Monday, August 17, 2015

STEM Resources

A number of associates have asked about STEM resources, especially for women interested in Science, Technology, Engineering, and Math fields. Here's my current list. Your updates are appreciated.

White House: Women in STEM initiative

American Association for University Women: Building a STEM Pipeline for Girls and Women

National Geographic: Why It's Crucial to Get More Women Into Science

The Atlantic: The Female Pioneers Who Changed STEM Forever

CISCO: IoT World Forum Young Women's Innovation Grand Challenge

PBS NewsHour: How outstanding women in STEM fields overcame obstacles – Lesson Plan

PBS Learning Media – STEM resources

STEMconnector® is "The one-stop for STEM Information." With an innovative product-line, STEMconnector® works closely with corporations and other organizations to provide them with a set of tools and resources that support their corporate development, corporate structure and smart STEM investments.

STEMconnector: One hundred women leaders in STEM

Monday, August 10, 2015

Lessons from the Target Corp. Cyber Breach

Target Corp. Customer Data Security Breach Litigation was a class action lawsuit alleging that the third largest retail company in the U.S. failed to protect customers' financial data from thieves who stole credit and debit card information from 40 million customers who shopped at Target stores between Nov. 27 and Dec. 18, 2013. Early in 2014, the company revealed that additional personal information, including email and home mailing addresses, had also been stolen from a further 70 million to 110 million Target customers.

The text of the class action filing by financial institutions, which describes in detail the extent of Target's inaction and hesitance, is at: http://blogs.reuters.com/alison-frankel/files/2014/09/targetdatabreach-bankcomplaint.pdf

The biggest and most obvious problem was that Target ignored explicit warnings from inside and outside the company. Employees and security firms told Target that the breach had happened and was getting worse. The point of entry was a vendor whose computer systems were a sieve, giving Russia-based attackers a way into Target's network.

Target's $10 million settlement proposal was approved by a federal judge in March 2015. The settlement also required Target to hire a chief information security officer and to maintain a written information security program incorporating new data security measures. The settlement amount is a travesty given the scale of the financial impact. Target had already invested in an extensive revamp of its security systems by FireEye Inc., a well-regarded cybersecurity firm. The real problem was how deeply Target's management and board buried their heads in the sand.

A recent white paper advised corporate directors how to defend against class action lawsuits such as the one that produced the Target "wrist-slap". The white paper listed "three practices that boards should adopt to defend themselves" against such lawsuits. Unfortunately, the recommendations read much more like instructions on how to close the barn door after the horse has been stolen.

The recommendations focused on reactive measures designed by corporate counsel to limit adverse PR for the company or to draft corporate PR as a strategy to ward off stakeholder lawsuits.  The recommendations are simplistic, at best, and inadequate, at worst.

Cyber-savvy firms know that a much more effective strategy includes a clear company focus on identifying, before hacks happen, the high value information at risk in the company and protective measures commensurate with that value.
  • What data is valuable to the company, shareholders, and stakeholders? Why?
  • Where does the data reside?
  • How much data (e.g., emails) is archived to encrypted storage away from online access?
  • How many individuals/computers have access to the data? Who are they?
  • How much access is provided to vendors and suppliers? How protected are their systems?
  • What levels of access are permitted? Who manages that access?
  • How frequently are patches and other security protections applied?
  • How are payment systems secured?
  • Should more limitations be applied commensurate with the data’s value?
  • Are shareholders at risk?
  • Are stakeholders at risk? Which ones?
The next most important action would be to evaluate the potential and likely sources of incursions faced by the company and how well the company protects itself:
  • Is competitive espionage likely? National or international?
  • What are the company’s vendor or supplier vulnerabilities?
  • What are the known incident histories for software products at the company?
  • Where does the company have technology risk: in the cloud, the network, systems software, application software, outdated or legacy software/systems, data retention, mobile or remote device access, social media?
  • What are the known protections available? Are they current?
  • What monitoring tools are available?
  • Who is responsible for review and tracking?
  • How frequently are senior management and the board informed?
  • How will they respond and how quickly?
Finally, how well is the company preparing employees to be part of the solution rather than a source of problems in the area of cybersecurity? Companies rely upon extensive training to mitigate potential health and safety risks.  They must take a comparable approach to ensuring that employees are aware of cybersecurity hazards and act responsibly in any situation where hackers or intrusions could harm the company and any of its assets.
  • Have all employees been given basic cybersecurity training?
  • How often is that updated to reflect the constantly emerging risks?
  • Do employees know what data, what devices, and what services require extra cautions?
  • Are high value employee accesses limited and closely monitored?
  • Do employees lock or log off their computers when they leave their station?
  • Do employees know the precautions for carrying mobile devices away from the office?
  • Are appropriate employee background checks undertaken?
  • Is terminated employees' access promptly and completely revoked?
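Several of the questions above can be answered from data the company already holds: the HR roster and an export of access grants from its identity system. The following Python script is an added example, not part of the original post, that reconciles the two to flag access still held by terminated employees, privileged access on high value systems that nobody has used recently, and vendor accounts that can reach high value systems at all. The roster, grants, system names, the vendor name and the 90-day idle threshold are all constructed for illustration.

```python
"""Access review reconciliation for three of the checklist questions:
terminated employees' access, closely monitored high value access, and
vendor access. All roster and grant data below is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Systems the company has classified as high value (assumed labels).
HIGH_VALUE_SYSTEMS = {"pos-payments", "card-vault", "hr-pii"}


@dataclass(frozen=True)
class Person:
    user: str
    status: str                       # "active" or "terminated"
    employer: str                     # "company" or a vendor name
    terminated_on: Optional[date] = None


@dataclass(frozen=True)
class Grant:
    user: str
    system: str
    privilege: str                    # "read", "write" or "admin"
    last_used: date


# Constructed HR roster: two insiders and one third-party service account.
ROSTER = [
    Person("alice", "active", "company"),
    Person("bob", "terminated", "company", date(2015, 6, 30)),
    Person("hvac-svc", "active", "Acme HVAC Services"),   # assumed vendor
]

# Constructed access export from the identity system.
GRANTS = [
    Grant("alice", "card-vault", "admin", date(2015, 2, 1)),
    Grant("alice", "wiki", "write", date(2015, 8, 1)),
    Grant("bob", "pos-payments", "write", date(2015, 7, 15)),   # used after leaving
    Grant("hvac-svc", "building-hvac", "write", date(2015, 8, 3)),
    Grant("hvac-svc", "pos-payments", "read", date(2015, 8, 3)),
]


def terminated_with_access(roster, grants) -> List[Tuple[str, str, bool]]:
    """Grants still held by terminated people. The third field is True when
    the account was used after the termination date, which is a live
    incident rather than a missed deprovisioning step."""
    ended = {p.user: p.terminated_on for p in roster if p.status == "terminated"}
    findings = []
    for g in grants:
        if g.user in ended:
            used_after = ended[g.user] is not None and g.last_used > ended[g.user]
            findings.append((g.user, g.system, used_after))
    return findings


def dormant_privileged(grants, as_of, max_idle_days=90) -> List[Tuple[str, str, str]]:
    """Write/admin grants on high value systems unused for max_idle_days:
    candidates for removal under least privilege."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return [(g.user, g.system, g.privilege) for g in grants
            if g.system in HIGH_VALUE_SYSTEMS
            and g.privilege in ("write", "admin")
            and g.last_used < cutoff]


def vendor_high_value_access(roster, grants) -> List[Tuple[str, str, str, str]]:
    """Third-party accounts that can reach any high value system."""
    vendors = {p.user: p.employer for p in roster if p.employer != "company"}
    return [(g.user, vendors[g.user], g.system, g.privilege) for g in grants
            if g.user in vendors and g.system in HIGH_VALUE_SYSTEMS]


def access_review(roster=ROSTER, grants=GRANTS, as_of=date(2015, 8, 10)):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "terminated": terminated_with_access(roster, grants),
        "dormant_privileged": dormant_privileged(grants, as_of),
        "vendor_high_value": vendor_high_value_access(roster, grants),
    }


if __name__ == "__main__":
    for check, rows in access_review().items():
        print(check)
        for row in rows:
            print("   ", row)
```

The value of the third field in the terminated-access finding is the point: an account that merely survived offboarding is a process gap, but one that was used after the leaving date needs an incident response, not a ticket. In practice the roster and grant export come from the HR system and the directory or IAM platform; the checks themselves do not change.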
Kimberly Pease, CISSP, co-founder and Vice President of Citadel Information Group, Inc., a prominent Los Angeles-based information security management firm, sums it up this way:

“Policies and training on the people side and patching on the technology side will address most common problems and incidents. Studies show upwards of 80% of breaches are preventable.”

Only once technology and cybersecurity risks are known, and effective measures are in place to keep them out of a company's affairs, does it make sense to buy insurance and other measures to "cover" the known risks.

According to the lawsuit, Target received countless warnings about multiple breaches, but management, security personnel, and the board sat on their hands, probably conversing with internal legal counsel. Today's business demands heightened responsibility and resilience in the face of an extensive network of hackers and cyber espionage agents. A $10 million settlement is meaningless in view of the extent of the personal and business losses allowed by this ignominious breach.

Monday, July 27, 2015

Thomas on Data Breach

We have read a bit about the legal consequences of corporate data hacks, but nobody covers this topic more thoroughly than Liisa M. Thomas, partner at the Chicago offices of Winston & Strawn LLP and Chair of the firm's Privacy and Data Security Practice.

Thomas has updated the first edition of her comprehensive legal guide, Thomas on Data Breach: A Practical Guide to Handling Data Breach Notifications Worldwide, 2015 ed., with the February 2015 release of this must-have reference. In the marketing brochure Thomson Reuters announced the availability of the new release at legalsolutions.com and offered a 20% promotional discount (promotional code WPD20) making the $249 tome available at just under $200. 

This resource provides a comprehensive legal guide and roadmap for corporations and boards to:
  • evaluate what breach laws govern
  • identify what information may have been breached
  • determine if there was really a "breach"
  • analyze if an exception applies
  • determine who needs to be notified
  • draft the notice
  • figure out how and when to give notice
  • prepare a public relations strategy
  • create a plan for follow-up inquiries
  • take steps to stop another breach
Thomas has a unique "ability to create clarity in a sea of confusing legal requirements" through her comprehensive analysis of U.S. Federal and state breach notification laws in addition to international requirements. There is no better compendium of prevailing requirements and no clearer guide to addressing this side of the cybersecurity challenge.

In addition to Thomson Reuters, the reference is available from Amazon.com.