An Emergency Data Request (EDR) is a procedure used by U.S. Law Enforcement agencies to obtain critical data from service providers in emergency situations where there is no time to get a subpoena. In the United States, when federal, state, or local law enforcement agencies want to obtain information about who owns an account at a social media firm, or what Internet addresses a specific cell phone account has used in the past, they typically must submit an official court-ordered warrant or subpoena.
Virtually all major technology companies and Internet Service Providers (ISPs) have departments that routinely review and process these requests. Such requests are only granted once proper documentation is provided and the requestor’s identity is verified out-of-band (not from the email requesting the data) as belonging to the actual police department or law enforcement agency.
The Hacker Angle on EDR
Phishing attacks create a sense of urgency in the hope that it pushes the victim to act. In the same way, hackers are making data requests of these organizations, claiming that imminent harm or death will result from inaction. Many times, legitimate investigating officers make what’s known as an “Emergency Data Request” (EDR), which essentially bypasses any official review and does not require the requestor to supply any court-approved documents. If tech companies do not validate the requestor in such circumstances, the hacker wins and gets critical data required to carry out their attacks.
What does this mean for an SMB?
Lawmakers in Washington, DC, have introduced a Bill To Combat Counterfeit Court Orders that would improve the current system in place for sending EDRs. It would require all federal, state, and tribal courts to use a digital signature for orders authorizing surveillance, domain seizures, and the removal of online content. Digital signatures, which are widely used by the private sector and by the executive and legislative branches, use encryption technology to prove the authenticity of documents and other data. The bill provides funding for state and tribal courts to adopt widely available digital signature technology that meets standards developed by the National Institute of Standards and Technology.
Until something like that is in place and implemented, there are actions your company can take to verify the legitimacy of these data requests:
- Phone-Based Verification: Your organization’s Data Protection Officer (DPO), or similar role, must research the Law Enforcement agency making the request. Have them follow a process where they place a phone call to the Requestor’s Supervisor or department to verify the identity of the requestor and the validity of the request itself. Care must be taken to research the correct entity phone number and not use a number found on the request form or email as both could be spoofed by a fraudster.
- In-Person Verification of Government-Issued Documentation: A requestor can provide a government-issued ID in person to the DPO to validate their identity. This brick-and-mortar method requires the review of a government-issued identification card or document. However, it is always wise to also call the Law Enforcement Agent’s office to validate the request. This method is only necessary if the Law Enforcement Agent needs immediate information where time is of the essence.
- Notary: A requestor can provide a notarized document to the company or DPO to validate their identity. This method requires the Notary to inspect a government-issued identification card or document and attest to that visual inspection in writing. Ideally, this method would be combined with #1 above – phone-based verification to provide two-factor-based identity validation. However, it is not required based on current protocols within GDPR or CCPA (though it should be AND is what CyberHoot vCISO practitioners do).
Once this has been done, additional steps can be taken to verify the authenticity of the request. They include inspecting the following items:
- Is the sending email address for this request accurate and appropriate (95% of these requests come from a .gov email address)?
- Is the Government Seal correct? If it is the first time you are seeing a Seal, please Google that agency’s Seal for reference and validation.
- Review the date of the request to ensure it is still a valid in-force SUBPOENA and/or FISA request as these requests do expire.
Once the request has been confirmed as legitimate and authentic, your organization can take action and complete the request as needed.
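The inspection items above, together with the rule that the callback number must not come from the request itself, can be written as a pre-check that runs before the DPO places the phone call. This is an added example, not CyberHoot's code: the sample message, the function names and the Reply-To comparison (which goes beyond the checks listed above) are assumptions made for illustration.

```python
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Constructed sample request: every name, address and number is made up.
SAMPLE_REQUEST = """\
From: Detective Jane Doe <jdoe@police.example.gov>
Reply-To: jdoe.urgent@mail.example.com
Subject: Emergency Data Request - imminent threat to life

Call me back immediately at 555-0100 to confirm release.
"""

PHONE_RE = re.compile(r"\+?\d[\d\s().-]{5,}\d")


def digits(text):
    """Reduce a phone number to its digits so formats compare equal."""
    return re.sub(r"\D", "", text)


def domain_of(header_value):
    """Return the lower-cased domain of an address header ('' if absent)."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()


def triage_request(raw_email, callback_number, valid_until, today):
    """Return a list of findings; an empty list only clears the request
    for the out-of-band phone call, since a From header can be spoofed."""
    msg = message_from_string(raw_email)
    findings = []
    sender = domain_of(msg["From"])
    if not sender.endswith(".gov"):
        findings.append("sender domain is not .gov")
    # Assumption beyond the page: replies routed to another domain are suspect.
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append("Reply-To domain differs from sender domain")
    # The number the DPO plans to call must not come from the request itself.
    in_request = {digits(n) for n in PHONE_RE.findall(msg.get_payload())}
    if digits(callback_number) in in_request:
        findings.append("callback number was taken from the request itself")
    if valid_until < today:
        findings.append("request has expired")
    return findings
```

Any finding is a reason to slow down and escalate, and a clean result still leaves the phone-based verification to be done.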
Additional Cybersecurity Recommendations
Additionally, the recommendations below will help you and your business stay secure against the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.
- Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
- Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
- Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
- Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, and deploy DNS protection, antivirus, and anti-malware on all your endpoints.
- In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc.) or prohibiting their use entirely.
- If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
- Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.
All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.