Organizational strategies against legal threats
intros and interests
- transnational legal situations - gdpr - risk for organization - bug-bounty - potential legislation around data breeches - resources around entity separation b/w 5013c/5014c - specific issues for service providers
Tech security issues and legal issues often overlap operationally. There hasen't been as much of a discussion on legal threats facing organizations. Legal threats should be included into threat modeling activities.
CFA - computer fraud and abuse act -- which is how the feds go after someone for hacking (a la Aaron Swartz).
Difference between "legal" protections and "actual" protections.
De-mystifying the legal process for grassroots organizations.
What are you protocols for sensitive data? Don't want to be in position if you have data that you shouldn't have and don't know what to do about it. Abi wants service providers to already have plans for these situations.
Question: does your org talk to lawyers?
research org consults with lawyers to ensure data is "factually" correct to avoid libel lawsuits, but needs to improve about security and data retention practices.
nonprofit tech org: has legal working group that's connected to lawyers.
do we need retainer lawyers? how do smaller groups best use probono lawyers, who typically only come into the picture during a crisis.
- big dilemma* -> small groups have legal needs from completely
divergent areas of law.
Large nonprofit -> has lawyer on staff (since org of team of 20). Lawyers are also good at campaigning, silo-ing lawyers isn't always the best approach.
How do we understand the objectives of policy makers?
example of SB 315 in Georgia. A person ethically reported data leak about Georgia voter registration and FBI said no crime was committed, but Georgia decided to MAKE it a crime afterwards.
Questions: should there be something similar to surveillance self- security self-defense? More documentation?
A good security trainer will also always say "it depends".
Legal issues are generally more fluid, which makes a check-box solution less possible. You don't want advise from lawyer who doesn't know about your organization.
Don't roll your own crpyto and don't roll your own legal advice. These things are complex both in use and understanding -- both sides should acknowledge this when giving and receiving advice.
The "a la carte pro-bono laywer" will just solve one problem without building on capacities of other organizations.
Question: Is there anything that a developer should know about when building sites for non-profit legal organizations (esp. when working with undocumented immigrants)
There is an assumption that "your privilege will save you from everything". Attackers could still go afterward the attorney's systems and data. Developers have a responsibility to help lawyers maintain good security practices.
Question: best practices to manage legal data?
Programmer are promiscuous about information, but end up having good awareness of digital security.
Lawyers are trained with right instincts, but have terrible op-sec. Lawyers rely on "legal security" not "digital security"
Bring your lawyers into your digital security training!
Concept of legal boutiques -- is there a practice that focuses on digital security? They depending on vendors.
Are there movement security practices? Should data practices be written into contracts and/or guides for on-boarding new employees?
Generational gap between new and older lawyers
informational ecology non-profit security handbook: https://iecology.org
Having a *bug bounty* is a good idea (even for small organizations). Also pay for pentesting periodically. And use Hacker1 & bugcrowd for points when you can't pay.
Perhaps there should be a bug-bounty pool for movement organizations? Kate Moris who founded bug bounty might be a good resource.
Can a c4 user invite a c3 user to an event? Sharing information between c3/c4 ? ask the lawyers! bolder advocacy / AJF also have good resources this.
THESE NOTES DO NOT CONSTITUTE LEGAL ADVICE :)