Warrants, Data Leakage, and Data Loss Lessons

12–19–2023 (Tuesday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Tuesday, December 19, 2023, and we’re going to look at an interesting pattern that developed over the last week around warrants - and see what that might mean for us in the private sector.

Warrants, Data Sharing, and Long-Run Implications

The last week has seen a significant amount of news about a mechanism that’s not often discussed in cybersecurity: warrants.

Discussion started with a Google Maps update that was designed to protect users’ locations from law enforcement. Previously, “geofence warrants” allowed law enforcement to gather data from tech companies like Google and others by just asking which phones passed through a certain geographic area during a specific time period.

Forbes is reporting that Google will change the way it stores and accesses users’ opt-in “Location History” in Google Maps, making the data retention period shorter and making it impossible for the company to access it.

In essence, this makes it mechanically impossible for Google to respond to these “geofence warrants.” This move is being heralded as a big win by privacy advocates - and for good reason. But, as always, there’s another side of the coin here, as well.

Berkeley Law Professor and noted cyberlaw expert Orin Kerr said:

“Geofencing has solved a bunch of really major cases that were otherwise totally cold,”

“And there are lots of ways of doing the legal process (including Google's warrant policy, although that's just one way) that are a lot more privacy protective than ordinary warrants. But I can see why this might be in Google's business interest. If there isn't a lot of economic value to Google in keeping the data, and having it means you need to get embroiled in privacy debates over what you do with it, better for Google to drop it.”

This framing as a business decision is an interesting one, of course, because Google’s main competitor - Apple - has been using privacy as a selling point for years.

They followed Google’s announcement with one of their own - updating their own law enforcement guidelines to require a warrant to get push notification records (which previously only required a subpoena).

Other industries have been making similar disclosures, with The Record reporting this week on how pharmacies have been giving customer records to law enforcement without a warrant. Of the eight pharmacies reviewed in this investigation, only Amazon Pharmacy provided alerts to patients when it shared their records with law enforcement. Three pharmacies - CVS, Kroger, and Rite Aid - didn’t even require legal review before sharing records, instead instructing “their staff to process those requests in the store” due to the “extreme pressure to immediately respond to law enforcement demands.”

So where does all of this leave us? I think we only need to look to Friday’s news drop from mortgage provider Mr. Cooper to see what lesson we need to learn: “that hackers obtained personal data on ‘substantially all of our current and former customers.’”

That number is 14 million, by the way.

This number “includes personal information on those whose mortgage was previously acquired or serviced by the company when it was known as Nationstar Mortgage, prior to its rebranding as Mr. Cooper. The company said affected customers may include those whose mortgages were serviced by a sister brand.”

Previously, Mr. Cooper had only disclosed 4 million victims and a price tag of $5M - $10M in terms of impact. The latest filing has updated that impact to $25M - “largely due to paying for identity protection to its current and former customers for two years.”

We should go back to the comment about Google keeping their users’ location data. If it’s not serving a business purpose and can potentially put the business in an uncomfortable (or expensive) conversation, why keep it?

Warrants, ransomware, lost drives, disgruntled employees. There are lots of ways for this type of data to leave the organization and expose you to these ramifications. The solution, of course, is to purge data that you’re not deriving actual business value from.

It’s tempting in the era of big data and cheap digital storage to think you should keep everything - but by keeping everything, you also risk losing everything.

Review those data retention policies, make sure processes are in place for automatic purging in alignment with those policies, and maybe try to sleep just a little bit easier knowing that you can’t lose what you don’t have.

Fundraising

From a fundraising perspective, a decent week as we close out the year - nearly $10B in newly committed capital, including several multi-billion dollar fund closes.

That said, we also saw an article on MarketWatch noting that investors have amassed $2.59T in dry powder, and that this “mountain of unused capital in the industry comes after a slow year in dealmaking ‘with limited opportunities’ for firms that have raised money from investors in recent years.”

Will the dam break in 2024? If it does, it seems like we could see valuations rise, the “free for all” M&A market return, and FOMO rule the day. If not, it’s entirely possible that these reserves could simply continue to grow.

I can’t predict the outcome here - if I could, I probably wouldn’t be making these videos every week - but I am keenly interested in seeing how it plays out, and I appreciate you being along for the ride with me.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://blog.google/products/maps/updates-to-location-history-and-new-controls-coming-soon-to-maps/

https://www.theverge.com/2023/12/15/24002693/google-maps-update-geofence-warrants-law-enforcement

https://www.forbes.com/sites/cyrusfarivar/2023/12/14/google-just-killed-geofence-warrants-police-location-data/?sh=25a7002d2c86

https://daringfireball.net/linked/2023/12/11/apple-push-notification-search-warrants

https://www.axios.com/2023/12/16/fisa-surveillance-section-702-2024

https://techcrunch.com/2023/12/18/mr-cooper-hackers-stole-personal-data-on-14-million-customers/

https://www.marketwatch.com/amp/story/private-equity-firms-build-up-record-2-59-trillion-in-dry-powder-or-capital-on-the-sidelines-3ecfb982
