
Embracing a Future of Technical and Political Churn

Two things happened last week that will ultimately have a huge impact on almost every American consumer alive today, but unfortunately you’ve probably never even heard of them. Does the name Exactis ring a bell? How about AB-375? No? Well, buckle up, because there is a lot to discuss. And while I promised a while back, when I wrote about the General Data Protection Regulation (GDPR), that it would be my first and only post on the issue – well, I lied.

First off, Exactis. Exactis is a marketing and data aggregation company that gobbles up all kinds of information from all kinds of sources about each of us, and then sells it to other companies who use the data to develop targeted advertisements where YOU are the target. According to their own website, “The Exactis Data Cloud provides knowledge and insight to hundreds of firms enabling them to achieve marketing success through the use of high quality data.” What kind of data you ask? Well, the routine stuff like phone number, home address and email address, which aren’t really private anymore, but also over 400 other data variables like your hobbies, the age and gender of your children, your browsing history (those pesky cookies), your religion, whether or not you smoke, and even what kind of pets you have. Kind of sketchy huh? Not the kind of thing you’d voluntarily provide for no good reason. Exactis has over 3.5 billion records on US consumers and businesses which, my friends, is what we call a humongous amount of data.

OK, so what’s the point? Well, the point is that Exactis had a data leak last week, which unfortunately sounds very pedestrian and unremarkable these days. To be fair, a data leak is not the same as a data breach: in this case it hasn’t yet been determined whether any bad guys actually accessed the data. But this is the kind of event where the actual impact may never be completely transparent, because it’s difficult to measure whether, when, and to what degree the data is exploited. So, while your SSN and sensitive financial information allegedly weren’t leaked, the exposure of all that other personal information creates a target-rich environment for bad guys to profile your personal and professional life and impersonate you, which, you know, is a bad thing.

The funny thing is (not haha funny, but funny as in appalling) that this data leak was discovered by a security researcher using a publicly available tool called Shodan, which continuously scans the Internet and indexes connected devices, the services they answer on, and, by extension, exposed data. It’s appalling because this is the kind of security event that security professionals are paid to ensure never, ever, in a gazillion years, happens. If an outside researcher can find this kind of exposure using a public tool, the owner of the data could, and should, have been running the same search against its own address space on a regular basis, which might have prevented this incident. One thing is for sure: this does not look good on a resume!
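As an added illustration (mine, not from the original post, and not anything Exactis ran), here is the kind of self-check I have in mind, in Python: it takes an export of Shodan results for your own address space and flags any host in your netblocks that answers on a port where a datastore normally listens. The JSON-lines field names (`ip_str`, `port`, `product`, `hostnames`) follow Shodan’s export format as I understand it and are an assumption; the netblocks and the three sample records are constructed for the example, and the port table is just the usual suspects.

```python
"""Flag hosts in a Shodan export that expose datastore services.

Added example, not part of the original post. It assumes the JSON-lines
format written by the Shodan CLI / API export: one banner per line with at
least `ip_str` and `port`, and optionally `product`, `hostnames`, `org` and
`data`. The sample records below are constructed for illustration.
"""
import json
from ipaddress import ip_address, ip_network

# Ports for datastores that commonly ship with no authentication enabled.
# Anything in this table reachable from the Internet deserves an immediate look.
DATASTORE_PORTS = {
    9200: "elasticsearch",
    9300: "elasticsearch-transport",
    27017: "mongodb",
    6379: "redis",
    5984: "couchdb",
    11211: "memcached",
    3306: "mysql",
    5432: "postgresql",
}

# Constructed sample export (assumed Shodan field names): three banners,
# two on a netblock "we" own and one on somebody else's.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ip_str": "203.0.113.10", "port": 9200, "product": "Elastic",
     "hostnames": ["data.example.net"], "org": "Example Data Cloud",
     "data": "HTTP/1.1 200 OK\r\n..."},
    {"ip_str": "203.0.113.11", "port": 443, "product": "nginx",
     "hostnames": ["www.example.net"], "org": "Example Data Cloud",
     "data": "HTTP/1.1 200 OK\r\n..."},
    {"ip_str": "198.51.100.7", "port": 27017, "product": "MongoDB",
     "hostnames": [], "org": "Someone Else", "data": "..."},
])


def parse_export(text):
    """Yield banner dicts from a JSON-lines export, skipping blank or broken lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_exposed_datastores(export_text, owned_networks):
    """Return sorted (ip, port, service, product, hostnames) tuples for banners
    inside our netblocks whose port is a known datastore port."""
    nets = [ip_network(n) for n in owned_networks]
    hits = []
    for banner in parse_export(export_text):
        try:
            ip = ip_address(banner["ip_str"])
            port = int(banner["port"])
        except (KeyError, ValueError):
            continue  # not a usable banner record
        if not any(ip in net for net in nets):
            continue  # not our address space; somebody else's problem
        service = DATASTORE_PORTS.get(port)
        if service is None:
            continue  # web servers and the like are expected to be public
        product = banner.get("product") or ""
        hostnames = ",".join(banner.get("hostnames") or [])
        hits.append((str(ip), port, service, product, hostnames))
    return sorted(hits)


if __name__ == "__main__":
    # Stand-alone run against the constructed sample.
    for ip, port, service, product, names in find_exposed_datastores(
            SAMPLE_EXPORT, ["203.0.113.0/24"]):
        print(f"EXPOSED {ip}:{port} {service} ({product}) {names}")
```

In practice you would feed this the decompressed output of a Shodan export for your organization’s netblocks (the CLI writes gzip-compressed JSON lines) and run it on a schedule; a non-empty result is an incident ticket, not a report to file away. The port list is deliberately loose: a banner on 9200 or 27017 on your address space is worth a look even if it turns out to be authenticated.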

The other reason this is heartbreaking is while this company that none of us have ever heard of is responsible, the toothpaste is out of the tube and you can’t put it back. The CEO of Exactis may eventually do the perp-walk in front of Congress, and the company will ultimately be fined by some government agency, but that won’t do anything for all of us who actually bear the brunt of the exposure. This is what troubles me more than anything else. It’s far too easy for companies and people we don’t know to get access to our sensitive and personal information, then treat it irresponsibly while making money off of it. Most of you know that I’m not a fan of more regulation but this is exactly the kind of security incident driving government legislators to take more and more action and create more and more laws.

Which leads me to my second point – AB-375. AB-375 is California Assembly Bill 375, the California Consumer Privacy Act of 2018, and it was passed by the California legislature last week. There are a number of interesting tangents to AB-375, but most importantly, it gives consumers (you and me) new controls over how businesses collect and share information about us. I think most of us will concede that having more control over our personal information is a good thing, especially when viewed through the lens of the Exactis leak discussed above, because there are many, many other companies scraping, sniffing, tracking, and gathering our information from the Internet. In fact, most consumers would be truly gobsmacked, as my British friends might say, at the amount of personal information being collected about them every day.

One of the curious things about AB-375 is how it came to the California Legislature, passed by a nearly unanimous vote, and was signed so quickly. Sounds other-worldly in today’s partisan political environment, doesn’t it? It’s curious because, basically, a wealthy guy named Alastair MacTaggart donated a bunch of money to collect enough signatures (over 600,000) for a drive that would put a strong privacy initiative on the November 2018 ballot. This forced the hand of legislators, who would much rather have a legislatively passed law than a voter-passed one, because a statute the legislature passes can be amended later while a voter-approved initiative is far harder to change. They were freaking out a bit because of a hard deadline to pass the bill and get it to Governor Brown for signature before the initiative could be withdrawn from the ballot. Interestingly, this bill shows that government can indeed act quickly and in a bipartisan fashion when it feels a sense of urgency. It makes you wonder, though – why don’t they do this more often?

So why should most of us care about a privacy bill passed in California if we don’t live there? Does SB-1386 sound familiar? That was the nation’s first data breach notification law, passed in California back in 2002 and in force since 2003. Fast forward to 2018, and now every state has a breach notification law of its own, based loosely on California’s original SB-1386. Remember I mentioned a few weeks ago that a US Congressman, in conversation, asked me whether we needed a GDPR-like law in the United States? Well, AB-375 is a weak version of GDPR, but guess what: it’s a weak version coming to a state near you. My bet is that within 12 months we’ll see other states with their own versions of AB-375. You heard it here first!

My final thought is this. Information collected and sold by these companies is incredibly profitable for marketing and advertising. In fact, it’s so fabulously valuable that we would be naïve in the extreme to think this law is the period at the end of the sentence. Tech companies are already calling for changes to AB-375 that will “improve the law” and address unintended consequences for which, to again be fair, there is undoubtedly room for improvement. As more states and the federal government get engaged in these tech privacy issues, regulations will become more and more finely tuned in the direction of consumer privacy protection. If GDPR is any indication, it’s a win for consumers but your company will be spending a lot of money getting aligned with a cornucopia of disparate state regulations over the next few years. Embrace the future, where the only certainty is technical and political churn!

Mark Weatherford

Mark Weatherford is Senior Vice President and Chief Cybersecurity Strategist at vArmour. He has more than 20 years of security operations leadership and executive-level policy experience in some of the largest and most critical public and private sector organizations in the world. At vArmour, Mark focuses on helping customers understand the rapidly evolving security requirements of the cloud and 21st century data center technologies.