Rockefeller to Target: why haven’t you reported data breach to the Securities and Exchange Commission (US Senate, 28 Jan 2014) – Chairman John D. (Jay) Rockefeller IV today sent a letter to Target asking why the company has not yet reported its recent massive data breach to the Securities and Exchange Commission (SEC), as the Commission recommended in an October 2011 guidance. Rockefeller encouraged the SEC to issue this guidance, and is a strong supporter of giving investors more complete and timely information about cyber incidents such as the Target data breach. “A data breach involving the theft of personal information about tens of millions of Target customers is clearly a material cyber attack that has affected how your business operates. I am therefore puzzled why your company has not yet updated its SEC filings to reflect this event. Your failure thus far to provide this information to your investors does not seem consistent with the spirit or the letter of the SEC’s financial disclosure rules,” Rockefeller wrote. More recently, Rockefeller encouraged SEC Chairman Mary Jo White in April 2013 to issue Commission-level guidance to spur companies to take their cybersecurity efforts seriously. Chairman White recently asked SEC staff to review disclosure rules, saying, “I believe we should rethink not only the type of information we ask companies to disclose, but also how that information is presented, where and how that information is disclosed, and how we can take advantage of technology to facilitate investors’ access to information and make it more meaningful to them.” Rockefeller and Senator Claire McCaskill (D-Mo.) asked Target on January 14, 2014 for the latest findings on the circumstances that permitted unauthorized access to the financial and personally identifying information of as many as 110 million Americans. [Polley: see also the earlier To 8-K, or not to 8-K? For Target, that is indeed the question (Mintz Levin, 17 Jan 2014)]

Provided by MIRLN.

Image courtesy of FreeDigitalPhotos.net/Stuart Miles.

Japan warns of security risk in software for language input (Bloomberg, 26 Dec 2013) – Japan’s government warned that certain software used for writing Japanese characters could lead to security leaks, including some programs made in China. The National Information Security Center asked all central government ministries to avoid the programs when making confidential documents because a record of the writing can be sent to servers outside the country. The programs, made by Beijing-based Baidu Inc. (BIDU), Microsoft Corp. (MSFT) and Google Inc. (GOOG), allow people to use an English-language keyboard to write Japanese characters by spelling them phonetically.


Court upholds willy-nilly gadget searches along US border (Wired, 31 Dec 2013) – A federal judge today upheld a President Barack Obama administration policy allowing U.S. officials along the U.S. border to seize and search laptops, smartphones and other electronic devices for any reason. The decision (.pdf) by U.S. District Judge Edward Korman in New York comes as laptops, and now smartphones, have become virtual extensions of ourselves, housing everything from email to instant-message chats to our papers and effects. The American Civil Liberties Union brought the challenge nearly three years ago, claiming U.S. border officials should have reasonable suspicion to search gadgets along the border because of the data they store. But Judge Korman said the so-called “border exemption,” in which people can be searched for no reason at all along the border, continues to apply in the digital age. Alarmingly, the government contends the Fourth-Amendment-Free Zone stretches 100 miles inland from the nation’s actual border. The judge said it “would be foolish, if not irresponsible” to store sensitive information on electronic devices while traveling internationally. [Polley: ABA members might read my article on international travel with e-devices here.]


Senator wants cybersecurity answers from automakers (Tom’s Guide, 5 Dec 2013) – A U.S. senator has asked 20 automobile manufacturers how each plans to stave off wireless hacking attempts on vehicle computer systems, as well as prevent violations of driver privacy. “I write to request information regarding your company’s protections against the threat of cyberattacks or unwarranted invasions of privacy related to the integration of wireless, navigation and other technologies into and with automobiles,” wrote Sen. Ed Markey, D-Mass., in a letter to Daniel Akerson, CEO of General Motors, on Monday (Dec. 2). Markey’s questions imply that he wants carmakers to apply computer-industry security processes, including implementation of anti-virus software, incident logging, incident-response planning, software vulnerability patching and third-party penetration testing – the last of which would stage real hacker attacks on mass-production vehicles. Markey, one of the half-dozen lawmakers on Capitol Hill who has demonstrated a clear understanding of computer technology, cited research done earlier this year by two Pentagon-funded “white hat” hackers. “In a recent study that was funded by the Defense Advanced Research Projects Agency (DARPA),” Markey wrote, “Charlie Miller and Chris Valasek demonstrated their ability to directly connect to a vehicle’s computer systems, send commands to different ECUs through the CAN and thereby control the engine, brakes, steering and other critical vehicle components.”


Firms will need cyber “badge” to win some British govt business (Reuters, 12 Dec 2013) – Britain will announce on Thursday that firms wishing to bid for certain areas of government procurement will have to meet a new standard demonstrating basic levels of cyber security. The scheme forms part of the latest plank of Britain’s attempt to counter a growth in hostile cyber assaults, which has been earmarked as a top national security issue but whose progress has come in for severe criticism from lawmakers. The plans will include creation of a government-backed cyber standard for businesses which would be adopted for future procurement, while also designed to give insurers, investors and auditors something “they can bite on” when they weigh how good companies are at managing risks.

Is this a necessary precaution, a protectionist measure, an innovation killer, or all of the above?
