California enacted Internet of Things (IoT) legislation intended to help protect consumer privacy and safety from potential hacking of connected devices. Under the state legislation that may apply to any connected devices sold in California, manufacturers of connected devices are required to equip the devices with security options suitable to the nature of the device

Security bugs may have wildly disparate paths of extermination. Some are quietly patched with code updates, while others make the national news and trigger companies’ incident response plans. Is your company aware of the data security vulnerabilities it should be addressing? Is your company prepared to respond to a researcher who notifies you of a serious bug, or perhaps notifies the media without any prior notice?

Bugs in all shapes and sizes. Data security vulnerabilities exist for any number of reasons. For example, companies cause their own, such as by misconfiguring implementations or poorly coding websites and mobile applications, leaving them open to common attacks. They also may be using flawed software provided by a vendor and have little control over the vulnerabilities or resolving them, other than waiting for a vendor patch. Or the underlying platforms, operating systems, and transmission methodology may have a vulnerability.

The bug hunt. Companies use various techniques for identifying and resolving vulnerabilities, including code reviews and third-party scans of networks, websites, and mobile applications. Companies can also monitor the many online resources documenting known vulnerabilities, such as the United States Computer Emergency Readiness Team website. Using supported software and promptly implementing security patches are key. Responsible use of open-source software is also strongly recommended. Recent events have shown that an unpatched vulnerability in an open-source application framework can lead to a breach. The infamous Heartbleed bug in the OpenSSL open-source cryptographic software library left millions of websites at risk. Notably, for anything other than the simplest systems, assessing the criticality and implications of implementing security patches is not an easy task – among other things, a given patch may have unintended effects on related system components, or the patch may not really be necessary, given the protections provided by other layers of defense. And a company with complex systems could receive dozens, hundreds, or even thousands of patches every week.

This month’s WannaCry ransomware attack is the latest example of how these targeted attacks can cripple operating systems, with bitcoin payments demanded as the price for alleged relief.

In the attack, the WannaCry ransomware computer worm targeted the Microsoft Windows operating system, infecting more than 230,000 computers in 150 countries. The ransomware was allegedly spread through

A panel on legal reform in the area of privacy and data security at this week’s IAPP Summit provided an opportunity for a discussion between businesses and regulators, as well as for the launch of a white paper on the activities of the plaintiffs’ bar in this area that Reed Smith prepared for the U.S. Chamber Institute for Legal Reform (ILR).

The panel, “Lessons in Liability: The US Privacy Landscape and Proposals for Reform,” featured Tanya Madison, Chief Privacy Counsel at TD Bank; Howard Beales, Professor of Strategic Management and Public Policy at the George Washington School of Business, and former Director of the Bureau of Consumer Protection at the Federal Trade Commission; and Oriana Senatore, Vice President of Policy & Research at the U.S. Chamber of Commerce Institute for Legal Reform.

On June 21, 2016, the FAA issued its long-awaited regulations governing “Small Unmanned Aircraft,” or drone operation. The regulations allow the use of drones weighing less than 55 pounds, traveling less than 100 mph groundspeed, and up to 400 feet above the ground, for a wide variety of purposes during daylight hours. The regulations allow

Many organizations in different markets and industries are outsourcing parts (or all) of their IT functions (including support, development, help desk, data storage and others). Why are they outsourcing? What are the potential benefits of outsourcing?

  1. Helps the company bottom line – saves money. Many companies find lots of savings in outsourcing. The savings may be from better efficiencies pursuant to economies of scale, lower labor costs and other factors.
  2. Improved security. Strong security (for example, around the protection of consumer or health data) is the lifeblood of an outsourcing vendor’s business – and often, this level of security is higher than a customer could realistically achieve when keeping the functions in-house.

Following months of uncertainty about the future of the EU-U.S. Safe Harbor Framework, political leaders from the EU and the United States reiterated their commitment to the regime in a joint statement issued 26 March (the Statement).

EU-U.S. Safe Harbor is designed to essentially transpose EU data protection law into U.S. law so that organisations

Though the National Association of Attorneys General (NAAG) Presidential Initiative “Privacy in a Digital Age” expired in June 2013 when a new NAAG president took over, the state attorneys general have maintained their sharp focus on all things privacy, with no signs that that focus will shift anytime soon. Most recent case in

The Office of the Australian Information Commissioner (OAIC) has published initial draft guidelines which provide a good indication as to how to interpret the first five of the thirteen Australian Privacy Principles (APPs) that will form the foundation of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, which will become effective from 12 March 2014.

  1. APP