Cybersecurity Ethics

At an MCLE today and got this hypothetical:

Your Company learns that a bug in one of your apps could have provided bad guys with access to confidential user information, but you do not have evidence that anyone actually obtained such information. You’ve fixed the bug. Arguably, privacy statutes require the Company to make disclosure to users and/or regulators. Management makes a decision not to disclose, because there is no indication of an actual breach. Ethical issue?

The audience of lawyers split 75% / 25% (live polling) calling this an ethical issue. Fascinating.

Two points: (1) I think the right answer is no. If the statute “arguably” does not require disclosure (i.e. reasonable people disagree) then this is not an ethical issue. But also (2) this scenario is almost certainly true all the time for all companies with confidential user data and internet-facing systems. Should they all be disclosing all the time? Is that even realistic?

Just take a look at the National Vulnerability Database, do a blank search, and look at the security bugs listed today. Awful security bugs are being found, published, and fixed every day for every major application everywhere. If you have confidential user information and internet-facing applications, you may face this hypothetical every single day.

When tech comes to health

Apple Watch’s ECG feature is making the news, as it should.* I’m not tracking it, and don’t plan to, but this should spawn a lot of innovation from the plaintiffs’ bar in the complaints we see against Apple. Wrongful alerts leading to economic and health harms, negligence for not alerting (what constitutes a proper training set? And when is that training a form of negligence? What’s the duty? – so much fun stuff), does it reach to wrongful death?

*Full disclosure, I used to work at Apple but never advised on this feature.

Permian Extinction Resolved / Replicated

So this is bad:

On Thursday, a team of scientists offered a detailed accounting of how marine life was wiped out during the Permian-Triassic mass extinction. Global warming robbed the oceans of oxygen, they say, putting many species under so much stress that they died off.

And we may be repeating the process, the scientists warn. If so, then climate change is “solidly in the category of a catastrophic extinction event,” said Curtis Deutsch, an earth scientist at the University of Washington and co-author of the new study, published in the journal Science.

https://www.nytimes.com/2018/12/07/science/climate-change-mass-extinction.html

Feels like this should be bigger news.

You could see this working in the future (or now)

I find this case (paywall) very enjoyable and creative. But read the actual decision attached – it’s short and delightful!

Plaintiff alleged that the medical provider used software that was not secure and that it did not protect his personal information. But he also tacitly admits that, as of yet, no one has taken or used plaintiff’s personal information.

In other words, the poorly secured software had yet to be hacked. But plaintiff was harmed because it could be.

The plaintiff lost. But imagine a world where this was a siren’s call for someone to hack the hospital system. It’s a really interesting market. Regular folks find deficient security on a platform that should probably be more secured. That person hires a lawyer. The lawyer drafts up and files the complaint and… maybe publicizes to interesting channels that are willing to poke around in weak systems.

And ta da! You may have yourself an actual case at that point.

Does this feel to anyone like short sellers who short a company and then say how awful a company is?

Here, let me rewrite that for you

This from Forbes:

Blockchain is the latest innovation to take over vacation planning. It’s expected to disrupt the industry as much as when Expedia, Airbnb, and Priceline took vacation planning online.

A company is attempting to apply blockchain to the travel industry. To be successful it needs to outcompete entrenched rivals such as Expedia, Airbnb, and Priceline in a historically very low-margin business. At the time of this writing, blockchain has not been found to be a competitive advantage in any industry outside of black-market transactions.

The Complexity of the Legal Domain

How to comply with legal rules? It’s even worse in other countries.

Speaking personally, I recently spent about a year living in Spain (helping out our Barcelona office) and I read everything I could on Spain visas before I went, but I knew that I still didn’t know enough to do it on my own. So I hired a really good and really expensive Spain immigration lawyer and in about three hours she totally set me straight, and I walked out of her office knowing exactly what to do, and I did it, and it worked. Ninety percent of what I had read about Spain visas on the internet was true, but ten percent was either dead-ass wrong, had recently changed, or just did not apply to our specific situation. Had I gone with just what I had learned on the internet, I likely would have been booted out of Spain in 90 days. Despite all that I had learned by going through all of this, when it came time for another American lawyer in my firm to take my place in Spain, he too went to this same Spain immigration lawyer and he reported back to me the same result. She saved him huge amounts of time and huge amounts of problems.

And the whole point of this excerpt is that China is way worse.

Link

Season 3 Serial

If you haven’t yet listened to season 3 of Serial, I highly recommend it. While the podcast itself is great and well reported, what I find interesting is Sarah Koenig’s surprise at what she finds. This is exactly how the legal system works. It’s ugly.

Sometimes I feel like lawyers are all in on a great secret that we’re all ashamed to talk about. That the legal system is meant to handle volume, not individual cases.