On the off chance that you haven't read Senator Ron Wyden's recent press release, allow this Journal to call your attention to a whole new developing category of risk: algorithm risk. Sen. Ron Wyden, D-Ore., Sen. Cory Booker, D-N.J., and Rep. Yvette D. Clarke, D-N.Y., have introduced the Algorithmic Accountability Act, which would require companies to study and fix flawed computer algorithms that produce inaccurate, unfair, biased, or discriminatory decisions affecting Americans.
This is serious business. Recent research has shown that presumably impartial computer algorithms may practice subtle forms of sexual, racial, or other discrimination when deciding who gets a loan or who gets hired or retained, often in large part because the big databases on which the systems were trained already contained the illegal discrimination practiced by the human actors whose decisions populated those databases. For a quick overview of this often complex topic, broadly known as algorithmic bias, check out Wikipedia.
The proposed Act would authorize the Federal Trade Commission (FTC) to issue regulations requiring companies under its jurisdiction to conduct impact assessments of highly sensitive automated decision systems. The requirement would apply to both new and existing systems. It would also require companies to assess their use of automated decision systems, including the training data, for impacts on accuracy, fairness, bias, discrimination, privacy, and security. The proposed Act is a long way from becoming law, but its introduction may be taken as fair warning that your company's use of algorithms, in any number of contexts, may at some point be subject to regulatory review or to civil action.
This is a whole new area of potential risk. Time to start asking questions such as: what controls do we have in place? What insurance policies may attach in the event of a civil legal action? What possible exposures lurk in legacy systems? Hey, good thing you thrive on challenge, right?
Ready for RaaS?
Probably not. RaaS is Ransomware-as-a-Service. In this year of grace, 2019, you can fire up the Tor Browser, head for the Dark Web and buy RaaS packages designed to let average hackers (roughly grade 7 and up) penetrate just about any major enterprise system and wreak havoc. Or, if you have some Bitcoin handy, you can buy a copy of Collection #1, a dump of roughly 773 million email addresses and their passwords that most of their owners naively assume are still confidential, for whatever kind of extortion or thievery your heart desires. Don't know how your kids are going to afford university? Just get them a Tor browser*, point them to the Dark Web, and watch the Bitcoins flow.
By some estimates, Dark Web commerce is set to become a trillion-dollar-a-year international industry in the very near future. As a recent feature article in the Daily Telegraph points out: "Crooks selling software specifically designed to break into banks, retailers, law firms etc. now routinely offer 24-hour help desks and technical support for the unskilled cyber criminal." Translation: if you can buy a tea cozy on Amazon, you can set yourself up as a Dark Web hacker. THINK ABOUT THAT!
You can buy a kit to set up "watering hole" attacks or paint-by-numbers phishing campaigns. You can buy attack tooling that leaked from the Russian and Chinese state hacking agencies (you know about them, of course), and commodity ransomware such as Saturn, itself sold to affiliates on a revenue-share basis, which can encrypt an entire enterprise network and seal it off until the victims cough up those Bitcoins. The Daily Telegraph now refers to a "tidal wave of cyber crime." For another view, check out Marsh's new cyber security product, Cyber Security by Marsh (SM).
Your humble scribe has been hacked twice in recent months, once by a Romanian and once by a Chinese hacker. I tracked the latter down to his email lair on 163.com (notorious) and sent him a really strong letter in Mandarin. Made me feel better, but I still had to change out credit cards and set up all new email accounts. Then some hacker shmuck transferred my Netflix account to an email in Giza, Egypt. No joke.
The point is that the realm of cyber crime was, until recently, the lair of a relatively small number of expert hackers going after a limited number of high-value targets. Now it's the kid down the street stealing credit card numbers from the local fast food joint. You can either (a) protect yourself (do you have a Faraday sleeve in your wallet yet? I do) or (b) expect a lot of cost and inconvenience as you reconstruct your online accounts every month. One caveat: a Faraday or RFID-blocking sleeve only stops contactless card skimming; against the phishing kits and credential dumps described above, the defenses that matter are a unique password for every account and multi-factor authentication wherever it is offered.
*Tor's onion services hide the network location of the server as well as that of the visitor, which is why Dark Web marketplaces run on them: a hacker's delight.
Quick Take 1:
Our First Hurricane Prediction for 2019
Earlier this month, AccuWeather issued its seasonal forecast for the 2019 hurricane season. It expects the season to be near normal to slightly above normal, with 12 to 14 named storms. That key word, "normal," requires some definition nowadays: a normal season has 12 named storms, including six hurricanes and two major hurricanes. That last item is the kicker. A major hurricane is Category 3 or higher.
Our last season had only two "major" storms, but hurricanes Florence and Michael both caused enough damage and death to have their names retired from the rotating six-year list of storm names. Yup, same as retiring the jersey of a champion major league player. Who says meteorologists aren't just like the rest of us?
As usual, the primary predictive factor among the dozens that influence hurricane formation is El Niño. We are in an El Niño year, but will it weaken or strengthen as we get into hurricane season? The federal Climate Prediction Center will issue its hurricane forecast in May. Stay tuned. Let's see what they think. And remember, every year the Atlantic Ocean and the Gulf have a little more water in them thanks to global warming. Hey, who left Greenland out to thaw?
Quick Take 2:
It's Alive! The GDPR on the Move
The GB Journal started raising storm flags about the European Union's General Data Protection Regulation (GDPR) early last year. A recent finding and civil fine levied by the UK's Information Commissioner's Office (ICO) adds some dimensions to the matter. According to The Guardian, the ICO has fined a British parenting club called Bounty £400,000 (about $523,000) for violations of the data protection rules that were in force before the GDPR took effect. From June 2017 to April 2018, by the company's own admission, Bounty shared approximately 34.4 million records concerning new parents and their children with 39 organizations.
Here's the kicker: the violations and the fine noted here were incurred under the older, milder regime, before the GDPR and its tougher rules went into effect. Under the GDPR, the maximum fine for a comparable infraction is the higher of €20M (about £17M or $22M) or 4% of worldwide annual turnover. If you were wondering where GDPR compliance should sit in your worry hierarchy, this may help to make that clear. The GDPR has serious teeth. If you have data operations in the EU, take note.
The dean of workers' comp journalism, Peter Rousmaniere, recently wrote an insightful column, "Making Treatment Guidelines Matter". While the discussion concerns work being done here at Gallagher Bassett, Peter's article focuses on a number of important issues about how to use guidelines like the Official Disability Guidelines (ODG) intelligently, so as to optimize injured worker care while avoiding "cookbook medicine." We expect to see more discussion of this important topic in the near future. Peter's well-balanced view is a good starting point.