FCC imposes first cybersecurity fine (Inside Counsel, 27 Oct 2014) – Private customer information has become a business asset in the connected age, and as criminals increasingly target large corporations to extract that information, regulators are being brought to task over how to implement fines for those who leave their data vulnerable. The Federal Communications Commission (FCC) has become the latest to join the ranks of regulators imposing fines for data negligence on companies, announcing on Oct 24 that it will impose its first fine related to data security on phone providers TerraCom Inc and YourTel America Inc. The FCC is asking for $10 million regarding the issue. The Commission alleges that the two companies collected personal information, including contact information and social security numbers, from customers in a manner that exposed its customer base to considerable risk of data theft. The fine was imposed based on the companies’ violation of the Communications Act of 1934.

Provided by MIRLN.

N.Y. financial regulator says to focus on cyber security (Reuters, 22 Sept 2014) – New York’s financial regulator said on Monday his agency will focus on cyber security over the next year, saying the possibility of a systemic attack to the financial system is one thing that keeps him awake at night. “It is impossible to take it seriously enough,” said Benjamin Lawsky, superintendent of the Department of Financial Services (DFS) for the state of New York. Cyberterrorism is “the most significant issue DFS will work on in the next year,” he said, speaking at a Bloomberg Markets event at the Museum of Jewish Heritage in lower Manhattan. A report earlier this year by DFS on cyber security in the banking sector found that most institutions surveyed have come under cyber attack at some point in the past three years. The attacks came irrespective of the institutions’ sizes, highlighting how prevalent an issue hacking has become.

Provided by MIRLN.

ISO’s new cloud privacy standard (Covington, 23 Sept 2014) – This summer, the International Standards Organization (ISO) adopted a new voluntary standard governing the processing of personal data in the cloud – ISO 27018. Although this recent development has gone mostly unnoticed by the technology and media press to date, the new cloud standard provides a useful privacy compliance framework for cloud services providers that addresses key processor (and some controller) obligations under EU data protection laws. ISO 27018 builds on existing information security standards, such as ISO 27001 and ISO 27002, which set out general information security principles (e.g., securing offices and facilities, media handling, human resources security, etc.). By contrast, ISO 27018 is tailored to cloud services specifically and is the first privacy-specific international standard for the cloud. ISO 27018 seeks to address such issues as keeping customer information confidential and secure and preventing personal information from being processed for secondary purposes (e.g., advertising or data analytics) without the customer’s approval. ISO 27018 also responds directly to EU regulators’ calls for the introduction of an auditable compliance framework for cloud processors to increase trust in the online environment (see the European Commission’s 2012 Cloud Strategy here). More specifically, the standard requires cloud providers to, among other things: * * *

Provided by MIRLN.

Unprepared law firms vulnerable to hackers (Pittsburgh Tribune, 14 Sept 2014) – Computer hackers are targeting top international law firms, including Pittsburgh-based K&L Gates, to steal intellectual property data and trade secrets, the Tribune-Review found. Cyber criminals stepped up attacks against lawyers to get around defenses set up by their corporate clients, who became more protective of their computer systems, legal and cybersecurity experts said. Too often, law firms do not employ the same high level of cybersecurity precautions that many major corporations practice, experts told the Trib. In addition, experts said these hackers increasingly work on behalf of foreign governments – or at least with their implicit protection. “Law firms are a rich target,” said Patrick Fallon Jr., the FBI’s assistant special agent in charge of the Pittsburgh field office. “They don’t have the capabilities and the resources to protect themselves. Within their systems are a lot of the sensitive information from the corporations that they represent. And, therefore, it’s a vulnerability that the bad guys are trying to exploit, and are exploiting.” Federal prosecutors in Pittsburgh charged Chinese military hackers this year with stealing attorney-client communications from SolarWorld, an Oregon-based solar panel manufacturer. Computer attacks on law firms happen every day, Fallon said, and the FBI warns attorneys about the threat. Many law firms don’t do enough to protect their computer systems, especially against an attack sponsored by a foreign government, agreed Thomas Hibarger, managing director of Stroz Friedberg, a law firm in Washington. “Protecting against state-sponsored hackers is a big undertaking, and many firms have not devoted adequate resources to address this threat,” Hibarger said. “Nation-state hackers are very, very sophisticated and targeted in their approach, and it is likely they will succeed.” For corporate clients with strong computer defenses, a poorly prepared lawyer can be like an unlocked back door into an otherwise secure operation, said Vincent Polley, a lawyer in Bloomfield Hills, Mich., who co-wrote the American Bar Association’s cybersecurity handbook. Because of the high cost of cybersecurity and the hassle of protecting documents, firms often are reluctant to invest in necessary technology. “Lawyers aren’t technologically adept. They’re not particularly interested in technology, and they’re loath to spend the resources – both time and money – to harden data” protection, Polley said.

Provided by MIRLN.

Get the GC plugged in to cybersecurity (Corporate Counsel, 13 August 2014) – As more countries try to create rules to deal with cybersecurity and data privacy, general counsel need to become more engaged participants in the conversation, said Kaye Scholer partner Adam Golodner, because those rules will affect future business. Recent incidents, including the massive hacking of data by a Russian gang revealed last week and the theft of customer financial data from Target Corp. in December, only accelerate the process. So GCs should “engage in those discussions now,” Golodner told CorpCounsel.com this week. Cybersecurity is a fundamental issue for general counsel and corporate counsel, Golodner said, and it now has escalated to a board of directors’ issue. “We’ve seen significant change over the past three years where it has matured to a top-level risk management issue,” he explained. Proposed legislation in the EU, he noted, will set cybersecurity standards for all enterprises. The proposal affects network and information security separate from the EU’s data privacy directive. Before these standards become final, Golodner said, there’s still a chance for multinational companies to participate in what the rules will look like.

Provided by MIRLN.

US universities at greater risk for security breaches than retail and healthcare (ZDnet, 21 August 2014) – The back-to-school season is a busy time for many, even hackers. According to a new report by the security rankings provider BitSight Technologies, higher education institutions experience an influx of malicious cyberattacks during the school year. But what’s worse is that most of those universities are ill-equipped to prevent and handle such attacks, which, according to the report, results in cybersecurity rankings below those of retail and healthcare – two sectors plagued by near-constant security attacks that often result in successful breaches. The majority of attacks experienced by higher education institutions come from malware infections, with the most prevalent being Flashback, which targets Apple computers. Other prominent malware includes adware and Conficker. BitSight said universities are the targets of so many attacks because they harbor a trove of sensitive and personal data, ranging from addresses and social security numbers to credit card numbers and intellectual property – and hackers are quick to notice the weak IT infrastructure in place to keep that data protected.

Provided by MIRLN.
