Data Security Law Journal

Focusing on legal trends in data security, cloud computing, data privacy, and anything E

Data Security Remains Top Concern in Corporate Boardrooms

Posted in Data Security, Surveys and studies

Last August, I wrote about a survey by Corporate Board Member and FTI Consulting, Inc., showing that data security was the top legal risk for corporate directors and general counsel.

That same survey was taken again in 2013, and the results were released last week in a report entitled “Law in the Boardroom.” The gist of the report is that “the newest area of major concern continues a trend noted in last year’s study:  data security and IT risk is one of the most significant issues for both directors and general counsel.”

Here are some other significant findings in the survey:

  • More than one-quarter of director and general counsel respondents earmarked cyber risk as an area that will require their attention in 2013.
  • The average annualized cost of cybercrime jumped 6% to $8.9 million in 2012.
  • Interestingly, general counsel do not seem to think directors will be spending as much time on this topic as the legal department itself will.
  • Only one-third of general counsel felt “very confident” in their company’s ability to respond, and less than one-quarter of directors agree.   Only 51% of GCs are at least somewhat confident in their company’s ability to handle a breach.

In short, a company’s preparation for and response to cyber threats remain top concerns for general counsel and directors alike.  Fortunately, more companies are taking proactive measures, like mapping or inventorying data to apply the most stringent security safeguards to the most sensitive information.  Other proactive measures companies should consider include reviewing and revising information security policies, evaluating how to more effectively incorporate privacy and security concerns into the corporate culture, and refreshing employees on the risks and best practices in collecting, storing, using, and disposing of sensitive consumer and proprietary information.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

What Does A Cyber Attack Look Like?

Posted in All Things E, Data Breach, Data Security

The phrase “cyber attack” elicits thoughts of a compromised information system, a crashed computer network, or inappropriate access to sensitive electronic information.  It doesn’t usually conjure up images of machinery setting on fire, and smoke emerging from a factory.  Nevertheless, here is a video of an experimental cyber attack named Aurora, which took place on a generator in a manufacturing plant.


The experiment, which took place approximately five years ago, demonstrated potential vulnerabilities that could be used to attack much larger generators that produce the country’s electric power.  It is an interesting reminder of the impact that cyber attacks can have on critical infrastructure.

Data Breaches – Who is Causing Them, How, and What Can Companies Do About It?

Posted in Data Security, Surveys and studies

One of the leading annual studies analyzing the causes of data breaches was released earlier today.  The 2013 Verizon Data Breach Investigations Report analyzes what is causing data breaches, how the breaches are occurring, who are the hackers and the victims, and what trends can be gleaned from this information.  The report has become a “must read” for those in the data security industry and is often cited in board meetings, presentations, and by the media (the NY Times has already published a story about it). Those who do not have time to review the report may want to check out the Executive Summary.

The report studied 621 confirmed data breaches and more than 47,000 security incidents from all over the world.  Here is a summary of the most important findings:

  • Who is perpetrating the breaches?  A large majority (92%) of breaches are perpetrated by outsiders, and one out of every five are attributed to state-affiliated actors (95% of the state-affiliated espionage attacks relied on phishing in some way).  When breaches are perpetrated by insiders, more than 50% are a result of former employees taking advantage of their old accounts or backdoors that weren’t disabled, and more than 70% are committed within 30 days of resignation.
  • Who are the victims of breaches?  Larger organizations are increasingly becoming victims of breaches, and they are not isolated to any particular industry.  Manufacturing (33%), transportation (15%), professional (24%), and a variety of other industries (28%) are the targets of espionage attacks.
  • What assets are perpetrators targeting?  The most vulnerable assets are ATMs (30%), desktop computers (25%), file servers (22%), and laptops (22%).
  • How are breaches happening?  With respect to cyber breaches, they usually (76%) occur as a result of exploited weak or stolen credentials.
  • Why are breaches happening?  The attackers are primarily seeking financial gain (75%), they are opportunistic (75%), and they prefer intrusions that are low in difficulty (78%).
  • How and when are breaches being discovered?  69% of breaches are discovered by an external party (9% are discovered by customers).  Perhaps scarier is the fact that 66% of breaches take months or years to discover, which is longer than it has taken to discover breaches in previous years.

The report provides some recommendations for what organizations can do to minimize some of the risks, some of which are commonly accepted best practices.  I noticed the emphasis in these recommendations on detection more so than prevention.  The report is driven by the (realistic) assumption that organizations are already operating in a compromised environment.  While organizations should continue trying to prevent breaches from occurring in the first place, they cannot entirely eliminate them.  Therefore, organizations should focus more of their efforts and resources on the detection of intrusions and protection of assets.

Here is a list of recommended practices from the report:

  • Eliminate unnecessary data; keep tabs on what’s left
  • Ensure essential controls are met; regularly check that they remain so
  • Collect, analyze, and share incident data to create a rich data source that can drive security program effectiveness
  • Collect, analyze, and share tactical threat intelligence, especially indicators of compromise, that can greatly aid defense and detection
  • Without deemphasizing prevention, focus on better and faster detection through a blend of people, processes, and technology
  • Regularly measure things like “number of compromised systems” and “mean time to detection” in networks.  Use them to drive security practices
  • Evaluate the threat landscape to prioritize a treatment strategy.  Don’t buy into a one-size-fits-all approach to security
  • If you’re a target of espionage, don’t underestimate the tenacity of your adversary.  Nor should you underestimate the intelligence and tools at your disposal.

These statistics, findings, and recommended practices should be considered by any organization that collects, uses, stores, and disposes of sensitive information.  The threats to that information are real, they affect companies in all industries, and they are difficult to prevent.  Companies should evaluate and be prepared to respond to these increasing risks by adopting proactive administrative, technical, and physical security safeguards.


Data Breach Lawsuits – Revisiting the Risks

Posted in Data Breach, Data Privacy, Data Security, Lawsuits

Until recently, individuals whose information was compromised as a result of a company suffering a data breach faced an uphill battle when suing the company in a class action lawsuit.  Far more often than not, courts dismissed the lawsuits or entered summary judgment in favor of defendants on grounds that the plaintiffs could not establish a cognizable injury, that the claims were preempted by breach notification statutes, or that there was no evidence that the data breach (as opposed to some other act of identity theft) caused the plaintiff’s damages.  I’m still convinced that the pro-defendant environment remains the norm.  Nevertheless, four recent cases are being used to support the argument that the tide may be turning in favor of plaintiffs.

Burrows v. Purchasing Power, 12-cv-22800-UU (S.D. Fla.)

The most recent example is a proposed settlement in a class action lawsuit against Winn-Dixie and one of its service providers arising from a breach of personally identifiable information of Winn-Dixie grocery store employees.  The employees’ personally identifiable information was allegedly compromised when an employee of a company that provided an employee benefit program to Winn-Dixie employees misused his access to the PII and filed fraudulent tax returns with it.

Approximately 43,500 employees filed a class action lawsuit in the Southern District of Florida against Winn-Dixie and its employee benefits service provider.  The lawsuit includes counts of negligence, violation of Florida’s Deceptive and Unfair Trade Practice statute, and invasion of privacy.  Plaintiffs alleged that Defendants failed to adequately protect and secure the plaintiffs’ personally identifiable information, and that the defendants failed to provide the plaintiffs with prompt and sufficient notice of the breach.

The defendants’ attempts to defeat the plaintiffs’ lawsuit on the pleadings failed.  Winn-Dixie was subsequently voluntarily dismissed from the lawsuit and the case proceeded against the service provider, which ultimately entered into a proposed settlement with the plaintiffs, agreeing to pay approximately $430,000 ($225,000 towards a settlement fund, $200,000 in attorney’s fees and costs, and a $3,500 incentive award to the named plaintiff).  The settlement states that it was entered into “for the purpose of avoiding the burden, expense, risk, and uncertainty of continuing to litigate the Action, . . . and without any admission of any liability or wrongdoing whatsoever.”

The settlement requires the service provider to maintain rigorous security safeguards to minimize the risk of a similar incident in the future.  The settlement fund will be divided into four groups:  (1) a tax refund fraud fund (class members who show they were victims of tax refund fraud can be compensated for a portion of lost interest); (2) a tax preparer loss fund (class members can be compensated for fees paid to tax preparers for notifying the IRS of a tax fraud claim or assisting in resolving issues arising from the tax refund fraud, not to exceed $100); (3) a credit card fraud fund (class members who show they were victims of identity theft other than tax refund fraud that resulted in fraudulent credit card charges that the credit card company did not waive, up to $500); and, (4) a credit monitoring fund (class members who receive compensation in any of the previous three groups may receive credit monitoring services for one year).  To “prove” they were victims of fraud, plaintiffs must prepare a statement under penalty of perjury regarding the facts and circumstances of their stolen identity.

The settlement was preliminarily approved by the court on April 12, 2013, and a fairness hearing is scheduled for October 4, 2013.  The amount of money being paid to plaintiffs and their lawyers in this case should give corporate counsel monitoring these lawsuits pause for concern.  The District Court’s order allowing the case to proceed beyond the pleadings phase will likely be used as an instruction manual for plaintiffs in future data breach cases.

Resnick v. AvMed, Inc., 1:10-cv-24513-JLK (S.D. Fla.)

I previously blogged about the Eleventh U.S. Circuit Court of Appeals’ opinion that allowed a data breach class action to proceed where the plaintiffs claimed they were victims of identity theft arising from the theft of a laptop computer containing their personal information.  I encourage corporate counsel to read that post to learn more about the factors the Eleventh Circuit looked to in allowing that case to proceed beyond the pleadings phase. That lawsuit remains pending in the U.S. District Court for the Southern District of Florida.

Harris v. comScore, Inc., No. 11-C-5807 (N.D. Ill. Apr. 2, 2013)

Another recent legal development considered by many to be favorable to plaintiffs was a decision by the U.S. District Court in Chicago certifying a class of possibly more than one million people who claim that the online data research company comScore, Inc. collected personal information from the individuals’ computers and sold it to media outlets without consent.  Although the lawsuit did not arise from a data breach, some of the arguments regarding lack of injury and whether class certification is appropriate are the same.  The plaintiffs allege violations of several federal statutes including the Electronic Communications Privacy Act and the Stored Communications Act. The court rejected comScore’s arguments challenging class certification, including its argument that the issue of whether each plaintiff suffered damages from comScore’s actions precludes certification.  The lawsuit remains pending.

Tyler v. Michaels Stores Inc., SJC-11145, 2013 WL 854097 (Mass. Mar. 11, 2013)

The Massachusetts Supreme Judicial Court broadened the definition of the term “personal information” to include ZIP codes.  The court held that because retailers can use ZIP codes to find other personal information, retailers were prohibited by Massachusetts law (the Song-Beverly Credit Card Act) from collecting ZIP codes.  The court also ruled that the plaintiffs did not have to prove identity theft to recover under the statute.  They could instead rely on the fact that they received unwanted marketing materials and that their data was sold to a third party.  The fact that plaintiffs can proceed with their lawsuit without having to show that their information was actually compromised will undoubtedly be used by plaintiffs in data breach litigation to argue that the threshold for injury in such cases is lower than in other cases.

What’s the Takeaway?

What should corporate counsel take from these cases? It is still too early to tell if these cases are outliers or if they mark a new trend in favor of plaintiffs in privacy and data breach cases that will embolden the plaintiffs’ bar.  The most important takeaway for corporate counsel at this stage is that they must, at a minimum, monitor the litigation risks associated with data breaches and other privacy violations so they can advise their companies about these risks, which can in turn consider these risks when building security and privacy into various products and services.


The Cybersecurity Executive Order – Have Your Say!

Posted in Data Security

On February 12th, President Obama issued an Executive Order on Cybersecurity that seeks to improve critical infrastructure cybersecurity in the United States by encouraging sharing of important cybersecurity information between the government and owners and operators of critical infrastructure.  “Critical infrastructure” means systems and assets so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.  Examples can be found here.

To establish this partnership between the government and the private sector, the Order requires that:  (1) the Department of Homeland Security (DHS) must identify critical infrastructure; (2) the National Institute of Standards and Technology (NIST) must develop a framework of standards and procedures to help owners and operators of critical infrastructure identify, assess, and manage cyber risks; and (3) the DHS must work with sector-specific agencies to promote voluntary adoption of the Framework.

Now, pursuant to the Executive Order, private entities affected by the Order are being given an opportunity to have their say in what the standards, procedures, and incentives created by the governmental entities implementing the Order should look like.  The Department of Commerce and NIST have published two documents seeking input from operators and owners of critical infrastructure (and the private sector, generally) on how to develop a cybersecurity framework and promote incentives to improve critical infrastructure cybersecurity. 

NIST Request for Information

On February 26th, NIST issued a request for information from the public (particularly critical infrastructure owners and operators) in an effort to start developing the framework of standards, processes, procedures, and methodologies necessary to reduce cyber risks to critical infrastructure.  The request for information “is looking for current adoption rates and related information for particular standards, guidelines, best practices, and frameworks to determine applicability throughout the critical infrastructure sectors.  The [request] asks for stakeholders to submit ideas, based on their experience and mission/business needs, to assist in prioritizing the work of the Framework, as well as highlighting relevant performance needs of their respective sectors.”

The request includes thirty-three questions in three different subject areas:  current risk management practices; use of frameworks, standards, guidelines, and best practices; and, specific industry practices.  The questions seek opinions on issues like the greatest challenges in improving cybersecurity, the role of national and international standards in critical infrastructure cybersecurity, the use of specific security safeguards, and the existence of current governmental and private security standards. 

Comments in response to this request for information are due by April 8th.  Companies seeking to respond should keep in mind that the responses are a matter of public record, so confidential business or personal information should not be included. 

Department of Commerce’s Notice of Inquiry

The Executive Order required the Department of Commerce to recommend incentives designed to promote participation in the voluntary cybersecurity program.  On March 28th, in an effort to improve its recommendations, the Department of Commerce published a notice of inquiry seeking input from stakeholders on twenty different issues relating to current incentives to strengthen cybersecurity and ways in which those incentives can be improved.  Significantly, responses to this notice will also be used to develop a broader set of recommendations that apply to U.S. industry as a whole, not just critical infrastructure operators and owners.  Some of the issues raised in the notice include the best ways to encourage businesses to invest in cybersecurity; any existing barriers or disincentives that inhibit cybersecurity investments; the differences in incentives for small businesses; how liability structures can be used as incentives; and how to keep incentives updated.

Comments in response to this notice are due by April 29th.  Companies that respond should be aware that their responses are a matter of public record, so comments should not include confidential, proprietary, or business sensitive information.

The Takeaway

The standards/procedures/incentives that will be implemented as a result of the Executive Order on Cybersecurity will be, for the time being, voluntary and limited to critical infrastructure.  Over time, however, we can expect to see “standards creep.”  The standards may be applied to companies that are not owners and operators of critical infrastructure.  Also, the standards will likely become the yardstick by which the reasonableness of a company’s actions to limit cybersecurity risks will be measured, so if the standards do not become legislatively mandatory, they could become mandatory by practice.  The private sector and other organizations that will be affected by these standards, procedures, and incentives have a rare opportunity now to help shape them.  Everyone will benefit from corporate participation in responding to some or all of the questions in these notices.


Busy Day for Cybersecurity in D.C.

Posted in All Things E, Data Security

I’m a big fan of Bloomberg West.  Perhaps more so than almost any other television news program, it does a terrific job of providing both depth and breadth on issues that are important to the technology industry.  Tonight’s report by Megan Hughes about breaking developments on the cybersecurity front today was no exception.  Watch it here:

President Obama Seeks CEO Input on Cyber Battle: Video – Bloomberg.

The highlights:

  • President Obama met with CEOs of major multinational corporations, financial leaders, and big players in critical infrastructure at the White House . . . in the Situation Room.  The parties allegedly discussed the need for cybersecurity legislation and the President’s recent Executive Order on cybersecurity.
  • First Lady Obama’s personal information has allegedly been compromised.  The President used the development to create awareness of the problems posed by hackers and the proliferation of websites where stolen credit card numbers are sold on the black market.
  • The President of Mandiant will be testifying before the U.S. Senate next week.  No doubt, this report by Mandiant will be a significant topic of discussion.
  • The Director of National Intelligence has said that cyberattacks are now considered the #1 threat to U.S. security, replacing terrorism at the top of the list.
  • There were three separate Congressional hearings relating to Cybersecurity today, ranging from criminal prosecution and the FBI to Homeland Security and critical infrastructure to issues relating to funding for cyber initiatives.

In short, the Cyber Battle is on, and it’s going to take a united front between the  Executive branch, Congress, and the private sector for the U.S. to minimize the risks associated with cyber attacks.


New U.S. Supreme Court Decision Will Likely Impact Data Breach Litigation

Posted in Data Breach, Data Security, Lawsuits

The following Data Security Law Journal post was authored by Becky Schwartz, my law partner at Shook Hardy & Bacon.  Becky is an experienced class action litigator who has developed a specialty in privacy litigation.  In this post, Becky discusses a recent U.S. Supreme Court decision that may make it more difficult for consumers to sue companies that suffer data breaches.  Special thanks to Becky for writing about this recent development in the law:

On February 26, 2013, the United States Supreme Court in Clapper v. Amnesty International confirmed a demanding threshold showing for plaintiffs suing based on increased risk of harm in privacy-related litigation.  The decision effectively resolves a circuit split over the application of the Article III standing requirement in data breach cases.  Plaintiffs must show that the threatened harm that establishes their standing to sue is “certainly impending,” not merely “possible.”  Given that many consumers cannot plead or prove that exposure of their data has resulted, or will result, in identity theft or any other financial injury, the high court’s recent decision should prove very useful to companies seeking early dismissal of individual or class action data breach litigation.

The Decision

Clapper involved issues of constitutional privacy arising out of a challenge to a 2008 amendment to the Foreign Intelligence Surveillance Act of 1978 (“FISA”), 50 U.S.C. §1881a.  FISA allows the federal government to conduct surveillance on the electronic communications of non-U.S. persons located outside the United States, but only after obtaining approval from a Foreign Intelligence Surveillance Court (“FISC”).  Plaintiffs in Clapper were several attorneys and human rights, labor, legal, and media organizations who sued to obtain a declaration that FISA is unconstitutional, and to obtain a prospective injunction against the surveillance on the grounds that it would encompass plaintiffs’ own sensitive international communications with individuals believed to be likely targets of the federal government.

Under the well-established Supreme Court precedent of Lujan v. Defenders of Wildlife, to establish Article III standing plaintiffs are required to show an “invasion of a legally protected interest” that is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” along with a causal connection between the injury alleged and the conduct complained of.  The district court dismissed the Clapper complaint upon concluding that plaintiffs had failed to show the requisite “injury in fact” necessary to confer Article III standing.  The Second Circuit reversed, holding that the injuries plaintiffs claimed were sufficiently concrete and imminent.

In the Supreme Court, the Clapper plaintiffs offered two arguments to support their claim of Article III standing.  First, they argued that there was an “objectively reasonable likelihood” that their communications would be monitored under §1881a at some point in the future, thus satisfying the imminent injury requirement.  Second, they claimed that in order to avoid having their confidential communications compromised by surveillance that might occur under §1881a, they had incurred actual harm by undertaking costly and burdensome measures, including international travel to conduct meetings in person, in order to avoid that surveillance.

The Supreme Court rejected both arguments.  First, the Court held that any threatened injury sufficient to confer Article III standing must be “certainly impending,” not merely “possible.”  It found that plaintiffs had not met this standard because their standing argument relied on a “speculative chain of possibilities,” including assumptions about the actions of an independent third party (in that case FISC) – actions that could not be predicted.  The Court expressly refused to “endorse standing theories that rest on speculation about the decisions of independent actors.”

Plaintiffs’ second argument was equally ill-fated.  The Court declined to accept the notion that plaintiffs could “manufacture standing by inflicting harm on themselves based on fear of hypothetical future harm that is not certainly impending.”  Were it to do so, it noted, “an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”

Justice Alito wrote for the majority in this 5-4 decision.

Key Takeaways

Notwithstanding its particular focus on governmental intrusions into privacy, Clapper broadly reinforces a stringent Article III standing requirement applicable in every data breach case where plaintiffs purport to have standing based solely on an increased risk of future harm.

Companies facing data breach litigation can and should consider moving to dismiss the complaint on the grounds that plaintiffs lack Article III standing, and may rely on Clapper to argue that:

  • The mere possibility that a third party criminal might someday misuse information obtained in a data breach is too speculative to demonstrate the “imminent” harm required to establish standing;
  • The actions of third-party hackers and/or criminals are utterly unpredictable; any assertion of standing premised on the probable acts of such persons improperly assumes the existence of a criminal who has both the ability and the desire to act on information obtained by way of a security breach;
  • Consumers cannot be permitted to “manufacture” standing for purposes of data breach litigation by voluntarily incurring costs to monitor their credit or otherwise guard against the mere possibility of harm that has yet to—and may never—materialize.


DISCLAIMER:  The opinions expressed here represent those of Al Saikali or Rebecca Schwartz and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Rebecca Schwartz, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Cyber Espionage — The Threat and The Response

Posted in Data Security, Surveys and studies

Cyber attacks and cyber espionage have been the focus of media attention (again) lately. In addition to the news of Apple, Facebook, the New York Times, the Wall Street Journal, and Twitter all suffering cyber attacks,  two important documents were released this past week.  The first, a report by the data forensic investigation firm, Mandiant, is an in-depth analysis of the threats that Advanced Persistent Threats (APTs) pose to major U.S. companies.  The report received a significant amount of media attention, including this very good New York Times article.  The second document released this week was a report by the Obama administration outlining its strategy in response to the APT threats and the individuals/governments who engage in theft of U.S. trade secrets and cyber espionage.

Mandiant’s Report on Chinese Cyber Attacks

On February 18th, Mandiant issued a report in which it accused the Chinese military of years of cyber attacks (APTs) against over 140 companies, a majority of them American.  The report’s conclusions were based on hundreds of investigations Mandiant conducted, which convinced Mandiant that the groups engaging in these security breaches are based primarily in China and are known by the Chinese government.

Mandiant tracks dozens of APT groups around the world.  APT1 is the most prolific of these groups in terms of quantity of information stolen and has engaged in a cyber espionage campaign against an array of victims since 2006.  APT1 is able to wage such a sustained and extensive cyber espionage campaign because it receives direct government support, Mandiant found.

Here are some other conclusions from Mandiant’s report:

  • APT1 is believed to be a part of the Chinese People’s Liberation Army identified as Unit 61398, which is staffed by hundreds or thousands of people.  The personnel in this unit are trained in computer security and computer network operations.  APT1’s activity has been traced to four large networks in Shanghai.
  • APT1 has systematically stolen hundreds of terabytes of data from at least 141 organizations in 20 major industries, and has demonstrated the capability and intent to steal from dozens of organizations simultaneously.
  • APT1 maintained access to victims’ networks for an average of 356 days, with the longest time period being four years and ten months.
  • APT1 focuses on compromising organizations across a broad range of industries in English-speaking countries.  APT1’s targets are industries that China has identified as strategic to its growth.
  • APT1 maintains an extensive infrastructure of computer systems around the world, with 937 command and control servers hosted on 849 distinct IP addresses in 13 countries.  The majority of these IP addresses are registered to Chinese organizations.
  • Mandiant has released more than 3,000 indicators (domain names, IP addresses, and MD5 hashes of malware) to help victims and potential victims bolster their defenses against APT1 operations.  These indicators can be downloaded here.

Why did Mandiant expose APT1?  Even though exposing APT1 would likely interfere with Mandiant’s ability to secretly collect intelligence on that particular group, Mandiant claims that it exposed APT1 in an effort to arm and prepare security professionals to combat the threat effectively and provide information that would lead to increased understanding and coordinated action in countering APT network breaches generally.  Mandiant “expect[s] reprisals from China as well as an onslaught of criticism” as a result of the report.

The Obama Administration’s Report On Trade Secret Theft

On February 20th, the U.S. Attorney General released a report entitled “Administration Strategy on Mitigating the Theft of U.S. Trade Secrets”, which outlines the Obama Administration’s strategy to promote improved coordination within the U.S. government to protect U.S. trade secrets. The report sets forth the following five-pronged strategy:

  1. Focus diplomatic efforts to protect trade secrets overseas – the Obama administration promises to continue applying sustained and coordinated diplomatic pressure on foreign countries to discourage trade secret theft.
  2. Promote voluntary best practices by private industry to protect trade secrets – examples of areas where private industries could consider voluntary best practices include research and development compartmentalization, information security policies, physical security policies, and human resources policies.
  3. Enhance domestic law enforcement operations – the Department of Justice and FBI will prioritize investigations and prosecutions of corporate and state sponsored trade secret theft.  Law enforcement and intelligence will share information regarding the number and identity of foreign governments involved in trade secret misappropriation, the industrial sectors and types of information and technology targeted by such espionage, the methods used to conduct such espionage, and the dissemination, use, and associated impact of information lost in trade secret misappropriation.
  4. Improve domestic legislation – increasing the criminal penalties for those who engage in economic espionage and other trade secret crimes.
  5. Public awareness and stakeholder outreach – encouraging all stakeholders, including the general public, to be aware of the detrimental effects of misappropriation on trade secret owners and the U.S. economy.  To this end, the administration will conduct educational and outreach efforts through the internet, forums for the private sector, and public outreach by the FBI.

I highly recommend that in-house counsel who are concerned about cyber espionage read the report in full.  It is filled with interesting vignettes of how major U.S.-based companies have been the victims of cyber espionage, and it includes links to some very valuable resources, including this one, which was one of the first major reports to outline the extent of cyber espionage affecting major companies in the U.S.  These resources can help your company learn more about the threats of cyber espionage and ways to minimize those risks.

The Takeaways

So what are the takeaways?  First, cyber espionage is an increasing threat to major U.S. companies, particularly those in the technology, science, pharmaceutical, and defense industries.  Second, a growing body of evidence shows us that the APT groups primarily responsible for cyber espionage are originating in China and may be supported directly by the Chinese government.  Perhaps most importantly, however, there are steps that companies can and must take proactively to limit the risks associated with APTs, including the adoption of administrative safeguards (policies, procedures, and employee training that limit the likelihood that APTs, particularly those that target social behavior, will penetrate a company’s network) and technical safeguards (like the resources provided by Mandiant in its report, the establishment of firewalls, and the installation of spam filtering, monitoring and anti-malware software).

Given the findings of the Mandiant report and the Obama administration’s steps towards fighting cyber espionage, businesses cannot close their eyes to this threat and hope it will go away or won’t happen to them.  They must begin defending themselves now.

UPDATE:  Demonstrating the timeliness of this subject, the NY Times just went to press with this important article about the political implications of this issue.

The White House Issues Executive Order On Cybersecurity

Posted in Data Security

Yesterday, President Obama issued an Executive Order to improve critical infrastructure cybersecurity in the United States.  The Order attempts to facilitate sharing of important information between the federal government and certain critical infrastructure in an effort to protect that infrastructure against cyber intrusions.  The Order, which was formally announced and became effective during the President’s State of the Union address, requires the following:

  • Within 120 days, the Attorney General, the Secretary of Homeland Security (Secretary), and the Director of National Intelligence must each issue instructions to ensure the timely production and rapid dissemination of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity.
  • Within 120 days, the Secretary shall establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors.  This voluntary information sharing program will provide classified cyber threat and technical information from the government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.
  • Within 150 days, identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.
  • The Secretary must expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators.
  • The Secretary shall expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis, so that those individuals can provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.
  • Establish certain privacy and civil liberties protections, requiring that agencies and the Department of Homeland Security coordinate their activities under the Order so that privacy and civil liberties protections are incorporated into those activities.
  • Information submitted voluntarily by private entities under the Order must be protected from disclosure.
  • The Secretary must establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure.

Within 240 days, the National Institute of Standards and Technology will publish a framework to reduce cyber risks to critical infrastructure.  By February 12, 2014, a final version of this framework shall be published. This framework must do the following:

  • Include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
  • Incorporate voluntary consensus standards and industry best practices to the fullest extent possible.
  • Be consistent with voluntary international standards when such international standards will advance the objectives of the Order, and shall meet the requirements of certain federal legislation.
  • Provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk.
  • Focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure.
  • Identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations.
  • Provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.
  • Include guidance for measuring the performance of an entity in implementing the framework.
  • Include methodologies to identify and mitigate impacts of the framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.

The Secretary must also establish a Voluntary Critical Infrastructure Cybersecurity Program to support the adoption of this framework.

It will be interesting to see what standards are adopted by NIST as a result of this Order and how those standards are received by affected organizations; whether those security standards become the new method for measuring whether a company’s security measures are “reasonable”; and whether there will be any constitutional challenges to the order (i.e., that the Order is essentially legislation, within the purview of Congress, not the President).

Identity Theft – Who Is A Victim?

Posted in Data Security, Lawsuits

Are you a victim of identity theft when your personally identifiable information is stolen?  Is the theft alone, and the risk that your information may be misused, sufficient?  Does your information have to be misused in some fraudulent manner before you can be considered a victim?

A federal appellate court recently weighed in on these issues and decided that the theft of personally identifiable information, and even the sale of personally identifiable information, are not enough for someone to be considered a “victim” under criminal sentencing guidelines.

In U.S. v. Hall, No. 11-14698 (11th Cir. Jan. 16, 2013), the United States Court of Appeals for the Eleventh Circuit addressed the issue of what it means to be an identity theft victim.  The criminal defendant in Hall was an office assistant at a gynecological and obstetric health care office.  As part of her job, she was authorized to access patient files and copy patient information to fulfill her job duties.  Sensitive information in the files included patient names, dates of birth, social security numbers, and medical information.  The defendant provided this information via text messages to unauthorized individuals who in turn provided the information to organizers of the criminal scheme.  The defendant was promised $200 for each individual’s information or $1,000 if the information was successfully used to create a fraudulent account.  In total, the defendant received only $200, but she provided information about 65 to 141 individuals.  The defendant pled guilty to conspiracy to commit bank fraud, conspiracy to commit identity theft and access device fraud, and wrongfully obtaining and transferring individually identifiable health information for personal gain.

At sentencing, the District Court increased the defendant’s sentence because it found that the offense involved more than 50 victims.  The court rejected the defendant’s argument that the mere transfer or sale of the identifying information did not equate to the actual “use” of the information, so there were only 12 victims.

On appeal, the Eleventh Circuit reversed the District Court and held that while the 12 individuals whose information was used to obtain fraudulent credit cards are victims, the remaining individuals whose information was merely transferred or sold but not actually used for fraudulent purposes were not victims.  The court recognized a “paucity of helpful case law” on the issue.  Nevertheless, the court interpreted the term “use” to require the type of “action and implementation” that did not occur in this case.  Here, the mere sale of the information to the co-conspirators did not implement the purpose of the conspiracy (to obtain cash advances and purchase items by using fraudulent credit cards).  Accordingly, the court ruled that “[t]he personal identifying information was not used, as that term is ordinarily understood, until [the defendant’s] co-conspirators secured the fraudulent credit cards.  At that point, the 12 individuals whose personal information was compromised became victims.”  The sentence imposed by the District Court was therefore reversed.

What Are The Takeaways?

A few important takeaways should be drawn from this decision:

  • The underlying facts are a reminder that employee misconduct continues to be a significant point of exposure for companies that maintain sensitive information.  The sale of personally identifiable information on the black market can be a lucrative incentive for some employees to misuse their access to sensitive information.  Shore up your administrative and technical safeguards!
  • The decision may be used to support the proposition that, at least within the Eleventh Circuit, the mere access, acquisition, transfer, or sale of your personally identifiable information does not make you an identity theft victim.  It is the use of the information for fraudulent purposes that makes you an identity theft victim.  Keep in mind, however, this interpretation is for the sole purpose of defining the term “identity theft victim” for sentencing guideline purposes.
  • Finally, it will be interesting to see what impact, if any, the Eleventh Circuit’s definition of identity theft victim has on the question of what constitutes cognizable harm for civil litigation purposes.  (The Eleventh Circuit recently allowed this data breach class action to proceed.)
