Basic Data Security, Passwords, and Entropy

An interesting chart is working its way around the internet showing that the number of serious data breaches in the US has soared from around 400 in 2007 to over 1,300 in 2017. The chart itself isn’t what’s interesting, because (a) the number of breaches is always rising and (b) a good half, or more, of breaches are unreported anyway. No, what’s interesting is that this chart should be newsworthy at all – to me, it is definitely a “dog bites man” kind of story. It makes perfect sense there are more breaches now than ever because there are more users, more devices, and more cybercriminals than ever. In ten years, there’ll be even more of all three. Read More

GDPR Countdown – 14 Weeks to Go

Among the mis/disinformation about GDPR readiness, I’ve noticed two trends. First, there are some who take a ho-hum approach to data security and advocate a wait-and-see approach to GDPR enforcement. That’s…that’s just a terrible idea, for reasons I hope are clear to you by now. The second trend is to go way too far in the other direction, and essentially argue that every company on earth will need to be fully GDPR compliant on May 25. I know, imagine it, something that’s not true made its way onto the internet. After predictions of doom, this latter group typically says that they are the solution to your woes, and makes a strong pitch that you should hire them to be your Data Protection Officer (“DPO”), because the GDPR mandates that every company needs one, and only they can protect you. Read More

Siri, Alexa, and Cortana Walk Into a Bar…

Early mornings have become substantially easier since connected devices learned to do the thinking for us. Now, rather than having to wait until after the coffee is made to be a functional human and tackle important tasks like changing the temperature in the house, making toast, or turning on a light, we have devices that know (or learn) to do what we want at the flick of a finger in an app. Everyone seems to have adjusted to this change pretty well and, let’s be honest: despite fears of the Internet of Things (IoT) being like HAL from 2001: A Space Odyssey, so far it’s a lot more like this. Read More

GDPR Countdown – 15 Weeks to Go

I was working with my son on his homework last night, and before we began, I had to look in his backpack to find a pencil. I assumed it would be a fairly simple task: open a compartment and there it would be. In fact, it was a ten minute exercise of sorting through a nearly unbelievable assortment of items. His bag included (I’m not kidding), about twenty small heart-shaped erasers (a Valentine’s gift, no doubt), eight medium-large rocks, five small rubber balls, a Highlights magazine, two handfuls of pine tree bark, the entire Narnia series, and a fruit roll-up wrapper. Which brings me to the perfect analogy for how companies treat data. Read More

Are China’s Companies Ready for GDPR?

One of the most frequently discussed aspects of the GDPR is its global scope – if a data controller is established in the EU or if it markets its goods or services in the EU, then the Regulation generally applies. For the most part, practical and scholarly analysis has focused on how that will affect businesses in the United States. Given the drama surrounding the end of the Safe Harbor and the (likely) drama surrounding Privacy Shield, there’s no shortage of interesting things to say on EU-US data issues. Read More

Data Security in the Air

I was traveling last week, and as I answered some emails mid-flight over North Carolina, I remembered how complicated (and outrageously expensive) it used to be to make a phone call from an aircraft. You remember: Airfone. Now, we take for granted the ability to get connected at 30,000 feet and get annoyed when we can’t stream Netflix for ten minutes without a buffering lag. Read More

Data Breaches are Torts (Not the Delicious Kind)

A common data breach scenario runs along these lines: Company X keeps sensitive consumer data, including name, credit card information, and email address. Despite the company’s promises, this information isn’t encrypted, pseudonymized, or subject to restricted access. The data are accessible from any networked computer at work and through the company’s web portal. The data are stolen by a recently-terminated employee, who gained access to the database because the password is “admin” or “password12345.” (If these are your actual passwords, stop reading and go change them. I’ll wait.) Read More
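The “admin” / “password12345” passwords in the scenario above, and the “Passwords, and Entropy” post at the top of this page, both come down to the same check a system should have been running. The example below is added here as an illustration and is not code from the blog or from any product it mentions: it rejects a password if it (or its stem with trailing digits removed) appears in a blocklist, and otherwise estimates an entropy upper bound from the character classes used. The blocklist is a constructed stand-in for a real breached-password corpus, and the 60-bit threshold is an assumed policy value.

```python
"""Password screening: blocklist first, then a generous entropy estimate."""
import math
from dataclasses import dataclass

# Constructed blocklist (assumption): a real deployment would load a large
# breached-password corpus here rather than a handful of literals.
COMMON_PASSWORDS = {"admin", "password", "password12345", "123456", "qwerty", "letmein"}

# (name, membership predicate, size of the class as the attacker would model it)
CLASS_SIZES = (
    ("lower", lambda c: c.islower(), 26),
    ("upper", lambda c: c.isupper(), 26),
    ("digit", lambda c: c.isdigit(), 10),
    ("symbol", lambda c: not c.isalnum(), 33),
)


@dataclass
class Verdict:
    ok: bool
    bits: float
    reason: str


def estimate_entropy_bits(pw: str) -> float:
    """Upper bound on entropy: every character drawn uniformly from the union of
    the character classes the password actually uses. Real strength is lower
    (dictionary words, keyboard walks), which is why the blocklist runs first."""
    pool = sum(size for _, pred, size in CLASS_SIZES if any(pred(c) for c in pw))
    if pool == 0:
        return 0.0
    return len(pw) * math.log2(pool)


def check_password(pw: str, min_bits: float = 60.0) -> Verdict:
    """Reject blocklisted passwords and their 'word + digits' variants, then
    require the entropy estimate to clear min_bits (assumed policy value)."""
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return Verdict(False, 0.0, "in common-password list")
    # "password12345" -> "password": strip the trailing digits people tack on
    stem = lowered.rstrip("0123456789")
    if stem in COMMON_PASSWORDS:
        return Verdict(False, 0.0, f"common word '{stem}' plus digits")
    bits = estimate_entropy_bits(pw)
    if bits < min_bits:
        return Verdict(False, bits, f"estimated {bits:.1f} bits < {min_bits}")
    return Verdict(True, bits, "ok")


if __name__ == "__main__":
    for candidate in ("admin", "password12345", "Password99", "Abc123", "Xq7#vL9pR2mN"):
        v = check_password(candidate)
        print(f"{candidate!r:18} ok={v.ok!s:5} bits={v.bits:6.1f} {v.reason}")
```

The order of the two checks matters: the entropy estimate alone would score “Password12345” as 13 characters over a 62-symbol pool, which looks respectable on paper, so the blocklist (and the digit-stripping variant check) has to run first. Tune `COMMON_PASSWORDS` and `min_bits` to your own policy; the values here are placeholders.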