Data Security Law Journal

Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Who’s The New Silicon Valley of the East Coast?

Posted in All Things E

Maybe it’s because I’m in New York City for a few days this week, but this article in the Wall Street Journal and this one in the New York Times caught my eye.  New York City has surpassed Boston as the #1 tech sector for Internet and mobile technologies on the east coast.  The story was based on a report released by the Center for an Urban Future.  Here are some of the key findings from the report:

  • “[T]here has been an explosion of tech start-ups in New York City, most of which are companies that leverage the Internet and mobile technologies.”  Specifically, the Center for an Urban Future identified 486 digital start-ups formed in NYC since 2007 that received angel, seed, or VC funding, and there are over 1,000 web-based technology start-ups in the city.
  • NYC was the only technology region in the country to see an increase in the number of venture capital deals between 2007 and 2011.
  • The start-ups located in NYC are growing significantly.  Fifteen have raised more than $50 million in investments, 27 have raised at least $25 million in investments, and 81 have raised at least $10 million.
  • The NYC technology sector has created 52,900 jobs in the past few years, a 28.7% increase for that sector (as compared to the 3.6% growth rate in the NYC private jobs sector generally).
  • This explosion in growth appears to be sustainable.  The start-ups are less focused on building new technology and more focused on applying existing technology to traditional industries like advertising, media, fashion, finance, and health care.

This last finding is perhaps the most significant because the application of existing technology to industries in which New York City already excels appears to be the linchpin of the city’s strong tech growth and a distinguishing factor from the “dot com” bubble in the late ’90s.  The report is well worth reading as a case study of how and why a city develops a strong technology sector.  This is great news for my favorite city in the world!

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Federal Data Breach Notification Laws

Posted in Data Breach, Data Security

The title of this blog entry is somewhat of a misnomer because there is no single national data breach notification law that governs all information the same way as the state data breach notification laws do.  So, for the time being, companies and consumers are forced to determine which state data breach notification laws apply to them and what the differences are between them.  Nevertheless, there are federal laws that require disclosure of data breaches in certain instances, and usually these laws are “industry specific.”

Examples of federal laws that require data breach notification are two laws governing the health care industry – the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).  Together, these laws require “covered entities” and many of their service providers to maintain administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of “protected health information” (commonly referred to as “PHI”).  A covered entity is a health plan, a health clearinghouse, or a health care provider who transmits health information.

If there is a breach, the covered entity must notify the individuals whose information has been accessed (and law enforcement) without unreasonable delay and no later than 60 days after the breach was discovered.  (The law also requires notification to the media in cases where the breach affects more than 500 individuals).  Whether there is a breach that triggers the duty to notify depends on whether, with some exceptions, there was an impermissible use or disclosure that compromises the security or privacy of the PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.  The notice must state what occurred, what type of information was accessed by the breach, what steps individuals should take in response, what is being done to investigate, mitigate, and protect against further harm, and contact information should be provided.  HITECH imposes these same notification requirements on the covered entity’s vendors and service providers.

Another example of a federal data breach notification requirement is found within the Gramm-Leach-Bliley Act (GLB), which governs companies engaged in financial services.  Under GLB, when a financial institution becomes aware of an incident of unauthorized access to sensitive customer information, the institution should conduct an investigation to determine the likelihood that the information has been or will be misused.  If there is a determination that misuse has occurred or is reasonably possible, the institution must notify the affected customer as soon as possible, unless law enforcement determines that notification would interfere with a criminal investigation.

Sometimes a company’s duty to disclose arises from a government agency’s guidance rather than from a statute.  For example, publicly traded companies need to be aware of the October 13, 2011, SEC Disclosure Guidance:  Topic No. 2.  Although the guidance is not the law but rather an agency’s interpretation of the law, it clearly states that publicly traded companies should report significant cyber incidents to the SEC.  The company must determine whether a reasonable investor would consider information about the incident important to an investment decision.  In making this determination, a company should consider several factors set forth in the guidance.  The guidance also states what information should be in the disclosure.

These examples and the descriptions of them are admittedly very superficial and are not meant to capture the entire universe of federal laws requiring data breach notification.  The point of this post is that there is no uniform federal data breach notification law.  Data breach notification requirements at the federal level arise from a variety of laws and other legal authority.  As a result, a company that believes it may have suffered a data breach must consult the laws of any state where any of its customers reside, a variety of federal legal sources that regulate the company’s industry, and—as will be explained in an upcoming post—international law.  If your company has customers overseas, it will need to be aware of data breach notification requirements abroad.  The next part of this series on data breach notification laws will focus on Europe as a case study of how data breach notifications are addressed in other countries.

State Data Breach Notification Laws

Posted in Data Breach, Data Security

In 2005, a company called ChoicePoint, which collected personal and financial information for millions of consumers, was the victim of a security breach.  Criminals stole from ChoicePoint personal information for more than 145,000 individuals.  The floodgates opened and a variety of other corporations and organizations revealed similar data breaches that had resulted in unauthorized access to the personal information of 52 million individuals.

As a result of the ChoicePoint breach, states began enacting data breach notification laws that required companies and organizations to disclose major data breaches.  California was the first such state, and its law has been the model for data breach notification laws all over the country.  See Cal. Civ. Code §§ 56.06, 1785.11.2, 1798.29, 1798.82.  In fact, the only states that do not currently have data breach notification laws are Alabama, Kentucky, New Mexico, and South Dakota.

This blog post discusses how these data breach notification laws operate generally, keeping in mind that there are some differences from state to state.  The most important issues are who/what is protected by the laws, when is a data breach considered to have occurred so that the law is triggered, when should notification take place and what must the notice contain, and what are the penalties for failure to comply with the laws.

What/who is protected by data breach notification laws?  The laws protect the “personal information” of a state’s residents.  Personal information is usually defined as a person’s name in combination with some other private information such as a social security number, driver’s license number, account/credit card number, medical information, or health insurance information.  Some states have expanded the definition to include biometric data, fingerprints, retina images, and DNA profiles.  Personal information does not include publicly available information such as publicly available property information or criminal records.  The laws apply to any person or business that conducts business in the state where the law exists, including businesses not located in the state that are collecting information about the state’s residents, and any state agency that owns or licenses personal information.

When are the data breach notification laws triggered?  Data breach laws typically apply when there is an unauthorized acquisition of computerized data.  This includes a wide range of activity, from the intentional (hacking, theft, and corporate espionage, for example) to the negligent (losing a hard drive containing private customer information, or misdirecting electronic information).  Most data breach notification laws, however, do not apply to data that is encrypted (though the required strength of encryption, and whether encryption is required at rest and/or in motion, is not clear), and sometimes the laws do not apply if the information is redacted.

When should notification of the data breach take place?  Once a company has determined that it was a victim of a data breach, it must usually provide notice of the breach to those individuals whose data has been accessed in an unauthorized manner.  Some states provide a specific deadline for when notice must take place, but many states simply require that disclosure take place within “the most expedient time possible and without unreasonable delay.”  An organization’s disclosure can usually be delayed if it would impede an ongoing criminal investigation.  In some states, notice is not required if, after an independent investigation or consultation with law enforcement, there is a determination that the breach did not result in harm to consumers.  In certain states there is a requirement for service providers who suffer data breaches to notify the companies that hired them of the breach.

What must be in the notice?  If a determination is made that notice must be provided, then the data breach notification laws usually provide how that notice must be provided (i.e., what information should be in the notice).  The notice should be clear, and as easy to understand as possible.  The notice should explain what information was accessed and it may need to include a credit reporting agency’s telephone number.  Many states require that notice of the breach also be provided to the state Attorney(s) General.

What are the penalties for failure to comply?  If an organization does not comply with the requirements of a data breach notification statute it can be subject to significant administrative penalties of thousands of dollars per day after the disclosure deadline.  Additionally, many states have created a private cause of action (i.e., you can be sued) for not following the data breach notification requirements.

In short, it is important, once an organization suspects that it might be the victim of a data breach, to immediately engage legal counsel to assist in determining whether the breach requires disclosure and, if so, how and when the disclosure should take place.  It should be evident from the above information that the data breach notification laws vary from state to state, so any disclosure notice should be tailored with all relevant state and federal data breach notification laws in mind.  The fact that there are so many different data breach notification statutes is a compelling reason why Congress should step in and pass legislation that makes the data breach notification requirements more uniform.  Congress previously considered such legislation, but it did not become law.

Speaking of federal data breach notification laws, in addition to the state laws governing data breach notifications, there are also federal and international laws that govern data breaches.  Those laws impose even more notification requirements.  They will be discussed in the next post.  Stay tuned.

Video Interview: Discussing the Global Payments Inc. Data Breach with LXBN TV

Posted in Data Breach, Data Security

Yesterday I had the opportunity to speak with Colin O’Keefe of LXBN TV regarding the recent major data breach involving Global Payments Inc. In the interview, I explain the background of the breach, which impacted all major credit cards, the lessons companies can learn from the breach and exactly who bears the burden—financially and otherwise—of the unfortunate situation.

Hacking the “Middle Man”

Posted in Data Breach, Data Security

Another massive high profile data breach was in the news this past week. MasterCard, Visa, American Express, and Discover, as well as other banks and franchises were affected.  Significantly, the breadth of the effect was not a result of separate attacks against each bank, but rather a hacking of one common third-party service provider—Global Payments Inc—which processes credit card payments and acts as a “middle man” between the consumer and the bank. The extent of the data breach is not yet fully known, but MasterCard, Visa, and American Express all suffered decreases in the value of their stocks when news of the data breach broke.  Global Payments released a statement that the intrusion was limited to North America and affected up to 1.5 million cards.

If you are a business that maintains sensitive client and proprietary information, there are several important lessons to be learned from this data breach:

  • When you hire a third-party service provider or vendor, you need to know what measures that vendor is taking to protect your data and the data of your customers.  What policies and procedures has the vendor implemented to maintain the security of data you share with it?  What contractual or other legal remedies do you have against the vendor should something happen to the data?  Is the vendor insured for such a loss?
  • Your company’s defenses to a data breach are only as strong as its weakest link.  For example, it may not matter very much that your company has adopted the most state-of-the-art, expensive, top-flight security measures if a service provider is not taking equally strong measures to protect the same data.  As Tom Kellermann, a vice-president at Trend Micro, a computer security company, told the New York Times:  “Hackers are well aware that these [payment processing] systems don’t have the same sophisticated levels of security as the banks.  The payment processors have become their Achilles’ heel.”  According to that same article, this was the second known breach that Global Payments has suffered within the last 12 months.
  • It is interesting how the news of this data breach broke — it appears to be the result of a blog post on Krebs on Security, rather than as a result of the work of a major national newspaper or other traditional news entity.  The work of bloggers in this sphere is increasingly impressive. Krebs is just one example.  Databreaches.net is another blog that maintains an impressive record of significant data breaches and further demonstrates the continued explosion of data breaches worldwide.  I would also recommend author Christopher Danzig, who writes frequently for Above the Law and other national and regional publications.
  • It is wrong to simply assume that because the breach occurred, it could have been prevented, or that Global Payments was not doing all it could to prevent the breach from occurring in the first place.  Again, a quote from the NYT article is instructive because it shows the complicated relationship between the banks, the payment processors, the merchants, and the customers:  “‘These folks work night and day to secure their systems, but they are connected to millions of merchants around the country and nothing is absolutely foolproof,’ said Thomas Goldsmith, a spokesman for the Electronic Transactions Association, a trade group.”
  • According to Krebs on Security, the Global Payments breaches occurred as early as January 2011 and then again between January 21, 2012, and February 25, 2012, and at least the first breach appears to have been a “sustained breach” (hackers captured data about 24 million unique transactions on an ongoing basis for the last year), yet news of the breach was not made public until now.  Indeed, were it not for the blog post, one might wonder how long it would have taken for this information to otherwise become public. It may be that Global Payments could not confirm that it had in fact suffered a breach and did not know the source or extent of the intrusion until very recently.  In any event, interesting issues relating to whether, when, and how Global Payments should have disclosed the information are all implicated.
  • Another issue is who will bear the financial burden for the breach? The banks? Global Payments?  The hosting provider for Global Payments?  The merchants? The consumers?  Perhaps a combination of some or all.  The financial burden does not simply mean potential legal liability, but also includes the far greater costs of public relations consequences, damage to reputation and brand, and the cost of remediation and implementing new security measures.  The issue of the financial and public relations fallout will be interesting to follow.

In short, the Global Payments data breach is another example of a high profile data breach that corporations worldwide would do well to learn from.  Arguably the most important lesson? KNOW WHAT YOUR VENDORS ARE DOING TO KEEP YOUR DATA SAFE!

5/6/12 UPDATE:  A May 3, 2012, article in the Wall Street Journal reveals that Global Payments may have underestimated the number of cardholders who were affected by the recent data breach as well as the breadth of the breach.  Initially, Global Payments stated that less than 1.5 million card numbers were accessed.  Now, it appears the breach may have affected as many as 7 million users.  The increase appears to be a result of new information showing that the hackers had access to the customer data since the spring of 2011, far earlier than the January 2012 estimate provided by Global Payments.  As the Journal points out, “[t]he data breach’s wider scope underscores how hard it is to assess the damage that follows hacker attacks.”

Foreign Economic Cyber-Espionage (Part 3)

Posted in Data Breach, Data Security

This final blog entry in the series about economic cyber-espionage focuses on what, if anything, the government can do and is doing to limit cyber attacks that result in the theft of billions of dollars’ worth of intellectual property and confidential proprietary information.

The issue of cyber-espionage is receiving attention from the highest levels of government.  For example, the report that was the basis for this series was prepared by the Office of the National Counterintelligence Executive, which is part of the Office of the Director of National Intelligence.  It is staffed by senior counterintelligence and other specialists from across the national intelligence and security communities.  The Intelligence Authorization Act for Fiscal Year 1995 requires that the President biennially submit to Congress updated information on the threat to U.S. industry from foreign economic collection and industrial espionage.  This report was submitted to Congress pursuant to that obligation.

The issue is gaining significant attention in the U.S. media, for legitimate reasons.  Loren Thompson, a contributor for Forbes magazine, recently authored an article entitled “U.S. Headed for Cyberwar Showdown with China in 2012.”  In it, Mr. Thompson points out that even though cyber-espionage is “being executed by a relatively small number of agents linked to the general staff of China’s People’s Liberation Army, the damage they are inflicting on U.S. security and economic competitiveness is judged to be extensive.”  But as Thompson points out, the question is what, if anything, can be done about it.

Part of the problem appears to be identifying precisely who is engaging in these cyber attacks.  According to a report by Siobhan Gorman in the Wall Street Journal, the Obama Administration has had some success in identifying some of the key operatives in the Chinese cyber campaign (though the Chinese claim that such allegations are “totally ungrounded” and that Chinese law “clearly prohibits hacking”).  I highly recommend the article to anyone interested in a deeper investigation into allegations of Chinese cyber-espionage.

Yet, Mr. Thompson of Forbes posits, the administration has taken little offensive action against China because “it doubts confrontational tactics will produce positive results.”  But given the billions of dollars in economic information being lost to the Chinese intrusions and the possibility of far worse attacks, it is far more likely that the administration will be forced to be more openly aggressive.

In addition to the issue increasingly gaining the attention of the executive branch, Congress is considering competing legislation that would seek to limit the risk of cyber attacks.  The Cybersecurity Act of 2012 (S.2105), introduced by Senators Lieberman and Rockefeller, would give the Department of Homeland Security regulatory authority over companies with computer systems crucial to the nation’s economic and physical security.  Republicans have proposed alternative legislation called the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act (“SECURE IT”).  Crudely defined, the Republican alternative relies on companies voluntarily sharing threat data through certain cybersecurity centers.  In exchange, companies would receive incentives, such as protection from civil lawsuits and exemption from public disclosure.  It is unclear whether Congress will ultimately pass either piece of legislation.

UPDATE:  60 Minutes recently aired a very interesting story on the Stuxnet virus, which is believed to have been used offensively to attack Iranian nuclear plants.  The piece is particularly relevant to this series of blog entries because it discusses the increasing trend toward international espionage through cyber attacks.  I highly recommend the story to those of you interested in this issue.

Foreign Economic Cyber-Espionage (Part 2)

Posted in Data Security

This series of blog entries on foreign economic cyber-espionage arose from a recent government report detailing the source, extent, and threat of cyber-espionage to the U.S. economy.  This entry focuses on the cost of this espionage to the U.S. and global economy.

The National Counterintelligence Executive report finds that the threat of cyber-espionage applies to all U.S. economic activity and technology, but the greatest threats are to:

  • Information and communications technology, which forms the backbone of nearly every other technology.
  • Business information that pertains to supplies of scarce natural resources or that provides foreign actors an edge in negotiations with U.S. businesses or the U.S. Government.
  • Military technologies, particularly marine systems, unmanned aerial vehicles, and other aerospace/aeronautic technologies.
  • Civilian and dual-use technologies in sectors likely to experience fast growth, such as clean energy and healthcare/pharmaceuticals.

With respect to the health care and pharmaceutical industry, the report specifically notes that, “The massive R&D costs for new products in these sectors—up to $1 billion for a single drug—the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable U.S. healthcare, pharmaceutical, and related information.”

Cyber-espionage has cost tens or hundreds of millions of dollars in potential profits to U.S. entities, but the report also identifies several factors that affect the cost of cyber-espionage:

  • Many victims of economic espionage are unaware of the crime until years after loss of the information.
  • Even when a company knows its sensitive information has been stolen by an insider or that its computer networks have been penetrated, it may choose not to report the event to the FBI or other law enforcement agencies. No legal requirement to report a loss of sensitive information or a remote computer intrusion exists, and announcing a security breach of this kind could tarnish a company’s reputation and endanger its relationships with investors, bankers, suppliers, customers, and other stakeholders.
  • A company also may not want to publicly accuse a corporate rival or foreign government of stealing its secrets out of fear of offending potential customers or business partners.
  • Finally, it is inherently difficult to assign an economic value to some types of information that are subject to theft. It would, for example, be nearly impossible to estimate the monetary value of talking points for a meeting between officials from a US company and foreign counterparts.

Nicole Perlroth, a reporter for the New York Times Bits column, writes regularly on data privacy and data security issues.  She recently reported in greater depth on the economic cost of cyber-espionage.  In an article titled “How Much Have Foreign Hackers Stolen?” she points out that nobody really knows how much has been stolen and, predictably, companies are reluctant to discuss any security breaches they have suffered.  Her research, however, identified Congressional testimony by the Assistant Director of the U.S. Secret Service estimating that in 2010 “cyberthieves abroad stole 867 terabytes of data from the United States, or nearly four times the amount of data collected in the archives of the Library of Congress.”  That amount is now stolen on a daily basis, according to the former Director of National Intelligence.  Any computer system of consequence has been compromised by an advanced persistent threat.

The problem will only get worse as foreign technology improves, more data is moved into “the cloud”, and workers make it easier to steal trade secrets by carrying them around with them on their personal devices.  Ms. Perlroth wrote a separate article called “Traveling Light in a Time of Digital Thievery” that describes the extent to which companies are going to protect their data when their employees travel abroad.  Such measures include bringing loaner devices that are wiped clean before they leave the U.S. and immediately upon return to the U.S., disabling Bluetooth and Wi-Fi when overseas, and copying and pasting passwords from a separate USB thumb drive.  The article is well worth a read for anyone traveling overseas with a mobile device that is used to access corporate data in the United States.

Foreign Economic Cyber-Espionage (Part 1)

Posted in Data Security

This blog entry begins a multi-part series on the rise of foreign economic cyber-espionage.  In October 2011, the U.S. Office of the National Counterintelligence Executive issued a report to Congress entitled “Foreign Spies Stealing U.S. Economic Secrets in Cyberspace.”  The report was significant because it was one of the first formal documents in which the U.S. government took a clear position that elements in China and Russia are actively and intentionally stealing U.S. economic secrets through the use of cyber attacks.  The Chairman of the House Intelligence Committee told the New York Times that “[t]he biggest threat, when it comes to cyber-espionage today, is the sheer volume with which China seeks to steal our intellectual property for its own prosperity.”

The report details the “cyber collection” of information by foreign actors, which can take many forms, like simple visits to a U.S. company’s website for the collection of openly available information, a corporate insider’s downloading of proprietary information onto a thumb drive at the behest of a foreign rival, or intrusions launched by foreign intelligence services or other actors against the computer networks of a private company, federal agency, or an individual.

The report provides examples of how a massive number of computer network intrusions have been used to attack U.S. corporations, primarily in the health care, pharmaceutical, and defense industries.  The report concedes, however, that attribution to a specific country can be difficult because it is often based on circumstantial evidence, such as the fact that the IP addresses for these computer network intrusions originate in that country.  An IP address identifies only the last visible hop of an intrusion, and intrusions are routinely routed through compromised machines in third countries, so that evidence alone is weak.

Some examples of cyber-espionage documented in the report include:

  • In a February 2011 study, McAfee attributed an intrusion set they labeled “Night Dragon” to an IP address located in China and indicated the intruders had exfiltrated data from the computer systems of global oil, energy, and petrochemical companies. Starting in November 2009, employees of targeted companies were subjected to social engineering, spear-phishing e-mails, and network exploitation. The goal of the intrusions was to obtain information on sensitive competitive proprietary operations and on financing of oil and gas field bids and operations.
  • In January 2010, VeriSign iDefense identified the Chinese Government as the sponsor of intrusions into Google’s networks. Google subsequently made accusations that its source code had been taken—a charge that Beijing continues to deny.
  • Mandiant reported in 2010 that information was pilfered from the corporate networks of a US Fortune 500 manufacturing company during business negotiations in which that company was looking to acquire a Chinese firm. Mandiant’s report indicated that the US manufacturing company lost sensitive data on a weekly basis and that this may have helped the Chinese firm attain a better negotiating and pricing position.
  • Participants at an Office of National Counterintelligence Executive conference in November 2010 from a range of US private sector industries reported that client lists, merger and acquisition data, company information on pricing, and financial data were being extracted from company networks—especially those doing business with China.

In addition to Chinese economic espionage, the report also cites the June 2010 arrest of ten Russian foreign intelligence service employees who were tasked with collecting economic and technology information.  In certain cases, according to the report, allies and other countries enjoy broad access to U.S. Government agencies and the private sector and conduct economic espionage to acquire sensitive U.S. information and technologies.

Future entries in this series will focus on the cost of these cyber attacks on the U.S. economy and what is being done to limit it.


Limitations of the SEC Guidance on Disclosure of Cyber Security Risks

Posted in Data Security

My previous post discussed the CF Disclosure Guidance: Topic No. 2, recently issued by the SEC’s Division of Corporation Finance, which sets out the Division’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  There are limitations to this Guidance, and this post attempts to address some of those limitations.

One limitation is that the Guidance has no legally binding effect.  The Guidance itself states that it “is not a rule, regulation, or statement of the Securities and Exchange Commission.  Further, the Commission has neither approved nor disapproved its content.”

Another limitation is to whom the Guidance applies.  The Guidance applies to registrants with the SEC (i.e., publicly traded companies).  These are entities that must file registration statements under the Securities Act of 1933 and periodic reports under the Securities Exchange Act of 1934.

The Guidance also limits what information must be disclosed.  For example, a company is not required to disclose information that would compromise a registrant’s cybersecurity.  “Instead, registrants should provide sufficient disclosure to allow investors to appreciate the nature of the risks faced by the particular registrant in a manner that would not have that consequence.”

The Guidance also limits the amount of detail that must be provided as part of the disclosure in an effort to prevent providing a roadmap that would make future cyber attacks easier:  “We are mindful of potential concerns that detailed disclosures could compromise cybersecurity efforts – for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security – and we emphasize that disclosures of that nature are not required under the federal securities laws.”

In short, a company that has suffered, or is at risk of, a cyber attack should consider the application of the CF Disclosure Guidance:  Topic No. 2, but the company should not automatically assume that the Guidance applies to it, and care should be taken to ensure that, to the extent a disclosure is required, it is narrowly tailored to provide the type of information required by the Guidance.


Obligation to Disclose Security Risks

Posted in Data Security

What obligation does a publicly traded company have to disclose security breaches?  On October 13, 2011, the Securities and Exchange Commission took an important step towards answering this question when it issued guidance that attempts to clarify a company’s obligations to disclose cybersecurity risks in the registration statements and periodic reports the SEC requires.

The “CF Disclosure Guidance: Topic No. 2” provides the SEC’s Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks.  Publicly traded companies are required to disclose timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.  The guidance clarifies that this same obligation may apply to cybersecurity risks and incidents if the issues those risks/incidents raise “are among the most significant factors that make an investment in the company speculative or risky.”

In determining whether a risk factor disclosure is required, a company should consider the severity and frequency of prior cyber incidents, including the potential costs and other consequences resulting from misappropriation of sensitive information, corruption of data, or operational disruption.  The company should also consider “the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

The guidance also provides instruction on what an appropriate disclosure should contain once a company has determined that a disclosure is necessary:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

In my next post, we will look at the limitations of the Guidance.
