Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Foley and Lardner LLP

Major cybersecurity attacks of increased sophistication — and calculated to maximize the reputational and financial damage caused to the corporate targets — are now commonplace. These attacks have catapulted cybersecurity to a top priority for senior executives and board members.

To help these decision makers get their arms around cybersecurity issues, Foley Partners Chanley T. Howell, Michael R. Overly, and James R. Kalyvas have published a comprehensive white paper entitled: Taking Control of Cybersecurity — A Practical Guide for Officers and Directors.

The white paper describes very practical steps that officers and directors should ensure are in place or will be in place in their organizations to prevent or respond to data security attacks, and to mitigate the resulting legal and reputational risks from a cyber-attack. The authors provide a blueprint for managing information security and complying with the evolving standard of care. Checklists for each key element of cybersecurity compliance and a successful risk management program are included.

Excerpt From Taking Control of Cybersecurity: A Practical Guide for Officers and Directors

Sony, Target, Westinghouse, Home Depot, U.S. Steel, Neiman Marcus, and the National Security Agency (NSA). The security breaches suffered by these and many other organizations, including most recently the consolidated attacks on banks around the world, combined with an 80 percent increase in attacks in just the last 12 months, have catapulted cybersecurity to the top of the list of priorities and responsibilities for senior executives and board members.

The devastating effects that a security breach can have on an enterprise, coupled with the bright global spotlight on the issue, have forever removed responsibility for data security from the sole province of the IT department and CIO. While most in leadership positions today recognize the elevated importance of data security risks in their organization, few understand what action should be taken to address these risks. This white paper explains and demystifies cybersecurity for senior management and directors by identifying the steps enterprises must take to address, mitigate, and respond to the risks associated with data security.

Officers and Directors are Under a Legal Obligation to Involve Themselves in Information Security

The corporate laws of every state impose fiduciary obligations on all officers and directors. Courts will not second-guess decisions by officers and directors made in good faith with reasonable care and inquiry. To fulfill that obligation, officers and directors must assume an active role in establishing correct governance, management, and culture for addressing security in their organizations.

Download This White Paper

ARTICLE BY

Consent Isn’t the Only Consideration: NY Comic Con Attendees Disagree that Hijacking Twitter Accounts Makes the Event “100x cooler! For realz.”

MintzLogo2010_Black

The comic book industry is no stranger to displays of heroic anger and berserker rage, but over the weekend New York Comic Con (NYCC) was on the receiving end of considerable fan fury after it began ghostwriting effusive tweets about NYCC and posting on the Twitter pages of NYCC attendees in a way that made it appear as though the attendee was the author of the tweet.

During the event registration process, NYCC attendees were given the option of linking RFID badges to their Twitter account through the event’s mobile application interface.  During the application registration process, attendees were asked to authorize NYCC to access their Twitter accounts.  At this point, attendees arguably consented to having NYCC impersonate the attendee when posting about NYCC on the attendee’s Twitter feed.

The NYCC website page explaining the ID badge technology and the site’s registration page did not mention that NYCC would be posting to attendee Twitter pages on the attendee’s behalf.  Rather, the registration process is explained as a method for giving the attendee access to enhanced social media content, while helping NYCC protect against fraudulent credentials.  The activation terms provided that NYCC could use the information collected through the badge “for internal purposes” and to contact the user about future events.  After a user registered his or her badge and elected to link a Twitter account, the user was presented with an opt-in notice (a screenshot of which can be seenhere), specifying that following authorization, the application would be able to, among other things, “post Tweets for you”.  This type of warning is not uncommon.  For example, any website that allows users to click to share news articles or stories on their Twitter pages requires this type of access.

In spite of the opt-in warning, the wide-spread surprise among attendees suggests that the opt-in language did not draw a clear distinction between posting tweets for a user and posting tweets as a user.  Moreover, the failure to mention this practice when explaining the registration process could have led attendees to conclude that even if they were agreeing to provide this type of access, NYCC would not be taking the unusual step of pretending to be the attendee when it published tweets on the user’s page.

NYCC’s initial response was a brief tweet telling attendees not to “fret” over the ghostwritten posts and informing attendees that the “opt-in feature” had been disabled.  However, after anger continued to spread, NYCC issued a longer statement apologizing for any “perceived overstep.”

This type of disconnect between online service providers and users is becoming increasingly common as advances in technology permit mobile device and social media data to be accessed and used in new ways.  Earlier this year, for example, Jay-Z and Samsung stepped into a public relations debacle when the “JAY Z Magna Carta” mobile application required that the user, in exchange for receiving a free music download, authorize the application to have extensive access to phone data and social media accounts. The response from NYCC attendees also underscores the lesson learned by Googleearlier this month, that consent provided by users who do not fully understand what they are consenting to may not be consent at all.

As your online business finds new and innovative ways to deliver products and services to your users, it is important to take a step back and consider whether additional communications in different formats, such as just-in-time notifications, are necessary to ensure that the only surprise your customers have is how great your products and services are.   Or, to put it another way, “with great power comes great responsibility.”

Article By:

 of

Cyber Security Summit – October 22-23, 2013

The National Law Review is pleased to bring you information about the upcoming Cyber Security Summit.

cyber security

When:

Where:

Cyber Security Summit – October 22-23, 2013

The National Law Review is pleased to bring you information about the upcoming Cyber Security Summit.

cyber security

When:

Where:

Doing Business In Latin America: Does Your Local Supplier Have Best Practices In Place So That Your Company Can Avoid Liability Under The Foreign Corrupt Practices Act (FCPA)?

Sheppard Mullin 2012

Imagine yourself the CEO of a successful multinational company. In the past few years, you have overseen ACME’s expansion into Latin America – a market whose demographic profile holds the promise of mouthwatering profits for your company, particularly with the upcoming holiday season. As they say, la vida es buena!

In planning for the Latin America expansion, you knew about the rules and prohibitions of the Foreign Corrupt Practices Act (“FCPA”) and implemented measures to ensure your employees do not run afoul of the law. However, you may not have known that the company can incur FCPA liability for payments made by third parties, such as such as suppliers, logistics providers, and sales agents, with whom your company works. In fact, a company can be held liable if it knows or should know that a third-party intends to make a corrupt payment on behalf of or for the benefit of the company. Because a company can be responsible for conduct of which it should have known, a conscious disregard or deliberate ignorance of the facts will not establish a defense.

To protect your company from third party liability, it is essential to perform due diligence on potential business partners. This is not to say that you cannot consider the recommendations of local employees in selecting business partners. Relying on those recommendations alone, however, could expose the company to FCPA liability if that company does not conduct itself with the same level of integrity that you do. The amount of diligence necessary varies from one potential business partner to the next and can include an anti-corruption questionnaire, document review, reference interviews, or local media review, among other things.

That’s all well and good, but what about companies with whom you are already doing business and whom you now realize you may not have adequately investigated? Asking to review those companies’ FCPA compliance policies is a good first step. If you determine that a policy is inadequate, you may ask the company to provide FCPA training to its employees. You should also carefully monitor the company’s contract performance to ensure compliance. In particular, you should consider evidence of unusual payment patterns, extraordinary “commissions,” or a lack of transparency. The key question is: how is the company spending your money?

When in doubt, experienced legal counsel can assist you in navigating these and other FCPA issues. For example, Sheppard Mullin offers Spanish language training on the provisions of the FCPA and advice for successfully implementing internal safeguards and controls to protect against FCPA liability.

With a solid FCPA plan in place, your thoughts wander back to the upcoming holiday season and your company’s projected profits for the new Latin America division and you smile to yourself. La vida es buena.

 of

In Largest Known Data Breach Conspiracy, Five Suspects Indicted in New Jersey

DrinkerBiddle

On July 25, 2013, the United States Attorney for the District of New Jersey announced indictments against five men alleging their participation in a global hacking and data breach scheme in which more than 160 million American and foreign credit card numbers were stolen from corporate victims, including retailers, financial institutions, payment processing firms, an airline, and NASDAQ.  The scheme is the largest of its kind ever prosecuted in the United States.

The Second Superseding Indictment alleges the defendants (four Russian nationals and one Ukrainian national) and other uncharged co-conspirators targeted corporate victims’ networks using “SQL [Structured Query Language] Injection Attacks,” meaning the hackers identified vulnerabilities in their victims’ databases and exploited those weaknesses to penetrate the networks.  Once the defendants had access to the networks, they used malware to create “back doors” to allow them continued access, and used their access to install “sniffers,” programs designed to identify, gather and steal data.

Once the defendants obtained the credit card information, they allegedly sold it to resellers all over the world, who in turn sold the information through online forums or directly to individuals and organizations.  The ultimate purchasers encoded the stolen information on blank cards and used those cards to make purchases or withdraw cash from ATMs.

The defendants allegedly used a number of methods to evade detection.  They used web-hosting services provided by one of the defendants, who unlike traditional internet service providers, did not keep records of users’ activities or share information with law enforcement.  The defendants also communicated through private and encrypted communication channels and tried to meet in person.  They also changed the settings on the victims’ networks in order to disable security mechanisms and used malware to circumvent security software.

Four of the defendants are charged with unauthorized access to computers (18 U.S.C. §§ 1030(a)(2)(C) and (c)(2)(B)(i)) and wire fraud (18 U.S.C. § 1343).  All of the defendants are charged with conspiracy to commit these crimes.

Two of the defendants have been arrested, with one in federal custody and the other awaiting an extradition hearing.  The other three defendants, two of whom have been charged in connection with hacking schemes, remain at large.

This conspiracy is noteworthy for its massive scale, and for the patience the hackers demonstrated in siphoning data from the networks.  The U.S. Attorney “conservatively” estimates more than 160 million credit card numbers were compromised in the attacks, and alleges that the hackers had access to many victims’ computer networks for more than a year.  Many prominent retailers were targets, including convenience store giant 7-Eleven, Inc.; multi-national French retailer Carrefour, S.A.; American department store chain JCPenney, Inc.; New England supermarket chain Hannaford Brothers Co.; and apparel retailer Wet Seal, Inc.  Payment processors were also heavily targeted, including one of the world’s largest credit card processing companies, Heartland Payment Systems, Inc., as well as European payment processor Commidea Ltd.; Euronet, Global Payment Systems and Ingenicard US, Inc. The hackers also targeted financial institutions such as Dexia Bank of Belgium, “Bank A” of the United Arab Emirates; the NASDAQ electronic securities exchange; and JetBlue Airways.  Damages are difficult to estimate with precision, but they total several hundred million dollars at least.  Just three of the corporate victims suffered losses totaling more than $300 million.

Article By:

of

Survey Says: Fortune 500 Disclosing Cyber Risks

Mintz Logo

Ever since our 2013 prediction, an ever increasing number of public companies are adding disclosure related to cybersecurity and data breach risks to their public filings.  We previously analyzed how the nation’s largest banks have begun disclosing their cybersecurity risks.   Now, it appears that the rest of the Fortune 500 companies are catching on and including some level of disclosure of their cyber risks in response to the 2011 SEC Guidance.

The recently published Willis Fortune 500 Cyber Disclosure Report, 2013 (the “Report”), analyzes cybersecurity disclosure by Fortune 500 public companies.  The Report found that as of April 2013, 85% of Fortune 500 companies are following the SEC guidance and are providing some level of disclosure regarding cyber exposures.  Interestingly though, only 36% of Fortune 500 companies disclosed that such risk was “material”, “serious” or used a similar term, and only 2% of the companies used a stronger term, such as “critical”.

Following the SEC’s recommendation in its guidance, 95% of the disclosing companies mentionedspecific cyber risks that they face.  The top three cyber risks identified by those companies that disclosed cyber risks were:

1)      Loss or theft of confidential information (65%).

2)      Loss of reputation (50%).

3)      Direct loss from malicious acts (hackers, viruses, etc.) (48%).

Surprisingly, 15% of Fortune 500 companies indicated that they did not have the resources to protect themselves against critical attacks and only 52% refer to technical solutions that they have in place to defend against cyber risks.

The Report notes that despite the large number of Fortune 500 companies that acknowledge cyber risks in their disclosure, only 6% mentioned that they purchase insurance to cover cyber risks.  This number runs contrary to a survey published by the Chubb Group of Insurance Companies in which Chubb indicates that about 36% of public companies purchase cyber risk insurance.  For whatever reason, it appears that many of the Fortune 500 companies are simply not disclosing that they purchase cyber risk insurance as a means of protecting against cyber risk.

Almost two years after its issuance, the Report findings indicate that the 2011 SEC Guidance is in full swing and making its way into reality.  As more large companies disclose cyber risks in their public filings, this will continue to trickle down to the smaller companies that rely on those filings for precedent and guidance.  The Report provides a clear snapshot of where things stand in cyber risk disclosure by Fortune 500 public companies.  The scope of the Report is expected to expand to include Fortune 1000 companies, and it will be interesting to see how this data changes, if at all, when comprised of a larger pool of public companies.

Stay tuned!

Article By:

 of

Federal Trade Commission (FTC) Settles with HTC America Over Charges it Failed to Secure Smartphone Software

RaymondBannerMED

Smartphone manufacturer HTC agreed in February to settle Federal Trade Commission (FTC) charges that the company failed to take reasonable steps to secure software it developed for its mobile devices including smartphones and tablet computers. In its complaint, the FTC charged HTC with violations of the Federal Trade Commission Act.  On July 2 the FTC approved a final order settling these charges.

trade FTC smartphone HTC

The FTC alleged HTC failed to employ reasonable security measures in its software which led to the potential exposure of consumer’s sensitive information. Specifically, the FTC alleged HTC failed to implement adequate privacy and security guidance or training for engineering staff, failed to follow well-known and commonly accepted secure programming practices which would have ensured that applications only had access to users’ information with their consent. Further, the FTC alleged the security flaws exposed consumers to malware which could steal their personal information stored on the device, the user’s geolocation information and the contents of the user’s text messages.

HTC is a manufacturer of smartphones but it also installs its own proprietary software on each device. It is this software that the FTC targeted. While HTC smartphones run Google’s Android operating system, the HTC software allegedly introduced significant vulnerabilities which circumvented some of Android’s security measures.

As part of the settlement consent order, HTC agreed to issue security patches to eliminate the vulnerabilities. HTC also agreed to establish a comprehensive security program to address the security risks identified by the FTC and to protect the security and confidentiality of consumer information stored on or transmitted through a HTC device. HTC further agreed to hire a third party to evaluate its data and privacy security program and to issue reports every two years for the consent order’s 20 year term. The implication of the FTC’s policy makes it clear that companies must affirmatively address both privacy and data security issues in their custom applications and software for consumer use.

Basic Guidelines for Protecting Company Trade Secrets

Lewis & Roca

Under the Uniform Trade Secrets Act (UTSA), “trade secrets” are generally defined as confidential proprietary information that provides a competitive advantage or economic benefit. Trade secrets are protected under the Economic Espionage Act of 1994 (EEA) at the federal level, and the vast majority of states have enacted statutes modeled after the UTSA (note that some jurisdictions, such as California, Texas and Illinois, have adopted trade secret laws that differ substantially from the UTSA; thus, businesses should research laws in the relevant jurisdiction(s).). Under the UTSA, to be protectable as a trade secret, information must meet three requirements:

i. the information must fall within the statutory definition of “information” eligible for protection;

ii. the information must derive independent economic value from not being generally known or readily ascertainable by others using appropriate means; and

iii. the information must be the subject of reasonable efforts to maintain its secrecy.

Trade secret theft continues to accelerate among U.S. companies, and can have drastic consequences. To combat this threat, Congress and certain state legislatures have recently enacted legislation to broaden trade secret protection. As a result, it is paramount that companies safeguard all proprietary information that may qualify as protectable trade secrets. This blog post explains some key trade secrets concepts, and offers pointers on how to identify and protect trade secrets.

(1) Determine Which Data Constitutes “Information”

The UTSA-type statutes generally define “information” to include:

Financial, business, scientific, technical, economic, and engineering information;

Computer code, plans, compilations, formulas, designs, prototypes, techniques, processes, or procedures; and

Information that has commercial value, such as customer lists or the results of expensive research.

Courts have similarly interpreted “information” to cover virtually any commercially valuable information. Examples of information that has been found to constitute trade secrets includes pricing and marketing techniques, customer and financial information, sources of supplies, manufacturing processes, and product designs.

(2) “Valuable” and “Not Readily Ascertainable” Information

To be protectable, information must also have “economic value” and not be “readily ascertainable” by others. Courts generally determine whether information satisfies this standard by considering the following factors:

Reasonable measures have been put in place to protect the information from disclosure;

The information has actual or potential commercial value to a company;

The information is known by a limited number of people on a need-to-know basis;

The information would be useful to competitors and would require a significant investment to duplicate or acquire the information; and

The information is not generally known to the public.

(3) Take Reasonable Measures to Maintain Secrecy

Businesses should implement technical, administrative, contractual and physical safeguards to keep secret the information sought to be protected. Companies should identify foreseeable threats to the security of confidential information; assess the likelihood of potential harm flowing from such threats; and implement security protocols to address potential threats. Examples of security measures might include restricting access to confidential information on a need-to-know basis, employing computer access restrictions, circulating an employee handbook that outlines company policies governing confidential information, conducting entrance interviews for new hires to determine whether they are subject to restrictive covenants with former employers, conducting exit interviews with departing personnel to ensure that the employee has returned all company materials and agrees to abide by post-employment obligations, encrypting confidential information, limiting access to confidential information through passwords and network firewalls, track all access to network resources and confidential information, restrict the ability to email, print or otherwise transfer confidential information, employ security personnel, limit visitor access, establish surveillance procedures, and limit physical access to areas that may have confidential information.

Conclusion

This blog post is intended to provide some broad guidelines to identifying and protecting company trade secrets. Most if not all companies have confidential information that may be protectable as a trade secret. But certain precautions need to be in place to ensure that the information is protectable. Because each company and situation is different, you should seek advice about your specific circumstances.

Article By:

 of

China’s First-Ever National Standard on Data Privacy – Best Practices for Companies in China on Managing Data Privacy

Sheppard Mullin 2012

Companies doing business in China should take careful notice that China is now paying more attention to personal data privacy collection. This would be an opportune time for private companies to internally review existing data collection and management practices, as well as determine whether these fall within the new guidelines, and where necessary, develop and incorporate new internal data privacy practices.

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines, while not legally binding, are just what they purport to be – guidelines – some commentators view these as technical guidelines. However, the Guidelines should not be taken lightly as this may be a pre-cursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries.

What should companies look for when examining existing data privacy and collection policy and practices? As the Guidelines provide for rules on collecting, handling, transferring and deleting personal information, these areas of a company’s current policies should be reviewed.

“Personal Information”

What personal information is subject to the Guidelines? The Guidelines define “personal information” as “computer data that may be processed by an information system, relevant to a certain natural person, and that may be used solely or along with other information to identify such natural person.”

“General” and “Sensitive” Personal Information

The Guidelines makes a distinction on handling “general” as opposed to “sensitive” personal information. Sensitive personal information is defined as “information the leakage of which will cause adverse consequences to the subject individual” e.g. information such as an individual’s identity card, religious views or fingerprints.

Consent Required

If an individual’s personal information is being collected, that individual should be informed as to the purpose and the scope of the data being collected; tacit consent must be obtained- the individual does not object after being well informed. With “sensitive” personal information being collected, a higher level of consent must be obtained prior to collection and use; the individual must provide express consent and such evidence be retained.

Notice

Best practices dictate a well-informed notice be given the individual prior to collection of any personal information. The notice should clearly spell out, among other items, what information is being collected, the purpose for which the information will be used, the method of collection, party to whom the personal information will be disclosed and retention period.

Cross Border Transfer

The Guidelines further limit the transfer of personal information to any organization outside of P.R. China except where the individual provides consent, the government authorizes the transfer or the transfer is required by law. It is unclear as to which law applies where transfer is “required by law”- PRC law or law of any other country.

Notification of Breach

There is a notification requirement. The individual must be notified if personal information is lost, altered or divulged. If the breach incident is material, then the “personal information protection administration authority.” The Guidelines, however, do not define or make clear this administration authority is here.

Retention and Deletion

Best practices for a company is to minimize the amount of personal information collected. Personal information once used to achieve their intended purpose should not be stored and maintained, but immediately deleted.

The Guidelines may not be binding authority, but at a minimum sets certain standards for the collection, transfer and management of personal information. Especially for companies operating in China, the Guidelines is a call to action, and for implementation of best practices relating to data privacy. Companies should take this opportunity to assess their data privacy and security policies, review and revise customer information intake procedures and documentation, and develop and implement clear, company-wide internal data privacy policies and methods.

Article By:

 of