ninjagoo 5 hours ago
| At some point Insurance is going to require companies to obtain paper copies of any documentation/policies, precisely to avoid this kind of situation. It may take a while to get there though. It'll probably take a couple of big insurance losses before that happens. |

kevincloudsec 5 hours ago
| Insurance is already moving that direction for cyber policies. Some underwriters now require screenshots or PDF exports of third-party vendor security attestations as part of the application process, not just URLs. The carriers learned the hard way that 'we linked to their SOC 2 landing page' doesn't hold up when that page disappears after an acquisition or rebrand. |

pwg 3 hours ago

> when that page disappears after an acquisition or rebrand.

Sadly, it does not even have to be an acquisition or rebrand. For most companies, a simple "website redo", even if the brand remains unchanged, will change up all the URLs such that any prior recorded ones return "not found". Granted, if the identical attestation is simply at a new URL, someone could potentially find that new URL and update the "policy" -- but that's also an extra effort that the insurance company can avoid by requiring screenshots or PDF exports.

dahcryn 3 hours ago
We already require all relevant and referenced documents to be uploaded in a contract lifecycle management system. Yes, we have hundreds of identical Microsoft and AWS policies, but it's the only way. Checksum the full zip and sign it as part of the contract; that's literally how we do it.

seanmcdirmid 5 hours ago
Digital copies will also work. I don't understand why they don't just save both the URL and the content at the URL when last checked.

ninjagoo 5 hours ago

I think maybe because the contents of the URL archived locally aren't legally certifiable as genuine - the URL is the canonical source. That's actually a potentially good business idea - a legally certifiable archiving software that captures the content at a URL and signs it digitally at the moment of capture. Such a service may become a business requirement as Internet archivability continues to decline.

leni536 3 hours ago

Apparently perma.cc is officially used by some courts in the US. I did use it in addition to the Wayback Machine when I collected a paper trail for a minor retail dispute, but I did not have to use it. I don't know how exactly it achieves being "legally certifiable", at least to the point that courts are trusting it. Signing and timestamping with independent transparency logs would be reasonable. https://perma.cc/sign-up/courts

ninjagoo 3 hours ago

This is an interesting service, but at $10 for 10 links per month, or $100 for 500 links per month, it might be a tad bit too expensive for individuals.
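As an added example (not code from any commenter, from dahcryn's contract lifecycle system, or from perma.cc), the following stdlib-only Python sketch puts the two ideas raised above side by side: dahcryn's "checksum the full zip and sign it as part of the contract", and the capture-at-a-URL-and-sign-at-capture-time service ninjagoo and leni536 discuss. Everything in it is constructed: the vendor URLs and document bodies are sample data, the fetch step is left to the caller, an HMAC under a key only the archiver holds stands in for a real signature, and the timestamp is self-asserted; a court-grade version would take the time from an RFC 3161 timestamp authority or a transparency log, as leni536 suggests.

```python
"""Capture, bundle, seal and re-check vendor evidence (stdlib only).

Added example for this thread; not code from any commenter or service.
"""
from __future__ import annotations

import hashlib
import hmac
import io
import json
import zipfile

# Constructed sample captures: what a fetch of each vendor URL returned.
# Fetching itself (urllib, a headless browser, ...) is the caller's job.
SAMPLE_CAPTURES: dict[str, bytes] = {
    "https://vendor.example/trust/soc2-summary": b"SOC 2 Type II summary, 2024-01-01..2024-12-31",
    "https://cloud.example/security/dpa.pdf": b"%PDF-1.7 Data processing addendum v3",
}
# Fixed zip entry timestamp so zip metadata never perturbs the checksum.
_EPOCH = (1980, 1, 1, 0, 0, 0)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_bundle(captures: dict[str, bytes], captured_at: str) -> bytes:
    """Deterministic zip of every capture plus a manifest.json of URL/digest pairs.
    Same inputs give a byte-identical zip, so its checksum can go in a contract."""
    manifest = {"captured_at": captured_at, "entries": []}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, (url, body) in enumerate(sorted(captures.items())):
            name = f"doc{i:03d}.bin"
            manifest["entries"].append(
                {"url": url, "file": name, "sha256": sha256_hex(body), "size": len(body)}
            )
            zf.writestr(zipfile.ZipInfo(name, date_time=_EPOCH), body)
        zf.writestr(zipfile.ZipInfo("manifest.json", date_time=_EPOCH),
                    json.dumps(manifest, indent=2, sort_keys=True))
    return buf.getvalue()


def _record_payload(zip_sha256: str, sealed_at: str) -> bytes:
    return json.dumps({"zip_sha256": zip_sha256, "sealed_at": sealed_at}, sort_keys=True).encode()


def seal(bundle: bytes, key: bytes, sealed_at: str) -> dict[str, str]:
    """Attestation record over the whole zip: its hash, a time, and a tag.
    HMAC under a key only the archiver holds stands in for a real signature
    (gpg/cosign/X.509) to stay stdlib-only; sealed_at is self-asserted here,
    a court-grade version would take it from an RFC 3161 TSA or a transparency log."""
    digest = sha256_hex(bundle)
    tag = hmac.new(key, _record_payload(digest, sealed_at), hashlib.sha256).hexdigest()
    return {"zip_sha256": digest, "sealed_at": sealed_at, "tag": tag}


def verify(bundle: bytes, record: dict[str, str], key: bytes) -> tuple[bool, str]:
    """Outer layer first (tag, then whole-zip hash), then each manifest entry."""
    payload = _record_payload(record["zip_sha256"], record["sealed_at"])
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["tag"]):
        return False, "attestation tag does not verify"
    if sha256_hex(bundle) != record["zip_sha256"]:
        return False, "zip hash differs from sealed hash"
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
        for entry in manifest["entries"]:
            if sha256_hex(zf.read(entry["file"])) != entry["sha256"]:
                return False, f"{entry['url']}: content digest mismatch"
    return True, "ok"


def compare_to_live(bundle: bytes, live: dict[str, bytes | None]) -> dict[str, str]:
    """Classify each archived URL against a fresh fetch (None = not found).
    This is the "website redo" case: the sealed record still verifies, but
    the live page is gone or now says something else."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        manifest = json.loads(zf.read("manifest.json"))
    status: dict[str, str] = {}
    for entry in manifest["entries"]:
        body = live.get(entry["url"])
        if body is None:
            status[entry["url"]] = "gone"
        elif sha256_hex(body) == entry["sha256"]:
            status[entry["url"]] = "unchanged"
        else:
            status[entry["url"]] = "changed"
    return status


if __name__ == "__main__":
    key = b"archiver-secret-key"  # placeholder key for the demo
    bundle = build_bundle(SAMPLE_CAPTURES, "2024-06-01T12:00:00Z")
    record = seal(bundle, key, "2024-06-01T12:00:05Z")
    print(record["zip_sha256"], verify(bundle, record, key))
    print(compare_to_live(bundle, {list(SAMPLE_CAPTURES)[0]: b"Trust center moved"}))
```

The two-layer check is deliberate: the outer record is what you hand to the counterparty (one hash, one time, one tag), while the per-entry digests in the manifest let you answer pwg's "website redo" question later, by re-fetching each URL and reporting which attestations are unchanged, changed, or gone, without anyone having to trust the live site.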

staticassertion 3 hours ago

The first thing you do when you're getting this information is get PDFs from these vendors, like their SOC2 attestation etc. You wouldn't just screenshot the page, that would be nuts. Any vendor you work with should make it trivial to access these docs; even little baby startups usually make it quite accessible - although often under NDA or contract, but once that's over with you just download a zip and everything is there.

thayne 2 hours ago

> You wouldn't just screenshot the page, that would be nuts.

That's what I thought the first time I was involved in a SOC2 audit. But a lot of the "evidence" I sent was just screenshots. Granted, the stuff I did wasn't legal documents, it was things like the output of commands, pages from cloud consoles, etc.

staticassertion 2 hours ago

To be clear, lots of evidence will be screenshots. I sent screenshots to auditors constantly. For example, "I ran this Splunk search, here's a screenshot". No biggie. What I would not do is take a screenshot of a vendor website and say "look, they have a SOC2". At every company, even in tiny little startup land, vendors go through a vendor assessment that involves collecting the documents from them. Most vendors don't even publicly share docs like that on a site, so there'd be nothing to screenshot / link to.

inetknght 3 hours ago

Is it digitally certifiable if it's not accessible by everyone? That is: if it's not accessible by a human who was blocked?

macintux 3 hours ago

Or if it potentially gives different (but still positive) results to different parties?

trollbridge 5 hours ago

What if the TOS expressly prohibits archiving it, and it's also copyrighted?

pixl97 5 hours ago

Then said writers of TOS should be dragged in front of a judge to be berated, then tarred and feathered, and run out of the courtroom on a rail. Having your cake and eating it too should never be valid law.

croes 4 hours ago

Maybe we should start with those who made such copyright claims a possibility in the first place.

seanmcdirmid 2 hours ago

I don't think contracts and agreements that both parties can't keep copies of are valid in any US jurisdiction.

layer8 5 hours ago
| More likely, there will be trustee services taking care of document preservation, themselves insured in case of data loss. |

ninjagoo 5 hours ago

Isn't the Internet Archive such a trustee service? Or are you thinking of companies like Iron Mountain that provide such a service for paper? But even within corporations, not everything goes to a service like Iron Mountain, only paper that is legally required to be preserved. A society that doesn't preserve its history is a society that loses its culture over time.

layer8 5 hours ago

The context was regulatory requirements for companies. I mean that as a business you pay someone to take care of your legal document preservation duties, and in case data gets lost, they will be liable for the financial damage this incurs to you. Outsourcing of risk against money.

mycall 5 hours ago
| Also, getting insurance to pay for cybercrimes is hard and sometimes doesn't justify their costs. |