Wednesday, 12 April 2017

One of the biggest cyber threats that many US companies face is theft of their intellectual property (IP).  This includes trade secrets, patents, software and copies of tangible goods.  The recently released “Update to the IP Commission Report” gives tangible, current information on all four categories.  The original report was published in 2013 amidst headlines about Chinese cyber-attacks on US businesses.  The conclusion of the February 2017 update report is that IP theft continues, although the headline-grabbing thefts may have dropped off.  Not all intellectual property theft results from a cyber-attack, although most thefts are cyber-enabled.

The most notable report points related specifically to trade secret theft are:

  • Total loss to US economy in the range of $180-$540 billion per year

  • IP-intensive firms responsible for 35% of jobs in US labor force

  • No evidence that China has stopped hacking US firms

The updated report also includes recommendations, including those for improved cybersecurity:

  • Implement vulnerability mitigation measures such as information sharing

  • Support US companies that can identify and recover IP stolen through cyber means

  • Reconcile needed changes in the law with changing technical environment

The report is a good read for anyone interested in locking down trade secrets and other intangible assets against cyber thieves.

Posted on 04/12/2017 4:07 PM by Fred Scholl
Thursday, 6 April 2017

The Tennessee legislature recently passed a modification to the state privacy breach notification requirements, § 47-18-2107.  The modification has been sent to the governor for signature.  Unfortunately, the modification just confuses the law’s requirements.

The existing code says that a breach notification is required if “unauthorized acquisition of unencrypted computerized data” takes place.  The breach also has to materially compromise the security, confidentiality, or integrity of personal information. This seems clear to me.

The new code says that notification is required when acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information takes place.  The data does not have to be unencrypted.

However, subsections add an exception for encrypted data.  If the data breached is encrypted, breach notification is not triggered.  One encryption exception is for data encrypted in accordance with FIPS 140-2, a Federal Information Processing Standard.  I have never seen this used in private business.  The second exception is for information that has been made “unusable”.  On the face of it, this would seem to include any type of “encryption” process, good or bad.

So, in the old (current) law, if you lost unencrypted data, you had to carry out notification.  The new law seems to say that that’s still true, but if you have any reasonable encryption process, you have no duty to notify.

Posted on 04/06/2017 11:20 AM by Fred Scholl