Some courts making ‘it might happen’ grounds for litigation

The U.S. appeals courts are split on whether the simple perception or belief that stolen data might be used is grounds for litigation.

A recent federal appeals court ruling in a putative class action lawsuit that says plaintiffs can sue even if there is only fear of, but no actual, damage from a data breach further deepens an appeals court split on the issue and enhances its chances of being considered by the U.S. Supreme Court, experts say (Greenwald, 2017).

This is interesting and concerning.  All organizations are vulnerable to an attack.  No security framework is perfect.  Prevention, detection, and response are all important actions taken by diligent organizations, so how these are implemented and conducted should be considered when assigning liability.  Juries and judges are not likely to understand this.

I agree that negligence should be grounds for litigation.  However, no organization that promptly and effectively responds to a breach should be held liable.  Thoughts?


Biometrics theft is not necessarily the end of the world

Theft of biometrics data is becoming more frequent.  A recent example is the breach of Avanti point of sale systems.   Although this is a problem, it isn’t likely as high risk as many believe.  Stored biometrics data is hard to turn into a working credential, so in most cases the effort required is too high for the attacker’s financial return.  Possible theft of biometrics data therefore shouldn’t be a reason to stop using biometrics as an authentication factor.

When a user registers a physical attribute with a biometrics solution, the raw image or scan is not what gets kept.  The attribute’s distinguishing characteristics are extracted and converted to a numeric representation (a template), and that template is encrypted and stored.  At verification time a fresh capture is converted the same way and compared to the stored template within a tolerance, since no two captures are identical.  According to Larry Greenemeier, in an article written for Scientific American, “Misuse of stolen digital fingerprint files is hardly that straightforward and would involve cracking encryption codes, reverse-engineering data files and several other complicated procedures that are probably not worth the effort.”

The biggest problem is not in the actual risk.  It is in the public’s perception of the risk.  We have enough challenges trying to get many people to accept biometrics without spreading misinformation about the risk.  Yes, we need to protect biometrics data.  Yes, theft of this data elevates risk.  However, biometrics alone should never be used to protect highly sensitive information, and the effort needed to use stolen customer biometrics data is likely too high for common use.

There is an exception, however, that might elevate the risk above acceptable levels.  What if the attacker captures the live sample passing between the sensor and the biometrics verification algorithm, and replays or substitutes it?  Any solution selected to protect our customers or our highly sensitive information must protect that path and be designed in ways that make this kind of attack highly improbable.
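The following is an added example, written for this post and not taken from any product or from the Avanti breach, that shows the two points above in code: a stored template is a lossy numeric derivation matched within a tolerance, not a replayable copy of the finger, and the sensor-to-matcher path can be protected so that a captured sample cannot be replayed or substituted.  It assumes a key shared between the sensor and the matcher (a stand-in for a real attested or hardware-protected channel), uses constructed eight-value feature vectors in place of real minutiae, and leaves out encryption of the template at rest, which a real deployment would add.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real biometric measurements). Each value stands in
# for one measured feature, e.g. the position or angle of a fingerprint minutia.
ENROLL_SAMPLE = [200, 35, 120, 77, 14, 250, 90, 160]
PROBE_SAMPLE = [203, 33, 118, 79, 12, 247, 92, 158]    # same finger, slightly different capture
IMPOSTER_SAMPLE = [40, 200, 10, 150, 220, 30, 180, 60]  # a different finger

BUCKET = 16        # quantization step: capture-to-capture jitter maps to the same bucket
MAX_MISMATCH = 2   # tolerance: how many features may land in a different bucket


def make_template(sample, bucket=BUCKET):
    """Derive the stored template: a quantized, lossy view of the sample.
    The original measurements cannot be read back out of it."""
    return tuple(v // bucket for v in sample)


def match(template, sample, max_mismatch=MAX_MISMATCH):
    """Compare a fresh capture to a stored template within a tolerance.
    Values near a bucket boundary may flip, which is what the tolerance absorbs."""
    candidate = make_template(sample)
    mismatches = sum(1 for a, b in zip(template, candidate) if a != b)
    return mismatches <= max_mismatch


class Sensor:
    """Hypothetical sensor that binds every capture to the matcher's challenge and
    authenticates it with a key the matcher shares (an assumption for this example)."""

    def __init__(self, key):
        self.key = key

    def capture(self, nonce, sample):
        sample_bytes = bytes(sample)
        tag = hmac.new(self.key, nonce + sample_bytes, hashlib.sha256).digest()
        return (nonce, sample_bytes, tag)


class Matcher:
    """Hypothetical verification service holding templates and outstanding challenges."""

    def __init__(self, key):
        self.key = key
        self.templates = {}   # user -> template (would be encrypted at rest in practice)
        self.pending = {}     # user -> nonce of the one challenge currently outstanding

    def enroll(self, user, sample):
        self.templates[user] = make_template(sample)

    def challenge(self, user):
        nonce = secrets.token_bytes(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user, message):
        nonce, sample_bytes, tag = message
        expected = self.pending.pop(user, None)
        # Freshness: the sample must answer the challenge we issued and each
        # challenge is consumed on first use, so a captured message cannot be replayed.
        if expected is None or not hmac.compare_digest(nonce, expected):
            return False
        # Integrity and origin: a substituted or altered sample fails the MAC check.
        mac = hmac.new(self.key, nonce + sample_bytes, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, tag):
            return False
        template = self.templates.get(user)
        if template is None:
            return False
        return match(template, list(sample_bytes))


def demo(key=None):
    """Run enrollment, a genuine verification, a replay, and a substitution.
    Returns the outcome of each step so the behaviour can be checked."""
    key = key or secrets.token_bytes(32)
    sensor, matcher = Sensor(key), Matcher(key)
    matcher.enroll("alice", ENROLL_SAMPLE)

    captured = sensor.capture(matcher.challenge("alice"), PROBE_SAMPLE)
    genuine = matcher.verify("alice", captured)

    matcher.challenge("alice")                      # a new login attempt begins
    replayed = matcher.verify("alice", captured)    # attacker resends the sniffed message

    nonce, _, tag = sensor.capture(matcher.challenge("alice"), PROBE_SAMPLE)
    substituted = matcher.verify("alice", (nonce, bytes(ENROLL_SAMPLE), tag))

    imposter = matcher.verify("alice", sensor.capture(matcher.challenge("alice"), IMPOSTER_SAMPLE))
    return {"genuine": genuine, "replayed": replayed,
            "substituted": substituted, "imposter": imposter}


if __name__ == "__main__":
    print(demo())
```

Two things to take from this.  First, `make_template` throws information away, which is why a stolen template is not the same as a stolen password: it neither reproduces the finger nor, on its own, produces a message the matcher will accept.  Second, the only attack that does get a valid sample into the pipeline is one on the live path, and binding each capture to a single-use challenge and an origin check is what closes it; without `pending` and the MAC, `replayed` and `substituted` would both succeed.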