- Lawyer, Private Practice (present) | SANS Instructor: Law of Data Security & Investigations | Author: Law of E-Commerce | Blogs: BYOD, Cyber-attacks, Digital Forensics, Professional Training
Benjamin Wright is an attorney in private practice, advising clients on privacy, outsourcing, IT security and forensic investigations. He teaches e-discovery, BYOD and cyber-investigation law for SANS Institute.
Mr. Wright has published hundreds of blog posts on technology law. Search them.
Wright is known for promoting screencast video to document legal investigations in social media and audit evidence in online trading platforms.
To email Mr. Wright, please send to ben_wright at compuserve dot com; put "BLOG" in subject line.
Speaker and Author
Mr. Wright is a frequent public speaker at professional groups like state CPA societies and the Institute of Internal Auditors. As author of technology law books such as Law of Electronic Commerce, he blogs on electronic data, records, security and social media law, and he spots trends, such as the rise of activists and whistleblowers wielding small video cameras. In 2010, Russian financial authorities tapped Mr. Wright for advice on regulation and investigations in the micro-finance industry.
Mr. Wright is (sometimes) editor for compliance topics at SANS Institute's Securing The Human program.
Texas Bar Association publishes an attorney profile on Mr. Wright.
Mr. Wright graduated Georgetown University Law 1984. He mentors students at SMU's Lyle School of Engineering.
IMPORTANT: No public comment by Mr. Wright (blog, book, tweet, video, update, speech, article, podcast or the like) is legal or other professional advice. If you need legal advice, you should hire and consult a lawyer.
Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.
Mr. Wright's public blogs, tweets, videos, web comments and the like are intended to promote public discussion. They are not intended to advertise or solicit legal services. They constitute the online update service for the book Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is published by Wolters Kluwer Law and Business.
Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642. Also, please state publicly on Mr. Wright's blogs or pages that he is wrong. Promptness helps mitigate damage.
Any person accessing Mr. Wright's blogs, tweets, profiles, comments, web pages or other public activities or statements agrees not to use data from them in a way that is adverse to Mr. Wright's interests.
Forming an Attorney-Client Relationship
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly, formally agree that the relationship is being formed. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchange of private messages with Mr. Wright does not, by itself, create an attorney-client relationship.
Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.
IMPORTANT Confidentiality Notice
Benjamin Wright is licensed as an attorney. Some of Mr. Wright's non-public records stored in the cloud are confidential and subject to protections associated with attorney work and communications. The laws of many countries recognize such protections. Mr. Wright insists that you recognize those protections with respect to his records and communication.
The only person responsible for Mr. Wright's words is Mr. Wright.
Mr. Wright often earns financial or other reward from those he mentions or links on blogs and social media, such as Yellow Brick, Messaging Architects, SANS Institute, Credant Technologies, state CPA societies, Park Avenue Presentations, LabMD and others.
Some images and sounds associated with Wright's work and comments are copyrighted by Corel Corporation or its licensors or partners like iStockphoto; they reserve all their rights. Some images are declared on wikimedia to be public domain. Mr. Wright strives to respect IP rights, but sometimes technology behaves in surprising ways. If you are an IP owner and you have a problem with something published by Mr. Wright, please telephone him promptly. Trademarks are property of their respective owners.
Dallas, Texas. Tel: +1.214.403.6642
- Georgetown University Law (J.D. 1984), Law, 1981 - 1984
- Trinity University, English, 1978 - 1981
- Cyber Investigation Evidence (current)
- Electronic Records blog (current)
- Forensic Investigation blog (current)
- Security & Investigations Training (current)
- Data Law Blog (current)
- Crowdfunding Law Blog (current)
- Police Technology Abuse? (current)
- SANS Technology Institute (current)
- Video: Wright on Trends InfoSec Law (current)
- SANS Institute (current)
- Cyber Forensics (current)
- Telemedicine Law (current)
- Data Security Breach Investigation (current)
- 1990s Electronic Commerce Law (current)
- Electronic Signature Law 2000 (current)
- Online Privacy History (current)
- Digital Evidence Law (current)
- Digital Signature Law History (current)
- The Law of Electronic Commerce, book (current)
- Data Protection Law 2004 (current)
- Internet Safety (current)
- SANS Survey of Digital Forensics #DFIR (current)
- Electronic Signature Law 1990s (current)
- Preserving Cyber Evidence (current)
When a computer defender engages in unconventional or “active” defense measures, a serious concern is collateral damage. An innocent party can be hurt. The defender may not possess enough information to know for sure who she is actively disabling or surveilling.
In the blog post linked below, an investigator had good justification to snoop on someone. But the investigator failed to carefully factor the possibility that the target of the investigation would be considered innocent by a court.
Thus, the good investigator looked arguably like a bad guy in the harsh light of the courtroom.
As explained in the blog post below, wise investigators and defenders can take measures to reduce the risk that an innocent party will be damaged.
#activedefense #eavesdropping #forensicinvestigation
In reaction to Target’s credit card data breach, banks have sued one of Target’s security vendors, Trustwave. Trustwave audited Target’s compliance with the Payment Card Industry Data Security Standard (PCI-DSS) and provided ongoing monitoring of security for Target.
Trustwave worked for Target. It did not work for the banks.
The banks (card issuers) claim that they incurred costs (card cancellations) because they relied on Trustwave to perform its services well and Trustwave let them down.
This Is a Rare Kind of Lawsuit
For a security vendor like Trustwave, a lawsuit by third parties is an unwelcome surprise. Trustwave agreed to work for Target for a certain price and under certain contract terms. If it made mistakes, it could be liable to Target under the terms.
But Trustwave did not bargain to be liable to third parties.
The Credit Card System is Flawed
I have this to say in defense of security vendors who work for merchants like Target:
Breaches at Target, TJX and many, many other retailers have demonstrated that credit cards are inherently insecure as they are implemented in the US. Imposition of the PCI-DSS on merchants has not prevented the theft of data by hackers. Hackers have grown steadily more sophisticated in stealing credit card data.
Legally Warn Banks Not to Rely
The lawsuit against Trustwave motivates all security vendors to publish disclaimers. A disclaimer would remind banks that they necessarily incur substantial risks when they issue credit cards; they should not expect vendors who work for merchants to cover those risks.
A vendor, an auditor, a qualified security assessor (QSA), a penetration tester or another security consultant is motivated to publish disclaimers roughly like this:
“Notice to all credit card issuers: When you issue credit cards, you assume much risk that the security of card data will be compromised. Although Vendor may help its merchant clients with security, credit card data security cannot be assured. Vendor may make mistakes. Vendor assumes no liability to you.”
A vendor is motivated to publish this disclaimer on its website, on official reports (like a QSA report), on social media and elsewhere.
Is a disclaimer like this guaranteed to shield a vendor from legal liability? No. But it won’t hurt.
What do you think?
Update: The banks quickly withdrew their lawsuit. My guess is they learned they had erroneous information.
#trustwave #pcidss #targetbreach
1. Live, in-classroom (in two weeks I'll teach in Orlando)
2. Live, via webcam - this is what SANS calls "vLive" or "CyberCon"
3. Pre-recorded - this is what SANS calls "OnDemand"
The course and its different formats are described at http://www.sans.org/course/law-data-security-investigations
In the vLive/CyberCon format, students see me live, interacting through the webcam. Students can send me chat questions/comments. vLive/CyberCon is where I wave handheld signs like the Evidence sign in the photo above.
When I teach vLive/CyberCon, SANS records my voice. Then it inserts the (edited) voice recording into SANS' own OnDemand platform. OnDemand is an online, pre-recorded, study-at-your-own pace course. The student hears my voice in relation to slides and notes. The student takes short quizzes along the way to demonstrate that the student is engaged and qualifying for CPE credit.
For many enterprises the IT department is the first to recognize the need for a modern policy on electronic mail record retention and destruction. IT is charged with managing the media on which email is stored and the technology by which email is searched. IT is charged with finding particular email records in an audit, in an investigation or in response to an e-discovery request.
Increasingly IT sees the need to implement a system that is dedicated to archiving email.
But IT does not have the authority or expertise (by itself) to set enterprise policy on a topic like record retention. If the IT department were unilaterally to declare a policy on e-record retention, other departments would reject the policy. Departments like legal, HR, internal audit and risk management would each say, “Hey, wait. I was not consulted on this. What do those tech guys know about records management policy? They do not have the experience to evaluate the legal and practical implications of such a sensitive policy.”
So IT is often in a bind. It knows the enterprise needs a policy. But it does not have the ability to adopt the policy by itself. And it often has a hard time persuading other departments to devote concentrated energy into developing a policy.
I believe good email policy comes from a collaborative process, where all of the relevant stakeholders (departments such as IT, legal, HR, internal audit and risk management) work together.
The blog article linked below explains the urgency for an enterprise to adopt responsible policy on email archiving.
Historically, corporate record retention policies organized records according to content. Purchase orders went in the purchase order box; invoices went in the invoice box; and so on.
Thus, when you wanted to find or destroy records of a given content, you went to the box or folder designated for that content.
Automated Search for Content
Today, however, when you want to find particular electronic content you use a search engine.
Thus the old policy of organizing records and archives into folders/categories according to content is becoming less and less relevant. And the process of putting e-records into folders/categories according to content can be excessively labor-intensive.
Records management policy must adjust to a different paradigm, as explained in the blog post linked below.
#recordsmanagement #emailpolicy #recorddestruction
Data privacy is a delicate subject for our society. It necessarily involves trade-offs among factors like civil rights, property rights, economic convenience, public safety and national security.
Virtually all social institutions are wrestling with data privacy issues today. Whether the institution be a nonprofit, a corporation or a government agency, it is asking how much data it should collect, how the data should be protected and so on.
The blog post linked below evaluates one tool for striking the right balance with data privacy. The tool is transparency.
The blog post below examines a recent public dialog about privacy and transparency to glean some lessons of general applicability.
The particular dialog that sparked the blog post involves Microsoft – in its capacity as cloud computing service provider – searching the contents of customer accounts for evidence of misbehavior.
But the post linked below is not really about Microsoft. It is about methods for giving assurances to the public, methods that can apply to many institutions and in many settings.
#cloudcomputing #checksandbalances #dataprivacy
In this case, where Microsoft leveraged its intelligence resources (a mighty one at that), they used a little-known T&C clause to investigate alleged IP abuse.
All this will do is make those who use the myriad of Microsoft products rethink their use. And, in some cases it might just hurt enterprise programs which, if the case, would send a strong signal to Microsoft to back off prying into any one of the hundreds of Microsoft resources that have become an integral product in hundreds of millions of lives.
The positive economic impact of crowdfunding is hard to overstate. New technology, such as social media and mobile phones, has enabled crowdfunding to burst onto the scene as a responsible vehicle for new ventures to raise money, create jobs and grow value.
Crowdfunding has arisen like nothing before in economic history . . . so that in the course of just a few years it has come to stand as a peer to traditional sources of early-stage funding (bank loans, angel investors, friends & family).
Crowdfunding performs an economic service that simply could not be performed in the past. It pulls together like-minded individuals, scattered all over the world, to contribute small sums toward a project.
It has a proven track record for sifting out fraud and con men. It does this by deputizing the social-media crowd to analyze proposals and flag the bad apples.
Five years ago it was not feasible for these scattered individuals to pool their resources in support of a project in such a low-risk fashion.
Today, a crowdfunding success story from 2012, Oculus VR, struck a deal to be acquired by Facebook for $2 billion. Astonishing.
Rewards-based crowdfunding -- the most popular type of crowdfunding and the type that got Oculus going -- has required little regulatory oversight. Although state attorneys general have authority to go after crowdfunding fraudsters, that has rarely been necessary in practice. The crowdfunding community has policed itself.
#fraudprotection #economichistory #jobcreation
In the 2012 G+ post shared below I speculated about a future app that would create original ambient music to suit the listener’s mood, activity and surroundings.
Now, researchers have taken a step toward creating such an app. They have developed a program –called TransProse – that analyzes the mood or temperature of a literary passage and creates original music to reflect that mood or temperature.
TransProse can interpret the emotions from a page in, say, Alice in Wonderland and portray those emotions with unique music. See "The Music Composed By An Algorithm Analysing The World’s Best Novels," https://medium.com/the-physics-arxiv-blog/cfaaa96198e2
A friend asked me to describe an Android app I'd like to have in the future. Here is my answer . . .
I have a long answer to explain one Android app.
Think of how "dull" a movie would be if it had no soundtrack music.
Music Evokes Tingle
I have long contemplated how the soundtrack music to a movie (or TV show) complements or amplifies the mood and emotions that the director is trying to convey. Good soundtrack music sends a warm tingle up and down my body as I watch a grand Hollywood movie in a dark theater. I love the experience!
Example Setting: Travel in an Automobile
In summer 2011 I made a long automobile journey through the central part of southern, upstate New York. I (a Texan) did not expect the landscape to be as beautiful and mountainous as it was. The highway, Route 17, did not dominate the scene. The highway was modest. It was not an interstate expressway, and there were not many cars on it. As the highway crested over a mountain pass, an enormous, beautiful valley opened below me. I could see for 30 miles to the West. The valley was a forest, and the mountains around it were densely forested. The sun was preparing to set in the West. There was little development within my view (in other words, I couldn't see any gas stations or billboards or big power lines). I felt as though I had entered a great American painting circa 1850. The view was a majestic, untamed part of Eastern North America that I did not realize still existed.
At that moment, it would have been cool if my Android device were to play grand orchestra music that fit the scene . . . as though I was living in a John Wayne movie.
Device Observes Many Aspects of the Situation
I have long dreamed of the day when my mobile device observes (a) what I am doing, like walking through the mall, waking in the morning or driving through Appalachia, and (b) my mood. Then, the device plays background music -- like the soundtrack music in a movie -- that complements or amplifies the situation.
Could Subscribe to Many Different Styles of Soundtracks
I have long anticipated that we will be able to subscribe to different styles of life-stream "soundtracks". So, an Android user could subscribe to different styles of soundtracks like this:
(1) Broadway show tunes; or
(2) ESPN sports; or
(3) classic cartoons from the 1940s and 1950s; or
(4) Disney princess movies; or
(5) Horror films; or
(6) 1980s pop music; or
(7) female jazz vocalist; or
(8) music from medieval Japan
I dream of this life-stream app being as intelligent, creative and original as a great music director (or song writer) who works in Hollywood. Thus, the music would always sound fresh . . . just as every time I watch a good movie for the first time, all of the music is fresh. I don't know what the music in the movie is going to be -- and I have never before heard the music -- until I experience the movie.
That will be one heck of an Android app. I think we will see stuff like that within about 5 years. What do you think?
[Below is an image of Route 17, but it is not the location I described above.]
Update June 2013: Microsoft develops prototype software for smartphone to detect the user's mood. http://science.slashdot.org/story/13/06/28/1430259/microsoft-research-adds-mood-detection-to-smartphones
Legal and political authorities rely on computer evidence every day. More and more that evidence comes from cloud computing.
But the evaluation of that evidence by authorities such as juries can be trickier than the evaluation of traditional evidence such as ink, paper and testimony by a witness.
Computer evidence can be manipulated in novel ways.
However, there is reason for optimism. One modern development does mitigate the threat that evidence is manipulated or abused: Increasingly, legal evidence is made available in the court of public opinion (on the Internet) in addition to the courtroom. The Internet enables amateur and professional forensic experts around the world to speak up when the legal system is stumped or about to make a mistake.
#digitalforensics #courtroom #expertwitness
Every bit of it was insightful and thought provoking. I particularly liked "Such an expert is able to separate emotions from logic. Such an expert is also able to set his or her ego aside and acknowledge when he or she does not know something or have enough data to state an opinion."
Since digital data recovery is still in its infancy -- and there are many novice forensic practitioners -- there will be a period of time where most investigators will have to make a conscientious decision on whether to take a step back on a case. The reality is if they push it, and are unqualified to do so, they may find themselves with egg on their face when push comes to shove (trial, etc.).
I puzzle whether people will really want to work in the networked format MSFT envisions for Office 365. Maybe some will.
However, there will be risks, and for many people the learning curve to address those risks will be steep. As a lawyer, I think of two risks.
Over-sharing of Sensitive Information
One risk is that information could be over-shared in Office 365. Employees may require lots of training to fully understand how information is being shared and how to prevent over-sharing. The Edward Snowden experience has caused some organizations like law firms to shift toward more compartmentalization of information and records. They don't want their own Snowden to run rampant through the organization, swiping secrets.
How to Control the Document & Records About the Document?
A second risk is that documents are often negotiated in an adversarial way (whether the adversary be internal to the organization or external). Even though the creator of a document may be able to control how it is edited, s/he may be surprised or confused how adversaries can manipulate the interpretation of the document in Office 365's social-engineering network of connections.
For example, I could create and control a document that is accessible to others out in the 365 network. But my adversary (who could be a peer employee or a lawyer who represents another party) might be able to create recorded comments around the document (or connected with the document) that affect the final interpretation of the document. (See this article about the legal influence of embedded comments in a Word doc http://hack-igations.blogspot.com/2013/11/terms-and-conditions.html .) For untrained users, Office 365's network of recorded comments could be a booby trap.
#negotiation #office365 #electroniccontract
- Is Zippo Getting Zapped? | Litigation News | ABA Section of Litigation: Florida court rejects Zippo's "sliding scale" for jurisdiction over Internet activity.
- Spy Privacy Subpoena Law: Definition of Data Security Breach: When Has Privacy of Credit Card or Social Security Numbers been Compromised? Security Incident Response and Information Protection Law.
- FINRA and the SEC Move One Step Closer to JOBS Act Implementation: Washington, D.C. (PRWEB) January 31, 2013. Earlier this week FINRA invited prospective Crowdfunding portals to voluntarily file an interim
- Computer forensic delays a growing problem? | Cybercrime Review: It is hard not to notice the growing number of cases that revolve around or discuss the delays associated with processing computer forensic
- Hide & seek profile research. Discreet & Confidential: We all have felt the stings of betrayal from lies told by people very close t
- Microsoft DMCA Notice 'Mistakenly' Targets BBC, Techcrunch, Wikipedia an...: Over the last year Microsoft asked Google to censor nearly 5 million webpages because they allegedly link to copyright infringing content.
- Lawyer removed as counsel, alleged to have encouraged client to install ...: In Zang v. Zang, 2012 U.S. Dist. LEXIS 123383 (S.D. Ohio, August 30, 2012), the defendant's motion to disqualify plaintiff's counsel was gra
- Social Networking Sites Assist Investigations | Security Management: Law enforcement officers and private investigators are turning to social media to assist them with investigations.
- SEC Chair Testifies that SEC Expects to Meet Deadline for Crowdfunding R...: The Jumpstart Our Business Startups Act (JOBS Act) became law on April 5, 2012 and requires the SEC to implement rules within 270 days to al
- Ning: Create a Social Networking Site with Ning, the Best Social Site P...: The World's Largest Platform for Creating Social Websites