The Chinese and U.S. economies are so inextricably linked that China naturally is the main culprit for targeted theft of confidential business information and proprietary technologies.  However, there are many other state-sponsored and political “hacktivist” groups that are actively stealing corporate digital assets.  The proliferation of employee-owned mobile devices in the workplace, along with antiquated network systems, has allowed cyber-criminals to access corporate databases at unprecedented levels.  Saudi Arabian oil producer, Aramco, was recently a victim of a massive cyber-attack where 30,000 desktop PCs were wiped in what some can only presume was designed to disrupt oil production.  Additionally, JP Morgan Chase, Wells Fargo, and Bank of America were victims of a sustained distributed denial of service (DDoS) attack that appears to have been commenced overseas.

What frustrates investigators most when a breach of corporate data occurs is the lack of internal and external controls within the organization.  While readily available technology allows organizations to address security issues, it is often a failure to properly train and educate employees that makes theft of intellectual property so easy for cyber-criminals to obtain.  Technology alone will not prevent the theft of intellectual property.  Organizations must have a tone at the top mentality when it comes to awareness training and policy creation around cyber-security.

How quickly other organizations adopt Netflix’s example will be dependent upon an internal assessment of risk for potentially running afoul against decades-old rules that are designed to protect consumers and investors from fraudulent activities.  The SEC has signaled an unwillingness to update years of regulatory legislation, in response to new technology, out of fear that doing so would create a slippery slope of deceptive or “puffed” disclosures/activities.  Frustrated by this unwillingness, many financial industry and Wall Street firms are trying to seek guidance on how to apply social-media disclosures to antiquated regulatory requirements.

An example of this frustration is whether a third-party’s use of the “like” button on a financial services company Facebook page, or endorsing an advisor’s skills on LinkedIn, could be viewed as an improper testimonial defined under applicable regulations.  Such an act, could potentially subject the company, and/or individual, to penalties and jail time.  Financial services firms seek relief from these regulatory bans that prohibit testimonials in advertisements, but the SEC considers them to be “inherently misleading,” and suggests they get pre-clearance before posting on social media sites.

Therefore, while the SEC seems to have acknowledged the presence of social media in our daily routines, it still remains skeptical on how it is going to be applied in our everyday world and will leave it up to the organizations to police themselves.  In this regard, a proper assessment of social-media use within an organization is an emerging talking point across most boardrooms in America.

Software Application firms are weary of the new rules because they fear regulatory fallout from developing a game, like Angry Birds, and being classified as a “kid app” under the new COPPA rules.  Such a designation would subject the game designer to strict regulatory requirements or face civil penalties.  The FTC has signaled that it will look to define what constitutes a “kids’ app” broadly, and suggests that all software firms know the law if they plan on building an app with a cartoon character in it.  Enter the lessons learned in Big Tobacco…

In the mid-1990′s, Big Tobacco faced an onslaught of class action and regulatory (i.e. FTC) lawsuits that would end up changing the way the industry fundamentally advertises its products to the general public.  On or about September 12, 1997, the Tobacco Industry was informed that “Joe Camel in California is dead.”  The makers of the Joe Camel marketing campaign, R.J. Reynolds, repeatedly denied that it was targeting smoking to minors, and stated that the Joe Camel campaign was directed at “adults in their 20′s who choose to smoke.”  However, R.J. Reynolds agreed to settle the numerous lawsuits by agreeing to a cash settlement payout and dropping the ads that depict Joe Camel.

Now one would logically ask how in the world do kid apps and the targeting of smoking to minors belong in the same discussion?  The answer to that question lies in a minors’ ability to make an intelligible informed decision.  For years Big Tobacco lawsuits addressed the health, safety and public welfare issues related to minors smoking, but it was not until Joe Camel was literally put on trial, that the issue of a minors’ informed consent was raised.  How possible is it for a minor to distinguish between a simple cartoon character and the message that cartoon character is sending?

Similarly, App Industry advocates suggest that in order to offer free software apps, data collection about the user, like time spent on the device, is needed to ensure its long-term ability to offer targeted advertising (which is where their money is made).  Additionally, app providers fear losing important third-party data aggregators, because the data aggregators don’t want to deal with the regulatory headache of COPPA.  Online privacy advocates, like their predecessor anti-smoking advocates, state that the lucrative children’s technology market needs basic fundamental safeguards in place to prevent minors from being preyed upon by Big Data advertisers.  Is it incredulous for app development firms to know when your child goes to sleep, eat, bathroom, etc., based on their login/logout time?  Is there an expectation that a minor has the capacity to fully understand that their location may be accessed remotely via the mobile device they are walking around with?  In that sense, a seven year-old boy/girl will login to Angry Birds expecting to smash pigs and hippos, and not fully comprehend the impact of his/her actions.

Stagnation is the worst thing that could happen to any organization, and never being satisfied with the status quo is what sets successful organizations apart.  Application firms need to change the development process to make regulatory compliance a core part of their design programs – but is that necessarily a bad thing?  Big Tobacco companies have survived now for almost 15 years without Joe Camel by adapting the strict regulatory requirements into their advertising campaigns.  In this vein, software application firms are no different – at least the innovative ones.  The future of the software application industry depends upon its ability to develop a product that is adaptable to emerging trends.

The Court opined that the “uniquely sensitive nature of data [stored] on electronic devices” gives rise to a significant expectation of privacy that renders an exhaustive exploratory, or in Cotterman’s case, forensic, search more intrusive than a mere cursory scan, or quick look, through the electronic device.  The Court continues to state that “digital media nowadays contains volumes of intimate details of our lives.  It is simultaneously an office and personal diary.  This type of material implicates the 4th Amendments specific guarantees of the people’s right to be secure in their papers.”

In the “cloud,” an electronic device (i.e. laptop) is merely a conduit for accessing user data that, in earlier times, would be akin to sensitive “papers” found in the home – thus triggering 4th Amendment protections for the cloud data.  While the information stored in the “cloud” may not itself cross the U.S. border, it may appear as a “seamless part of the digital device when presented at the border.”  In making reference to cloud computing technology, the Court seems to not distinguish between the type of hardware being used to store electronic data.  Regardless of whether the device is mobile, like a laptop, or stationary, like a server, a warrant is needed, absent reasonable suspicion, to search the content of any electronic device.

The Cotterman conclusion is consistent with, and builds upon, other “electronic data” 4th Amendment cases brought before the 9th Circuit.   In U.S. v. Comprehensive Drug Testing (the “Balco” case), the Court was asked to determine the proper administration of a search warrant.  In the Balco case, the Court determined that special, independent third-parties must segregate and redact seizable data from non-seizable data when the Government wants to execute a search warrant of electronic databases.  Again, the Court is trying to prevent the Government from conducting an unfettered dragnet on persons who might not even be aware that information is being seized about them.

As for Mr. Cotterman’s narrative, the Court did conclude that the forensic examination of his laptop required a showing of reasonable suspicion, however the facts, viewed in totality of the circumstances, supported the Government’s assertion that the border agents had acted upon reasonable suspicion in conducting the initial search of Mr. Cotterman’s laptop and subsequent forensic examination.

Advocates for regulatory oversight suggest that the federal government should develop a set of strict security standards that are developed in “concert” with the National Security Agency and other agencies.  However, Telco advocates say that a “checklist” of government standards would be “clunky,” create an additional layer of unnecessary bureaucracy, and potentially expose ISPs to liability for failing to prevent cyber-attacks (since a vast majority of malicious code travels over the fiber optic pipes owned by Telco’s). 

The irony behind the Telco industry lobbying against a checklist of standards for fear that their industry would become ”clunky” and “bureaucratic,”  has never made a customer service call to Verizon, AT&T, et al, or taken a tour of a telecommunication co-location facility.  A response to the “bureaucratic” position requires little mention, simply because its absurdity.  A co-location facility, which is the physical aberration of the Internet “clouds,” can best be described as a large, climate- and air- controlled office space with a seemingly endless series of interconnected wires, metallic racks stuffed with servers, switches, routers, processing units, “fan noise” and blinking yellow, blue, red, orange, and white lights that resembles Dr. Seuss’ Thinga-ma-jigger - it’s the definition of already being “clunky.” 

In fairness to the regulatory oversight advocates, the government has been telling the private sector for years that self-regulation is a preferred option, but even self-regulation has its limitations.  Organizations cannot self-regulate, because they themselves have become, or are, too bureaucratic – and this is not limited only to the Telco industry.  If the Telco industry wants to have a straight-faced discussion on why a checklist of standards would not work, then they should look no further than the financial sector.

The financial industry has tried its own version of self-regulation in the form of the Payment Card Industry Data Security Standard, or as it is more commonly known, “PCI Compliance.”  Banks and credit card companies love to show regulators that they have their act together when it comes to the issue of cyber-security, because participating members must be in compliance with the set of standards articulated by the PCI governing body (which is exclusively made up of banks and credit card companies).  The problem with the PCI checklist is that, regardless of when a breach of data will occur (and it will),  the customer, not the credit card companies,  will still be liable for the loss in data.  There is no “risk transference” in the PCI standard, and therefore what’s the incentive for customers to be PCI compliant?

Consider the Heartland Payment Systems (HPS) data breach case - at the time, the HPS data breach was the world’s largest release of unauthorized data; HPS was PCI Compliant; ended up numerous pending class action lawsuits as a result of the data breach; PCI governing body “revoked” their compliance AFTER the breach; and HPS is still in business today.  Result:  can a checklist of standards have any teeth if a company is “certified” compliant one day, and a cyber-incident occurs on another?