whereas the other objects mentioned do not - but that is for another day.

However, when this case is settled we will be one step closer to understanding where liability rests online and the degree of responsibility a hosting company, or third party provider, must take. This is also relevant for data protection and the GDPR.

Hold onto your hats - this is showtime !

Thursday 18 August 2016

Stormy weather for healthcare providers (and others) not protecting personal data - $5.55 million fine

The recent fine of $5.55 million dollars levied on Advocate Health Care Networks (AHCN) starts to sketch out liability levels for failing to protect sensitive personal information. This will be of great interest to insurance companies looking to calculate risk premiums and to IT providers looking to limit liability.

AHCN is the largest health care provider in the Chicago area and between July and November 2013 they suffered 3 data breaches. 4 million records went missing but there has been no indication that these records have been used or published. So no loss to date for the victims.

2 of the 3 breaches were straighforward theft of hardware (4 desktops / 1 laptop) rather than the more exotic type of cyber attack.

The areas of failure were identified as follows;

failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to all of its ePHI;

failure to implement policies and procedures and facility access controls to limit physical access to the electronic information systems housed within a large data support center;

failure to obtain satisfactory assurances in the form of a written business associate contract that its business associate would appropriately safeguard all ePHI in its possession; and

failure to reasonably safeguard an unencrypted laptop when left in an unlocked vehicle overnight.

No doubt AHCN will have attempted to present itself as the victim of crime, which it was, but was fined nevertheless even though the data does not appear to have been misused.

How many handlers of personal data would currently pass the tests above ?

Tuesday 16 August 2016

Sage hacked : insider threat and third party liability

Recent news that Sage (the accounting software provider) has been hacked and that staff details of around 300 UK businesses have been accessed (names, addresses, bank details etc) should alarm many SME's who rely on third party technology providers without question.

According to reports internal login details were used so this was less of a high tech hack and more of a walking in through an unlocked door - a disgruntled insider probably.

The Information Commissioners Office are having a look at this and this breach is potentially more serious than TalkTalk as the type of data access looks to be more valuable and personal. But when the fire has been put out who will pick up the tab and compensate the individuals whose data has been taken ?

Sage will no doubt be going through the terms and conditions of standard contracts to determine if they can wriggle out of any liability to their impacted customers. In any event what direct loss does a customer suffer if name, address, bank details etc are published on the open internet ? If a customer is later the victim of internet fraud will it be possible to create a causal link between the breach and the loss ?

Might Sage be insured for cyber breach ? If so does this cover insider threat which might well be viewed as negligent ? Will the insurance extend to pay customers of Sage compensation ?

Given the above complexity it is understandable that Sage should seek to keep as low a profile as possible on this matter but if you are using a Sage solution right now how secure do you feel ?

Anybody can be hacked but the question of who picks up the tab when it happens is far from settled.

Tuesday 9 August 2016

Cyber safety: separating the wheat from the chaff

It is predicted that the internet of things will see 20 billion devices connected to the internet by 2020. The pace of change is enough to make your eyes bleed and inevitably there will be some major cyber security issues along the way.

Even the insurance community who are generally comfortable with risk are mainly keeping their powder dry - most policies available (AIG, Hiscox, Zurich) are bespoke and assume high levels of pre-existing cyber safety.

Court cases such as Travelers Casualty and Surety co. vs Ignition Studios Inc do not help to identify where liability falls as it was settled out of court.

From an SME perspective it is very tough to penetrate the complex language around cyber safety and absent user friendly insurance policies the market looks likely remain in its early stages. Until a few court cases have shown where liability falls between principals and third party providers and what level of cyber safety is a minimum standard before negligence kicks in sorting the wheat from the chaff will be a tough challenge.

Wednesday 3 August 2016

Cyber security for solicitors and barristers. Can you promise confidentiality and asset security if your IT systems are vulnerable ?

In 2015 62% of law firms were estimated to be the victim of cyber attack (PWC) and only 35% had mitigation plans in place. The Information Commissioners Office reported a 32% increase in data breaches in the legal sector in 2015.  Mossack Fonseca was the victim of a major data breach which looked to be carried out by a malicious insider. Insider threat shows that cyber security and safety is more than just a matter of technology safeguards.

Against this rapidly evolving factual backdrop can solicitors and barristers reasonably promise confidentiality and security to their clients and can clients continue to trust that this is the case ?

The legal profession plays a key role in society and the corner stone of that role is client trust in confidentiality and in the security of the assets transferred to solicitors and barristers.The SRA and Bar Standards Board both insist in their codes of Professional Conduct that confidentiality and asset security are maintained.

However, the digital age has brought outsourced IT providers (who themselves outsource), home working on personal devices and remote digital storage very little of which is measured against the criteria of security but very understandably convenience and price. This week 200 million Yahoo passwords were put up for sale on the dark web.

Common sense suggests that until solicitors or barristers have had an independent Digital Audit to check cyber risk levels it would be unwise to make promises about security and confidentialty to clients. To hide a disclaimer of liability for data loss in the small print of an Engagement Letter in the absence of an independent Digital Audit could also be viewed as unprofessional.

To get in touch with us at KLipcorp IP to discuss any issues raised in this article please CLICK HERE