Tag Archives: Michelle Adler

Should Protection of Personal Data Be Regulated Using a Property Model, Rather Than a Privacy Model? Probably Not.

by Avi Gesser and Michelle Adler

As public pressure increases on legislators to better protect the personal information that organizations collect, interest has grown in using a property framework, rather than the current privacy model. On October 1, U.S. presidential candidate Andrew Yang became the latest policymaker to advocate for a data security framework that treats personal information as property. Yang released a policy proposal entitled “Data as a Property Right.” The paper starts by listing several common concerns that individuals have about their personal electronic data: Continue reading

The Weakness in Two-Factor Authentication—Your Lost Phone Policy

by Avi Gesser, John R. Kapp, and Michelle Adler

Two-Factor authentication is one of the most common measures that companies use to reduce cyber risk, but it is not very effective if companies don’t also have a good lost phone protocols.

Various regulations and industry rules require two-factor authentication (also referred to as multi-factor authentication or MFA) including the NYDFS cyber rules (PDF: 97.5 KB), the NIST identification and authentication requirements, the Payment Card Industry (PDF: 1.05 MB) (“PCI”) Data Security Standard 8.3, as well as the proposed amendments to GLBA.

MFA involves confirming that a purposed user of a certain login credential and password is actually the authorized user, by employing an additional verification method, such as a passcode sent to an employee’s phone by text message or through an authenticator app like Duo or Google Authenticator.  But, not all forms of verification are equal.  In 2016, the NIST considered not recommending SMS messages as a form of second-factor authentication due to their susceptibility to being redirected by attackers. Continue reading