There is no specific legal requirement for law firms in North Carolina to carry cyber insurance. However, certain laws mandate the implementation of reasonable security procedures to protect personal information. These include:
The costs associated with a data breach can be substantial, particularly for small law firms. While specific North Carolina data is limited, national reports provide insight:
Though specific data for North Carolina law firms is not available, general data provides a useful benchmark:
Key North Carolina laws that govern data protection include:
The North Carolina Rules of Professional Conduct highlight ethical obligations for lawyers concerning data protection:
While not having cyber insurance is not illegal, it leaves the firm exposed to significant risks and costs in the event of a breach. These could include:
While cyber insurance is not legally mandated in North Carolina, the financial risks of a data breach and the ethical obligations of lawyers make it a prudent consideration. The decision to purchase cyber insurance should be based on a careful risk assessment, considering the firm’s specific circumstances and the potential costs of a breach versus the cost of insurance.
By securing cyber insurance, you can safeguard your legal firm against the growing threat of cyber incidents, ensuring both financial stability and compliance with legal obligations.
]]>This is also a time to be with (or contact) loved ones, reflect upon what you have achieved, and plan for the upcoming year.
With all this travelling, buying, and communicating, it is also a great opportunity for those with coal in their hearts to use the Festive Season to spread malware, collect personal data, and hand out data breaches.
Expect phishing attacks to be on the rise, specially using phone calls and text messages pretending to be a loved one in need or a misplaced package.
The pictures you took of your holiday events and shared in social media may be used against you
For those of you who are business owners, this is not a time to relax your defenses:
The MOVEit-related data breaches, which we talked about before, are still going strong.
This is also the time when boss needing gift cards scams are on the rise.
Vigilance is the Price of Freedom, and that means you being vigilante. Don’t rely the protection of your (and that of your customers, employees, and loved ones) information on some magic product or service. You need to understand what you need to protect and how much you need to share before deciding on how to do that. There are a lot of resources out there. Companies like ours offer training on business/personal data security and data privacy. The Federal Trade Commission puts out consumer alerts. We run a blog discussing the different types of phishing attacks we have observed and how to identify them.
You are not alone but you must do your part. Make learning about data security and data privacy a goal for next year. And stick to it!
]]>This event wasn’t just another conference; it was a vibrant gathering of minds – urban planners, tech gurus, policymakers, and visionaries, all brainstorming on how to weave technology into our cityscapes.
At this summit, ideas were flying left and right. Topics ranged from governance and cybersecurity to privacy and tech integration, all seen as vital to urban transformation. We delved into how IoT, AI, and 5G are reshaping our cities, making them more connected and efficient.
Sustainability was a hot topic too. There was a lot of buzz about how to make our cities greener and more livable, focusing on creating spaces that are tech-savvy yet environmentally friendly.
We also talked a lot about transforming transportation and infrastructure. Think electric vehicles (EVs) and smart traffic systems – all part of making cities more advanced and liveable
Now, let’s talk about Generative AI. This tech could totally change the game for smart cities. It’s about analyzing loads of data, foreseeing trends, and coming up with solutions that make city life better.
Imagine less traffic congestion, safer roads, and smarter energy use. Generative AI can make all of this (and more) possible.
At the summit in Raleigh, I was struck by the focus on using tech for the good of the community. There was a lot of talk about Generative AI and its role in governance, cybersecurity, and privacy. Yet, I noticed something missing: a mention of ISO standards, which are crucial for setting privacy safeguards in AI and Machine Learning for Smart Cities.
I believe the Smart Cities Privacy ISO/IEC TS 27570:2021 standard could be a key player here. Though this ISO is not specific to AI it can serve as a foundation to act as a bridge until new formal standards emerge and are accepted.
Here’s a chart of ISO 27570 supporting standards to show you what I mean.
The Raleigh summit was a melting pot of ideas from city, industry, business, and academic leaders, all focused on making our region smarter and more connected. We looked at how AI and innovative technologies can build sustainable smart cities.
But it was more than just a status update on smart cities; it was a peek into the future. Discussions and demos of Generative AI showed us what’s possible and what’s coming. This tech isn’t just about innovation; it’s about building cities that are sustainable, focused on their citizens, and ready for the future. This is a future I hope for my children and their children’s lives. Let us all work toward this brighter tomorrow in hope for them
]]>The sequence of events looks like a replay of our discussion on Wordpress plugins and the importance of maintaining a healthy supply chain: vendor finds vulnerability, publishes patch, and customers do not apply it. On 31 May 2023 Progress Software disclosed a vulnerability that affected its MOVEit Transfer and MOVEit Cloud products, and issued a patch to address that. This vulnerability had a severity rating of 9.8 out of 10. Further patches were issues on 9 June and 15 June.
Why have these patches not been deployed by the affected organizations running MOVEit locally (on premises)? Unfortunately, some companies have strict patch policies such as only allowing updates once every quarter or only when they do not affect the deadlines of the income-generating – marketing, sales, product development – groups.
Maintain your supply chain!
]]>Since 2015, efforts have been ongoing in Congress to update COPPA. None of these bills have progressed past the various congressional committees and subcommittees. The Kids PRIVACY Act, by US Representative Kathy Castor (FL), and the The Children and Teens’ Online Privacy Protection Act, by Senator Edward J. Markey (MA), are two of the bills introduced in 2023. These initiatives demonstrate a strong commitment to addressing the unique challenges of protecting children’s online privacy in the 2020s. Some the key provisions of the Children and Teens’ Online Privacy Protection Act are
While the The Children and Teens’ Online Privacy Protection Act reached the Committee on Commerce, Science, and Transportation, the Kids Privacy Act has advanced to the Subcommittee on Innovation, Data, and Commerce. No further action has been recorded in either bill. Given the history of the similar bills that have been introduced in the previous congress sessions, there is a great possibility neither will progress any further.
We need a privacy law that protects minors and is in tune with the modern digital landscape. Our senators and representatives must overcome congressional inertia. They must discuss and vote on these bills so they can move forward and become laws.
]]>It’s summer. You may want to travel, visit family or friends, or just enjoy watching a butterfly float past. You probably want to save the memory with a picture, or share it with a picture you post online.
You may already know that your camera/phone saves information about the picture, such as time and date, and location. You may have chosen to turn this feature off.
What other information is in the picture?
Anything else in the picture is in the picture.
Other people, buildings, vehicles, your mail/ bills/ package labels, your credit card, car GPS…
Other people may be in the picture. Not everyone wants to share where they are and what they are doing. Maybe there is drama, or even a restraining order, in their life and they very much do NOT want it shared where they are and what they are doing. See if you can get a good angle without other people identifiable in the background, or ask if it’s OK. If it isn’t OK for them to be in your picture, please wait for them to clear the area. You may be able to reassure them that you won’t be publicly posting the picture. Bear in mind that any posting online (including private groups) may be found by a determined investigator, and that the Internet doesn’t forget. If you do post in a private group then get agreement from EVERYONE in the group that NOTHING will be shared further, or anywhere else, or outside your private group.
Buildings, businesses, and landmarks may be in the picture.
You can find the location where a picture was taken by adding these background bits together.
Geolocation skills can be useful for a geocache quest, geologists, anthropologists, marketing, building and bridge damage estimation for disaster recovery, law enforcement, journalism, war crimes investigation, offensive cybersecurity, and stalkers.
JoseMonkey can (usually) find the location where a picture was taken if you post your video or picture, tag him in the comments and say or have a sign asking him to find you, and are over 18.
If you’d like to learn and practice, Search by Image browser tool can be found in the Chrome web store, and GeoTips offers tips so you can become a GeoGuessr.
Have fun, but also remember that it’s not just all about you.
]]>Companies doing business in these states will need to comply with these new laws, which may require changes to their data collection, storage, and how they share data. They may also need to update their privacy policies and provide consumers with new rights and disclosures. It is important for businesses to review the specific requirements of each state law. When more states follow with their own privacy laws then it will cost more to comply than to protect customer privacy.
Currently there is no single Federal privacy privacy law to oversee this issue nationally. There have been repeated efforts to create a federal privacy law to solve this issue. The American Data Privacy Protection Act (ADPPA) was proposed by the House of Representatives who wanted to protect businesses from the complications of too many state regulations.. This federal law will set a minimum standard. Some states have pushed back because of concern the ADDPA will override part of their state law. Its legal authority is based on The Commerce Clause in Article 1, Section 8, Clause 3 of the U.S. Constitution, which gives Congress the power to regulate commerce. The ADPPA would level the playing field with a clearer and more unified set of rules for business to operate under. The simplified law leads to cost savings enabling companies to better protect their customer’s data privacy.
We can expect by the summer of 2024 the number of states having their own individual privacy laws will increase. This is a growing gap that the Federal government must fill quickly. Unless the ADPPA is signed into law then businesses will continue to struggle protecting their customers’ data privacy while handling so many state privacy laws. If ADPPA is passed, businesses can finally spend more to protect than to comply.
]]>To make this a bit more real, let’s talk about the most commonly used web content manager, WordPress
There is a running joke about how insecure it is given the mind-boglling number of vulnerabilities related to it. Thing is, WordPress by itself is actually quite secure. The source of vulnerabilites is the plugins, and the top two reasons are
There is a lot of them. Some are well written and maintained, others not quite. People building websites look for plugins based on which task they are trying to solve and feedback. This feedback most of the time is about how easy to install and use a given plugin is; just because a plugin is popular does not mean it is well maintained, specially regarding security.
Many people deploy these plugins in a fire-and-forget fashion: they will only check on whether the plugin has a new update when it crashes or cause the site to crash. This by far is the largest source of problems: it does not matter how quickly the developers identify a vulnerability and create a patch to fix it; if nobody applies it, it is useless. Worse: attackers will now know the patch has a vulnerability and then will start looking for unpatched sites.
Let’s use a real life example to show how bad that can be: A few days ago we learned that the WordPress cookie consent plugin named Beautiful Cookie Consent Banner, which is currently deployed in more than 40,000 locations (you may have a single deployment being used by multiple websites), is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS). This allows an attacker to send malicious commands to a vulnerable website (do you remember the 40 thousand locations we mentioned earlier? That translates to more than 1.5 million websites) and take over not only the website but also the computer running it. Since this is a privacy blog, we need to talk about that angle: once they compromise the website, they can go after any confidential information – user data, passwords, credit card info – available in the website.
This vulnerability has been known since January of 2023, and has been immediately patched by the developer (good job!), but many sites have yet to apply the patch.
If we go back to our supply chain, the original weak link was the plugin. That was solved in January. The next weak link is to ensure the patched plugin is used in the website. Until that is done, this chain is still very weak.
Maintain your supply chain!
]]>ChatGPT is a powerful tool that can provide businesses with a new competitive advantage. By automating content creation and providing more personalized customer experiences, ChatGPT can help businesses save time and costs.
It grants greater operational freedom and strengthens their online presence.
This advantage will be the driving force for adoption by corporate
management to gain an edge in sales automation, customer service, software
coding and consumer advertising.
We can expect to see even more uses emerge over time as ChatGPT’s
business adoption continues growing.
Not everyone is ready and eager to embrace this tool.
Italy banned the use of ChatGPT recently within
its borders because of privacy concerns.
Currently OpenAI, the parent company of ChatGPT, is in talks with the Italian
Government to allow citizens of that European nation access this product.
Italy requires OpenAI to improve transparency, allow users to view and
delete their data, and implement additional safeguards to protect minors.
These proposed privacy controls by Italy’s government should be applied internationally. This must be addressed to protect ChatGPT user’s privacy and intellectual property.
What are the main ChatGPT-related privacy threats?
Phishing attacks: Cybercriminals are already using ChatGPT to write more realistic phishing emails to trick more people into revealing their private information or downloading malware. Sometimes that is labeled “social engineering”. No matter the label, the danger and damage done is real.
Access to sensitive data: ChatGPT already has accessed billions of Internet data points and it is growing daily. It can be used to gain access to more sensitive information by connecting previously separated data sources together to reveal private data and intellectual property such as human generated artwork, writing, and coding for example.
Today a growing number of businesses and consumers are using AI technologies for gaining a competitive advantage. We should be extremely careful about what types of information we share with ChatGPT and similar tools. This is very important if people want to integrate ChatGPT into their business operations. Now it may be impossible to put this AI genie back in the bottle due to business competition and cybercriminal threats.
Worldwide, nations should support the responsible use of ChatGPT. Government’s must step into this new arena of public use of AI tools to create a consensus for the public good. This requires that each nation forges a new coalition of the public, government, and business to create new and effective regulations for AI usage and privacy protection.
]]>Panera Bread started to deploy Amazon-based Palm scanning for payments and loyalty rewards in two locations in the St. Louis area. The reason for using this biometric technology is a frictionless, personalized, and convenient service: instead of its customers having to be inconvenienced with grabbing their wallet or phone to pay for their order, all they have to do is hover their hand over the sensor and the order it processed and their MyPanera Rewards are updated. On the top of that, if they hover their hand as they get in, they are greeted by name by the Panera associates.
According to Amazon, it scans the shape of your hand and the shape of the veins inside it. Palm vein pattern recognition is considered a reliable biometric identification method since it is unique to a person and does not change much with age.
Panera and Amazon claim this technology is much more privacy conscious than other biometric solutions such as face recognition because, according to them, you cannot identify people from looking at the image of their palm.
Well, that reasoning has a few issues:
In turn this is tied to their MyPanera account. For this to work, palm scanning must be enough to identify customers so Panera can submit the right bill to the right person.
Amazon did say if users submit a request, it will delete their personal information it already collected.
We believe there is no reason for you to allow Panera and Amazon to connect your biometric data. With that said, given this is an opt-in service, it is up to you to decide if the convenience outweighs surrendering your personal information.
]]>