- Lawyer - Private Practice | SANS Instructor: Law of Data Security & Investigations | Author: Law of E-Commerce | Blogs: BYOD, Bitcoin, Cyber-attacks, Digital Forensics
- Lawyer, present: Contracts, policies, training and public communications in regards to risk and compliance in technology law around the world.
Benjamin Wright is an attorney in private practice. He helps others navigate the law of data compliance, including privacy, outsourcing, IT security, online investigations and forensic investigations. He teaches e-discovery, BYOD, cryptocurrency and data protection law for SANS Institute.
Mr. Wright has published hundreds of blog posts on technology law. Search them.
Wright is known for promoting screencast video to document legal investigations in social media and audit evidence in online trading platforms.
To email Mr. Wright, please send to ben_wright at compuserve dot com; put "BLOG" in subject line.
Speaker and Author
Mr. Wright is a frequent public speaker at professional groups like state CPA societies and local ISACA chapters. As author of technology law books such as Law of Electronic Commerce, he blogs on electronic data, records, security and social media law, and he spots trends, such as the rise of big data as a tool for legal investigations.
Mr. Wright is an editor for compliance topics at SANS Institute's Securing The Human program.
Texas Bar Association publishes an attorney profile on Mr. Wright.
Mr. Wright mentors students at SMU's Lyle School of Engineering. He is a member of the Pennsylvania College of Technology Advisory Committee for the Information Assurance and Cyber Security Degree.
IMPORTANT: No public comment by Mr. Wright (blog, book, tweet, video, update, speech, article, podcast or the like) is legal or other professional advice. If you need legal advice, you should hire and consult a lawyer.
Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.
Public Education and Discussion
Mr. Wright's blogs, tweets, videos, web comments, web courses and the like are intended to promote public education and discussion. They are not intended to advertise or solicit legal services. They constitute an online update service for the book Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is published by Wolters Kluwer.
Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to (a) notify him at 1.214.403.6642 (b) comment publicly on his blogs or pages that he is wrong. Promptness helps mitigate damage.
Any person accessing Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Mr. Wright's interests.
Forming an Attorney-Client Relationship
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchange of private messages with Mr. Wright does not, by itself, create an attorney-client relationship.
Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.
IMPORTANT Confidentiality Notice
Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.
The only person responsible for Mr. Wright's words is Mr. Wright.
Mr. Wright often earns financial or other reward from those he mentions or links on blogs and social media, such as Yellow Brick, Messaging Architects/Netmail, SANS Institute, Credant Technologies, state CPA societies, Park Avenue Presentations, LabMD and others.
Some images, sounds and font output associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.
Dallas, Texas. Tel: +1.214.403.6642
- Georgetown University Law (J.D. 1984): Law, 1981 - 1984
- Trinity University: English, 1978 - 1981
- Data Law Blog (current)
- Cyber Investigation Evidence (current)
- Electronic Records blog (current)
- Forensic Investigation blog (current)
- Security & Investigations Training (current)
- Crowdfunding Law Blog (current)
- SANS Technology Institute (current)
- SANS Institute (current)
- Preserving Cyber Evidence (current)
- Cyber Forensics (current)
- Telemedicine Law (current)
- Data Security Breach Investigation (current)
- 1990s Electronic Commerce Law (current)
- Electronic Signature Law 2000 (current)
- Online Privacy History (current)
- Digital Evidence Law (current)
- Digital Signature Law History (current)
- The Law of Electronic Commerce, book (current)
- Data Protection Law 2004 (current)
- Internet Safety (current)
- SANS Survey of Digital Forensics #DFIR (current)
- Electronic Signature Law 1990s (current)
Public relations is more important to legal controversies than many lawyers and non-lawyers appreciate.
Home Depot is today in legal jeopardy because it has announced what appears to be a large breach of payment card data.
The Home Depot predicament fits into a historical context. Many major data breaches have happened before today, including TJX, Target and Sony Playstation Network.
Home Depot faces many difficult choices in the coming weeks. HD’s statements to the public about this breach will affect the company’s
* legal liability
* relationship with customers
* support or hostility from payment card issuers
* punishment from regulators
As explained in the blog post below, the SANS Institute offers unique professional training on this topic. The SANS course emphasizes the role of public communications in coping with infosec legal and reputation risk.
#homedepotbreach #dfir #databreach
Cyber insurance is in the news. On the heels of the many data security breaches that have happened recently, two lawsuits have been filed between the corporate victims and their cyber insurance companies. The insurance companies have said that their cyber insurance policies (for which premiums had been paid) did not cover the particular breaches that happened.
These lawsuits raise controversy. The cyberdefense community is debating the role of cyber insurance. See the blog article below, including the comment I posted at the end of the article.
What do you think?
As researchers demonstrate how to hack into the Internet of Things ... like Jeeps (!) ... then new defenses are necessary. An increasingly popular style of defense is called Active Defense. Aggressive Active Defense can raise legal questions for defenders. The blog post below offers ideas for reducing legal risk.
What do you think?
#ThreatIntel #ActiveDefense #PenTest
Below I published an FAQ on the law and ethics of Active Defense.
In connection with that, SANS hosted a popular Twitter Chat on Active Defense, featuring the incomparable John Strand and Bryce Galbraith, plus me.
I am keen to learn more about the cybersecurity topic known as "Active Defense." I invite your comments.
#activedefense #infosec #ethicalhacking
In the video below, Cory Doctorow makes a compelling case for open source stuff. But he fails to acknowledge that sometimes closed, proprietary systems are more desirable.
The iOS ecosystem is fabulously successful. Is it because iOS is open source? No. iOS is basically a closed, proprietary, tightly controlled ecosystem.
So why do people buy iOS systems rather than Android or Linux? A key reason is that, in the eyes of many consumers, iOS consistently delivers a better package of innovation and reliability.
Consumers are not forced to buy the closed iOS ecosystem. Consumers have alternatives, including open source alternatives. But many consumers (not all) have decided that they prefer the closed, proprietary ecosystem of iOS.
Doctorow says people don't like it when vendors use law to make closed ecosystems. He says consumers don't wake up and hope that a vendor has given them an IoT ecosystem that limits what can connect to it. The success of iOS proves he is (in some cases) wrong.
In some cases, the trick to making an ecosystem work is "discipline". Discipline makes sure that only good stuff gets into the ecosystem, and the bad stuff (spam, viruses) is kept out.
In iOS the discipline is enforced by Apple, using all the powers of law (many of which Mr. Doctorow says, in the video above, are bad).
An example of an open source ecosystem that has achieved the needed discipline is Bitcoin. Bitcoin decides what is good and what is bad by motivating miners to vote. If the miners vote not to make a change to Bitcoin (maybe because the proposed change will inject fraud or unreliability), then the change is rejected.
To me, it is not clear that open source is always more efficient. Bitcoin, for example, suffers great inefficiency. It costs a tremendous amount of electricity to keep Bitcoin running. Some people argue that Bitcoin is therefore ecologically unsustainable. ... But then the advocates of Bitcoin say that future bitcoin-type projects will learn from the mistakes of the past and will be more efficient.
Legally speaking, an infosec incident investigation is very dangerous. If you conduct an incident investigation, your legal and political adversaries are motivated to claim you did something wrong.
Your adversaries include regulators, politicians and plaintiff lawyers. If they come to possess any hint that you did something wrong, then they are motivated to extract money from you (e.g. lawsuit or fine) and to grandstand against you in the media.
Therefore, when you or your enterprise investigates an "incident," you have incentive to keep the investigation confidential. You may accurately conclude that the incident did not amount to a data breach.
But you don't want your adversaries to see the details of your investigation. They have incentive to nit-pick and second-guess your investigation and find an excuse to claim you did something wrong.
See discussion and tips in SANS Institute's DFIR blog post below.
#databreach #DFIR #cyberattack
Below is episode 1 in an 8-part video series. The 8 parts summarize the book The Devil Inside the Beltway. The book chronicles the strangest and possibly longest legal case in the history of cyber security.
The curious case of LabMD new developments in the “other” FTC data-secur...
By now, businesses with an interest in data security are aware of FTC v. Wyndham Worldwide Corp., in which a US District Court of New Jersey
Here Are My Official Comments on the New York Department of Financial Se...
Dear Mr. Syracuse: I am an attorney and Certified Public Accountant with a Master's Degree in Accounting. For nearly twenty years I have als
Toni Ruttimann: The Bridge-Builder | Indonesia Expat
Meet Toni Ruttimann, the bridge-builder. He is, literally, bringing two worlds together; one community at a time. Toni has built over 600 br
FTC told to disclose the data security standards it uses for breach enfo...
As reported in Computerworld yesterday, there was a leg …
Is Zippo Getting Zapped? | Litigation News | ABA Section of LitigationA...
Florida court rejects Zippo’s “sliding scale” for jurisdiction over Internet activity.
Spy Privacy Subpoena Law: Definition of Data Security Breach
When Has Privacy of Credit Card or Social Security Numbers been Compromised? Security Incident Response and Information Protection Law. Many
FINRA and the SEC Move One Step Closer to JOBS Act Implementation
Washington, D.C. (PRWEB) January 31, 2013 – Earlier this week FINRA invited prospective Crowdfunding portals to voluntarily file an interim
Computer forensic delays a growing problem? | Cybercrime Review
It is hard not to notice the growing number of cases that revolve around or discuss the delays associated with processing computer forensic
Hide & seek profile research Discreet & Confidential
Hide & seek profile research. Discreet & Confidential. We all have felt the stings of betrayal from lies told by people very close t
Microsoft DMCA Notice ‘Mistakenly’ Targets BBC, Techcrunch, Wikipedia an...
Over the last year Microsoft asked Google to censor nearly 5 million webpages because they allegedly link to copyright infringing content. W