Cybercrime Fighter

Exposure of cloud data liability is a real concern

Reaching the Aetna building, she is required to go through the device screening for BYOD. “I’m sorry,” says the guard. “This facility is under strict enterprise mobility management. Only devices using mobile device management APIs 3.0 or higher can be allowed into the building. If you leave your tablet with us, we'll give you a loaner during your visit. You can sync it with your own cloud provider if you so choose.” Rachael accepts the clunky tablet and enters a memorized code to link the tablet through her phone via her eSIM card in her provider’s cloud. She makes a call to her lawyer. “I think you need to join me at the Aetna office; looks less tech-friendly here than I expected.” He responds that he will join her shortly.

In a telepresence conference room, Rachael is asked to sign an agreement. “You are required to consent to our use of truth detectors and behavior predictors in the conference room for any telepresence call.” The agent's Flicker glasses illuminate her face to hide her emotions and prevent them from being read by Rachael.  “I’ll agree but require the meeting await the arrival of my lawyer”, Rachael declares.  She is served coffee as she waits.

Her lawyer arrives and addresses the virtual attendees: “We agreed to emotional surveillance but I also think we can all agree on a level playing field. My client is suffering from a possible concussion and cannot use her metadata support. I see several of you are wearing virtual display glasses which can receive real-time data from predictor programs. I would ask that you remove them for the duration of this telepresence.” Upon their compliance, the meeting starts.

“We have received the preliminary information and determined a likely course of action,” says the insurance representative.  “The good news, Ms. Greg, is that we will be able to release infrastructure replacement costs once the proposed response plan is signed.  This will cover you under your home liability and as CEO of North East Control Analytics for any damages your company may have sustained within the restricted breaches and up to the limits of the policy.”

“Thank you,” responded Rachael.

The insurance executive continues, “However, exposure of cloud data is your liability and may not be covered by your policy based on the circumstances of the loss.  Likely, upon our review, you will be fined per record lost, or in this case per device exposed, as per the terms of your policy and in accordance with current local, state and federal laws.” 

Rachael interrupts, “I was attacked, hacked and now I may have to pay for this?!?”  

The insurance executive replies bureaucratically, “Yes, and if your insurance with us is to cover the fines, you must comply with all requests for information and disclosure presented today.  And, incidentally, not be judged negligent in any way.  Determinations will take some time, but we will cover the government’s required bond now. Hopefully, the final determinations will eventually relieve you of any liability.”

“So there will be an investigation?  By who?” asks Rachael. 

“Of course,” he responds. “First up is a public and private task force. ‘Time is of the essence’ in limiting liability to all of us, Ms. Greg. So, per your preliminary analysis of the incident, we are linking in Siemens and their border agents to your sensor and control OEM. As North East Control Analytics contracted out design and printing of the custom sensors and control valves, Siemens, your OEM, North East Control Analytics and Aetna will be the public components of the Task Force.” During the agent's monologue, two more participants join the telepresence call: representatives from Siemens and the OEM.

Rachael's lawyer interjects, “Could you explain this task force in more detail?”

The insurance agent continues: “I'd be happy to.  For over a decade now, public-private task forces have been the standard and accepted approach to resolution in the aftermath of these types of cyber attacks. If you will observe the slide on the monitor...” 

“Your Task Force will be comprised of:

  • Interaction of local jurisdictional law enforcement on home invasion;
  • Interaction of corporate jurisdictional law enforcement on corporate sabotage;
  • Interaction of suppliers of systems and impacted hardware for the encroached business; and
  • Interaction of liability discussion with agents from the encroached business.”

The meeting continues with a discussion on the evolution of laws associated with the details of the task force. Rachael lets her attention wander as her lawyer grills the insurance agents and those present respond to his concerns. He concludes with, “We agree to the task force with the stipulation that copies of all information collected, transcripts of official calls, and findings and reports are forwarded to our office. I will also be present at all meetings and calls. Agreed?” The insurance executive responds “agreed” as the remote attendees nod.

The Siemens executive finally speaks up: “We feel that our prompt response to this complaint establishes good faith and limits our liability. But you will only have our cooperation in exchange for all parties agreeing to Siemens controlling any and all public disclosure of this event, concerning any security vulnerability. By giving us a continuing seat on this task force until the completion of the investigation, Siemens will assume task force costs, public and private, up to but not to exceed forty percent of the investigation and prosecution budget.”

Aetna matches Siemens’ subscription offer. With discussion, all parties agree. The insurance executive caveats, “provided the task force does not find any intentional or malicious actions or wrongdoing on your behalf leading to the attack, we agree that Siemens provided a timely and proper response and helped limit the scope of this attack.”

