Management Russell Mickler

Preparing for Disaster

The Cascadia Subduction Zone poses a seismic threat to Vancouver, WA, and Portland, OR, with a significant quake likely in 50 years. It poses a huge IT Services problem.

April is Emergency Communications Month at the Cybersecurity and Infrastructure Security Agency (CISA).

With its verdant landscapes and bustling cities, the Pacific Northwest is also home to one of the most significant seismic threats in the United States: the Cascadia Subduction Zone. Stretching from northern Vancouver Island to northern California, this fault line represents a geological boundary and a looming challenge for Vancouver, WA, and Portland, OR.

The Cascadia Subduction Zone, where the Juan de Fuca Plate is sliding beneath the North American Plate, has a history of producing massive earthquakes with magnitudes up to 9.0 or higher. The last such event occurred in 1700, sending a tsunami across the Pacific and jolting the region with several minutes of ground shaking. Today, the implications for the Vancouver and Portland metropolitan areas could be catastrophic, with scientists estimating a 1 in 3 chance of a significant quake in the next 50 years.

The risks associated with such an event are manifold. Infrastructure, much of which was built before the advent of modern seismic standards, could suffer extensive damage. This includes bridges, roads, and buildings, potentially isolating communities and hampering emergency response efforts. The economic impact could be staggering, with estimates suggesting billions of dollars in damages.

Moreover, the region's geography exacerbates the risk. The soft soils along the Columbia River, which both cities straddle, are particularly susceptible to liquefaction—a process where solid ground behaves like a liquid during intense shaking. This could lead to the collapse of structures, the severing of utility lines, and even landslides, further complicating rescue and recovery operations.

There are always risks of disaster. Whether it’s from earthquakes, forest fires, or a utility outage, this is the big one that keeps me up at night. I wonder how well the companies I work with will be prepared, specifically when communicating with employees and customers during a crisis. Now’s a good time to review IT Disaster Recovery Plans (DRPs) and think about how emergency communication would go without Internet, mobile, text, and landline service; how would the business concern keep functioning?

In conclusion, while the beauty of the Pacific Northwest is undeniable, so is the threat posed by the Cascadia Subduction Zone. It underscores the need for continued investment in seismic research, building retrofits, and emergency preparedness efforts. For residents of Vancouver and Portland, understanding and preparing for these risks is not just prudent—it's imperative.

Do you have questions concerning your strategic position with an IT DRP? Contact me. Let’s talk it through.

Commercial, Households Russell Mickler

Ransomware Disaster Recovery for Professionals: Attorneys, Doctors, CPAs, Financial Advisors

Professional roles like attorneys, doctors, CPAs, and financial planners have a responsibility to plan for ransomware attacks and to protect the data of their clients. Here's an IT strategy that could help.

I wanted to take a few minutes to explain how business professionals - Consultants, Attorneys, Doctors, CPAs, and Financial Analysts specifically - can prepare their practice to recover from a cryptoware attack made against their data processing systems.

I'm singling out these professionals because they usually have non-disclosure, fiduciary obligations, confidentiality agreements, or legal mandates to safeguard their clients' data.

The nature and risk of that data is therefore more consequential than most; extra precautions should be exercised both to protect data from unauthorized disclosure and to restore operations.

This write-up may get a bit lengthy and for that I must apologize; still, I think it's a good blueprint to help draft a roadmap for your firm.

I'll be writing it in pieces over the next week and I'll provide hyperlink updates within this post to the latest posts that I complete.

Guiding Principles

  • We Do Not Pay Ransoms. A terrible strategy that only promotes more attacks. People who weaponize your data processing systems shouldn't be compensated.

  • Invulnerability Isn't Possible; Failure Is Inevitable. There's no way to guarantee absolute computer security or to avoid systems failure. It will happen. The risk must be planned for.

  • Disasters are Disasters. Planning for a ransomware attack is just the same as planning for an earthquake, a flood, or a fire. Our disaster recovery plan may be universally applied.

  • Access Control. Only authorized people should have access to confidential information. That means strong authentication, managed risk, and low attack profiles.

  • Separation of Systems. We will design systems that are independent of each other and quarantine sections of risk so that firewalls exist between computing environments.

  • Layers of Recovery Options. Instead of depending on just one data recovery option, we will use many options to give us an opportunity to recover from a disaster.

  • Leverage Encryption Everywhere. Throughout our data ecosystem, we will leverage encryption wherever possible to prevent what could be compromised from being used.

  • Asset Management and Maintenance. A good best-practice that keeps our firm on top of emergent threats.

Please feel free to contact me if you have any questions about what you're reading in this series.

If you have concerns about your own practice and your disaster recovery planning, contact me. I'd be happy to help.

R

Commercial, Households Russell Mickler

Access to Digital Assets After Death

Through UFADAA, your fiduciaries now have a legal path for acquiring your data from digital devices and online services after you die. Yep: time to update your will / Power of Attorney.

Believe it or not, accessing private data after death has historically been an act of hacking. Yeah, imagine having to hack your loved one's accounts to get access to important stuff like checking and savings accounts, bill paying systems, accounting systems, or invoicing systems.

Essentially, survivors would need to impersonate the deceased, guess at passwords or have passwords rotated by a hack to access accounts, or have secure systems compromised to access data.

And legally, the heir or assign of an individual didn't have any rights to the data. That data was owned by the account holder (who is now dead) and there wasn't a legal transference of digital property rights.

However, effective June 2016 in the State of Washington, this has changed with the adoption of 11.120 RCW Uniform Fiduciary Access to Digital Assets Act (UFADAA).

UFADAA establishes a standard process for a fiduciary to access the secured digital assets of the deceased found on their devices (computers and mobile devices) and their online accounts.

This special access is limited: it grants the fiduciary access to essentially collect the data and close the account; it doesn't allow for the account of the deceased to survive forever.

UFADAA also allows for data to be collected from the principal, accumulated by a designated custodian of the data, cataloged, and held in a trust. It also allows the principal to shield some kinds of data from their fiduciary.

Some companies that are more progressive on these matters - like Facebook - allow you to identify legacy accounts: fiduciaries on Facebook that would presumably survive the deceased and could get access to the account to memorialize it. Most companies are far behind this curve of being able to identify others who could access their digital assets after death.

The court can assign data custodians and so can businesses and individuals. However, it's recommended that a will/Power of Attorney specifically declare UFADAA rights.

If you're concerned about this - and if you own a business, you'd want to be concerned about this - you'd want to speak to your attorney about including UFADAA rights into your succession planning.

Also, you'd want to check online services that offer legacy accounts (or some means of designating authorized survivors) and set those up.

And finally, you'd want to grant some degree of access to your password manager for the fiduciary following your demise. Most password manager services allow for a legacy account to be designated; otherwise, a master password, written on paper, stored in a sealed envelope, and safeguarded in a safe place, may also suffice (a broken seal may be a visual trigger to reset passwords).

 
