This guidance supplements the FTC’s “Start With Security: A Guide for Business” publication, published in June 2015. Please share it with your security professionals.
Will Your Company Have To Stop Using Kaspersky?
Acting Secretary of DHS, Elaine Duke, issued a BOD requiring departments and agencies to identify the use or presence of all Kaspersky products on their information systems and to develop detailed plans to remove and discontinue present and future use of the products and to finalize implementation of those plans within 3 months. She is…
ePrivacy Regulation On Track
The Council of the European Union published a revised version of the ePrivacy Regulation (EPR) which will be discussed at the September 19, 20 and 25th meetings of the Working Party for Telecommunications and Information Society. The EPR is keeping on track to meet its deadline of May 2018. As a regulation, it…
What is FOSS, and why should I be worried about it?
Free and Open-Source Software (FOSS) is computer software that can be classified as both free software and open-source software. Anyone who wishes to use FOSS is freely licensed to use, copy, study, and change the software in any way, and the source code is openly shared so that people are encouraged to voluntarily improve upon the design of the software. The Apache Software Foundation (web servers and other projects), the GNU Project (Linux) and the Android Open Source Project (mobile device platform) are some of the more popular FOSS projects that have been used to build the foundation of other products that are not free, like Red Hat Linux.
Software development and licensing can be an expensive proposition: free, open-source projects can offer a tempting shortcut in software development (the code is already there) and an attractive cost-saving alternative to purchasing or licensing expensive “off the shelf” solutions. However, with the use of FOSS comes a serious risk decision: everything is provided “as is.” With a commercial solution you have warranty and support contracts that you can rely on to keep the software as current and bug-free as possible. There is no such assurance with the use of FOSS, where you’re directly responsible for the quality and security of the ‘free’ code.
Before you decide whether or not to use FOSS either as a solution to a technical issue or as part of a software development project, ensure you address the following risk factors – seeking adequate counsel in any area where you don’t feel 100% sure you’ve covered all the angles:
Code review: Open source projects are coded by the public at large. While there is certainly a Wikipedia-like argument that “the more people that work on it, the better the product,” you will still carry the liability for anything you produce or use that incorporates open source code. Be careful that your IT teams apply the same level of rigor reviewing any open-source component of your products as they would to something they coded themselves. If you don’t have the staff for this kind of review, I recommend sticking with off-the-shelf business solutions as much as possible.
Drop By and Visit Us at the Privacy + Security Forum in DC!
We are happy to announce that we are sponsors of this year’s Privacy + Security Forum, and one of our own, Amy Carlson, is speaking on Healthcare Data Breaches: Unique Industry Issues and Prevention Strategies. Please stop by and learn more about the Stoel Rives LLP Privacy and Data Security Team.
Should I Place A Fraud Alert vs. Security Freeze?
As a privacy professional, almost all your fellow employees were affected by the Equifax data breach. You may be asked about whether to place a fraud alert or a security freeze. You can send this guidance from the FTC on the difference between fraud alerts and …
Yawn – Another Company Failed to Patch. Wait! 144 Million Affected?
A PR Disaster? Failure to promptly patch is an incredibly common cause of data breaches. Learn from Equifax’s situation about patching and communication. Boards, senior management and privacy personnel should confirm that patches are applied promptly. Also, when breaches occur, hire and listen to…
The Security Risk Assessment (SRA) Tool
If you’ve been looking for a simple tool to help you with an initial self-assessment of how compliant you are with the HIPAA Security Rule, the ONC – in collaboration with the HHS Office for Civil Rights (OCR) and the HHS Office of the General Counsel (OGC) – developed a downloadable tool to help guide …
Hacking vs. Phishing – and Why the Difference is Important for Cyber Insurance Coverage
As you work to finalize your cyber insurance riders or supplemental policies, it’s important to pay attention to the language around what is specifically covered. To ensure you’re receiving the coverage you want, the first step is to understand the difference between hacking and phishing, how that difference is being applied to your policy, and whether the language is interpreted as clearly and uniformly as possible by both parties.
Hacking is the use of exploits and vulnerabilities to gain access to and extract information from, disrupt or tamper with a computer system. Hackers break into a system and take information.
Phishing is the use of social engineering via e-mail to trick the recipient into revealing personal or confidential information, or granting access to a computer system either directly or through the installation of malicious software. Phishers convince you to let them into a system or give them information.
Why is this so important to your cyber coverage? Because there has been some fairly significant litigation around these differences, supporting both the upholding and the denial of coverage. Here are three examples of cases where interpretation of the rider/supplemental policy language led to litigation:
Universal American Corp. v. National Union Fire Insurance Co., 37 N.E. 3d 78 (N.Y. June 25, 2015)