President Obama Authorizes Additional Sanctions on Russian Individuals and Entities: Executive Order 13964

Originally, EO 13964 focused on cyber-enabled malicious activities that harmed or significantly compromised the provision of services by entities in a critical infrastructure sector. This included significant disruptions to the availability of a computer or network of computers, or causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.

In light of Russia’s recent use of cyber means to undermine democratic processes, the president has amended the EO to cover additional activities, authorizing sanctions on individuals/entities who tamper with, alter, or cause misappropriation of information with the purpose or effect of interfering with or undermining election processes or institutions. Under this authority, the president has sanctioned nine entities and individuals, including two Russian intelligence services (the GRU and the FSB), four individual officers of the GRU and three companies that provided material support to GRU’s cyber operations.

These new sanctions highlight the importance of regular and diligent screening of transactions, as well as the need to periodically review existing screening practices to ensure that they are up to date. It is critical to remember that an individual who may have been an acceptable business partner one day may be on a sanctions list the next.

©2016 Drinker Biddle & Reath LLP. All Rights Reserved

House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the revelation that cybersecurity is no longer just about protecting laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology is becoming connected to the Internet. Representatives from both committees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, as these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVR players, GPS systems, children’s toys, and of course, electronic voting booths. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, they agreed that a collaborative and, above all, proactive approach by both the government and manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement” since old but active devices are still vulnerable to hijacking by botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on global Internet routing company Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure encrypted devices. There are likewise no significant legal or economic penalties for selling insecure devices to consumers. In short, consumers are focused on buying sleek and affordable new products rather than on the networks that connect them. However, if massive DDoS attacks continue the same way that data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr. Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as necessary obstacles, but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Cybersecurity Due Diligence Is Crucial in All M&A—Including Energy M&A Transactions

Can a single data breach kill or sideline a deal? Perhaps so. Last month Verizon signaled that Yahoo!’s disclosure of a 2014 cyberattack might be a “material” change to its July $4.83 billion takeover bid—which could lead Verizon to renegotiate or even drop the deal entirely. Concern over cybersecurity issues is not unique to technology or telecommunications combinations. In a 2016 NYSE Governance Services survey of public company directors and officers, only 26% of respondents would consider acquiring a company that recently suffered a high-profile data breach—while 85% of respondents claimed that it was “very” or “somewhat” likely that a major security vulnerability would affect a merger or acquisition under their watch (e.g., 52% said it would significantly lower valuation).

Bottom Line: Cybersecurity should play a more meaningful role in the due diligence portion of any potential M&A deal. Certainly this is so when a material portion of the value in the acquisition comes from intangible assets that might be most vulnerable to hackers. Financial information comes to mind. Personal information of employees does as well. But companies also need to be concerned about their trade secrets, know-how and other confidential business information whose value inheres in its secrecy. Therefore, a merely perfunctory approach to cybersecurity can become very costly. The union of companies today is a union of information, malware and all.

Energy M&A Is Not Immune

To weather the plunge in prices, many oil companies have sought out new innovations to reduce the cost of extraction and exploration. Investments in digital technologies will likely only increase—a 2015 Microsoft and Accenture survey of oil and gas industry professionals found that “Big Data” and the “Industrial Internet of Things” (IIoT) are targets for greater spend in the next three to five years. Cybersecurity threats were perceived in the survey as one of the top two barriers to realizing value from these technologies.

These developments in the energy industry—bigger data and bigger vulnerabilities—are here to stay. The proposed merger of General Electric and Baker Hughes also speaks to the growing importance of analytics to oil production. Commentators note that the acquisition would allow GE to implement its Predix platform more fully, an application of IIoT to connect everything from wellhead sensors to spreadsheets. However, as last month’s massive cyberattack on DNS provider Dyn, Inc. demonstrated, the IIoT holds unique challenges as well as great promise for operational efficiency. (In this attack, reportedly 400,000 internet-linked gadgets were hacked and used to reroute web traffic to overload servers.)

Bottom Line: Robust cybersecurity diligence should be de rigueur for energy M&A.

What Can Companies Do to Protect Deal Value?

For starters, energy companies should treat cybersecurity as a separate and more involved category for due diligence.

Liability for or damages from legacy data breaches or malware can become expensive—damages to systems, theft of information and liability from the release of personal or reputation-damaging information, to name a few. Therefore, anticipating problems post-merger, cataloguing past vulnerabilities and most importantly, discovering actual breaches before closing is crucial to avoid deals blowing hot and cold.

Companies should retain IT specialists who can do an objective assessment of the cybersecurity posture of a proposed merger or acquisition. This can help prospective acquirers better determine the adequacy of a target’s cybersecurity programs, such as its policies over incident response, how access to data is distributed, the extent of a company’s online presence and vulnerabilities, and how remediation of any potential cyberthreats or actual breaches may best proceed.

A cybersecurity questionnaire should also be developed, covering such topics as:

  • How and where has company data been stored?

  • Who has had access?

  • Have there been any actual or attempted intrusions into (or leaks) of company data?

An acquirer could further insist on specific representations and warranties from a target company regarding their cybersecurity compliance, as well as bargain towards indemnity for prior data breaches.

On the target side, energy companies should prepare (in turn) for more scrutiny over their data security and privacy practices. Among other benefits to “knowing thyself,” getting ahead of this process should offer targeted companies a better negotiating position. It would also allow them to take a more proactive role in defining the policies of the combined company post-merger. At the very least, these efforts could help avoid the kind of hiccups and uncertainties that lead to undervaluation. In any event, poor cybersecurity practices can give an impression that a target lacks risk management in other areas—not an ideal pose to strike in any bargain.

Parting Thoughts

It is a trope in cybersecurity writing to invoke figures like Sun Tzu and shoehorn in quotes about war stratagem. Well, these habits are in some ways unavoidable: For all intents and purposes, fighting anonymous hackers resembles battle prep—a method of self-awareness and readiness that defies box-checking.

Energy companies could take these words to heart from the inestimable Miyamoto Musashi, a samurai who won 60 duels: “If you consciously try to thwart opponents, you are already late.” (A sentiment echoed more recently by Mike Tyson’s truistic “Everyone has a plan until they get punched in the mouth.”)

And This Key Takeaway: Any cybersecurity program must go hand-in-hand with a corporate culture that respects data as among its most valued assets. Efforts in detection, reporting and remediation are challenges that fall throughout the ranks and, if reflexive to the unknown, stand the best chance of being fully realized.

Bottom Line: Mind Your Data!

Privacy and Data Security in the Trump Administration

Privacy and data security issues were prominent in the campaign. Allegations were even made that Russia was behind the DNC hack.

Despite being front and center in the campaign, cybersecurity did not generate specific policies from the Trump campaign. One thing Donald Trump did promise was a top-to-bottom review of US cyber defense and security led by government, law enforcement, and private sector experts. He also committed to establishing a Justice Department task force to coordinate responses to cyber attacks and a cyber review team to audit existing government IT systems.

Another area on which the President-elect spoke was the need to clamp down on the theft of US intellectual property, especially by foreign nations and competitors. Tools already exist to do that, of course, such as the Economic Espionage Act of 1996. Congress, which earlier this year enacted the Defend Trade Secrets Act, is likely to respond favorably to any additional resources or authorities the new administration might seek for this purpose.

Related to cyber security were Mr. Trump’s comments on encryption during Apple’s dispute with the Justice Department in the wake of the San Bernardino terrorist attack. Trump sided strongly with law enforcement, and we can expect Congress to return to the subject of encryption in the coming session. Whether anything happens legislatively is uncertain, and some in Congress want to await the pending report of the National Academy of Science on encryption, which will remain a highly contentious issue. Still, Candidate Trump’s comments show where he stands. One wildcard in the debate may be how weakened FBI Director Jim Comey, who has been leading the charge on encryption issues for law enforcement, now is.

Also due for legislative consideration in 2017 is the renewal of section 702 surveillance authority under the FISA Amendments Act, which is due to sunset at the end of the year. Trump is likely to take a much more pro-surveillance position than either the current administration or Secretary Clinton might have taken.  Privacy advocates in both parties are likely to press for changes in the law, but at this point the odds would be against them.

Either on its own or in conjunction with the section 702 debate, Congress is likely to return to consideration of ECPA reform. The House passed the E-mail Privacy Act unanimously this Congress, but it stalled in the Senate due to privacy groups’ opposition to an amendment sought by Senator Cornyn.  The must-pass section 702 legislation is likely to provide a vehicle for e-mail privacy and related ECPA reform legislation if it does not move on its own.

Also in the mix on these issues is consideration of legislation clarifying and modernizing how domestic law enforcement accesses data across national borders. Legislation addressing that issue enjoys prominent support in Congress and may well get taken up in conjunction with ECPA reform or get lumped in with that in the context of section 702 renewal.

And the House Judiciary Committee is already moving ahead with a hearing scheduled to consider protecting geolocation data, setting up another area of dispute between law enforcement and privacy advocates.

Also in the mix legislatively will be proposals on how firms deal with data breaches and theft of information. The recently disclosed hack of Yahoo and the DNC hack have again raised the profile of data breach issues.  While there is consensus that something should be done, disagreement remains on the details, including whether a federal law should preempt state data breach laws.  There is little reason to expect that the disagreements can be bridged or that legislation will in fact move forward.

Finally and briefly, other issues that Congress is likely to look at, though on which a legislative solution is unlikely, are:

1) how to address distributed denial of service attacks, and the inter-related topic of the growth of the Internet of Things, on which several committees have already scheduled hearings in the wake of the recent significant DDOS attack. At this stage, Congress is likely to seek to continue to build its level of understanding of the issues here rather than act on anything;

2) how to address the recruitment of terrorists and the spread of violent extremism through social media; and

3) the implementation of last year’s Cybersecurity Information Sharing Act by the Department of Homeland Security.

One final point: the key players on these issues are likely to remain the same. One possible change would have Senate Judiciary ranking member Pat Leahy, just reelected, move to become ranking member of the Appropriations Committee, which could open the door for Senator Feinstein to become ranking member of the Judiciary Committee.  She would be more sympathetic to law enforcement and less aligned with the privacy advocates than Senator Leahy has been.  However, her move might allow tech-friendly Senator Mark Warner to become vice chairman of the Intelligence Committee, of which Senator Richard Burr will remain as chairman after his reelection.

© 2016 Covington & Burling LLP

Legal Challenge to EU-US Privacy Shield Framework

As widely expected, the EU-US Privacy Shield is being challenged before the European courts.

What is Privacy Shield?

In October 2015, the Court of Justice of the European Union (CJEU) ruled that the European Commission’s decision on adequacy for the Safe Harbor scheme was invalid. The European Union and the United States agreed a new framework for the exchange of personal data for commercial purposes, called the Privacy Shield, to replace Safe Harbor. The Privacy Shield Framework was deemed adequate for the transfer of personal data by the European Commission in a decision dated 12 July 2016. Adequacy is granted only where the standard of protection in a third country is “essentially equivalent” to the rights and freedoms guaranteed by the EU regime on data protection.

Safe Harbor was challenged on the grounds that public authorities in the US had access to the content of electronic communications originating within the EU. When ruling on the European Commission’s adequacy decision in respect of Safe Harbor, the CJEU considered that the requirements for adequacy cannot be met where a regime compromises the right to respect for private life and fails to allow an individual to pursue legal remedies and to have access to their personal data.

The EU Article 29 Working Party recently published its opinion on the EU-U.S. Privacy Shield. It said that, despite improving some of the areas of the Safe Harbor scheme which had been particularly criticised, Privacy Shield still did not sufficiently address “massive and indiscriminate surveillance of individuals” by the US national security authorities in the light of the fight against terrorism.  The Working Party further added that this “can never be considered proportionate and strictly necessary in a democratic society as is required under the protection offered by the applicable fundamental rights”.

The Legal Challenge

The legal challenge was filed in Europe’s General Court (the Court of First Instance) on 16 September 2016 by a privacy advocacy group called Digital Rights Ireland but was only recently made public.  The General Court’s website reveals little more of substance about the challenge saying only that there is an “action for annulment” and the subject matter is “area of freedom, security and justice”. Reuters has reported that Digital Rights Ireland seeks annulment of the European Commission’s approval of the adequacy decision on the Privacy Shield Framework.

It remains to be seen how the case will be decided, but in reviewing Safe Harbor the CJEU established rationale on what adequacy means in light of the transfer of personal data. The Privacy Shield will remain in effect until the courts decide otherwise, which could take up to a year.

Matt Buckwell is co-author of this article. 

© Copyright 2016 Squire Patton Boggs (US) LLP

Cyber Security Awareness Needs To Last Beyond October

The U.S. Department of Homeland Security (DHS) has designated October as National Cyber Security Awareness Month. But as we leave October, remember that data security is an ongoing challenge that requires continued vigilance not just against information system hacking, but also against employee error and other threats. Setting up a comprehensive training and awareness program is critical – and this outline can help you continue keeping your organization aware of cyber security throughout the year.

DHS’ purpose is to engage and educate public and private sectors through events and initiatives that raise awareness about cybersecurity, make certain tools and resources available, and increase our resiliency in the event of a cyber incident. This is a great effort and DHS collects helpful information and a number of resources for visitors to its site. But by selecting October to draw attention to cyber security, surely DHS did not intend that October be the only month that we think about this important area.

Earlier this year, the FBI reported a significant increase in ransomware attacks. Late last year, the Wall Street Journal reported on a survey by the Association of Corporate Counsel (“ACC”) that found “employee error” is the most common reason for a data breach. Training and creating awareness to deal with these continued and growing risks is critical. In fact, for many organizations, doing so will help satisfy legal requirements for securing data. And, it is a mistake to believe that only organizations in certain industries like healthcare, financial services, retail, education and other regulated sectors have obligations to train employees about data security. A growing body of law coupled with the vast amounts of data most organizations maintain should prompt all organizations to assess their data privacy and security risks, and implement appropriate awareness and training programs.

Here are some questions to ask when setting up your own program, which are briefly discussed in the FBI report above:

  • Who should design and implement the program?

  • Who should be trained?

  • Who should conduct the training?

  • What should the training cover?

  • How often should training be provided to build awareness?

  • How should training be delivered?

  • Do we need to document the training?

No system is perfect, however, and even a good training and awareness program will not prevent data incidents from occurring. But in the absence of such a program, the question you will have to answer for your organizations likely will not be why didn’t the organization have a system in place to prevent all breaches. Instead, the question will be whether the organization had safeguards that were compliant and reasonable under the circumstances.

Jackson Lewis P.C. © 2016

Schnucks Shakes Card Issuer Data Breach Class Action, For Now

A relatively new breed of data breach class action involves financial institutions suing merchants for expenses associated with credit card data breaches. Although merchants may not have contractual privity with the card issuers (and instead may have contractual privity with the credit card brands or payment processors), the financial institutions in these cases claim that the retailers should still compensate the financial institutions for costs associated with fraudulent charges and reissuance of credit cards as a result of a data breach. In the most recent decision involving these sorts of claims, an Illinois federal judge found the financial institutions’ claims against the Schnucks grocery store chain too vague to survive Rule 12 dismissal. See Cmty. Bank of Trenton v. Schnuck Mkts., 2016 U.S. Dist. LEXIS 133482 (S.D. Ill. Sept. 28, 2016). The court reasoned that although “the parties are charting relatively new territory in the data breach context by presenting a case between financial institutions and a merchant (as opposed to customers and a merchant), . . . the Court notes that the generality made it difficult to assess the plausibility of such claims.” Id. at *8-9.

The financial institutions asserted 13 counts, which were addressed by the court as follows:

  • The court dismissed without prejudice the first three counts (RICO claims) for failure to allege predicate RICO acts with sufficient particularity. Id. at *19. According to the court, the financial institutions “rely on two theories of fraud–misrepresentation and cheating–but they do not allege with specificity what it was about Schnucks’s conduct that constituted these things.” Id. The court found the RICO conspiracy allegations similarly infirm.

  • As to breach of fiduciary duty, the court found insufficient allegations of a special relationship under Illinois law or a dominant/subservient relationship under Missouri law and thus dismissed that claim without prejudice. Id. at *31-32.

  • The court dismissed the negligent misrepresentation claim without prejudice because the plaintiffs had asserted insufficient allegations of concrete misrepresentations and duty and had not sufficiently addressed the economic loss doctrine under Illinois law, and the plaintiffs’ assumptions of and reliance on compliance with VISA and MasterCard security protocols were insufficient to plead the elements of negligent misrepresentation under Missouri law. Id. at *33-34.

  • As to negligence/gross negligence, the court found no duty to protect data owed by the defendant to the plaintiffs under the FTC Act or common law and thus dismissed the claim without prejudice. Id. at *36-37.

  • The court dismissed the negligence per se claim (with prejudice under Illinois law and without prejudice under Missouri law) because the plaintiffs failed to identify a statute violated, much less one imposing strict liability. Id. at *39-40.

  • As to breach of implied contract, the court dismissed without prejudice because of insufficient allegations of implicit contractual privity between the financial institutions and grocery store chain, and the allegations of pre-existing duty to VISA and MasterCard undercut an implied contract claim under Missouri law. Id. at *43-44.

  • The court dismissed without prejudice the breach of contract damaging third parties claim because of insufficient allegations that the plaintiffs were intended third-party beneficiaries of the grocery store chain and any other participants in the financial network, and the plaintiffs appeared to be incidental beneficiaries that could not recover under Missouri law. Id. at *44-47.

  • As to the Illinois Consumer Fraud and Deceptive Business Practices Act claim, the court dismissed without prejudice because of insufficient allegations of misrepresentation content, timing and nature of communication. Id. at *47-48.

  • The court dismissed the unjust enrichment/assumpsit claim because there were insufficient allegations that the defendant received some benefit from payment via credit card above and beyond payment by some other means. Id. at *48-49. Nor did the plaintiffs adequately articulate what they would have done had they known about the allegedly poor data security practices. Id. at *49-50.

  • As to equitable subrogation, the court dismissed without prejudice because of inadequate allegations that the plaintiffs had paid a third-party debt by reimbursing customers for fraudulent charges. Id. at *51-52.

  • Finally, because the court dismissed all the claims, it did not opine on the claim for declaratory and injunctive relief.

These sorts of cases are in their infancy, and it remains to be seen how they’ll ultimately fare in the face of Rule 12, Rule 23, and Rule 56 challenges. Stay tuned.

© 2016 Vedder Price

Recent Studies Show Increasing Need For Employee Training in Data Security

Two recent studies show an increasing need for companies to better train their employees in data security to prevent data and monetary loss. On September 7, 2016, Wells Fargo Insurance released a study on cyber security showing some interesting trends in companies with $100 million or more in annual revenue. The second-annual study questioned 100 decision makers on issues of data, hackers, network vulnerabilities, and other cyber security matters. The study showed that companies were nearly twice as concerned with losing private data as they were with being hacked or having some other security breach disrupt their system.

In particular, Wells Fargo noted the surprising trend that companies are not more concerned with employee misuse of technology (finding only 7% of companies believed that their employees’ misuse of technology posed a potential threat). Yet this is a real issue. This was confirmed in another study released this month by the Ponemon Institute – 2016 Cost of Insider Threats – which showed that organizations are spending on average $4.3 million annually to mitigate and resolve insider threats. “Companies perceive insider threats as mostly driven by malicious employees, but the fact is that a significant portion of the risk is due to insider carelessness.”

The Ponemon report polled 280 IT and security practitioners from medium and large organizations. It found a total of 874 insider incidents over the course of a year, 65% of which were caused by employee or contractor negligence, 22% by malicious employees or criminals, and about 10% by imposter fraud. The security incidents from negligence cost the respondents about $207,000 per incident and about $2.3 million annually.

But both studies point out that what companies are doing to combat what has been termed “the human factor,” or an employee’s misuse of technology, is not enough. As noted in the Ponemon report, the “training programs that companies have are just not very good. They are really focused on check-the-box compliance requirements to show everyone that [the] company [has] training on data protection.” Wells Fargo noted, “[c]yber risk management is first and foremost about education,” and this applies to companies both big and small. In the domain of imposter fraud alone, where a fraudster gains access to the email account of a company’s senior executive and then requests a payment, the professional risk practice at Wells Fargo handles five to ten of these incidents each week, from clients that are not well-known brands.

In addition, the time to contain these insider-related incidents correlates directly to the total cost to the company. The Ponemon study showed that it took more than 60 days to contain the incident or attack for 58% of their sample, with another 20% experiencing containment within 30 days.

So what should companies be doing? Companies are most frequently using data loss prevention tools and mandatory user training and awareness. However, as the Ponemon study shows, deployment of user behavior analytics would result in the largest total cost savings, at $1.1 million (based on the mean value of $4.3 million), and could drive the most impact in terms of cost on investment. The recommendation is to focus on visibility and transparency – not on stringent controls – and to build “a layered defense that delivers a comprehensive range of capabilities across visibility, detection, context and rapid response.”

© Polsinelli PC, Polsinelli LLP in California

New York Proposes First-Ever Cybersecurity Regulation for Financial Institutions

The New York Department of Financial Services recently announced a new proposed rule, which would require financial institutions and insurers to implement strong policies for responding to cyberattacks and data breaches. Specifically, the rule would require insurers, banks, and other financial institutions to develop detailed, specific plans for data breaches; to appoint a chief privacy security officer; and to increase monitoring of the handling of customer data by their vendors.

Until now, various regulators have been advancing similar rules on a voluntary basis.  This is reportedly the first time that a state regulatory agency is seeking to implement mandatory rules of this nature.

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said New York Governor Cuomo. He added that the proposed regulation will ensure that the financial services industry upholds its commitment to protect customers and take more steps to prevent cyber-attacks.

The rule would go into effect in 45 days, subject to a notice and public comment period. Among other detailed requirements, it will mandate a detailed cybersecurity program and a written cybersecurity policy. While larger financial institutions likely already have such policies in place, the rule puts more pressure on them to fully comply. It also mandates the hiring of a Chief Privacy Officer at a time when privacy professionals are already in very high demand. To attract top talent, financial institutions will need to allocate appropriate budgets for such hiring.

Additionally, the rules outline detailed requirements for the hiring and oversight of third-party vendors. Regulated entities that allow their vendors to access nonpublic information will now have to engage in appropriate risk assessment, establish minimum cybersecurity practices for vendors, and conduct due diligence processes and periodic assessment (at least once a year) of third-party vendors to verify that their cybersecurity practices are adequate. More detailed specifications can be found here. Other requirements include employment and training of cybersecurity personnel, timely destruction of nonpublic information, monitoring for unauthorized users, and encryption of all nonpublic information. As DFS Superintendent Maria Vullo explained: “Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”

Among other notable requirements, the regulations further mandate that banks notify New York’s Department of Financial Services of any material data breach within 72 hours of the breach. The regulations come at a time when cybersecurity attacks are on the rise. The proposed rules also follow on the heels of recent legislative initiatives in 4 other states to bolster their cybersecurity laws, as we previously discussed.

The regulations are sweeping in nature in that they potentially affect not only New York-based companies but also insurers, banks, and financial institutions that conduct business in New York or have customers who are New York residents. If you are unsure about your company’s obligations and the impact of the proposed rules on your industry, contact the Mintz Levin privacy team for a detailed analysis.

©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Espionage and Export Controls: iPhone Hack Highlights New World of Warfare

Last week, researchers at Citizen Lab uncovered sophisticated new spyware that allowed hackers to take complete control of anyone’s iPhone, turning the phone into a pocket-spy to intercept communications, track movements and harvest personal data. The malicious software, codenamed “Pegasus,” is believed to have been developed by the NSO Group, an Israeli company (whose majority shareholder is a San Francisco-based private equity firm) that describes itself as a “leader in cyber warfare” and sells its software — with a price tag of $1 million — primarily to foreign governments. The software apparently took advantage of three previously unknown security flaws in Apple’s iOS software, and was described by experts as “the most sophisticated” ever seen on the market. Apple quickly released a patch, iOS 9.3.5, and urged users to download it immediately.

Citizen Lab learned about Pegasus from Ahmed Mansoor, a UAE human rights activist, who received text messages baiting him to click on a link to discover “new secrets about the torture” of Emirati prisoners. Mr. Mansoor had been prey to hackers before, so he contacted Citizen Lab. When researchers tested the link, they discovered software had been remotely implanted onto the phone, and brought in Lookout, a mobile security firm, to reverse-engineer the spyware. Citizen Lab later identified the same software as having been used to track a Mexican journalist whose writings have criticized Mexico’s President. Citizen Lab and Lookout also determined that Pegasus could have been used across Turkey, Israel, Thailand, Qatar, Kenya, Uzbekistan, Mozambique, Morocco, Yemen, Hungary, Saudi Arabia, Nigeria, and Bahrain, based on domains registered by NSO.

NSO Group, the architect of Pegasus, claims to provide “authorized governments with technology that helps them combat terror and crime,” insisting that its products are only used in lawful ways. NSO spokesperson Zamir Dahbash told reporters that the company “fully complies with strict export control laws and regulations.” The Citizen Lab researcher who disassembled the malicious program, however, compared it to “defusing a bomb.” All of which raises the question – what laws or regulations govern the export of cyber-weapons by an Israeli firm (likely controlled by U.S. investors) to foreign governments around the world?

Cyber weapons are becoming increasingly interchangeable with traditional weapons. Governments (or terrorists) no longer need bombs or missiles to inflict large-scale destruction, such as taking down a power grid, since such attacks can now be conducted from anywhere there is a computer. Do export controls – which have long been used as foreign policy and national security tools, and which would regulate the transfer of traditional weapons – play any real role in regulating the transfer of weapons of cyber-surveillance or destruction? In fact, the legal framework underlying current export controls has not caught up (and maybe never will) to the capabilities of technological tools used in cyberwarfare. Proposals to regulate malware have been met with resistance from the technology industry because malware technology is often dual-use and the practical implications of requiring licenses would impede technological innovation and business activities in drastic ways.

The Wassenaar Arrangement

The Wassenaar Arrangement (WA) was established in 1996 as a multilateral nonproliferation regime to promote regional security and stability through greater transparency and responsibility in the transfer of arms and sensitive technologies. The United States is a member. Israel is not, but has aligned its export controls with the Wassenaar lists.

In December 2013, the list of export controlled technologies under WA was amended to include commercial surveillance software, largely to curb human rights abuses by repressive governments’ use of spyware on citizens. Earlier this year, the Department of Commerce issued recommendations that the definition of “intrusion software” in the WA be modified to encompass the concept of “authorization” so that malware such as Pegasus, in which the user does not truly understand the nature of the consequences, would be controlled. Those proposals have not been implemented.

U.S. Export Controls of Malware

In 2015, following data breaches at the Office of Personnel Management and several private companies, the Department of Commerce published proposed rules to harmonize concepts embedded in the WA into the U.S. regulatory framework for export controls. One critical proposal was a definition of “intrusion software” that would require a license for the export and use of malware tools. But the definition covered much more than malware. Cybersecurity experts were alarmed by the rule’s over-inclusive and vague language. The rules would have impeded critical business activities, stifled international research and cross-border exchanges of technology, and hindered response to cyber threats.

NSO Group has been described by researchers as “incredibly committed to stealth,” and reportedly has close partnerships with other Israeli surveillance firms that seek to sell spyware, suggesting an inevitable increase in cyber mayhem. As malware becomes more sophisticated, widespread, and threatening, the need for strictly tailored export controls is not going to go away.

Regulating software is challenging, at least in part, because there is no workable legal definition of what constitutes a cyber weapon. Because malware is largely dual-use, the only way to determine whether particular software constitutes a cyber weapon is retroactively: if software has been used as a weapon, it is considered a cyber weapon. But that definition arrives far too late to control the dissemination of the code. Moreover, controlling components of that software would likely be over-inclusive, since the same code that can exploit flaws to break into devices can also have benign uses, such as detecting vulnerabilities to help manufacturers like Apple learn what needs patching. Another challenge is that obtaining export licenses can take months, which, in the fast-moving tech world, is as good as denial.

The revelation of the Pegasus iPhone spyware highlights questions that have perplexed national security and export control experts in recent years. As the use and sophistication of malware continue their explosive growth, not only must individuals and governments face the chilling realities of cyber warfare, but regulators must quickly understand the technological issues, address the risks, and work with the cyber security and technological communities to find a path forward.