In Largest Known Data Breach Conspiracy, Five Suspects Indicted in New Jersey

DrinkerBiddle

On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ.  The scheme is the largest of its kind ever prosecuted in the United States.

The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks.  Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.

Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations.  The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.

The defendants allegedly used a number of methods to evade detection.  They used web-hosting services provided by one of the defendants, who unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement.  The defendants also communicated through private and encrypted communication channels and tried to meet in person.  They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.

Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343).  All of the defendants are charged with conspiracy to commit these crimes.

Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing.  The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.

This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks.  The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year.  Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc.  Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways.  Damages are difficult to estimate with precision, but they total several hundred million dollars at least.  Just three of the corporate victims suffered losses totaling more than $300 million.


Survey Says: Fortune 500 Disclosing Cyber Risks

Mintz

Ever since our 2013 prediction, an ever increasing number of public companies are adding disclosure related to cybersecurity and data breach risks to their public filings.  We previously analyzed how the nation’s largest banks have begun disclosing their cybersecurity risks.   Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance.

The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the “Report”), analyzes cybersecurity disclosure by Fortune 500 public companies.  The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures.  Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was “material”, “serious” or used a similar term, and only 2% of the companies used a stronger term, such as “critical”.

Following the SEC’s recommendation in its guidance, 95% of the disclosing companies mentioned specific cyber risks that they face.  The top three cyber risks identified by those companies that disclosed cyber risks were:

1) Loss or theft of confidential information (65%).

2) Loss of reputation (50%).

3) Direct loss from malicious acts (hackers, viruses, etc.) (48%).

Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks and only 52% refer to technical solutions that they have in place to defend against cyber risks.

The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks.  This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance.  For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.

Almost two years after its issuance, the Report findings indicate that the 2011 SEC Guidance is in full swing and making its way into reality.  As more large companies disclose cyber risks in their public filings, this will continue to trickle down to the smaller companies that rely on those filings for precedent and guidance.  The Report provides a clear snapshot of where things stand in cyber risk disclosure by Fortune 500 public companies.  The scope of the Report is expected to expand to include Fortune 1000 companies, and it will be interesting to see how this data changes, if at all, when comprised of a larger pool of public companies.

Stay tuned!


Basic Guidelines for Protecting Company Trade Secrets

Lewis & Roca

Under the Uniform Trade Secrets Act (UTSA), “trade secrets” are generally defined as confidential proprietary information that provides a competitive advantage or economic benefit. Trade secrets are protected under the Economic Espionage Act of 1994 (EEA) at the federal level, and the vast majority of states have enacted statutes modeled after the UTSA. (Note that some jurisdictions, such as California, Texas and Illinois, have adopted trade secret laws that differ substantially from the UTSA; businesses should therefore research the laws in the relevant jurisdiction(s).) Under the UTSA, to be protectable as a trade secret, information must meet three requirements:

i. the information must fall within the statutory definition of “information” eligible for protection;

ii. the information must derive independent economic value from not being generally known or readily ascertainable by others using appropriate means; and

iii. the information must be the subject of reasonable efforts to maintain its secrecy.

Trade secret theft continues to accelerate among U.S. companies, and can have drastic consequences. To combat this threat, Congress and certain state legislatures have recently enacted legislation to broaden trade secret protection. As a result, it is paramount that companies safeguard all proprietary information that may qualify as protectable trade secrets. This blog post explains some key trade secrets concepts, and offers pointers on how to identify and protect trade secrets.

(1) Determine Which Data Constitutes “Information”

The UTSA-type statutes generally define “information” to include:

Financial, business, scientific, technical, economic, and engineering information;

Computer code, plans, compilations, formulas, designs, prototypes, techniques, processes, or procedures; and

Information that has commercial value, such as customer lists or the results of expensive research.

Courts have similarly interpreted “information” to cover virtually any commercially valuable information. Examples of information that has been found to constitute trade secrets include pricing and marketing techniques, customer and financial information, sources of supplies, manufacturing processes, and product designs.

(2) “Valuable” and “Not Readily Ascertainable” Information

To be protectable, information must also have “economic value” and not be “readily ascertainable” by others. Courts generally determine whether information satisfies this standard by considering the following factors:

Reasonable measures have been put in place to protect the information from disclosure;

The information has actual or potential commercial value to a company;

The information is known by a limited number of people on a need-to-know basis;

The information would be useful to competitors and would require a significant investment to duplicate or acquire the information; and

The information is not generally known to the public.

(3) Take Reasonable Measures to Maintain Secrecy

Businesses should implement technical, administrative, contractual and physical safeguards to keep secret the information sought to be protected. Companies should identify foreseeable threats to the security of confidential information; assess the likelihood of potential harm flowing from such threats; and implement security protocols to address those threats. Examples of security measures might include restricting access to confidential information on a need-to-know basis; employing computer access restrictions; circulating an employee handbook that outlines company policies governing confidential information; conducting entrance interviews for new hires to determine whether they are subject to restrictive covenants with former employers; conducting exit interviews with departing personnel to ensure that the employee has returned all company materials and agrees to abide by post-employment obligations; encrypting confidential information; limiting access to confidential information through passwords and network firewalls; tracking all access to network resources and confidential information; restricting the ability to email, print or otherwise transfer confidential information; employing security personnel; limiting visitor access; establishing surveillance procedures; and limiting physical access to areas that may contain confidential information.

Conclusion

This blog post is intended to provide some broad guidelines to identifying and protecting company trade secrets. Most if not all companies have confidential information that may be protectable as a trade secret. But certain precautions need to be in place to ensure that the information is protectable. Because each company and situation is different, you should seek advice about your specific circumstances.


New Data Breach Class Action has Two Million Plaintiffs

RaymondBannerMED

Cyber breaches resulting in the release of personal identifiable information (PII) are increasingly common and now we are starting to see class action lawsuits filed as a result. In what will likely be the beginning of a wave of lawsuits filed as a result of cyber breaches, Schnucks Markets, operator of 100 supermarkets across the Midwest, recently removed a class action lawsuit filed against it to federal court stemming from a data breach that occurred in March in which 2.4 million credit card numbers were stolen.

The class action complaint alleges Schnucks failed to properly and adequately safeguard its customers’ personal and financial data. In addition to common law negligence and disclosure, the plaintiffs allege a violation of the Illinois Personal Information Protection Act, which requires a data collector of personal information to notify affected individuals in the most expedient manner possible and without unreasonable delay. The complaint alleges Schnucks waited over two weeks to notify its customers and then did so only through a press release, as opposed to providing actual notice to individual consumers. Apparently Schnucks struggled to find the source of the breach, and this delay may have continued to expose the PII of people who shopped at its stores.

Schnucks’ notice of removal to federal court states that the grounds for removal include a class size of more than 100 people and damages at issue greater than $5 million. Schnucks also explains that the data breach was the result of criminals hacking into its electronic payment systems at 23 stores. Further, during the relevant period, 1.6 million credit or debit card transactions took place at these stores. Schnucks calculates that 500,000 unique credit or debit cards were involved; thus the putative class has at least 500,000 members.

Damages alleged by the plaintiffs include having their credit card data compromised, incurring numerous hours cancelling their compromised cards, activating replacement cards and re-establishing automatic withdrawal payment authorizations as well as other economic and non-economic harm. Given that data breaches are becoming increasingly common it is likely that there will be more lawsuits filed similar to Schnucks in the near future. Legal counsel experienced in cyber risk and insurance can assist retailers and insurance companies with handling such problems as they arise.

Round Up – Intellectual Property and Cyber Security Things You May Have Missed (Including Some Good Summer Cocktail Banter Material)

Giordano

Cyber Security Report – Earlier this year, Verizon released its 2013 Data Breach Investigations Report.  The report analyzes and presents data regarding the current state of various data breaches and network attacks.  Some of the results are surprising.

  • 92% of breaches are perpetrated by outsiders
  • 19% of breaches are attributed to state-affiliated actors
  • 76% of network intrusions exploit weak or stolen credentials
  • 66% took months or more to discover

Do Trademark Lawyers Matter? – An empirical study, published in the Stanford Technology Law Review, provided the results of a grueling analysis of 25 years’ worth of data from United States Patent and Trademark Office records on whether being represented by a trademark attorney makes a difference in the likelihood of success in getting your mark registered.  The results?  YES!  It turns out that, overall, trademark applicants who are represented by an attorney are 50% more likely to have their marks registered.  The results are even more dramatic when an application faces an obstacle (e.g., an office action).  In those instances, applicants were found to be 68% more likely to proceed to publication when represented by counsel.  Perhaps it’s time for a national trademark lawyer appreciation day! (I’m not holding my breath).

Does Keyword Advertising Really Work?  eBay recently released a study, entitled “Consumer Heterogeneity and Paid Search Effectiveness: A Large Scale Field Experiment” which analyzed the effectiveness of eBay’s keyword advertising efforts.  So does keyword advertising really work?  Not so much.  According to the study, for well known brands (like eBay), new and infrequent users may be more influenced by keyword triggered advertisements.  But more experienced searchers and otherwise loyal brand users are not influenced by the ads.  When eBay stopped its keyword advertising, almost all of the traffic lost from the absence of the ad was picked up in the native search results.  It’s important to note, however, that this study was focused on a single well known brand.  The results may be quite different for other brands or for less well known brands.  Moreover, the study says nothing about the use of a trademark by a competitor as a keyword to drive traffic to the competitor’s website.

Marketing Your Mobile App – The FTC has released guidelines for mobile app developers when advertising their software.  The plain language guide is very high level, but does include some helpful tidbits to remember.  Highlights include:

  • Advertising is everything a company tells a prospective buyer about its app (whether it’s in the formal ad campaign or in other communications).
  • Don’t bury key disclosures in “dense blocks of legal mumbo jumbo” or behind hyperlinks.
  • Build in privacy by design, including principles used in selecting default settings.
  • If you change your privacy policy, you need to get users’ consent.  Merely editing the language of the policy isn’t enough.

Effective Disclosures in Digital Advertising – The FTC also released guidelines for online advertising.  This new guidance focuses on the peculiarities and challenges associated with online advertising.  Where this adds new value is in its analysis and detail (with examples!) of the following areas:

  • Proximity and Placement – where disclosures have to be placed to be effective
  • Hyperlinks – including proper labeling and placement
  • Prominence – including use of size, color and graphics
  • Distractions – risks from graphics, sounds and links that may distract from disclosures
  • Multimedia – use of audio and video

Attack on “Happy Birthday” Copyright.  Salon.com reported yesterday that a class action suit has been filed to attack the copyright in the popular birthday celebration tune.  According to the report, the lawsuit was prompted by a documentary uncovering evidence that the song was originally published as early as 1893 and that the current copyright is based on a 1924 publication date which grants the work 95 years of copyright protection.  Based on my count, there’s only about 6 years left in the alleged copyright to begin with.  Hopefully the lawsuit gets resolved before then.


New Cybersecurity Guidance Released by the National Institute of Standards and Technology: What You Need to Know for Your Business

Mintz

The National Institute of Standards and Technology (“NIST”)[1] has released the fourth revision of its standard-setting computer security guide, Special Publication 800-53, titled Security and Privacy Controls for Federal Information Systems and Organizations[2] (“SP 800-53 Revision 4”), and this marks a very important release in the world of data privacy controls and standards. First published in 2005, SP 800-53 is the catalog of security controls used by federal agencies and federal contractors in their cybersecurity and information risk management programs. Developed by NIST, the Department of Defense, the Intelligence Community, and the Committee on National Security Systems as part of the Joint Task Force Transformation Initiative Interagency Working Group[3] over a period of several years, with input collected from industry, Revision 4 “is the most comprehensive update to the security controls catalog since the document’s inception in 2005.”[4]

Taking “a more holistic approach to information security and risk management,”[5] the new revision of SP 800-53 also includes, for the first time, a catalog of privacy controls (the “Privacy Controls”) and offers guidance in the selection, implementation, assessment, and ongoing monitoring of the privacy controls for federal information systems, programs, and organizations (the “Privacy Appendix”).[6] The Privacy Controls are a structured set of standardized administrative, technical, and physical safeguards, based on best practices, for the protection of the privacy of personally identifiable information (“PII”)[7] in both paper and electronic form during the entire life cycle[8] of the PII, in accordance with federal privacy legislation, policies, directives, regulations, guidelines, and best practices.[9] The Privacy Controls can also be used by organizations that do not collect and use PII, but otherwise engage in activities that raise privacy risk, to analyze and, if necessary, mitigate such risk.

Description of the Eight Families of Privacy Controls

The Privacy Appendix catalogs eight privacy control families, based on the widely accepted Fair Information Practice Principles (FIPPs)[10] embodied in the Privacy Act of 1974, Section 208 of the E-Government Act of 2002, and policies of the Office of Management and Budget (OMB). Each of the following eight privacy control families aligns with one of the eight FIPPs:

  1. Authority and Purpose. This family of controls ensures that an organization (i) identifies the legal authority for its collection of PII or for engaging in other activities that impact privacy, and (ii) describes the purpose of PII collection in its privacy notice(s).
  2. Accountability, Audit, and Risk Management. This family of controls ensures that an organization (i) develops and implements a comprehensive governance and privacy program; (ii) documents and implements a privacy risk management process that assesses privacy risk to individuals resulting from collection of PII and/or other activities that involve such PII; (iii) conducts Privacy Impact Assessments (“PIAs”) for information systems, programs, or other activities that pose a privacy risk; (iv) establishes privacy requirements for contractors and service providers and includes such requirements in the agreements with such third parties; (v) monitors and audits privacy controls and internal privacy policy to ensure effective implementation; (vi) develops, implements, and updates a comprehensive awareness and training program for personnel; (vii) engages in internal and external privacy reporting; (viii) designs information systems to support privacy by automating privacy controls, and (ix) maintains an accurate accounting of disclosures of records in accordance with the applicable requirements and, upon request, provides such accounting of disclosures to the persons named in the record.
  3. Data Quality and Integrity. This family of controls ensures that an organization takes reasonable steps to validate that the PII collected and maintained by the organization is accurate, relevant, timely, and complete.
  4. Data Minimization and Retention. This family of controls addresses (i) the implementation of data minimization requirements to collect, use, and retain only PII that is relevant and necessary for the original, legally authorized purpose of collection, and (ii) the implementation of data retention and disposal requirements.
  5. Individual Participation and Redress. This family of controls addresses implementation of processes (i) to obtain consent from individuals for the collection of their PII, (ii) to provide such individuals with access to the PII, (iii) to correct or amend collected PII, as appropriate, and (iv) to manage complaints from individuals.
  6. Security. This family of controls supplements the security controls in Appendix F and is implemented in coordination with information security personnel to ensure that the appropriate administrative, technical, and physical safeguards are in place to (i) protect the confidentiality, integrity, and availability of PII, and (ii) ensure compliance with applicable federal policies and guidance.
  7. Transparency. This family of controls ensures that organizations (i) provide clear and comprehensive notices to the public and to individuals regarding their information practices and activities that impact privacy, and (ii) generally keep the public informed of their privacy practices.
  8. Use Limitation. This family of controls addresses the implementation of mechanisms that ensure that an organization’s scope of use of PII is limited to the scope specified in their privacy notice or as otherwise permitted by law.

Some of the Privacy Controls, such as Data Quality and Integrity, Data Minimization and Retention, Individual Participation and Redress, and Transparency, also contain control enhancements, and while these enhancements reflect best practices which organizations should strive to achieve, they are not mandatory.[11] The Office of Management and Budget (“OMB”), tasked with enforcement of the Privacy Controls, expects all federal agencies and third-party contractors to implement the mandatory Privacy Controls by April 30, 2014.

The privacy families must be analyzed and selected based on the specific operational needs and privacy requirements of each organization and can be implemented at various operational levels (e.g., organization level, mission/business process level, and/or information system level[12]). The Privacy Controls and the roadmap provided in the Privacy Appendix will be used primarily by Chief Privacy Officers (“CPO”) or Senior Agency Officials for Privacy (“SAOP”) to develop enterprise-wide privacy programs or to improve an existing privacy program in order to meet an organization’s privacy requirements and demonstrate compliance with such requirements. The Privacy Controls supplement and complement the security control families set forth in Appendix F (Security Control Catalog) and Appendix G (Information Security Programs), and together these controls can be used by an organization’s privacy, information security, and other risk management offices to develop and maintain a robust and effective enterprise-wide program for management of information security and privacy risk.

What You Need to Know

The Privacy Appendix is based upon best practices developed under current law, regulations, policies, and guidance applicable to federal information systems, programs, and organizations, and by implication, to their third-party contractors. If you provide services to the federal government, work on government contracts, or are the recipient of certain grants that may require compliance with federal information system security practices, you should already be sitting up and paying attention. This revision puts privacy up front with security.

Like other NIST publications, this revision will be looked at as an industry standard for best practices, even for commercial entities that are not doing business with the federal government. In fact, over the last few years, we have seen increasing references to compliance with NIST 800-53 as setting a contractual baseline for security. We expect that this will continue, and now will include both the Security Controls and the Privacy Controls. As such, general counsel, business executives and IT professionals should become familiar with and conversant in the Privacy Controls set forth in the new revision to SP 800-53. At a minimum, businesses should undertake a gap analysis of the privacy controls at their organization against these Privacy Controls to determine if they are up to par or if they have to enhance their current privacy programs. And, if NIST 800-53 appears in contract language as the “minimum standard” to which your company’s policies and procedures must comply, the gap analysis will at least inform you of what needs to be done to bring both your privacy and security programs up to speed.


[1] The National Institute of Standards and Technology is a non-regulatory agency within the U.S. Department of Commerce, which, among other things, develops information security standards and guidelines, including minimum requirements for federal information systems to assist federal agencies in implementing the Federal Information Security Management Act of 2002.

[2] See Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

[3] The Joint Task Force Transformation Initiative Interagency Working Group is an interagency partnership formed in 2009 to produce a unified security framework for the federal government. It includes representatives from the Civil, Defense, and Intelligence Communities of the federal government.

[4] See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm. Revision 4 of SP 800-53 adds a substantial number of security controls to the catalog, including controls that address new technology such as digital and mobile technologies and cloud computing. With the exception of the controls that address evolving technologies, the majority of the cataloged security controls are policy and technology neutral, focusing on the fundamental safeguards and countermeasures required to protect information during processing, while in storage, and during transmission.

[5] See NIST Press Release for SP 800-53 Revision 4 at http://www.nist.gov/itl/csd/201304_sp80053.cfm.

[6] See Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. Appendix J was developed by NIST and the Privacy Committee of the Federal Chief Information Officer (CIO) Council.

[7] Personally Identifiable Information is defined broadly in the Glossary to SP 800-53 Revision 4 as “Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).” See page B-16 of Appendix B, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf. However, as stated in footnote 119 in Appendix J, “the privacy controls in this appendix apply regardless of the definition of PII by organizations.”

[8] Collection, use, retention, disclosure, and disposal of PII.

[9] See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

[10] See NIST description and overview of Fair Information Practice Principles at http://www.nist.gov/nstic/NSTIC-FIPPs.pdf.

[11] See page J-4 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

[12] See page J-2 of Appendix J, Privacy Control Catalog to Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publ. (SP) 800-53, Rev. 4 (April 30, 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

“Actually, Someone Knows You are a Dog”– the Chinese Regulation Efforts on Private Data Protection

Sheppard Mullin 2012

Do you have privacy in the era of information?

“On the Internet, nobody knows you’re a dog.” First published in The New Yorker on July 5, 1993, this widely known and recognized saying has been quoted many times to describe the anonymous nature of the Internet. However, this description has been drifting away from the truth.

The truth is that some people using the Internet may know you better than you know yourself. When you log on to Amazon, not only will the site greet you by name, the homepage will also suggest certain purchases. Surprisingly, you will be interested in at least one third of them. Your addresses have been recorded, and Amazon will automatically calculate the delivery period. Beyond online shopping sites, collecting visitors’ information is common practice among online service and information providers. Youku and Netflix suggest videos to watch. Weibo and Facebook suggest friends to follow. Douban and IMDB suggest movie tickets to buy and parties to attend.

On one hand, these recommendations may bring convenience to your life and entertainment; on the other hand, they can be genuinely intrusive, and it is unsettling to be known so well. For example, you have just bought an apartment and have not even received the keys, yet decoration companies and contractors call to tell you that the decoration designs for your new apartment are already done. You have just submitted some resumes for a job, and even before the interview, insurance companies and training companies call and email you with sales pitches. Have you wondered how strangers know your private, personal information?

Every time you log on to a website, make a call or buy a ticket by showing your ID card, computer systems track you and record everything you have clicked and purchased. Data analysis systems collect, characterize and store your information, and take further actions based on it. Some entities even purchase and resell personal data for profit. Personal data has become a commodity because direct marketing based on private data is profitable. Marketing communications are only classified as “direct marketing” where they are addressed to a specific person by name or where a phone call is made to a specific person, and the use of private data is the foundation of direct marketing. The newly issued Hong Kong Personal Data (Privacy) Amendment Ordinance contains a number of new provisions regulating the use of personal data in connection with direct marketing activities in Hong Kong, and came into force on April 1, 2013. Apart from Hong Kong, there are over fifty countries and regions with laws and regulations protecting personal data.

What is the new trend in China to protect personal data?

In order to safeguard the legitimate rights and interests of Chinese citizens concerning private data protection, the Ministry of Industry and Information Technology of China (“MIIT”) announced the Provisions on the Protection of Personal Information of Telecommunication and Internet Users (Draft for Comments) (“PPI Rules”) and the Provisions on the Registration of True Identity Information of Telephone Users (Draft for Comments) (“RTII Rules”) and sought public comments. The deadline for submitting comments is May 15, 2013.

The PPI Rules and RTII Rules are a breakthrough with respect to legislation of personal information protection. Although these two rules are not officially a personal information protection law, they are a good beginning and call for a complete set of rules.

The PPI Rules and RTII Rules are designed to protect personal information from two perspectives. While the PPI Rules regulate the collection and use of users’ private information, the RTII Rules require “real-name registration” of telephone users in order to prohibit direct or indirect marketing from unregistered (“no-name”) telephone numbers. Specifically, the PPI Rules require that telecommunication service providers and Internet information service providers (“Service Providers”) shall not collect or use users’ personal information without their consent. Service Providers shall also clearly notify users of the purpose, method and scope of the collection and use of their personal information, the retention period of such information, the ways to access and modify it, and the consequences of refusing to provide it.

Meanwhile, the “real-name registration” required by the RTII Rules is a double-edged sword. Not only are telephone users required to supply their true identity information; some Internet services, for example the Chinese Twitter Weibo, also require users’ true identity information. On one hand, it will reduce the risk of private information abuse by anonymous telephones and Weibo bloggers. On the other hand, the “real-name registration” regime means it is legitimate for telephone and some Internet service providers to collect their users’ information. Although the RTII Rules prohibit the sale and illegal provision of users’ information, this does not mean those providers will not use the information to make profits, or provide it to the government or other entities with compulsory powers. “Real-name registration” may limit the healthy development of the Internet and even harm users’ right to free speech. Is “real-name registration” the only way to protect personal information? This is a controversial topic.

What can enterprises do to avoid violations of personal data protection rules in China?

Putting the controversial topic aside, let’s talk about what enterprises doing business in China can do in light of the new rules on protecting personal information. These enterprises may not be limited to Internet and telecommunication service providers, because the regime may expand in the future to regulate more entities that have access to citizens’ personal data.

First, the concerned enterprises can log on to the MIIT official website and submit any comments they have. They can make their voice heard while the rules are in the “draft for comments” period.

Second, a thorough study of the new rules and other anticipated rules in this area is needed. The concerned enterprises need to provide proper training to their employees regarding the protection of users’ information, since this is not only required by the new rules, but the enterprises may also be held jointly and severally liable with employees who abuse users’ information.

Third, properly drafted disclaimers, declarations and agreements are needed when enterprises want to collect and use users’ private information. The enterprises need to make sure that they have obtained users’ consent to the collection and use of their information. Proper preparation is needed to avoid future risks.


The “Reasonable” Perils of Data Security Law


The following is drawn from the materials to be presented at the 17th Annual America’s Claims Event 2013 conference in the “Cyber-Liability and Data Loss Claims: A Case Study from Notice of Occurrence Through Conclusion” session on June 20, 2013 in Austin, Texas.

NEGLIGENCE. “The omission to do something which a reasonable man, guided by those ordinary considerations which ordinarily regulate human affairs, would do, or the doing of something which a reasonable and prudent man would not do.”1

“When we think about data breaches, we often worry about malicious minded computer hackers exploiting software flaws, or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is that errors and negligence within the workplace are a significant cause of data breaches that compromise sensitive personal information.”2

According to a recent study by the Ponemon Institute, only 8% of the surveyed data breach incidents were due to external cyber attack, while 22% could be attributed in part to malicious employees or other insiders. Loss of laptops or other mobile devices containing sensitive data topped the survey, while mishandling of data “at rest” or “in motion” were also major contributors.3 A later study showed that 39% of surveyed organizations identified negligence as the root cause of their data breaches, while 37% were attributed to malicious or criminal attack.4

Careless document disposal is a clear source of preventable negligence. On December 7, 2012, at least eight garbage bags were left unattended on a dirt road in Hudson, Florida, containing credit applications to Rock Bottom Auto Sales with names, driver’s license information, and Social Security numbers. Three days later, in Pittsburgh, Pennsylvania, job placement documents from the West Pittsburgh Partnership were found in a dumpster, all containing names and SSNs.5 For that matter, the Internal Revenue Service in 2008 was found to have disposed of taxpayer documents in regular waste containers and dumpsters, and a follow-up investigation revealed that IRS officials failed to consistently verify whether contract employees with access to taxpayer documents had passed background checks.6

Convincing users to back up their laptops has been difficult enough in practice; getting them to encrypt them voluntarily is much more daunting a task. A 2010 Ponemon Institute study, admittedly biased towards large corporations, concluded that of those surveyed typically 46% of the laptops held confidential data, while only 30% had their contents encrypted. A startlingly low 29% of the laptops had backup/imaging software installed, which implies that more than two thirds of all laptops if lost or stolen would leave no backup of work in progress.7

Even though more devices are coming to market with built-in encryption capabilities, these features may simply be left switched off by their users despite the fact that lost laptops, tablets, smartphones, USB “thumb” drives and other portable devices with unencrypted contents continue to provide a wealth of information to identity thieves.

On March 22, 2013, a laptop used by clinicians at the University of Mississippi Medical Center was discovered to be missing. It contained patient names, Social Security numbers, addresses, diagnoses, birthdates and other personal information, protected only by a password.8

On January 8, 2013, an unencrypted flash drive containing student SSNs and other information was stolen from a Hephzibah, Georgia middle school teacher’s car.9 TD Bank lost two unencrypted backup tapes containing customers’ and their dependents’ names, SSNs, addresses, and account, credit and debit card numbers while the tapes were being transported between two TD Bank offices in March 2012, but public notice was not given until March 4, 2013.10

An examination of reported data security incidents with potential or actual data privacy breaches reveals that the scope of what is deemed “reasonable” ranges from ordinary care in the disposal of documents containing personally identifiable information (“PII”) and personal health information (“PHI”), to sophisticated data encryption, access authentication and other highly technical data security practices that the “reasonably prudent” persons, companies and governmental agencies are now expected to employ to protect the personal data that they have collected.

On October 10, 2012, the South Carolina Department of Revenue was informed of a potential cyber attack involving the personal information of taxpayers.11 The origin of the attack was traced to a state Department of Revenue employee who clicked on an embedded link in a “salacious” email and compromised his computer.12 The subsequent investigation revealed that “outdated computers and security flaws at the state’s Department of Revenue allowed international hackers to steal 3.8 million tax records”, according to Governor Nikki R. Haley. Apparently South Carolina did not encrypt Social Security numbers, and once the outer perimeter security was compromised the hackers were able to log in as tax officials and read the data.13

Users of online services routinely provide personal information in order to shop or obtain other services, all of which gets recorded and tracked. Data privacy laws are intended to promote and enforce a number of fair information practices: giving individuals the ability to find out what personal information is being kept and by whom, opportunities to correct or remove such information, and assurances that reasonable measures will be taken to protect such information from disclosure and to dispose of it properly when appropriate. They may also prescribe remedial measures to be taken in the event of a data breach.

In the United States, there is no single comprehensive data privacy statute.14 Instead, a number of sector-specific federal laws have been enacted to address the particular sensitivity of information generally recorded by companies in each market sector, and forty-six states have enacted data breach notification statutes. If there is a data breach, you may be liable under state law to provide notice to those affected.15 In some jurisdictions, you may be required to provide notice to all consumer credit reporting agencies as well.16

The financial exposure to a data breach by a company may be insurable to some degree using various forms of “cyber liability” insurance, which expand and supplement many forms of more standard insurance coverages underwritten today. Policy premiums for such policies, however, are dependent upon the extent of data security practices implemented.

Conducting a data security risk assessment before encountering a data breach should identify measures that can be taken at the corporate level to provide additional protection not only to sensitive data, but also mitigate the consequences of a security incident where company data is disclosed, lost or stolen. Encrypted data in many cases may not be considered “exposed” for purposes of mandated notice to affected individuals.

In the event of a data security incident, consider engaging a digital forensics team not only to identify the source and extent of the breach, but also to preserve evidence in case a prosecution becomes possible.

We will discuss a data breach case study from inception through enforcement, resolution and potential mitigation through cyber liability insurance at our presentation at ACE 2013. We hope to see you then.


1 BLACK’S LAW DICTIONARY 1184 (4th ed. 1968).

2 Privacy Rights Clearinghouse, Are the Businesses You Frequent or Work For Exposing You to an Identity Thief?, (Mar. 6, 2012), https://www.privacyrights.org/workplace-identity-theft-quiz-alert-2012

3 The Human Factor in Data Protection, 3 PONEMON INSTITUTE LLC (January 2012), available at http://www.ponemon.org/local/upload/file/The_Human_Factor_in_data_Protection_WP_FINAL.pdf.

4 2011 Cost of Data Breach Study: United States, 7 PONEMON INSTITUTE LLC (March 2012), available at http://www.ponemon.org/local/upload/file/2011_US_CODB_FINAL_5.pdf.

5 http://www.privacyrights.org/data-breach/new (check Breach Type “PHYS”, Organization Type “BSR” and Year “2012”).

6 Increased Management Oversight of the Sensitive but Unclassified Waste Disposal Process Is Needed to Prevent Inadvertent Disclosure of Personally Identifiable Information, TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION (May 8, 2009), http://www.treas.gov/tigta/auditreports/2009reports/200930059fr.pdf.

7 The Billion Dollar Lost Laptop Problem, 6 PONEMON INSTITUTE LLC (Sept. 30, 2010), available at http://newsroom.intel.com/servlet/JiveServlet/download/1544-8-3132/The_Billion_Dollar_Lost_Laptop_Study.pdf.

8 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “EDU” and Year “2013”).

9 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “EDU” and Year “2013”).

10 http://www.privacyrights.org/data-breach/new (check Breach Type “PORT”, Organization Type “BSF” and Year “2013”).

11 Kara Durrette, SC Department of Revenue hacked; millions of SC residents affected, http://www.midlandsconnect.com/sports/story.aspx?id=817902#.UVyOdheYu7w (posted Oct. 26, 2012, updated Oct. 27, 2012).

12 Matthew J. Schwartz, How South Carolina Failed To Spot Hack Attack, INFORMATION WEEK, Nov. 26, 2012, http://www.informationweek.com/security/attacks/how-south-carolina-failed-to-spot-hack-a/240142543.

13 Robbie Brown, South Carolina Offers Details of Data Theft and Warns It Could Happen Elsewhere, N.Y. TIMES, Nov. 20, 2012, available at http://www.nytimes.com/2012/11/21/us/more-details-of-southcarolina-hacking-episode.html?_r=0.

14 PETER P. SWIRE & KENESA AHMAD, FOUNDATIONS OF INFORMATION PRIVACY AND DATA PROTECTION 41 (International Association of Privacy Professionals) (2012).

15 NYC Administrative Code § 20-117(c) (2013); NY CLS State Technology Law § 208(2) (NY state residents only); 73 Pa. Stat. § 2303 (PA residents).

16 73 Pa. Stat. § 2305; NY CLS State Technology Law §208(7)(b).


Protect Your CEO’s Tweets and Posts from U.S. Securities and Exchange Commission (SEC) Enforcement Action

vonBriesen

The U.S. Securities and Exchange Commission (SEC) Enforcement Division altered the jet stream of blogosphere commentary last December by, for the first time, recommending legal action against a CEO on account of a Facebook post. Immediately after the announcement, a blizzard of articles, tweets, and blogs buried the mediascape with opinions about the critical role of CEO social media use in the new economy, the wisdom or foolishness of allowing CEOs to tweet or post, and whether the SEC should be time-warped back to the Stone Age it seems to prefer.

Sweeping away the accumulated hyperbole reveals two important takeaways from the SEC’s announcement, applicable to both public and private companies: i) the more things change, the more they remain the same, and ii) this latest “grave threat” to the modern world is not a crisis, but an opportunity. Social media can be a valid, legal, and effective way to communicate with investors, if it’s done right.

About Regulation FD

The SEC’s action responded to a July 2012 Facebook post by CEO Reed Hastings stating that members watched over 1 billion hours on Netflix in June. Netflix estimated that Hastings had reached 200,000 people through his Facebook, Twitter, and LinkedIn accounts. The SEC felt this was material information for investors and that by announcing it through social media, rather than more traditional outlets, Netflix had violated Regulation Fair Disclosure (Reg. FD).

The SEC adopted Reg. FD in 2000 to fix a perceived lack of fairness in the public securities markets. Before Reg. FD, public companies could share material information with analysts who participated in conference calls or meetings not open to smaller investors. Well-connected investors got trading advantages over the general public. Reg. FD prohibits public companies from providing material information to limited groups of investors without simultaneously making the information available to the entire marketplace.

Under Reg. FD, public disclosures must be made by “filing or furnishing a Form 8-K, or by another method or combination of methods that is reasonably designed to effect broad, non-exclusionary distribution of the information to the public.” The “other method” most often employed is a press release to an array of media outlets likely to disseminate the information broadly and quickly. Individuals and companies violating Reg. FD risk injunctions and monetary penalties.

Use of Social Media Growing, Creating Risks

Social media channels first became critical communication tools for companies after adoption of Reg. FD. A 2010 study of the 100 largest companies in the Fortune 500 found that 79% were using at least one of the four most popular social media platforms. See Burson-Marsteller Fortune Global 100 Social Media Study, Feb. 23, 2010, available at http://www.burson-marsteller.com/Innovation_and_insights/blogs_and_podcasts/BM_Blog/Lists/Posts/Post.aspx?ID=160

A 2012 Forbes article cited an IBM study saying 57% of surveyed CEOs likely would be using social media by 2017. Mark Fidelman, IBM Study: If You Don’t Have a Social CEO, You’re Going to be Less Competitive, FORBES, May 22, 2012.

The SEC itself uses social media to disclose important information such as speeches, trading suspensions, litigation releases, and administrative proceedings.

While some CEOs see social media as “part of their job description,” others try to minimize risk by having employees write or review tweets before posting, and some CEOs have already tried social media and moved on. See Leslie Kwoh and Melissa Korn, 140 Characters of Risk: Some CEOs Fear Twitter, WALL STREET JOURNAL, September 26, 2012.

Not everyone does, or should, use all forms of social media. The point of Twitter, for example, is to provide information contemporaneously with the occurrence of a thought or an event. This promptness is both the differentiating touchstone of the medium and its source of danger. Quick, unconsidered, unscripted communications by senior executives of public companies pose risks in the form of leaked intellectual property, disclosed business plans, angered customers, litigious investors, and frothy regulators. The SEC’s Netflix announcement demonstrates the liability that can arise when information requiring careful consideration is disclosed through a social media channel built solely for promptness. A Facebook post subjected to prior review might have been a better choice.

Even where the SEC does not act, executives may be at risk. In May 2012, retailer Francesca’s Holdings Corporation fired its CFO, Gene Morphis, after he tweeted: “Board meeting. Good numbers = Happy Board.” Mr. Morphis, who was also active on other social media outlets, had a history of postings about earnings calls, road shows, and other work-related matters. Morphis lost his job even though the SEC took no action. Rachel Emma Silverman, Facebook and Twitter Postings Cost CFO His Job, WALL STREET JOURNAL, May 14, 2012.

Social Media Without Big Risk

The SEC has never issued guidance about the use of social media, but it has issued guidance that websites could be deemed sufficiently “public” to satisfy Reg. FD when: (1) it is a recognized channel of distribution, (2) posting on the web site disseminates the information in a manner making it available to the securities marketplace in general, and (3) there has been a reasonable waiting period for investors and the market to react to the posted information. Indeed, “for some companies in certain circumstances, posting … information on the company’s web site, in and of itself, may be a sufficient method of public disclosure,” SEC Release No. 34-58288 (Aug. 7, 2008) at 18, 25.

This is an example of how “the more things change, the more they stay the same” when it comes to the intersection of law and technology. The purpose of Reg. FD is to make sure that all investors have access to the same information roughly simultaneously. The specific communications method is not important so long as the principle of public disclosure to the general market, not subsets of investors, is served. Because 8-K filings and press releases were the most common ways to quickly and broadly disseminate information in the past, investors knew where to look for them and could monitor those information outlets. Now, when companies establish their websites as well-known places to find press releases, SEC filings, and supplemental information, they, too, have become acceptable means for Reg. FD disclosures.

The same analysis applies to social media, as well as any new communications technology that may exist in the future. The critical question is: has the company sufficiently alerted the market to its disclosure practices based on the regularity, prominence, accuracy, accessibility, and media coverage of its disclosure methods? If so, social media should be just as acceptable as any other communication tool.

One company seems to have found the right balance. Alan Meckler, CEO of WebMediaBrands Inc., drew the SEC’s attention after a pattern of regularly disclosing company information through social media back in December 2010. The SEC’s Division of Corporation Finance questioned whether Mr. Meckler’s tweets “conveyed information in compliance with Regulation FD.” SEC letter dated December 9, 2010. Despite the investigation, the SEC brought no enforcement action.

To use social media with minimum SEC risk, the company must educate investors so that they know such communications will always occur at a particular place and at least simultaneously with other outlets. This is done by a regular pattern of social media disclosure and links to other sources, such as SEC filings, showing the way. A company should not force investors to win a shell game, finding the nut of important information in Twitter this time, on Facebook the next time, and Instagram after that. Consistency, predictability, and transparency are key. Used this way, social media present an opportunity to communicate with investors in new ways, not a source of legal problems.

©2013 von Briesen & Roper, s.c.

Administration Launches Strategy on Mitigating Theft of U.S. Trade Secrets

The National Law Review recently published an article, Administration Launches Strategy on Mitigating Theft of U.S. Trade Secrets, written by Lauren M. Papenhausen with McDermott Will & Emery:


The strategy announced on February 20, 2013, should serve as both a wake-up call from the government and an offer of assistance.  Given the losses that can arise from competitors’ purposeful theft of trade secrets, entities should review the announcement and decide whether they need to be more active in protecting their trade secrets.  The strategy also offers opportunities for increased collaboration with the government.

On February 20, 2013, the White House announced an “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets.”  Companies should view the announcement of this strategy as both a wake-up call from the government and an offer of assistance.  Given the losses that can arise from competitors’ purposeful theft of trade secrets, entities should review this government announcement and decide whether they need to be more active in protecting their trade secrets.

The administration strategy articulates a broad governmental commitment to addressing an “accelerating” threat to U.S. intellectual property.  The strategy encompasses five action items:

  • Focusing diplomatic efforts to protect trade secrets through diplomatic pressure, trade policy and cooperation with international entities
  • Promoting voluntary best practices by private industry to protect trade secrets
  • Enhancing domestic law enforcement, including through outreach and information-sharing with the private sector
  • Improving domestic legislation to combat trade secret theft
  • Improving public awareness and stakeholder outreach

Three main themes emerge from the administration strategy that are important for U.S. businesses.

First, the strategy and its supporting documentation highlight how frighteningly real the prospect of trade secrets theft is.  The White House report is peppered with references to household name companies that have been victimized by trade secrets theft over the past few years, often at a cost of tens of millions of dollars or more.  Mandated reports from the defense industry to the government indicate a 75 percent increase between FY2010 and FY2011 in reports of suspicious activity aimed at acquiring protected information.  Coupled with a recent New York Times article asserting Chinese government involvement in more than 100 attempted cyber attacks on U.S. companies since 2006, these reports warrant sitting up and taking notice.  According to a report by the Office of the National Counterintelligence Executive, particular targets include companies that possess the following:

  • Information and communications technologies
  • Business information that relates to supplies of scarce natural resources or that gives foreign actors an edge in negotiations with U.S. businesses or the U.S. government
  • Military technologies, particularly in connection with marine systems, unmanned aerial vehicles and other aerospace/aeronautic technologies
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy, health care and pharmaceuticals, advanced materials and manufacturing techniques, and agricultural technology

Second, the government alone cannot solve the problem.  The administration commits to making the investigation and prosecution of trade secret theft a “top priority” and states that the Federal Bureau of Investigation has increased the number of trade secret theft investigations by 29 percent since 2010.  On its face, however, a 29 percent increase in investigations cannot keep pace with a 75 percent increase in attempted trade secret thefts.  Historically, as a result of limited resources, the government has been able to address only a tiny fraction of trade secret thefts, and there is no indication that there will be the massive influx of resources necessary to change this dynamic materially.  Indeed, the administration strategy recognizes the need for public-private partnerships on this issue and asks companies and industry associations to develop and adopt voluntary best practices to protect themselves against trade secret theft.  And, of course, there are significant drawbacks to any after-the-fact solution, whether relying on government intervention or a private lawsuit.

The best solution is to prevent a trade secret theft from ever occurring.  Even if that is not possible, having taken strong measures to protect trade secrets will aid success both in any civil litigation against the perpetrator and in any criminal action the government may bring.  Entities should consider at least the following types of protective measures:

  • Research and development compartmentalization, i.e., keeping information on a “need to know” basis, particularly where outside contractors are involved in any aspect of the process
  • Information security policies, e.g., requiring multiple passwords or multi-factor authentication measures and providing for data encryption
  • Physical security policies, e.g., using controlled access cards and an alarm system
  • Human resources policies, e.g., using employee non-disclosure agreements, conducting employee training on the protection of trade secrets and performing exit interviews

It also will be important in any future litigation that a company has clearly designated as confidential any materials it may wish to assert are trade secrets.

Third, the new administration approach to trade secrets offers some opportunities for U.S. companies.

The government interest in enhancing law enforcement operations indicates that businesses may have a better chance of encouraging the government to investigate and bring criminal charges under the Economic Espionage Act (EEA) against the perpetrators of trade secret thefts.  The possibility of seeking government involvement is a powerful tool that should be considered and discussed with counsel any time there is a significant suspected trade secret theft.  Obtaining government involvement in specific instances of trade secret theft can allow businesses to take advantage of information learned via government tactics such as undercover investigations and search warrants.  It also can significantly enhance any civil litigation—for example, a finding of criminal liability can make a civil outcome a foregone conclusion.

The administration strategy’s focus on improving domestic legislation and increasing communication with the private sector suggests that there is an opportunity for the private sector to collaborate with government actors in communicating industry needs and shaping policy.  For example, it is possible that the time is ripe for an amendment to the EEA (currently a federal criminal statute that offers no private right of action) to create a federal, private cause of action for misappropriation of trade secrets.  A bill to this effect was introduced in Congress in 2012 and did not progress, but two other amendments to strengthen the EEA that passed overwhelmingly in December 2012, plus the recently issued administration strategy, suggest there may be gathering momentum for such a change.

In an executive order signed on February 12, 2013, entitled “Improving Critical Infrastructure Cybersecurity,” President Obama outlined government plans to significantly increase the amount of information that the government shares with private sector entities about cyber threats.  Specifically, the order directs government agencies to develop procedures to create and disseminate to targeted entities unclassified reports of cyber threats that identify them as targets, to disseminate classified reports of cyber threats under certain circumstances to “critical infrastructure entities,” and to expand the Enhanced Cybersecurity Services program (previously available only to defense contractors to assist in information-sharing about cyber threats and protection of trade secrets) to “eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.”  The directives in the executive order are in addition to and complement various information-sharing tactics set forth in the administration strategy designed to provide warnings, threat assessments and other information to industry.  Companies, particularly those involved in the power grid or the provision of other utilities or critical systems, should be aware of the possibility of obtaining additional information from the government about threats to protected information.

© 2013 McDermott Will & Emery