Legal Implications of Facebook Hearing for Whistleblowers & Employers – Privacy Issues on Many Levels

On Sunday, October 3rd, Facebook whistleblower Frances Haugen publicly revealed her identity on the CBS television show 60 Minutes. Formerly a member of Facebook’s civic misinformation team, she previously reported them to the Securities and Exchange Commission (SEC) for a variety of concerning business practices, including lying to investors and amplifying the January 6th Capitol Hill attack via Facebook’s platform.

Like all instances of whistleblowing, Ms. Haugen’s actions have a considerable array of legal implications, not only for Facebook but for the technology sector and for labor practices in general. Especially notable is the fact that Ms. Haugen reportedly signed a confidentiality agreement, sometimes called a non-disclosure agreement (NDA), with Facebook, which may complicate the legal process.

What are the Legal Implications of Breaking a Non-Disclosure Agreement?

After secretly copying thousands of internal documents and memos detailing these practices, Ms. Haugen left Facebook in May and testified before a Senate subcommittee on October 5th. Because she revealed information from the documents she took, Facebook could take legal action against Ms. Haugen by accusing her of stealing confidential information. Ms. Haugen’s actions raise questions about the enforceability of non-disclosure and confidentiality agreements when it comes to filing whistleblower complaints.

“Paradoxically, Big Tech’s attack on whistleblower-insiders is often aimed at the whistleblower’s disclosure of so-called confidential inside information of the company.  Yet, the very concerns expressed by the Facebook whistleblower and others inside Big Tech go to the heart of these same allegations—violations of privacy of the consuming public whose own personal data has been used in a way that puts a target on their backs,” said Renée Brooker, a partner with Tycko & Zavareei LLP, a law firm specializing in representing whistleblowers.

Since Ms. Haugen came forward, Facebook stated they will not be retaliating against her for filing a whistleblower complaint. It is unclear whether protections from legal action extend to other former employees, as is the case with Ms. Haugen.

“Other employees like Frances Haugen with information about corporate or governmental misconduct should know that they do not have to quit their jobs to be protected. There are over 100 federal laws that protect whistleblowers – each with its own focus on a particular industry, or a particular whistleblower issue,” said Richard R. Renner of Kalijarvi, Chuzi, Newman & Fitch, PC, a long-time employment lawyer.

According to the Wall Street Journal, Ms. Haugen’s confidentiality agreement permits her to disclose information to regulators, but not to share proprietary information, a tricky balancing act to navigate.

“Big Tech’s attempt to silence whistleblowers is antithetical to the principles that underlie federal laws and federal whistleblower programs that seek to ferret out illegal activity,” Ms. Brooker said. “Those reporting laws include federal and state False Claims Acts, and the SEC Whistleblower Program, which typically feature whistleblower rewards and anti-retaliation provisions.”

Legal Implications for Facebook & Whistleblowers

Large tech organizations like Facebook have an overarching influence on digital information and how it is shared with the public. Whistleblowers like Ms. Haugen expose potential information about how companies accused of harmful practices act against their own consumers, but also risk disclosing proprietary business information which may or may not be harmful to consumers.

Some of the most significant concerns Haugen expressed to Congress were the tip of the iceberg according to those familiar with whistleblowing reports on Big Tech. Aside from the burden of proof required for such releases to Congress, the threats of employer retaliation and legal repercussions may prevent internal concerns from coming to light.

“Facebook should not be singled out as a lone actor. Big Tech needs to be held accountable and insiders can and should be encouraged to come forward and be prepared to back up their allegations with hard evidence sufficient to allow governments to conduct appropriate investigations,” Ms. Brooker said.

As the concern for cybersecurity and data protection continues to hold public interest, more whistleblower disclosures against Big Tech and other companies that could hold them accountable are coming to light.

Haugen’s testimony during the October 5, 2021 Congressional hearing revealed a possible expanding definition of media regulation versus consumer censorship. Although these allegations were the latest against a large company such as Facebook, more whistleblowers may continue to come forward with similar accusations, bringing additional implications for privacy, employment law and whistleblower protections.

“The Facebook whistleblower’s revelations have opened the door just a crack on how Big Tech is exploiting American consumers,” Ms. Brooker said.

This article was written by Rachel Popa, Chandler Ford and Jessica Scheck of the National Law Review.

Ransom Demands: To Pay or Not to Pay?

As the threat of ransomware attacks against companies has skyrocketed, so has the burden on companies forced to decide whether to pay cybercriminals a ransom demand. Corporate management increasingly is faced with balancing myriad legal and business factors in making real-time, high-stakes “bet the company” decisions with little or no precedent to follow. In a recent advisory, the U.S. Department of the Treasury (Treasury) has once again discouraged companies from making ransom payments or risk potential sanctions.

OFAC Ransom Advisory

On September 21, 2021, the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory that updates and supersedes OFAC’s Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, issued on October 1, 2020. This updated OFAC Advisory follows on the heels of the Biden Administration’s heightened interest in combating the growing risk and reality of cyber threats that may adversely impact national security and the economy.

According to Federal Bureau of Investigation (FBI) statistics from 2019 to 2020 on ransomware attacks, there was a 21 percent increase in reported ransomware attacks and a 225 percent increase in associated losses. All organizations across all industry sectors in the private and public arenas are potential targets of such attacks. As noted by OFAC, cybercriminals often target particularly vulnerable entities, such as schools and hospitals, among others.

While some cybercriminals are linked to foreign state actors primarily motivated by political interests, many threat actors are simply in it “for the money.” Every day cybercriminals launch ransomware attacks to wreak havoc on vulnerable organizations, disrupting their business operations by encrypting and potentially stealing their data. These cybercriminals often demand ransom payments in the millions of dollars in exchange for a “decryptor” key to unlock encrypted files and/or a “promise” not to use or publish stolen data on the Dark Web.

The recent OFAC Advisory states in no uncertain terms that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands.” OFAC notes that such ransomware payments could be “used to fund activities adverse to the national security and foreign policy objectives of the United States.” The Advisory further states that ransom payments may perpetuate future cyber-attacks by incentivizing cybercriminals. In addition, OFAC cautions that in exchange for payments to cybercriminals “there is no guarantee that companies will regain access to their data or be free from further attacks.”

The OFAC Advisory also underscores the potential risk of violating sanctions associated with ransom payments by organizations. As a reminder, various U.S. federal laws, including the International Emergency Economic Powers Act and the Trading with the Enemy Act, prohibit U.S. persons or entities from engaging in financial or other transactions with certain blacklisted individuals, organizations or countries – including those listed on OFAC’s Specially Designated Nationals and Blocked Persons List or countries subject to embargoes (such as Cuba, the Crimea region of Ukraine, North Korea and Syria).

Penalties & Mitigating Factors

If a ransom payment is deemed to have been made to a cybercriminal with a nexus to a blacklisted organization or country, OFAC may impose civil monetary penalties for violations of sanctions based on strict liability, even if a person or organization did not know it was engaging in a prohibited transaction.

However, OFAC will consider various mitigating factors in deciding whether to impose penalties against organizations for sanctioned transactions, including if the organizations adopted enhanced cybersecurity practices to reduce the risk of cyber-attacks, or promptly reported ransomware attacks to law enforcement and regulatory authorities (including the FBI, U.S. Secret Service and/or Treasury’s Office of Cybersecurity and Critical Infrastructure Protection).

“OFAC also will consider a company’s full and ongoing cooperation with law enforcement both during and after a ransomware attack” as a “significant” mitigating factor. In encouraging organizations to self-report ransomware attacks to federal authorities, OFAC notes that information shared with law enforcement may aid in tracking cybercriminals and disrupting or preventing future attacks.

Conclusion

In short, payment of a ransom is not illegal per se, so long as the transaction does not involve a sanctioned party on OFAC’s blacklist. Moreover, the recent ransomware Advisory “is explanatory only and does not have the force of law.” Nonetheless, organizations should consider carefully OFAC’s advice and guidance in deciding whether to pay a ransom demand.

In addition to the OFAC Advisory, management should consider the following:

  • Ability to restore systems from viable (unencrypted) backups

  • Marginal time savings in restoring systems with a decryptor versus backups

  • Preservation of infected systems in order to conduct a forensics investigation

  • Ability to determine whether data was accessed or exfiltrated (stolen)

  • Reputational harm if data is published by the threat actor

  • Likelihood that the organization will be legally required to notify individuals of the attack regardless of whether their data is published on the Dark Web.

Should an organization decide it has no choice other than to make a ransom payment, it should facilitate the transaction through a reputable company that first performs and documents an OFAC sanctions check.

© 2021 Wilson Elser


Illinois Appellate Panel Splits the Difference for BIPA Statute of Limitations in Closely Watched Decision

Currently pending before the Seventh Circuit Court of Appeals is the important question of when a claim under the Illinois Biometric Information Privacy Act (“BIPA”) accrues.  Cothron v. White Castle, No. 20-3202 (7th Cir.)  In another litigation CPW previously identified, a panel for the Illinois Court of Appeals recently addressed whether BIPA claims are potentially subject to a one-, two-, or five-year statute of limitations.  Tims v. Black Horse Carriers, Inc., 2021 IL App (1st) 200563 (Sep. 17, 2021).  The answer is apparently “it depends,” based on the particular claims a plaintiff asserts under the statute.

The underlying facts of the case, as with many BIPA litigations, arose in the employer-employee context.  Plaintiff filed a putative class action Complaint in March 2019.  Plaintiff alleged that he worked for Defendant from June 2017 until January 2018. Plaintiff alleged that Defendant “scanned and was still scanning the fingerprints of all employees, including Plaintiff, and was using and had used fingerprint scanning in its employee timekeeping,” in violation of BIPA.

Count I of the Complaint alleged that Defendant violated Section 15(a) of BIPA by failing to institute, maintain, and adhere to a retention schedule for biometric data. Count II of the Complaint alleged that Defendant violated BIPA Section 15(b) by failing to obtain an informed written consent and release before obtaining biometric data. Finally, Count III of the Complaint alleged that Defendant violated BIPA Section 15(d) by disclosing or disseminating biometric data without first obtaining consent.

Defendant subsequently moved to dismiss the Complaint in its entirety, asserting that Plaintiff’s Complaint was filed outside BIPA’s limitation period.  The motion noted that BIPA itself has no limitation provision and argued that the one-year limitation period for privacy actions under Illinois Code Section 13-201 applies to causes of action under the BIPA.

Plaintiff opposed, arguing that: (1) BIPA’s purpose is (in part) to prevent or deter security breaches regarding biometric data and therefore (2) in the absence of a limitation period expressly contained in BIPA itself, the five-year period in Illinois Code Section 13-205 for all civil actions not otherwise provided for should apply. Plaintiff also argued that the one-year limitations period applied only to actions involving publication of information, which was not implicated for all claims under BIPA.

The statute of limitations issue was eventually certified to a panel of the Illinois Court of Appeals.  The Court noted at the onset that Section 15 of BIPA “imposes various duties upon which an aggrieved person may bring an action” and “[t]hough all relate to protecting biometric data, each duty is separate and distinct.”

The Court ultimately found the publication-based distinction raised in the parties’ briefing a useful construct for categorizing claims under BIPA: “[a] plaintiff could therefore bring an action under the Act alleging violations of section 15(a), (b), and/or (e) without having to allege or prove that the defendant private entity published or disclosed any biometric data to any person or entity beyond or outside itself.  Stated another way, an action under section 15(a), (b), or (e) of the Act is not an action ‘for publication of matter violating the right of privacy.’” (quotation omitted).

The end result reached was that the Court held Section 13-201 (the one-year limitations period) governs BIPA actions under Section 15(c) and (d) while Section 13-205 (the five-year limitations period) governs BIPA actions under Sections 15(a), (b), and (e).

Although the shorter limitations period adopted for BIPA claims under Section 15(c) and 15(d) is a welcome ruling for defendants named in BIPA class actions, this ruling will have a limited impact on pending and future-filed BIPA cases.  This is because with the statute’s generous liquidated damages, class actions (even if defined depending on the claim asserted to include only a 1-year period) will still potentially bring a significant payoff for determined class counsel.  The bigger question—pending before the Seventh Circuit—is when BIPA claims accrue in the first place.  For more on this, stay tuned.  CPW will be there to keep you in the loop.

© Copyright 2021 Squire Patton Boggs (US) LLP


Get with The Program – China’s New Privacy Laws Are Coming

The People’s Republic of China (PRC) passed the Personal Information Protection Law (PIPL) on Friday the 20th of August 2021. The new privacy regime strengthens the protection around the use and collection of personal data and introduces a new requirement for user consent.

The PIPL, closely resembling the European Union’s General Data Protection Regulation, prevents the personal data of PRC nationals from being transferred to countries with lower standards of data security; a rule that may pose inherent problems for foreign businesses. The PIPL was introduced following an increase in online scamming and individual service price discrimination – where the same service is offered at different prices based on a user’s shopping profile. However, while businesses and some state entities face stronger collection obligations, the PRC state security department will maintain full access to personal data.

Although the final draft of the PIPL is yet to be released, the new law is set to commence on the 1st of November 2021. Companies will face fines of up to 50 million yuan ($7.6 million USD), or 5 percent of their annual turnover, if they fail to comply. For an in-depth discussion of the Draft PIPL released in August 2020, see our K&L Gates publication here.

Ella Richards also contributed to this article.

Copyright 2021 K & L Gates

Article by Cameron Abbott with K&L Gates.

5 Cybersecurity Risks and 3 Obligations for Law Firms

Law firms have recently become prime targets for cybercriminals seeking to steal, expose, sell, or otherwise extort confidential information.  Both the digitalization of law firms’ sensitive documents and the increase in means available to perpetrate an online crime exacerbate these risks.  Law firms encounter various cybersecurity risks from “insiders”—personnel within the company—and external persons.

In response, many law firms have adopted cybersecurity obligations to protect their clients’ data and the firm’s integrity and reputation.

Main Cybersecurity Risks Facing Law Firms

Law firms naturally handle sensitive client data and confidential company information.  The lack of strong internal controls and compliance programs leaves law firms open to cyber-attacks. These attacks can be committed by insiders within the firm as well as external actors.  Some examples of cybersecurity risks for law firms include the following:

  • Data breaches: This risk involves the theft of personal or sensitive data from law firms and can be perpetrated for a variety of reasons including financial gain or retaliatory purposes.  Cyber criminals will typically execute these attacks by accessing the law firm’s computer from a remote location, collecting the personal or sensitive data, and distributing it to third parties.

  • Ransomware: Ransomware involves encrypting the law firm’s important files and demanding a fee—or ransom—in order for the cyber criminal to restore the file for the law firm’s use.

  • Phishing: This scam involves sending a deceptive message to one or more individuals in the hope of getting them to send back confidential information. This risk is especially prevalent in law firms due to the high volume of emails sent from external persons. If severe, the attorney’s entire email account could be compromised, thus revealing mounds of sensitive client details.

  • Website attacks: Attorneys visit multiple legitimate websites in a day as a part of their daily responsibilities.  Criminals and hackers exploit this by infecting the computers of individuals who visit less secured websites.

  • Miscellaneous cyber threats: Additional threats to law firms’ security include (1) malpractice lawsuits that follow a breach and (2) cyber-crimes committed by insiders.  A client can file a malpractice lawsuit where they believe their attorney has failed to maintain adequate safeguards over their sensitive information.  Further, insider threats can originate from former disgruntled employees or current personnel members and are often very challenging to detect because these individuals often have access to the computers storing the data.

“By the time law firms notice the breach, it may have already suffered financial loss, and, consequently, media attention and reputational harm.  A robust cybersecurity compliance program would help the firm secure the data against improper access and use.  In other words, maintaining strong cybersecurity policies within your firm is key to mitigating liability exposure.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.

2020 Statistics on Cybersecurity and Law Firms

The American Bar Association’s Legal Technology Resource Center compiles an annual report on cybersecurity for law firms that discusses the adoption of compliance programs, types of cyber risks, and injuries caused from cybersecurity breaches.  The number of law firms reporting a security breach increased from 26% in 2019 to 29% in 2020.  Some of these results may have been impacted by COVID-19 since many law firms moved operations online—thus necessitating virtual work environments and online communications.

Security breaches analyzed in the ABA’s report were broad and included stolen computers, exploiting vulnerabilities in websites, and hacking.  Law firms experiencing viruses, spyware, or other infection within their company must expend significant amounts of time, energy, and money in correcting the issue.

In a recent example, in 2019 a senior director of corporate law and lawyer at Apple was charged and indicted on insider trading charges. The indictment alleged that the lawyer traded on confidential information during a blackout period in which no stock could be bought or sold.

Legal Obligations for Law Firms: Statutes on Cybersecurity

There is no federal law regulating a law firm’s cybersecurity practices and policies.  However, federal law does regulate specific industry practices.  For instance, if a law firm has a client within the healthcare, accounting, or financial industry sectors, additional federal obligations may apply.

Clients in the financial industry sector may require that their law firms maintain extra security protection due to the sensitive nature of financial data.  The same applies for healthcare companies who store confidential health records of the public.  Clients that specialize in accounting practices must comply with the Sarbanes–Oxley Act of 2002, which could impose additional obligations on the law firms representing those clients.

The failure of the law firms to properly safeguard client data in these circumstances could lead to federal investigations, lawsuits, loss of future clients, fines and penalties, and significant reputational harm.

In addition to industry standards encompassed by federal law, each state has its own laws regulating data protection. Law firms in California must be mindful of the California Consumer Privacy Act, while law firms in New York must take account of the regulations of the New York State Department of Financial Services as well as the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act.

Law firms may also find it beneficial to adhere to cybersecurity guidelines.  The National Institute of Standards and Technology (“NIST”) is a non-regulatory agency within the Department of Commerce that provides guidelines for cybersecurity regulations for the federal government.  NIST standards are voluntary but compliance with NIST’s Cybersecurity Framework is good practice for law firms and provides good evidence that the law firm took sufficient measures to comply with cybersecurity-related laws and industry practices.

Ethical Obligations for Law Firms: Protecting Client Data and Maintaining Confidentiality

State boards are responsible for regulating the conduct of lawyers and law firms. To do this, state boards often issue ethical opinions to guide lawyers on appropriate cybersecurity practices within their law firms. Specifically, U.S. law firms have to adhere to the ABA’s Model Rules of Professional Conduct.

Model Rule of Professional Conduct 1.4 requires attorneys to make sure that clients are “reasonably informed about the status of the matter” and to “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”

Further, Model Rule of Professional Conduct 1.6 states that lawyers must make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”  Comment 8 to Model Rule 1 explains that, in order to maintain the required knowledge and skill, lawyers should stay abreast of all changes “including the benefits and risks associated with relevant technology.”

ABA Formal Opinion 483 on “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” provides that lawyers have a duty to make “reasonable efforts to avoid data loss or to detect cyber-intrusion” and that an ethical violation may occur if the lawyer does not undertake these steps.

Thus, because law firms often do business with colleagues, opposing counsel, federal agencies, and clients via electronic communications, they have an obligation to ensure that all data is properly stored, secured, and safeguarded.

Internal Obligations for Law Firms: Strengthening Cybersecurity from the Inside

Law firms are finding it beneficial to adopt or strengthen internal practices that improve overall cybersecurity. Examples of supplements to a law firm’s cybersecurity include the following:

  • Cyber insurance

  • Cloud backup

  • Encryption software

  • Reboot and backup policies

  • Strong firewalls

  • Risk assessment and internal controls

  • Robust cybersecurity compliance program

  • Crisis response plan for cyberattacks

  • Reliable antivirus software

  • Strong password combination

  • Strict controls over personnel access to sensitive information

  • Using only secured Wi-Fi

Conclusion

Cybersecurity breaches of a law firm’s sensitive or confidential data can lead to lawsuits, investigations, fines and penalties, and unwanted media attention. They can hurt not only the law firm’s ability to attract clients in the future but also the reputation of the individual attorneys.

Data breaches and other cybersecurity incidents in which attorneys are implicated undermine those attorneys’ duties of competency and confidentiality.

To prevent the disastrous consequences that follow from these breaches, many law firms follow strict legal, ethical, and internal obligations regarding strong cybersecurity practices. Obligations such as compliance with industry standards and state laws, ABA ethical rules, and internal best practices within the law firm enable the law firm to mitigate cybersecurity risk.

Oberheiden P.C. © 2021


Ancestry.com Prevails in Yearbook Database Class Action

This week, Ancestry.com Inc. prevailed in a class action which alleged that it misappropriated consumers’ images and violated their privacy by using such data to solicit and sell their services and products. The court granted Ancestry.com’s motion to dismiss the amended complaint with prejudice because the plaintiffs “did not cure the complaint’s deficiencies” after being granted leave to amend the first complaint.

As we previously wrote in November 2020, Ancestry.com was hit with a class action in the Northern District of California for “knowingly misappropriating the photographs, likenesses, names, and identities of Plaintiff and the class; knowingly using those photographs, likenesses, names, and identities for the commercial purpose of selling access to them in Ancestry products and services; and knowingly using those photographs, likenesses, names and identities to advertise, sell and solicit purchases of Ancestry services and products; without obtaining prior consent from Plaintiffs and the class.” In March 2021, the court dismissed the lawsuit based on lack of standing, but allowed the plaintiffs to amend and address the deficiencies. Although the plaintiffs added allegations of emotional harm, lost time, and theft of intellectual property, that didn’t sway the court. U.S. Magistrate Judge Laurel Beeler said that the new allegations “do not change the analysis in this court’s earlier order.” The court held that the plaintiffs still did not establish Article III standing because they had not alleged a concrete injury.

Additionally, the court noted that even if standing were established, Ancestry.com is immune from liability under the Communications Decency Act (CDA) because it is not a content creator. Magistrate Beeler said that Ancestry.com “obviously did not create the yearbooks [. . .] [i]nstead, it necessarily used information provided by another information content provider and is immune under [the CDA].”

Copyright © 2021 Robinson & Cole LLP. All rights reserved.


“NAME:WRECK” Cybersecurity Vulnerability Highlights Importance of Newly Issued IoT Act

A recently discovered security vulnerability potentially affecting at least 100 million Internet of Things (“IoT”) devices[1] highlights the importance of the newly enacted IoT Cybersecurity Improvement Act of 2020 (the “IoT Act”). Researchers at the security firms Forescout Research Labs and JSOF Research Labs have jointly published a report detailing a security vulnerability known as “NAME:WRECK.” This is exactly the type of issue that the new IoT Act was and is designed to address at the governmental level, because the vulnerability can detrimentally affect the security of millions of interconnected IoT devices. As our recent blog “New Internet of Things (IoT) Cybersecurity Law’s Far Reaching Impacts” discussed, this is the type of cybersecurity risk that all organizations should consider and factor into their supply chain risk assessments and mitigation measures. If your organization directly uses IoT devices, or contracts with vendors who supply IoT devices or software/systems using IoT devices, whether in the healthcare, manufacturing, retail, financial services, hospitality or employment context, you should be evaluating your cybersecurity programs for protecting IoT devices.

The “NAME:WRECK” vulnerability was discovered as part of Forescout’s and JSOF’s efforts to understand underlying problems related to the Domain Name System (DNS). The DNS is responsible for routing internet traffic and as such is a critical element of infrastructure. Referred to as the “phonebook of the internet,” the DNS is a decentralized system and protocol that allows devices to access the internet using domain names (such as “google.com”). It has the potential to be exploited by malicious parties because of its open and distributed nature. Communications between devices on the Internet could not reach their intended destination without DNS.

The “NAME:WRECK” vulnerability affects software and firmware that implements the DNS, including software that uses DNS protocols that “parse” or “compress” domain names. As the researchers explain, “WRECK” gets its name because of “how the parsing of domain names can break—‘wreck’—DNS implementations[.]” An attacker leveraging this vulnerability can gain remote control of an IoT device to inject malicious code on a target and achieve Denial of Service or Remote Code Execution, thereby allowing the exfiltration of information and other attacks. As with other DNS-based vulnerabilities, the attacker may exploit “WRECK” using a man-in-the-middle attack, or other methods, as covered in our Lawline webinar “Protecting Your Domain Name System (DNS) Security To Avoid Data Loss & Insider Threat”, and our blog, “Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat.”
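Because NAME:WRECK is a family of bugs in how embedded stacks parse compressed domain names, the concrete defensive point is what a name decoder must check before it trusts a packet. The following is an added example written for this page, not code from Forescout, JSOF or any of the affected stacks: a bounds-checked decoder for the RFC 1035 wire format that rejects truncated labels, out-of-range or forward compression pointers and pointer loops, exercised against constructed sample messages (the hop cap, the sample bytes and the helper names are this example's own choices).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1035 limits: 63 octets per label, 255 octets per name on the wire. */
#define DNS_MAX_LABEL    63
#define DNS_MAX_NAME     255
#define DNS_MAX_PTR_HOPS 16   /* assumed cap; far more than any legitimate name needs */

/* Decode the (possibly compressed) name at msg[offset] into `out` as dotted
 * text such as "www.example.com".  Returns the number of bytes the name occupies
 * at `offset` (what the caller advances by), or -1 if the encoding is malformed.
 * Every byte read is checked against msg_len, a compression pointer may only
 * point to an earlier offset, pointer hops and accumulated wire length are
 * capped, and `out` is never overrun. */
int dns_decode_name(const uint8_t *msg, size_t msg_len, size_t offset,
                    char *out, size_t out_len)
{
    size_t pos = offset;   /* current read position in msg */
    size_t consumed = 0;   /* bytes the name occupies at the original offset */
    size_t out_pos = 0;    /* characters written to out */
    size_t wire_len = 0;   /* wire-format octets accumulated so far */
    int jumped = 0;        /* set once the first pointer has been followed */
    int hops = 0;          /* pointers followed */

    if (msg == NULL || out == NULL || out_len == 0)
        return -1;

    for (;;) {
        if (pos >= msg_len)
            return -1;                       /* truncated message */
        uint8_t len = msg[pos];

        if ((len & 0xC0) == 0xC0) {          /* 11xxxxxx: compression pointer */
            if (pos + 1 >= msg_len)
                return -1;                   /* second pointer byte missing */
            size_t target = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            if (target >= pos)
                return -1;                   /* forward or self pointer: not a prior occurrence */
            if (++hops > DNS_MAX_PTR_HOPS)
                return -1;                   /* pointer/label cycle: refuse to spin */
            if (!jumped) {
                consumed = pos + 2 - offset; /* the name ends at the first pointer */
                jumped = 1;
            }
            pos = target;
            continue;
        }
        if ((len & 0xC0) != 0)
            return -1;                       /* 01/10 prefixes are reserved (RFC 1035) */
        if (len == 0) {                      /* root label terminates the name */
            if (!jumped)
                consumed = pos + 1 - offset;
            if (out_pos >= out_len)
                return -1;
            out[out_pos] = '\0';
            return (int)consumed;
        }
        if (len > DNS_MAX_LABEL || pos + 1 + len > msg_len)
            return -1;                       /* oversized label or label data past the message */
        wire_len += 1 + len;
        if (wire_len + 1 > DNS_MAX_NAME)
            return -1;                       /* name would exceed 255 octets with the root byte */
        if (out_pos + (out_pos ? 1 : 0) + len + 1 > out_len)
            return -1;                       /* no room for dot, label and NUL in out */
        if (out_pos)
            out[out_pos++] = '.';
        memcpy(out + out_pos, msg + pos + 1, len);
        out_pos += len;
        pos += 1 + len;
    }
}

/* Constructed sample (not a real capture): "www.example.com" at offset 0 and
 * "mail" followed by a pointer to offset 4 ("example.com") at offset 17. */
static const uint8_t SAMPLE_OK[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0, 0x04
};
/* Constructed malformed inputs the decoder must reject rather than follow. */
static const uint8_t SAMPLE_LOOP[]  = { 3,'a','b','c', 0xC0, 0x00 }; /* 4 -> 0 -> 4 -> ... */
static const uint8_t SAMPLE_TRUNC[] = { 5,'a','b' };                 /* label outruns the message */
static const uint8_t SAMPLE_SELF[]  = { 0xC0, 0x00 };                /* pointer to itself */
static const uint8_t SAMPLE_OOB[]   = { 3,'a','b','c', 0xC0, 0xFF }; /* pointer past the end */

/* Decode the name at `offset` and compare it with `expect`; returns the bytes
 * consumed on a match, -1 on rejection or mismatch. */
int decode_and_compare(const uint8_t *msg, size_t msg_len, size_t offset,
                       const char *expect)
{
    char buf[DNS_MAX_NAME + 1];
    int n = dns_decode_name(msg, msg_len, offset, buf, sizeof buf);
    return (n >= 0 && strcmp(buf, expect) == 0) ? n : -1;
}

/* Returns 1 if the decoder rejects the name at `offset`, 0 if it accepts it. */
int decode_rejects(const uint8_t *msg, size_t msg_len, size_t offset)
{
    char buf[DNS_MAX_NAME + 1];
    return dns_decode_name(msg, msg_len, offset, buf, sizeof buf) < 0;
}
```

The backward-only pointer rule alone does not stop a cycle built from alternating pointers and labels, which is why the hop cap and the 255-octet limit are kept as well.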

The implications of “NAME:WRECK” are significant. In their report, Forescout and JSOF identified popular software components affected by the vulnerability: FreeBSD, IPnet, NetX and Nucleus NET, which led the Cybersecurity & Infrastructure Security Agency (CISA) to issue an alert. Nucleus NET is used in over 3 billion devices, including defibrillators, ultrasound machines, avionics navigation, and MediaTek IoT chipsets and baseband processors used in smartphones and other wireless devices. The researchers found that not all devices running the above software are vulnerable; however, they conservatively estimate that over 100 million devices are at risk. The researchers noted that FreeBSD is widely used in high-performance servers in millions of IT networks. Indeed, the researchers warned, “exploitation of NAME:WRECK also will work to detect exploitation on other TCP/IP stacks and protocols that we could not yet analyze.”

The cybersecurity of IoT devices presents particular challenges because it is difficult to inventory all of the software and firmware running on the devices and to patch them when vulnerabilities are disclosed. Moreover, depending on the device, patches may need to be applied manually by the user if the device is not centrally managed. Patching becomes even more difficult where the IoT device, such as a medical device or industrial control system, cannot easily be taken offline because of its mission-critical nature. Among other things, the IoT Act addresses these patching difficulties and processes with respect to the acquisition and use by the federal government of IoT devices capable of connecting to the Internet.

Organizations that have devices susceptible to the “NAME:WRECK” vulnerability should conduct a risk assessment and take risk reduction measures if vulnerabilities are identified, particularly if they are government contractors or subject to regulatory standards to protect sensitive information. Forescout and JSOF set out mitigation recommendations in their report, which include identifying vulnerable devices and updating their software. Recommended risk reduction measures include segmenting networks to limit the exposure of vulnerable IoT devices that cannot be patched immediately, implementing “a remediation plan for your vulnerable asset inventory balancing business risk and business continuity requirements,” and monitoring external DNS traffic, since exploitation requires a malicious DNS response to reach the device.

From the perspective of any purchaser or user of IoT devices, the recent “NAME:WRECK” report highlights supply chain risk and the unavoidable reality that vulnerabilities will continue to be exploited by wrongdoers. Organizations subject to regulatory standards to protect personal, health and other sensitive information (e.g., Gramm-Leach-Bliley, HIPAA, the NY SHIELD Act, California Civil Code §1781.5, the Massachusetts data protection regulation, and the Illinois Personal Information Protection Act and Biometric Information Privacy Act) are already required to use reasonable safeguards to protect IoT devices that may affect the security of protected information. The IoT Act mandates future systemic improvements for the acquisition and use of IoT devices in information systems owned or controlled by the federal government. The IoT Act, these regulatory requirements and the “NAME:WRECK” vulnerability highlight how, in our interconnected world, legal standards and technology increasingly intersect. It is therefore critical that organizations plan for the cybersecurity of their IoT devices and systems in their information security and compliance programs and take reasonable steps to ensure that IoT vulnerabilities are addressed in a timely manner consistent with risk.

[1] IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood, and can function on their own and are not only able to function when acting as a component of another device, such as a processor.” The wide range of IoT devices that connect to the Internet includes security cameras and systems, geolocation trackers, smart appliances (e.g., TVs, refrigerators), fitness trackers and wearables, medical device sensors, driverless cars, industrial and home thermostats, biometric devices, manufacturing and industrial sensors, farming sensors and other smart devices.

©2021 Epstein Becker & Green, P.C. All rights reserved.


For more articles on cybersecurity, visit the NLR Communications, Media & Internet section.

Guarding the Grid: DOE Releases 100-Day Cybersecurity Pilot Program

The February 2021 hack into Oldsmar, Florida’s water treatment system is a frightening reminder that critical infrastructure systems can be vulnerable to cyberattacks and that cyberattacks can jeopardize health and safety. In this case, the hack may have spurred government action. On Tuesday, the Biden administration announced a 100-day plan “to advance technologies and systems that will provide cyber visibility, detection, and response capabilities for industrial control of electric utilities.”

In a coordinated effort among the Department of Energy (“DOE”), the Cybersecurity and Infrastructure Security Agency (“CISA”), and the electricity industry, the plan lays out four areas of focus for the next 100 days: (1) enhancement of mechanisms for detection, mitigation, and forensic activities; (2) “concrete milestones” for the industry to develop “situational awareness and response capabilities in critical industrial control systems (ICS) and operational technology networks (OT)”; (3) reinforcement of overall cybersecurity in critical infrastructure information technology networks; and (4) voluntary industry participation programs “to deploy technologies to increase the visibility of threats in ICS and OT systems.”

The plan’s success likely hinges on the government’s ability to develop sustainable, cooperative relationships with the relevant industries. “Public-private partnership is paramount to the Administration’s efforts,” said National Security Council (“NSC”) Spokesperson Emily Horne in response to Tuesday’s announcement, “because protecting our Nation’s critical infrastructure is a shared responsibility of government and the owners and operators of that infrastructure.” It appears that similar plans are being developed for additional critical infrastructure industries, including water, the chemical sector, and natural gas.

The previous administration responded to the escalating threat of cyberattacks from foreign adversaries[1] in part with Executive Order 13920, which declared a national emergency with regard to electric grid security and gave the Secretary of Energy the authority to prohibit certain transactions involving electric equipment potentially controlled by a foreign adversary. Relying on EO 13920, the DOE issued a Prohibition Order in December 2020 barring “Critical Defense Facilities” and any supporting facilities from purchasing or installing electricity generation equipment manufactured in China (“December Prohibition Order”).

On January 20, 2021, President Biden’s DOE issued a 90-day suspension of EO 13920 and the December Prohibition Order to allow the DOE and the Office of Management and Budget to consider methods of “protect[ing] against high-risk electric equipment transactions by foreign adversaries while providing additional certainty to the utility industry and the public.” Tuesday’s announcement from the DOE revoked the December Prohibition Order, effective immediately, but EO 13920 will remain in place until it expires on May 1, 2021.

The DOE has now opted to revoke the December Prohibition Order in an effort to “create a stable policy environment” while the DOE further develops its cybersecurity strategy for the electricity sector. However, utilities are still encouraged to “act in a way that minimizes the risk of installing electric equipment and programmable components that are subject to foreign adversaries’ ownership, control, or influence” while the DOE develops further recommendations.

To assist in cybersecurity strategy development, along with the DOE’s 100-day plan announcement, the DOE issued a Request for Information (“RFI”) “focused on preventing exploitation and attacks by foreign threats to the U.S. supply chain.” Interested parties are encouraged to submit input to the DOE by June 7, 2021 regarding the development of “a long-term strategy that includes technical assistance needs, supply chain risk management, procurement best practices, and risk mitigation criteria” as well as the “depth and breadth of a future prohibition authority.” Instructions for submitting comments can be found on the DOE’s website.

The DOE is still hammering out many details of the 100-day plan, and some details may never be released to the public – expansions of DOE’s Cyber Testing for Resilient Industrial Control Systems program, for example, will be classified to avoid oversharing with foreign intelligence. While the DOE works to develop its 100-day plan, utilities should evaluate cybersecurity infrastructure within their own systems. For example, utilities could make renewed efforts to take inventory of software and hardware used across any systems touching critical infrastructure, and ensure that all technology is secure and up to date. If defense, detection, and prevention systems do not meet the DOE’s suggested standards, a utility could consider implementing additional measures or strengthening current systems now.

Additionally, a utility could consider whether and how its organization might participate in an information-sharing program. Any thoughts regarding guardrails and disclosure limitations for such a program could be submitted as comments to the RFI. Also, a utility could consider how its current approach to communicating with internal and external stakeholders about cyber issues might impact participation in information sharing.


[1] The new 100-day plan comes not only in the wake of the Oldsmar water system hack but also just days after the administration announced sanctions against Russia for its role in the SolarWinds hack.

© 2021 Bracewell LLP


IT Security Trends in the Era of COVID: Our Top Five Tips for Making Your Network Safer in 2021

As the COVID era drags on, it is clear that work life “post-COVID” may be very different from life “pre-COVID.” This is especially true as it relates to IT security. More and more employees have shifted to a telecommuting work model, and for many businesses that may be the case for an indefinite period of time. This raises important questions as to which security improvements or other changes IT departments need to make in 2021 to keep their businesses and client data safer from cyberattacks.

Here are five potential IT defense measures that your business can implement to protect your organization’s data as well as your clients’ data:

  1. Ensure your network only accepts connections through an encrypted Virtual Private Network (VPN). Preparing your network for long-term telecommuting connectivity and ensuring that your employees can only access your company’s network through an encrypted VPN is an important first step. When properly configured, a VPN provides an encrypted “tunnel” between an employee’s device and the company’s internal network (in both directions), which gives employees a secure connection as they continue to access their employers’ networks remotely over the long haul.
  2. Invest in and enact mandatory multi-factor authentication. Multi-factor authentication (MFA) requires a person to prove their identity with two or more independent factors (for example, a password plus a one-time code or hardware token) and is critical to defending a network against many types of cyber threats, including phishing and credential stuffing attacks. MFA helps to protect against unauthorized network access even after an employee’s log-in credentials have been compromised. According to TechRepublic, the use of MFA increased by 18% in 2020, including a 27% increase in the use of biometric data for security purposes. MFA has emerged as a key tool to combat the threat and expense of cyberattacks; as such, organizations of all sizes would be well served in making MFA implementation a top priority.
  3. Implement mandatory employee security awareness training. According to the 2019 Verizon Data Breach Investigations Report, approximately one-third of all cybersecurity breaches stemmed from phishing attacks, with that number rising to almost 80% for cyber espionage attacks. There is no better time to teach your employees how to recognize and avoid phishing attacks. One cost-effective measure to combat phishing is to tag all emails originating outside the company as “external.” This raises awareness and helps prevent employees from clicking bad links or opening infected attachments in messages that appear to come from colleagues.
  4. Implement “layered” security for your network, also known as “Defense in Depth.” Rather than relying solely on a user’s log-in credentials, “layer” your network security with additional measures such as MFA, password hashing and salting, biometric verification, application whitelisting, and secure network logging and auditing. According to Help Net Security, in the second quarter of 2020 approximately 70% of all cyberattacks involved “zero day” malware, meaning malware for which no anti-virus signature yet exists, a 12% increase from the first quarter of 2020. Because signature-based defenses cannot stop such malware on their own, each additional layer of defense strengthens a company’s ability to detect and stop a developing attack. Diversifying network defenses can pay dividends.
  5. Recognize and minimize the insider threat. “Insider” cyberattacks have increased by approximately 50% over the last two years, and according to the Verizon Data Breach Report, over 30% of all reported cyberattacks and data breaches are directly attributable to company insiders. To reduce this threat, have your IT department identify and eliminate employee “privilege creep.” Insider attacks often stem from employees having excessive access and privileges to parts of the company network that they do not need. In short, take the time to ensure that employees have access only to the data they actually need, and nothing more, and review those entitlements periodically.
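What the “privilege creep” review in item 5 looks like in practice, as an added example that is not part of the original article: the script below compares each account’s granted permissions against the baseline for its role and against the permissions the account has actually exercised in the review window, and reports grants that fall outside the baseline or have gone unused. The role baselines, grants and audit log are constructed for illustration; a real review would pull them from the identity provider and the audit log.

```python
# Added example, not code from the article: a periodic entitlement review that
# surfaces "privilege creep" by checking each account's grants against the
# baseline for its role and against what the account has actually used. The
# roles, grants and access log below are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

ROLE_BASELINE = {
    "analyst": {"reports:read", "tickets:write"},
    "finance": {"ledger:read", "ledger:write", "reports:read"},
}

# account -> (role, permissions actually granted, including ad hoc additions)
GRANTS = {
    "alice": ("analyst", {"reports:read", "tickets:write"}),
    "bob":   ("analyst", {"reports:read", "tickets:write", "ledger:write"}),  # left over from a temporary project
    "carol": ("finance", {"ledger:read", "ledger:write", "reports:read"}),
}

# Constructed audit log covering the review window: timestamp, account, permission exercised
ACCESS_LOG = """\
2021-03-01T09:12:00 alice reports:read
2021-03-02T10:30:00 alice tickets:write
2021-03-03T11:00:00 bob reports:read
2021-01-15T08:00:00 bob ledger:write
2021-03-04T14:00:00 carol ledger:write
2021-03-04T14:05:00 carol ledger:read
"""


def last_use_by_account(log_text: str) -> dict:
    """Map account -> {permission: most recent timestamp it was exercised}."""
    last_used = defaultdict(dict)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, account, perm = line.split()
        when = datetime.fromisoformat(stamp)
        if when > last_used[account].get(perm, datetime.min):
            last_used[account][perm] = when
    return last_used


def review(grants, baseline, log_text, now, stale_after=timedelta(days=30)):
    """Return a sorted list of (account, permission, reason) findings.

    Two rules: a grant outside the account's role baseline is flagged on its
    own, and any grant not exercised within `stale_after` is flagged as stale.
    """
    last_used = last_use_by_account(log_text)
    findings = []
    for account, (role, perms) in sorted(grants.items()):
        for perm in sorted(perms):
            if perm not in baseline[role]:
                findings.append((account, perm, "outside role baseline"))
            used = last_used[account].get(perm)
            if used is None:
                findings.append((account, perm, "not used in review window"))
            elif now - used > stale_after:
                findings.append((account, perm, f"last used {(now - used).days} days ago"))
    return findings


if __name__ == "__main__":
    for finding in review(GRANTS, ROLE_BASELINE, ACCESS_LOG, now=datetime(2021, 3, 5, 12, 0)):
        print("%-6s %-14s %s" % finding)
```

The two rules catch different things: the baseline rule finds grants that should never have existed for the role, while the staleness rule finds grants that were once legitimate and were never removed. Both kinds are what an insider, or an attacker who has taken over the account, would inherit.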

This list is by no means exhaustive, and there are certainly many other tactics, defenses and strategies companies can implement to protect their networks and data from external and internal cyber threats and attacks. Nevertheless, these “top five” recommendations are foundational to any type of network security improvements and should be considered as part of any upgrades for network cyber defenses in 2021.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.



Ransomware Payments Can Lead to Sanctions and Reporting Obligations for Financial Institutions

With cybercrime on the rise, two U.S. Treasury Department components, the Office of Foreign Assets Control (“OFAC”) and the Financial Crimes Enforcement Network (“FinCEN”), issued advisories on one of the most insidious forms of cyberattack – ransomware.

Ransomware is a form of malicious software designed to block access to a system or data.  The targets of ransomware attacks are required to pay a ransom to regain access to their information or system, or to prevent the publication of their sensitive information.  Ransomware attackers usually demand payment in the form of convertible virtual currency (“CVC”), which can be more difficult to trace.  Although ransomware attacks were already on the rise (there was a 37% annual increase in reported cases and a 147% increase in associated losses from 2018 to 2019), the COVID-19 pandemic has exacerbated the problem, as cyber actors target the online systems that U.S. persons rely on to continue conducting business.

OFAC

The OFAC advisory focuses on the potential sanctions risks for those companies and financial institutions that are involved in ransomware payments to bad actors, including ransomware victims and those acting on their behalf, such as “financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response.”  OFAC stresses that these payments may violate U.S. sanctions laws or OFAC regulations and may encourage future attacks.

OFAC maintains a consolidated list of sanctioned persons, which includes numerous malicious cyber actors and the digital currency addresses connected to them.[1]  Any payment to those organizations or their digital currency wallets or addresses, including the payment of a ransom itself, is a violation of economic sanctions laws regardless of whether the parties involved in the payment knew or had reason to know that the transaction involved a sanctioned party.  The advisory states that “OFAC has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for these activities.”

In addition to violating sanctions laws, OFAC warned that ransomware payments with a sanctions nexus threaten national security interests.  These payments enable criminals to profit and advance their illicit aims, including funding activities adverse to U.S. national security and foreign policy objectives.  Ransomware payments also embolden cyber criminals and provide no guarantee that the victim will regain access to their stolen data.


OFAC encourages financial institutions to implement a risk-based compliance program to mitigate exposure to potential sanctions violations.  Accordingly, these sanctions compliance programs should account for the risk that a ransomware payment may involve a Specially Designated National, blocked person, or embargoed jurisdiction.  OFAC encouraged victims of ransomware attacks to contact law enforcement immediately, and listed the contact information for relevant government agencies.  OFAC wrote that it considers the “self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”  OFAC will also consider a company’s cooperation efforts both during and after the ransomware attack when evaluating a possible outcome.

Such cooperation may also be a “significant mitigating factor” in determining whether and to what extent enforcement is necessary.

FinCEN

FinCEN’s advisory also encourages entities that process payments potentially related to ransomware to report to and cooperate with law enforcement.  The FinCEN advisory arms these institutions with information about the role of financial intermediaries in payments, ransomware trends and typologies, related financial red flags, and effective reporting and information sharing related to ransomware attacks.

According to FinCEN, ransomware attacks are growing in size, scope, and sophistication.  The attacks have increasingly targeted larger enterprises for bigger payouts, and cybercriminals are sharing resources to increase the effectiveness of their attacks.  The demand for payment in anonymity-enhanced cryptocurrencies has also been on the rise.

FinCEN touted “[p]roactive prevention through effective cyber hygiene, cybersecurity controls, and business continuity resiliency” as the best ransomware defense.  The advisory lists numerous red flags designed to assist financial institutions in detecting, preventing, and ultimately reporting suspicious transactions associated with ransomware payments.  These red flags include, among others: (1) IT activity that shows the existence of ransomware software, including system log files, network traffic, and file information; (2) a customer’s CVC address that appears on open sources or is linked to past ransomware attacks; (3) transactions that occur between a high-risk organization and digital forensics and incident response companies or cyber insurance companies; and (4) customers that request payment in CVC, but show limited knowledge about the form of currency.
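How the sanctions-list check and the second red flag above can be applied to a proposed payment, as an added example that is not from the OFAC or FinCEN advisories: the script below screens a destination address against a list in the shape of OFAC’s entries (which, as noted above, include digital currency addresses) and against addresses seen in the institution’s own earlier ransomware cases, normalizing addresses per chain so that a cosmetic change does not dodge a match. The list entries, case references and chain codes are constructed; a real program would load OFAC’s published sanctions data and the institution’s case records.

```python
# Added example, not from the OFAC or FinCEN advisories: screening the destination
# of a proposed ransomware payment against a sanctions list that carries digital
# currency addresses, and against addresses seen in earlier ransomware cases.
# The list entries, case history and chain codes are constructed.
from dataclasses import dataclass

CHAIN_ALIASES = {"BTC": "XBT", "BITCOIN": "XBT", "ETHEREUM": "ETH"}


def canonical_chain(chain: str) -> str:
    code = chain.strip().upper()
    return CHAIN_ALIASES.get(code, code)


def normalize_address(chain: str, address: str) -> str:
    """Chain-specific canonical form so a cosmetic change does not dodge a match.

    Ethereum addresses are hex and case-insensitive, so they are lower-cased.
    Bitcoin base58/bech32 addresses are compared byte-for-byte after trimming,
    because changing the case of a base58 address yields a different string.
    """
    address = address.strip()
    if canonical_chain(chain) == "ETH":
        return address.lower()
    return address


@dataclass(frozen=True)
class ScreeningHit:
    address: str
    source: str   # "sanctions-list" or "prior-ransomware"
    detail: str


# Constructed entries in the shape of (chain, address, listed party)
SANCTIONS_ADDRESSES = [
    ("XBT", "1ExampleSanctionedAddressAAAAAAAAAAAAAAA", "Listed Actor One"),
    ("ETH", "0xABCDEF0123456789ABCDEF0123456789ABCDEF01", "Listed Actor Two"),
]
# Constructed case history: (chain, address) -> internal case reference
PRIOR_RANSOMWARE_ADDRESSES = {
    ("XBT", "bc1qexamplepriorransomnoteaddress00000000"): "case 2020-0042",
}


def build_index(entries):
    return {(canonical_chain(c), normalize_address(c, a)): who for c, a, who in entries}


SANCTIONS_INDEX = build_index(SANCTIONS_ADDRESSES)
PRIOR_INDEX = build_index((c, a, case) for (c, a), case in PRIOR_RANSOMWARE_ADDRESSES.items())


def screen_payment(chain: str, address: str) -> list:
    """Return every list the destination address matches."""
    key = (canonical_chain(chain), normalize_address(chain, address))
    hits = []
    if key in SANCTIONS_INDEX:
        hits.append(ScreeningHit(address, "sanctions-list", SANCTIONS_INDEX[key]))
    if key in PRIOR_INDEX:
        hits.append(ScreeningHit(address, "prior-ransomware", PRIOR_INDEX[key]))
    return hits


def decide(chain: str, address: str) -> str:
    """BLOCK on a sanctions match (strict liability: the payer's knowledge does
    not matter), ESCALATE on any other red flag for SAR review, else CLEAR."""
    hits = screen_payment(chain, address)
    if any(h.source == "sanctions-list" for h in hits):
        return "BLOCK"
    if hits:
        return "ESCALATE"
    return "CLEAR"


if __name__ == "__main__":
    for chain, addr in [("btc", "1ExampleSanctionedAddressAAAAAAAAAAAAAAA"),
                        ("eth", "0xabcdef0123456789abcdef0123456789abcdef01"),
                        ("btc", "bc1qexamplepriorransomnoteaddress00000000"),
                        ("btc", "1UnrelatedDestinationAddressBBBBBBBBBBBBB")]:
        print(chain, addr, "->", decide(chain, addr), screen_payment(chain, addr))
```

The two outcomes are deliberately different: a sanctions match is a prohibited transaction regardless of what the payer knew, so it is blocked outright, while a match against prior case history is a red flag that supports escalation and a SAR rather than an automatic prohibition. A production screen would add what this example omits, such as validating the address checksum (a case-folded copy of a base58 address is a different and almost certainly invalid address) and refreshing the list from OFAC’s published data on a schedule.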

Finally, FinCEN reminded financial institutions about their obligations under the Bank Secrecy Act to report suspicious activity, including ransomware payments.  A financial institution is required to file a suspicious activity report (“SAR”) with FinCEN if it knows, suspects, or has reason to suspect that the attempted or completed transaction involves $5,000 or more derived from illegal activity.  “Reportable activity can involve transactions . . . related to criminal activity like extortion and unauthorized electronic intrusions,” the advisory says.  Given this, suspected ransomware payments and attempted payments should be reported to FinCEN in SARs.  The advisory provides information on how financial institutions and others should report and share the details related to ransomware attacks to increase the utility and effectiveness of the SARs.  For example, those filing ransomware-related SARs should provide all pertinent available information.  In keeping with FinCEN’s previous guidance on SAR filings relating to cyber-enabled crime, FinCEN expects SARs to include detailed cyber indicators.  Information, including “relevant email addresses, Internet Protocol (IP) addresses with their respective timestamps, virtual currency wallet addresses, mobile device information (such as device International Mobile Equipment Identity (IMEI) numbers), malware hashes, malicious domains, and descriptions and timing of suspicious electronic communications,” will assist FinCEN in protecting the U.S. financial system from ransomware threats.

[1] https://home.treasury.gov/news/press-releases/sm556


© Copyright 2020 Squire Patton Boggs (US) LLP