Australia's IoT Code, or "No worries, mate, she'll be right."

The Australian government has introduced a new code of practice to encourage manufacturers to make IoT devices more secure. 

The code provides guidance on secure passwords, the need for security patches, the protection and deletion of consumers' personal data and the reporting of vulnerabilities, among other things.

 The problem is the code is voluntary. Experiences elsewhere, such as the United Kingdom, suggest a voluntary code will be insufficient to deliver the protections consumers need.

Indeed it might even increase risks, by lulling consumers into a false sense of security about the safety of the devices they buy. more

Employer Best Practices For Monitoring Remote Devices

It is generally known that individuals have reduced privacy rights for work-related activity than they have in their personal lives, and that these reduced privacy rights extend to devices owned or provided by their company.

As just one example, consider the federal Electronic Communications Privacy Act, or ECPA, which permits employers to: 

(1) monitor employees' oral and electronic communications to the extent that they relate to a legitimate business purpose;
(2) monitor any communications for which the employee has provided consent; and
(3) access emails that are stored by the employer.

All of these exceptions decrease an individual's privacy rights and reasonable expectation of privacy in work-related matters. However, is "exceptions" the correct word? Exceptions to what? Does this reference a specific privacy law or privacy rights in general? 

(The short version.) Ultimately then, the best practice for employees is to keep work and personal devices and communications entirely separate even in COVID-19 times. more

Proposed Bill: Anti-Espionage Theft in Airports

U.S. Rep. Ross Spano (R-FL) signed on to co-sponsor a bill designed to protect the transportation infrastructure from espionage and intellectual property theft. 

The bill, HR 6917, the Airport Infrastructure Resources (AIR) Security Act, would prohibit federal airport improvement funds from being used in the purchase of passenger boarding bridges made by companies that have violated the intellectual property rights of the United States.

Introduced by Reps. Ron Wright (R-TX) and Marc Veasey (R-TX), the bill is intended to keep the Chinese Communist Party from spying on American airline passengers, and to prevent China from any further power grab, Wright said. more

Trade Secret Protection in a Nutshell

Trade Secret Law in a Nutshell (book)

The federal Defend Trade Secrets Act and similar laws in most states let employers seek injunctions for the return of certain business information if three things are true: 

1. The information is actually secret,  
2. the business has taken "reasonable measures" to keep it so, 
3. and the information has "independent economic value" because it's unknown to others who could profit from it.

These cases often turn on what an employer did to protect its alleged secret. If security was tight, it stands a good chance at getting an injunction; if it was lax, it'll likely lose. more

Attorney Warns Business Against Relaxing Security Standards

via Seyfarth Shaw LLP - Jeremy A. Cohen

And, of course, there are bad actors taking advantage of the current situation.

Relaxed security make systems and information far more susceptible to hacking and other data breaches, which often carry mandatory reporting obligations and hefty penalties, and invariably lead to class action lawsuits, not to mention privacy concerns.

Accordingly,  companies should think twice before loosening these security standards. By all accounts, the current COVID-19 crisis will be relatively short-lived (whether that means weeks or months is, of course, unknown), but as the saying goes, once a secret is known, it cannot be unknown.

And when this is all said and done, while courts will likely give some leeway as a result of the emergency situation, if basic safeguards were disregarded, courts may have a hard time concluding that a company undertook reasonable efforts to safeguard its information, as is required in all jurisdictions to merit trade secret protection. more

Business Security Trend: Proactive Information Security... Legislated by law!

via Brian G. Cesaratto, Epstein Becker Green
New York is the latest state to adopt a law that requires businesses that collect private information on its residents to implement reasonable cybersecurity safeguards to protect that information.

New York now joins California, Massachusetts and Colorado in setting these standards. New York’s law mandates the implementation of a data security program, including measures such as risk assessments, workforce training and incident response planning and testing. 

Businesses should immediately begin the process to comply with the Act’s requirements effective March 21, 2020.

Notably, New York’s law covers all employers, individuals or organizations, regardless of size or location, which collect private information on New York State residents.

In order to achieve compliance, an organization must implement a data security program that includes:

• reasonable administrative safeguards that may include designation of one or more employees to coordinate the security program, identification of reasonably foreseeable external and insider risks, assessment of existing safeguards, workforce cybersecurity training, and selection of service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract;
  
• reasonable technical safeguards that may include risk assessments of network, software design and information processing, transmission and storage, implementation of measures to detect, prevent and respond to system failures, and regular testing and monitoring of the effectiveness of key controls; and

• reasonable physical safeguards that may include detection, prevention and response to intrusions, and protections against unauthorized access to or use of private information during or after collection, transportation and destruction or disposal of the information.

 

Supreme Court Relaxes the Confidentiality Standard... but you have to do your part!

via Blank Rome LLP - Robyn N. Burrows

The Supreme Court in Food Marketing Institute v. Argus Leader Media, No. 18-481 (U.S. June 24, 2019) recently relaxed the standard for withholding confidential information under Exemption 4 of the Freedom of Information Act (“FOIA”)—a major win for contractors that regularly submit sensitive business information to the government...

To take full advantage of the Court’s holding, companies doing business with the government should keep in mind the following practical tips:

• Carefully document all efforts to keep information private.* This includes updating internal policies on maintaining the confidentiality of company records, increasing security features limiting access to certain sensitive data, and providing additional training to employees on how to properly handle confidential business information.

• In submissions to the government, clearly indicate which information is to be kept confidential. This includes marking the data with a protective legend identifying it as subject to Exemption 4 protection. Be aware that certain statutes and regulations may require specific language to be used.

• To the extent possible, obtain written assurances from the agency that the information will be kept confidential and will not be released to third parties absent the contractor’s consent. Contractors may also be able to negotiate contractual provisions protecting the data to be submitted to the government. more

* An independent consultant specializing in quarterly holistic information security audits can do this for you. 

San Francisco Prohibits Deployment Of ‘Secret Surveillance’ Technologies

Although the facial recognition aspects of the ordinance have been the most publicized, it also targets a long list of other products and systems.

According to the ordinance, "Surveillance Technology" means “any software, electronic device, system utilizing an electronic device, or similar device used, designed, or primarily intended to collect, retain, process, or share audio, electronic, visual, location, thermal, biometric, olfactory or similar information specifically associated with, or capable of being associated with, any individual or group.” Broadly interpreted, that’s a lot of devices.

The ban only applies to city departments and agencies, not to private businesses or the general public. Therefore, San Franciscans can continue to use facial recognition technology every day when they unlock their smart phones.

And technologies such as facial recognition currently used at the San Francisco airport and ports are not impacted because they are under federal jurisdiction. more

Police Can't Take Suspect's Garbage Without a Warrant, in Oregon

The Oregon Supreme Court on Thursday disagreed with more than 50 years of state case law by ruling that Oregonians retain a privacy interest in the garbage they leave on the curb for pick-up. That means police can’t search the garbage without a warrant even after a truck hauls it away...

The majority opinion noted that even the U.S. Supreme Court has said Americans don’t have a reasonable expectation of privacy “in trash left for collection in an area accessible to the public.” But the U.S. Supreme Court also said individual states are free to impose “more stringent constraints on police” based on their own constitutions.

Thursday’s ruling applies to curbside refuse collected from private homes. It doesn’t appear to apply to trash thrown in public garbage cans in public places. more

California Weighs Limiting Smart Speaker 'Eavesdropping'

California is weighing whether to ban smart speakers from storing customer voice recordings by default. 

The Anti-Eavesdropping Act moving through California's state legislature would require all smart speaker vendors, including Amazon and Google, to get explicit written consent from customers before voice queries are stored.

The same legislation also seeks to ban smart speaker vendors from sharing voice-recording data with a third party, unless the customer has opted into it. more

Can Doctor Visits be Recorded? - State & Federal Laws Govern

Audio and video recordings of doctors’ visits can be used to improve patients’ and families’ understanding of medical conditions and care instructions. In some situations, however, providers may be concerned that recordings could be harmful or illegal or may cause liability down the line.

What legal protections apply to recordings of doctors’ visits, and what rights do doctors have to limit recordings when they are uncomfortable? more

The Bose Knows... legally

According to a recent decision from a federal district court in Illinois, Bose Corp. may monitor and collect information about the music and audio files consumers choose to play through its wireless products and transmit that information to third parties without the consumers’ knowledge. 

Such action does not violate the federal Wiretap Act or the Illinois Eavesdropping Statute.

As such, the Court granted Bose’s motion to dismiss the plaintiff’s class action claims. more

From Those Wonderful Folks Who Brought You APT - Manditory Free Pen-Testing

New provisions made to China's Cybersecurity Law gives state agencies the legal authority to remotely conduct penetration testing on any internet-related business operating in China, and even copy and later share any data government officials find on inspected systems...

These new provisions, named "Regulations on Internet Security Supervision and Inspection by Public Security Organs" give the MSP the following new powers:

• Conduct in-person or remote inspections of the network security defenses taken by companies operating in China.
• Check for "prohibited content" banned inside China's border.
• Log security response plans during on-site inspections.
• Copy any user information found on inspected systems during on-site or remote inspections.
• Perform penetration tests to check for vulnerabilities.
• Perform remote inspections without informing companies.
• Share any collected data with other state agencies.
• The right to have two members of the People's Armed Police (PAP) present during on-site inspection to enforce procedures. more

FutureWatch - Who Really Lives in that Apartment

NY - A Brooklyn landlord intends to install facial recognition technology at the entrance of a roughly 700-unit rent-stabilized complex, raising alarm among tenants and housing rights attorneys about what they say is a far-reaching and egregious form of digital surveillance...

“We don’t want to be tracked,” said Icemae Downes, a longtime tenant. “We are not animals. This is like tagging us through our faces because they can’t implant us with a chip.” more

Corporate Security: Will Your "Secret" Status Hold Up in Court?

via Epstein Becker Green - Peter A. Steinmeyer
A federal judge in Chicago recently taught a painful lesson to an Illinois employer: even if information is sufficiently sensitive and valuable that it could qualify as a “trade secret,” it won’t unless the owner of the information took adequate steps to protect its secrecy. 

This doesn't qualify.

In a thorough opinion issued in the case, Abrasic 90 Inc., d/b/a CGW Camel Grinding Wheels, USA v. Weldcote Metals, Inc., Joseph O’Mera and Colleen Cervencik, U.S. District Judge John J. Tharp, Jr. of the Northern District of Illinois explained that “there are two basic elements to the analysis” of whether information qualifies as a “trade secret”:

(1) the information “must have been sufficiently secret to impart economic value because of its relative secrecy” and

(2) the owner “must have made reasonable efforts to maintain the secrecy of the information.” more

Contact a Technical Information Security Consultant if you are unsure about the "reasonable efforts" you should be taking.

Business Espionage – A Cunning Protection Plan to Protect us and U.S.

We are bombarded with news stories and court trials tornado-ing around Chinese spies. They’re everywhere. Collecting everything. They are such a fixture in and around our hapless businesses that it only seems right to offer them health insurance, a pension plan, cookies and milk.

But wait. Let’s think this through.

Aren’t these the folks who had the secrets of silk stolen from them by Justinian I? Humm, could this be why great neckties are made in Italy, not China? Even their espionage death penalty law couldn’t protect them. Boom! Business espionage devastated their economy.

I also recall a dude from the UK, Robert Fortune, sort of an early 007. He was sent to steal the secrets of tea production from… Have you guessed yet? China! That caper is now know as The Great British Tea Heist. Boom! Business espionage devastated their economy yet again.

Oh, and what about the Chinese secret of making porcelain? A French Catholic priest stole that one. BOOM!! I could go on and on. Gunpowder, paper, etc. Bing! Bam! BOOM! 

Feeling sorry for China yet? Don’t. They are making up for it, right now. The disk drive that just started whirring in your computer… it might be them.

And, don’t think this is just some cosmic Yin and Yang, great mandella, or as we say here in New Jersey, “What goes around, comes around.” No, that explanation is too simplistic, not to mention fatalistic. There is more to this industrial espionage business. The circle is bigger. This is history repeating itself, over and over and over, but I think I have the solution... more

Australia's New Encryption Law May Rock the World - bad'day mate

A new law in Australia gives law enforcement authorities the power to compel tech-industry giants like Apple to create tools that would circumvent the encryption built into their products.

The law, the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, applies only to tech products used or sold in Australia. But its impact could be global: If Apple were to build a so-called back door for iPhones sold in Australia, the authorities in other countries, including the United States, could force the company to use that same tool to assist their investigations. more

The Weed of Crime Bears Bitter Fruits - The Worldwide Huawei Wows

Federal prosecutors are pursuing a criminal investigation of China’s Huawei Technologies Co. for allegedly stealing trade secrets from U.S. business partners, including technology used by T-Mobile US Inc. to test smartphones, according to people familiar with the matter.  

The investigation grew in part out of civil lawsuits against Huawei, including one in which a Seattle jury found Huawei liable for misappropriating robotic technology from T-Mobile’s Bellevue, Wash., lab...

On Wednesday, a bipartisan group of congressional lawmakers introduced legislation that would ban the export of U.S. components to Chinese telecommunications companies that are in violation of U.S. export-control or sanctions laws. Backers said the bill was aimed at Huawei and ZTE Corp...

Last month, Canadian authorities arrested Huawei Chief Financial Officer Meng Wanzhou at the request of U.S. authorities...

In another development, Polish authorities last week arrested Huawei executive Wang Weijing and charged him with conducting espionage on behalf of the Chinese government. more

Court: Authorities Can't Force Technology Unlocks with Biometric Features

A judge in California ruled Thursday that U.S. authorities cannot force people to unlock technology via fingerprint or facial recognition, even with a search warrant.

Magistrate Judge Kandis Westmore, of the U.S. District Court for the Northern District of California, made the ruling as investigators tried to access someone's property in Oakland.... (however)

The judge in her ruling stated the request was "overbroad" because it was "neither limited to a particular person nor a particular device." The request could be resubmitted if authorities specify particular people whose devices they'd like to unlock. more

New Year’s Resolutions for Your Intellectual Property

by Bryan K. Wheelock - Harness, Dickey & Pierce, PLC 
Its the start of a new year, and here are ten things that you should consider doing to enhance your intellectual property in 2019... more

Number 3 is... "Take secrecy seriously. Trade secret protection depends upon whether steps, reasonable under the circumstances, have been taken to protect the secrecy of the subject matter."

The other numbers offer sage advice as well. ~Kevin