Coming to a Government Contract Near You: Mandatory Information Safeguarding Requirements

Justin A. ChiarodoPhilip E. Beshara, and Heather L. Petrovich

The government recently finalized a sweeping amendment to the Federal Acquisition Regulation (“FAR”) that will impose basic information system safeguarding requirements on many federal acquisitions, marking the latest in the continuing government effort to regulate and enhance cybersecurity protections in the industry. The Final Rule, effective June 15, 2016, imposes fifteen basic safeguarding requirements for contractors with information systems containing information provided by, or generated for, the government under a federal contract.

Though many contractors likely maintain information security standards that meet or exceed the new rule, they should confirm their compliance status by assessing these requirements against their current cybersecurity compliance program (to help mitigate the risk of a breach of contract claim or more serious enforcement action). This should include confirming that the requirement is flowed down to subcontractors where appropriate.

The new Rule (available here) broadly applies to all federal contractors and subcontractors with information systems that process, store, or transmit “federal contract information” (i.e., information provided by, or generated for, the government under a federal contract). These safeguarding requirements will be imposed on most acquisitions (including acquisitions below the simplified acquisition threshold and commercial item procurements). The only exception is the acquisition of commercial-off-the-shelf (“COTS”) items. Contractors and subcontractors must also flow down the requirements to all subcontracts where the subcontractor may have federal contract information residing in—or transiting through—its information systems.

While the Rule imposes 15 new requirements, they are characterized as “basic” security controls. Indeed, many companies will already be familiar with these standards, as most, if not all, are employed as standard best practices. Several are drawn directly from the National Institute of Standards and Technology (“NIST”) guidelines applicable to federal agencies. Importantly, the Rule does not impact the considerably higher safeguarding standards governing contractors dealing with Controlled Unclassified Information (“CUI”) or classified information.

Compliance with these safeguards may not only shield a contractor from liability in the event of an inadvertent release of information, but as the government indicated in its commenting on the Rule, the failure of a contractor to maintain the required safeguards may constitute a breach of a contract. Nonetheless, the security controls set forth in the Rule represent standard industry best practices and should be implemented by any prudent contractor regardless of the presence of covered information. To this end, any company doing business with the federal government should look to these guidelines as representative of the types of essential practices it should employ.

The Final Rule will be implemented through FAR Subpart 4.19 and a new contract clause (FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”). The 15 requirements are set forth below:

  1. Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
  2. Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
  3. Verify and control/limit connections to and use of external information systems.
  4. Control information posted or processed on publicly accessible information systems.
  5. Identify information system users, processes acting on behalf of users, or devices.
  6. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  7. Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
  8. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
  9. Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.
  10. Monitor, control, and protect organizational communications (e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
  11. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
  12. Identify, report, and correct information and information system flaws in a timely manner.
  13. Provide protection from malicious code at appropriate locations within organizational information systems.
  14. Update malicious code protection mechanisms when new releases are available.
  15. Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

Unforeseen Consequences of Hacking: When Someone Wants To Use Your Cybercrime Misfortune Against You In A Litigation

Michelle Gitlitz Courtney and D. Morgan Barry

Companies that are hacked face a range of repercussions, such as notifying clients and customers that the privacy of their information has been compromised and implementing a new security system. In July 2015, it was highly publicized that the extramarital affair dating website Ashley Madison was hacked and the names of thousands of cheating men and women were disclosed to the public. While hacks often lead to the filing of class action complaints concerning inadequate cybersecurity measures, here, the plaintiffs’ counsel took an unprecedented position: they sought to use the content of press articles that cited to the leaked documents (including privileged documents) in the multidistrict class action lawsuit.[1]

The class action plaintiffs in the Ashley Madison litigation attempted to use the hacked documents to support their claims that Avid Dating Life (“Avid Dating”), the owner of the extramarital affair website, failed to properly secure users’ confidential information and committed fraud by maintaining fake female profiles on the website

Upon notice of Plaintiffs’ intention to use the documents, Avid Dating sought a restraining order to prevent Plaintiffs’ use of the documents that were disclosed as a result of the hack. Avid Dating asserted that the use of stolen documents in a litigation is against federal case law, state case law, the Rules of Professional Conduct, and ethics opinions. Supporting Avid Dating were the Amici Does, former users of the adultery website.

In response, Plaintiffs argued that they should be able to use news and media articles discussing the hacked documents (including privileged documents) in their class action complaint because Plaintiffs had no involvement in the hack, the documents were widely disseminated on the internet and in the media, Plaintiffs did not intend to use the stolen documents themselves, but instead use media reports that referenced the stolen documents, and the documents demonstrated Avid Dating’s own wrongful acts.

In a thoughtful, ten-page decision on April 29, 2016, Judge Ross of the Eastern District of Missouri ruled that Plaintiffs were not permitted to use the stolen documents or media reports referencing the documents.[2] Judge Ross did not consider Plaintiff’s innocence in the hack or the fact that the documents were already referenced in news publications to be influential in his decision. Because the documents were stolen and use of stolen documents compromises judicial integrity, Plaintiffs were not permitted to use the documents—end of story.

Judge Ross acknowledged the ethical dilemma in protecting from disclosure privileged hacked documents that showed wrongdoing on the part of Avid Dating: “[h]owever distasteful it may be that some of the e-mail communications between Avid and its counsel may show wrongful or inappropriate conduct, the Court cannot and will not allow Plaintiffs to take advantage of the work of hackers to access documents outside the context of formal discovery.”[3]

[1] In re Ashley Madison Customer Data Sec. Breach Litig., No. 4:15-md-02669 (E.D. Mo. Dec. 9, 2015).

[2] Id. pg. 8.

[3] Id.

The Biggest Cybersecurity Threat: The Energy Sector

Michael Krancer
Follow: @MikeKrancer 

Cybersecurity has been at the forefront of the news for several years. Coverage of the space usually focuses on a breach at a consumer-facing company, resulting in people’s credit cards, bank and personal records being stolen. As bad as these kinds of incidents are, however, we have thus far avoided cybersecurity threats that pose far larger and scarier problems. It’s cyber attacks on the energy space, not the consumer credit space, that could cripple the United States — or any country — as well as bring about a collapse of order and society that most of us associate with apocalyptical scenarios.

Hollywood has picked up on this theme, producing a film earlier this year, Blackhat, which Wired called “the best hacker movie ever made.” The movie’s premise centers on the meltdown of a Hong Kong nuclear plant as a result of targeting by hackers. It takes much of its inspiration from Stuxnet, a malicious computer worm that the United States used to destroy a fifth of Iran’s uranium-enriching centrifuges. But the threat currently facing the world isn’t one dreamed up by Hollywood; it’s real. A congressional commission estimated that a large-scale blackout, if prolonged, could lead to 90% of the United States’ population perishing from disease, lack of food and general societal breakdown.

My team and I recently detailed these threats in an article for The Legal Intelligencer. The analysis of the piece runs quite deep, delving into some arcane aspects of state-level and federal-level legislation that look to address the threat from cyber attacks on the energy sector. Our examination in The Legal Intelligencer provides for some critical takeaways. Along with my Blank Rome co-authors on the paper, Margaret Anne Hill and Tom Duncan, I have closely studied the kind of domino effects yielded by particularly potent attacks on the information systems of our energy infrastructure. The conclusions we put forth should give all of us pause.

One very interesting tidbit:

According to a Wall Street Journal report, a survey of 625 IT executives in the U.S., U.K., France, and Germany found that 48 percent said they think it is likely there will be a cyber-attack on critical infrastructure, including energy infrastructure, in the next three years that will result in the loss of life. The costs of cybersecurity are also increasing at an alarming rate. For example, JPMorgan Chase’s annual cybersecurity expenditures are expected to double to $500 million within the next five years.

What continues to be clear through all of this — be it our examination or even the movie Blackhat, whose plot isn’t as hyperbolic as some might think — is that putting controls and measures in place to ensure the cybersecurity of our energy infrastructure should be a task of paramount importance.

The United States used to worry about the Soviets approaching with their ballistic missiles and bombers from the top of the world, flying over the North Pole. While the Soviet threat has faded, the Russians now sport a potent capacity to attack silently via the Web with malicious code. Theirs is just one of the many state-sponsored and now terrorist-sponsored cells who can execute a debilitating cyber attack. Just as we used to meet the Soviets with our own national ingenuity and will (and fighter jets), we need to meet this newer threat with equal vigilance.

Michael L. Krancer is Partner & Energy, Petrochemical and Natural Resources Practice Group Leader at Blank Rome LLP and a former secretary of the Pennsylvania Department of Environmental Protection. His blog,Energy Trends Watch, follows developments in energy, petrochemical and natural resources.

“The Biggest Cybersecurity Threat: The Energy Sector,” by Michael L. Krancer, was published by Forbes on November 4, 2015. To read the article online, please click here.

Energy Sector Beware: Cybersecurity Now Top Security Threat

Michael L. Krancer, Margaret Anne Hill, Thomas M. Duncan, and Frank L. Tamulonis III

What is the No. 1 worldwide security threat? The answer is cybersecurity. This is especially so for our critical energy production and delivery infrastructure.

A cyberattack presents the risk of unfathomable asymmetrical physical damage to life and property, as well as the potential for flat-lining the enterprise value of any targeted company. A congressional commission has estimated that in a prolonged nationwide blackout (in the context of an electromagnetic pulse attack), about 90 percent of the U.S. population would be dead from disease, lack of food and resources, and societal breakdown. That 90 percent won’t care whether the nation was struck by an EMP attack or a cyberattack.

According to the U.S. Department of Homeland Security (DHS), over the past several years the energy sector has incurred the greatest number of cybersecurity incidents. The Pennsylvania Public Utility Commission held a multiagency summit on cybersecurity Oct. 1, which was intentionally timed with National Cybersecurity Awareness Month. The PUC, to its credit, gathered in one room the DHS, as well as state and local agencies including the Office of Administration, the Pennsylvania Emergency Management Agency, the Pennsylvania State Police, the Pennsylvania Office of Homeland Security, and several large utilities to vet this problem and talk about preparedness, prevention and solutions.

So far, so good in Pennsylvania in getting the job done to protect critical energy infrastructure from cyberattacks. But, the summit stressed that the danger is not going away and that we must constantly work together to stay vigilant. Indeed we must. According to a Wall Street Journal report, a survey of 625 IT executives in the United States and Europe found that 48 percent said they think it is likely there will be a cyberattack on critical infrastructure, including energy infrastructure, in the next three years that will result in the loss of life. The costs of cybersecurity are also increasing at an alarming rate.

What are the threats, you ask? They are too numerous to list in this article, but here are a few: the Havex Trojan targets industrial control systems after it is mistakenly downloaded by customers; malware called BlackEnergy has targeted systems used in nuclear power plants; and an Iranian hacking campaign is under way that the FBI believes may be targeting the energy and defense industries. The Chinese, Russians and North Koreans can be added to the list of “usual suspects” as cybercrime, cyberespionage and cybersabotage have increasingly become their weapons of choice lately—and recent events show they are good and getting better at it. ISIS is also considered a dire threat in this regard.

In fact, nationalized cyberweaponization has become the norm for our enemies. According to Director of National Intelligence James Clapper, Russia’s Ministry of Defence is establishing its own cyber-command, which is expected to conduct offensive cyberactivities such as inserting malware into enemy command and control systems. In May 2014, the U.S. Department of Justice indicted five officers from China’s People’s Liberation Army on charges of hacking U.S. companies.

The highly interconnected nature of the national power grid and the increasing pressure placed on grid reliability by federal and state policies, including the U.S. Environmental Protection Agency’s recently issued Clean Power Plan and states’ renewable portfolio standards, could exacerbate the impacts of a cyberattack on energy infrastructure and potentially lead to “cascading blackouts.”

Power generation and delivery are not alone, of course. The oil and gas sectors are inviting targets as well. Some experts say that particular vulnerabilities exist at “single-point” assets such as refineries, storage terminals and other buildings, as well as “networked features” such as pipelines and cybersystems. Enemies may focus on a large-scale attack with the goal of temporarily halting the supply of oil and gas or even to create an environmental disaster.

Reminiscent of the time after World War I in which the world’s powers were sucked up in the vortex of a naval arms race and in came the Washington Naval Treaty of 1922, today’s superpowers are now doing something similar. President Obama appeared with Chinese President Xi Jinping on Sept. 25 to announce that the United States and China had reached an agreement on a number of issues related to cybersecurity. This U.S.-China agreement comes on the heels of China’s May cybersecurity agreement with Russia, and China’s recent attempt to enact laws requiring foreign firms operating in China to use China-approved encryption and reveal all source code for inspection. In the agreement, the United States and China agreed to cooperate “with requests to investigate cybercrimes, collect electronic evidence, and mitigate malicious cyberactivity emanating from their territory” and “to provide updates on the status and results of those investigations.” To review the timeliness and quality of responses to these requests, both countries have agreed “to establish a high-level joint dialogue mechanism on fighting cybercrime and related issues.”

In addition to this recent agreement, the United States and China are believed to have a framework in place for a cyberwarfare agreement that would prohibit either country from launching an initial cyberattack on the other’s critical infrastructure during peacetime. One hopes for, but experience shows cannot count on, better success now on cybersecurity than with the Washington Naval Conference.

Additional American domestic efforts to improve national cybersecurity are coming from both the executive and legislative branches. Executive Order 13636 requires the National Institute of Standards and Technology, part of the U.S. Department of Commerce, to create a framework to reduce cybersecurity risk for organizations within critical infrastructure sectors, including the energy sector. The framework is based on existing standards, guidelines and practices. Compliance with the framework, however, is voluntary.

The Department of Energy’s Office of Electricity Delivery and Energy Reliability also focuses on cybersecurity and works with the DHS, industry, and other agencies to reduce the risk of energy disruptions from cyberattacks. The office designed the Cybersecurity for Energy Delivery Systems (CEDS) program to assist the energy sector asset owners (electric, oil and gas) by developing cybersecurity solutions for energy delivery systems through integrated planning and a focused research and development effort. CEDS co-funds projects with industry partners to make advances in cybersecurity capabilities for energy delivery systems.

The Department of Energy’s Oil and Natural Gas Subsector Cybersecurity Capability Maturity Model (ONG-C2M2), developed in partnership with the DHS, is an 83-page document that helps improve cybersecurity capabilities and includes reference material and implementation guidance specifically tailored for the oil and natural gas segments of the energy sector. The model can be used to strengthen cybersecurity capabilities in the ONG subsector; enable ONG organizations to effectively and consistently evaluate and benchmark cybersecurity capabilities; share knowledge, best practices and relevant references within the subsector as a means to improve cybersecurity capabilities; and enable ONG organizations to prioritize actions and investments to improve cybersecurity. The ONG-C2M2 is designed for use with a self-evaluation methodology and toolkit.

Before the Senate now is a bill sponsored by Sen. Richard Burr, R-North Carolina, S 754, the “Cybersecurity Information Sharing Act” (CISA), which requires the director of national intelligence, the DHS secretary, the secretary of Defense, and the U.S. attorney general to create a system to promote the sharing of a broad range of cybersecurity information.

CISA would give private entities, including oil and gas companies, greater liability protection for sharing personal data related to certain cybersecurity information. CISA has faced strong opposition, mainly due to concerns that it may impinge on individuals’ Fourth Amendment right to privacy. If agencies are to store personal information, they must maintain highly sophisticated cybersecurity systems. CISA, however, does not include any requirements or funds to promote these systems. Twenty-two amendments are on the Senate floor, many of which limit the events that provide legal immunity and reduce the ability for agencies to share information with one another. The DHS has expressed concern because the bill allows other agencies to collect this information, potentially reducing the DHS’s current role in this space.

Others have criticized CISA for not going far enough. CISA only creates a framework for information-sharing intended to allow agencies to identify how best to protect against future cyberattacks. What some expect, or hope, to follow CISA is ultimately the enactment of minimum standards for corporate cybersecurity systems. A vote on the bill is expected soon.

Pennsylvania is acting as well, with the PUC in particular showing exemplary leadership. Public utilities are required to develop and maintain a written cybersecurity plan under 52 Pa. Code Sections 101.1-101.7. The PUC took the occasion of its October cybersecurity summit to release its second edition of the PUC “Cybersecurity Best Practices for Small and Medium Pennsylvania Utilities.” The best-practices document is available on the PUC’s website ( The document is a magnum opus loaded with information including ways to prevent identity or property theft; how to manage vendors and contractors who may have access to a company’s data; what to know about antivirus software, firewalls and network infrastructure; how to protect physical assets, such as a computer in a remote location or a misplaced employee device; how to respond to a cyberattack and preserve forensic information after the fact; how to report incidents; the potential benefits of engaging a law firm in advance of a breach; and a list of federal cyberincident resources.

In light of the enormous asymmetrical physical and financial damage that cyberattacks can inflict, as well as our apparent vulnerability to those attacks, one thing is clear: A good defense (and perhaps even offense) against such mischief is going to require not only continued efforts, but also an ever-increasing amount of attention, teamwork, effort, and human and financial capital investment going forward.

“Energy Sector Beware: Cybersecurity Now Top Security Threat,” by Michael L. Krancer, Margaret Anne Hill, Thomas M. Duncan, and Frank L. Tamulonis III was published in The Legal Intelligencer on October 16, 2015. To read the article online, please click here.

Cybersecurity Claim Under CGL Policy Prevails Against Strong Insurance Industry Pushback, As Fourth Circuit Upholds Policyholder’s Coverage For Data Breach Claims

Kevin J. Bruno and Charrise L. Alexander

On April 11, 2016, the United States Court of Appeals for the Fourth Circuit made headlines by holding that a commercial general liability (“CGL”) policy covers the defense of a data breach-related class action lawsuit. In Travelers Indem. Co. of Am. v. Portal Healthcare Solutions, LLC, No. 13-1944 (4th Cir. Apr. 11, 2016), the Fourth Circuit affirmed a 2014 decision from the Eastern District of Virginia holding that Travelers Indemnity Company of America (“Travelers”) has a duty to defend its insured, Portal Healthcare Solutions, LLC (“Portal”), in a 2013 class action lawsuit filed in New York State Court. This is a major victory for policyholders, in particular for those with potential cybersecurity-related claims under CGL policies without a cybersecurity exclusion. Attempts by the insurance industry to downplay the significance of this ruling are unavailing, and contrary to the arguments made before the court by various insurance industry trade groups, which had warned that a ruling in the policyholder’s favor would “undermine the certainty and predictability” necessary for the proper functioning of the insurance marketplace. In addition, and although policyholders going forward are well-advised to consider purchasing cyber/data breach insurance policies given the prevalence of cyber-related exclusions in current CGL forms, the Fourth Circuit’s interpretation of the coverage-defining term “publication” will have a much broader, policyholder favorable application in many other insurance claim contexts.


Two patients of Glen Falls Hospital alleged that when they conducted a search for themselves on Google, the first link that appeared was a direct link to their respective Glen Falls medical records. The underlying class action followed in April 2013, which was filed in New York State Court, and alleged that Portal, a business specializing in the electronic safekeeping of medical records, failed to secure a server containing confidential records for patients, making the records available for anyone to view online. Specifically, plaintiffs alleged that Glen Falls patients’ medical records were “accessible, viewable, copyable, printable, and downloadable from the Internet by unauthorized persons without security restriction from November 2, 2012 to March 14, 2013.” Portal had two CGL polices, both issued by Travelers for the policy periods of 2012 and 2013. The policies provided coverage for the “electronic publication of material that…discloses information about a person’s private life.” Travelers denied coverage and preemptively sued Portal in Virginia Federal Court.

Procedural History

In the coverage case, Travelers moved for summary judgment seeking a declaration that it does not have a duty to defend Portal in the class action suit. Portal also moved for summary judgment seeking an order compelling Travelers to defend. In its August 2014 decision, U.S. District Judge Gerald Bruce Lee found that Travelers has a duty to defend Portal because “making confidential medical records publicly accessible via an Internet search does fall within the plain meaning of ‘publication,’” thereby triggering the personal and advertising injury coverage provision in the insurer’s CGL policy. Travelers appealed.

The Fourth Circuit’s Ruling

The Fourth Circuit affirmed the District Court’s decision and ruled that Judge Lee correctly followed the “eight corners” rule by comparing the allegations of the complaint to the language of the policy. Additionally, the Fourth Circuit found that Judge Lee properly recognized that insurers must “use ‘language clear enough to avoid…ambiguity’ if there are particular types of coverage that it does not want to provide.”

The Fourth Circuit held that “[p]ut succinctly, we agree with the opinion that Travelers has a duty to defend Portal against the class-action complaint,” and that “[g]iven the eight corners of the pertinent documents, Travelers’ efforts to parse alternative dictionary definitions [of ‘publication’] do not absolve it of the duty to defend Portal.” To better understand the Fourth Circuit’s ruling, it is best to analyze the District Court’s ruling in more detail. Judge Lee first noted that the policies contained two prerequisites to coverage. First, there must have been a “publication,” which is undefined in the policies. Second, the published material must “give unreasonable publicity” to or disclose information about a person’s private life. Applying Traveler’s proposed dictionary definition of “publication,” the District Court reasoned that exposing medical records online placed a patient’s information before the public, which fell within the plain meaning of “publication.” Second, Judge Lee concluded that public availability of a patient’s confidential medical record constitutes “unreasonable publicity” to a patient’s private life and “disclose[d]” information about the patient’s private life.”

Significantly, for this and related claims, the District Court also rejected Travelers’ arguments that because Portal did not intend to publish the medical information and because there is no evidence that any third parties viewed the information, the policy does not cover the underlying allegations. Instead, “unintentional publication is still a publication.” Furthermore, Judge Lee reasoned that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.”


Portal Healthcare is a victory for policyholders and highlights that coverage may exist under their CGL policies through the “personal and advertising liability” coverage for liabilities relating to the disclosure, or “publication,” of personal information. In a digital age, where companies and individuals increasingly rely on the Internet in their personal and commercial activities, this ruling is critical because the issue of what constitutes “publication” in an Internet context can and will arise in a multitude of situations. Simply put, data breaches are not all about third-party intentional “hacking” anymore. It is refreshing, and for many policyholders about time, that our courts have begun to recognize that the “old school” way of viewing what constitutes a “publication” in an insurance context must come into line with today’s reality, a reality that must fully account for the rather amorphous character of the Internet. In this regard, note the discussion before the court regarding the steps that must be taken by Google in order for material, including plaintiffs’ medical records, to be indexed and made fully searchable on the web.

We finish with a word of caution—while policyholders should be optimistic, they should also carefully evaluate their insurance policies and coverage needs. In more recent years (generally 2014), the CGL ISO policy form and many CGL polices have been amended and now contain exclusions, or other language that excludes coverage for data breaches or other cyber security risks. And as highlighted by the American Insurance Association and Complex Insurance Claims Litigation Associates, which both filed an amicus brief in this case, over the past several years there has been a growing market for policies specifically tailored for cyber related claims. Policyholders should be mindful of those exclusions in their CGL policies, carefully examine their risks and insurance needs, and may need to look to other coverage products, such as cybersecurity policies, to fill any gaps in coverage.

Data Breach Negligence Claims Not Recognized in Pennsylvania

By Steven L. Caponi and Elizabeth A. Sloan

163751742In an important and well-reasoned 12-page decision, Judge Wettick of the Court of Common Pleas of Allegheny County refused to create a common law duty to protect and secure confidential information. The decision was issued in the matter of Dittman v. UPMC, which was filed on behalf of over 62,000 plaintiffs. Although not binding state-wide, Judge Wettick’s decision represents an important step in the development of privacy law in Pennsylvania.

The complaint was filed against the University of Pittsburg Medical Center (“UPMC”) after names, birthdates, social security numbers, confidential tax information, addresses, salaries, and bank account information pertaining to current and former employees was stolen from UPMC’s computer systems. The plaintiffs alleged that UPMC had a common law “duty to protect the private, highly sensitive, confidential and personal financial information, and the tax documents of plaintiffs and the members of the proposed class.” The complaint claimed that UPMC violated this duty when it failed to “exercise reasonable care to protect and secure the information.”

Advocating for more than simple recognition of a general duty, the Dittman plaintiffs sought court imposition of very specific and onerous duties on UMPC. Given the nature of the employee/employer relationship, the plaintiffs argued that UPMC’s duties included the obligation to design, maintain, and test “its security systems to ensure that [] the members of the proposed Classes personal and financial information … was adequately secured and protected.” It was further argued that “UPMC [] had a duty to implement processes that would detect a breach of its security systems in a timely manner.” Lastly, the plaintiffs argued that UPMC should be liable for its failure to meet industry standards in the face of a risk that was reasonably foreseeable.

Judge Wettick’s decision is important not only for its ultimate holding, finding no common law cause of action for data breaches, but also for the three lines of thought relied upon to support his conclusion. Specifically, Judge Wettick found: (1) Pennsylvania’s economic loss doctrine precludes a negligence cause of action for economic loss stemming from a data breach; (2) public policy considerations mitigated against the creation of an affirmative duty of care in connection with data breach cases; and (3) the Pennsylvania General Assembly’s prior actions evidenced an intent not to impose such a duty.

With regard to the economic loss doctrine, the court noted that the UPMC employees sustained only economic losses resulting from the improper actions of third-party bad actors. With this finding in hand, the court turned to the economic loss doctrine and affirmed that “no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage.” Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841 (Pa. 2009). Seeking to overcome the economic loss doctrine, the Dittmer plaintiffs invoked Pennsylvania Supreme Court case law, including Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa.2012), to suggest the court should impose a common law duty of care on those who maintain the confidential data of third parties. The court rejected this argument as an improper effort to undermine the economic loss doctrine.

The court went on, however, to consider the factors articulated in Seebold and concluded “the controlling factors are the consequences of imposing a duty upon the actor and the overall public interest in the proposed solution.” Recognizing the magnitude of the problem, the court noted that “data breaches are widespread … frequently occur because of sophisticated criminal activity of third persons … [and] [t]here is not a safe harbor for entities storing confidential information.” Judge Wettick further noted that the imposition of a new duty was unnecessary because entities who store confidential information already have a strong incentive to protect the data and avoid the disastrous operational consequences resulting from a breach.

Addressing the public policy component of Seebold, the court adopted a very practical approach.  Judge Wettick determined that the creation of a new duty would expose Pennsylvania courts to the “filing each year of possibly hundreds of thousands of lawsuits by persons whose confidential information may be in the hands of third persons”—a burden the courts are not equipped to handle. He further recognized that there is an absence of guidance as to what actions constitute reasonable care, and allowing juries to determine what constitutes reasonable care is not a “viable method for resolving the difficult issue of the minimum requirements of care that should be imposed in data breach litigation.” Lastly, the court took notice of the fact that creation of a new cause of action would require companies to expend substantial resources defending lawsuits even though the entities “were victims of the same criminal activity as the plaintiffs.”

The court concluded its analysis into the propriety of creating a common law duty by noting that the Pennsylvania General Assembly extensively considered the issues surrounding data breaches when enacting the Breach of Personal Information Notification Act (the “Act”). 73 P.S. § 2301, et seq. (effective June 20, 2006). Notably, the Act did not establish a duty of care or a private cause of action. Rather, the Act created only a notification obligation in the event of a breach.  Had the General Assembly wished to impose a new duty, it had the opportunity to do so.  Exercising judicial restraint, Judge Wettick concluded “[i]t is not for the courts to alter the direction of the General Assembly because public policy is a matter for the Legislature.”

While Judge Wettick’s decision will surely not be the last word on liability stemming from data breach cases in Pennsylvania, it is highly instructive, well-reasoned, and likely to be followed by other Pennsylvania courts. A copy of the Judge Wettick’s decision can be obtained here.

And The Survey Says . . . GCs Need More Cybersecurity And Social Media Training

By Jeffrey Rosenthal

Social Media AppsBecoming better versed in issues surrounding cybersecurity and social media risk would greatly benefit general counsel at publicly traded companies, according to a recent survey of executive leadership.

In May 2015, a survey of 5,000 directors, board chairs and CEOs of publicly traded companies—sponsored by executive search firm BakerGilmore, and NYSE Governance Services—was released.  The survey was conducted in February and March of 2015.

Among the questions asked was the areas in which executives felt their general counsel would most benefit from gaining additional expertise so to add value to their company.  The overwhelming favorite: Cybersecurity risk—chosen by 67 percent of the executives surveyed.  The next closest answer was social media risk (39 percent), followed by crisis management (30 percent).

In fact, only 5 percent of respondents assessed their general counsel’s grasp of the issues surrounding cybersecurity as “excellent”; 44 percent characterized it as “good”; and 47 percent as only “fair.”  Likewise, only 7 percent rated their general counsel’s working knowledge of social media risk as “excellent.”

“Not surprisingly, as the corporate world continues to grapple with fallout in the modern cyber era, directors believe general counsel would most benefit from additional education in cybersecurity and social media, areas in which many directors are admittedly lacking in expertise,” wrote the survey’s authors.

But there was also positive news for in-house lawyers:  General counsel are “much more likely” to be considered key members of the management team nowadays, as compared to a decade ago.  “Overall, general counsel are being lauded for their strategic contributions as well as pragmatic ones, making them increasingly valued members of the executive team,” the survey concluded.

A copy of the survey, entitled “GCs” Adding Value to the C-Suite,” is available here.

Old Dog New Tricks

By Steven L. Caponi and Kate B. Belmont


The maritime community is sitting on the precipice of disaster. While regarded as one of the oldest and most well respected industries on the planet, the maritime community as a whole has failed to protect itself against the growing threat of cybercriminals. Methods of daily business transactions have failed to evolve and the reliance on out-dated technology with little to no cybersecurity protection has left many sections of the maritime community vulnerable to cyber-attack. The bunker fuel industry, in particular, has been recently faced with growing and continual threats, due to its outmoded business practices and its failure to employ the most efficient and reliable forms of cybersecurity protection.

As technology has evolved, dependence on technology has also increased. While technological advances may make work easier or faster, it has also created new threats and vulnerabilities for industries that rely too heavily on it, without employing the proper protections. Unfortunately, the bunker fuel industry is a prime example of a community that relies on shared technology and communication information, but has failed to implement the appropriate cybersecurity protections. As a result, the bunker fuel industry is a current target for today’s cybercriminals.

Like money, bunker fuel is a highly valuable and fungible commodity. It is estimated that, by 2020, worldwide sales of bunker fuel will reach 500 million tonnes per year. Using an average price of approximately $750 per metric tonne (mt) of MDO, suggests there will be nearly $500 billion in annual bunker fuel sales. Without a doubt, the bunker industry is a critical component of the maritime community and the global economy. That said, industries that are slow to change take significant and daily risks when methods of doing business fail to evolve to meet the growing threat posed by more sophisticated criminals. In common military/security parlance, this makes the bunker fuel industry a ‘soft target’ for cyber criminals.

In the bunker fuel industry, thousands of daily quotations, sales and payment transactions take place electronically. The principle means of communications for these transactions is through email communications. This has been, and continues to be, the Achilles heel for the bunker fuel industry. The bunker fuel industry has been the victim of many recent cyber-attacks, due to its reliance on unsecured email communications for its daily business transactions. The common practice in the industry involves traders receiving emails from buyers requesting quotes. The trader responds to these requests and after a series of email communications with a potential buyer, the transaction is often consummated and confirmed through these same email communications. Eventually, the bunkers are loaded and a new series of emails are exchanged to facilitate payment.

It is at this stage where the cybercrime is usually committed. After the physical supplier provides bunkers to the customer’s vessel, the trader receives an emailed invoice which appears to be from the physical supplier. As this is common practice in the industry, the invoice is submitted for processing and the wire transfer is quickly made. Unfortunately, the invoice is fraudulent, the wire transfer information is fraudulent, and payment is made to the cybercriminal’s account. When the legitimate invoice does arrive from the supplier with the real wire information, in many cases the trader is forced to pay twice. This is just one example of how the bunkering community is so easily susceptible to cyber-attacks.

While a convenient method for transacting business, emails can represent a significant vulnerability that will be readily exploited by cybercriminals. The fundamental flaw with e-mail transactions is the unavoidable reality that each communication travels over multiple unsecured networks and passes through numerous computer systems, all of which are unknown to the email sender and recipient. This presents cybercriminals with the opportunity to intercept communications, dissect how a particular business manages its transactions and allows them to send e-mails impersonating legitimate individuals or businesses. Too frequently, businesses ignore these risks by falling victim to a false sense of security caused by three erroneous assumptions: (i) that cybercrime requires a high level of sophistication; (ii) that a successful attack is a time consuming endeavour; and (iii) that they are not big enough to be worth the criminals’ effort.

Make no mistake, cybercriminals are smart, determined and have a good understanding of how to use a computer. But they are far from the image of a highly sophisticated group of computer geniuses sitting in a dimly lit room using banks of cutting edge computers to sift through lines of source code. Rather, most cybercriminals are members of an organised crime group who have concluded they can steal more money using a mouse than a gun. Geographically, these groups operate out of Africa, Russia, South East Asia and various countries in Eastern Europe. They prefer locations that are economically challenged, and where local politicians and law enforcement can be compromised. Contrary to popular belief, they are not highly educated because they buy rather than develop the software used to facilitate their crimes.

The second and third assumptions are perhaps the most easily exposed. Cybercrime is not solely focused on large targets, because such targets necessitate time consuming effort requiring weeks of preplanning. In fact, cybercrime is the complete opposite – it is a crime of opportunity. This is reflected in the cybercriminals’ use of phishing emails. Phishing involves the use of what otherwise appears to be legitimate email messages or websites that trick users into downloading malicious software or handing over your personal information under false pretences. For example, by unknowingly downloading malware, a user provides the criminals with the ability to access their computer, read their files and send messages from their email account. Or, an employee may receive an email allegedly from the IT department stating they are performing routine security upgrades and asking that user confirm their user name and password in order to not be locked-out of the system.

Many reading this article may question the utility of using such an approach and believe reasonable people would not fall victim to a phishing attack. The figures tell a different story. Over 156 million phishing emails are sent every day. They are randomly generated using very basic software programs and transmitted 24/7 across the globe. Around 16 million of these e-mails make it past company security systems and 8 million are opened and read. This results in over 80,000 people, every day, clicking on the corrupted link, unknowingly downloading malware and providing user identification and log-on credentials. As a result, after an evening of sending millions of emails, cybercriminals have 80,000 new victims to choose from.

By now, many in the maritime community are aware of the cyber-attack that cost World Fuel Services (WFS) an estimated $18 million. The scam exposed the numerous flaws in the way most bunker fuel is sold. Impersonating the United States Defense Logistics Agency, cyber criminals used fake credentials to send an email seeking to participate in a tender for a large amount of fuel. WFS received the offer to participate in the tender, took the email at face value and purchased 17,000 mt of marine gas oil from Monjasa that was then delivered to a tanker known as the Ocean Pearl while it was off the Ivory Coast. Upon submission of the invoice, the government agency responded that it had no record of the fuel tender.

There are several facts about the bunker fuel industry that we know to be absolutely true: (i) the industry involves hundreds of billions of dollars in annual transactions; (ii) the transactions are consummated almost exclusively through electronic communications; (iii) there are minimal security protocols used to validate these transactions; (iv) cyber criminals pursue crimes of opportunity that present low risk; and (v) every organisation will at some point be compromised by malware or a phishing scam. This begs the question, what should be done to combat this threat? Fortunately for the bunker industry, there are several common sense steps that will dramatically reduce the potential for falling victim to a cybercrime.

The first and most obvious step is to retain professionals who can help harden your company against a cyber-attack. Both cybersecurity lawyers and consultants can provide assistance in developing systems and protocols to protect your company from cybercriminals and the potential liability that results from a cyber-attack. Being a hardened target means adopting the policies and procedures that will make your company less susceptible to an attack. Present cybercriminals with a choice between expending resources trying to overcome your defences or moving on to a more vulnerable victim. More often than not, they will choose to the path of least resistance.

Unfortunately, there is not one simple solution for becoming a hardened target, because each business operates differently with a different clientele. But there are things nearly all companies can do to become more secure and hardened. For example, do not rely solely on email communications to consummate large purchases or transactions. In addition to email, require a second channel of communication with the buyer, such as a phone call, fax or form of identification/authorisation not readily accessible to cybercriminals. There are other options such as utilising a secure web portal for bunker fuel transactions. Whatever path is taken, it is wise to remember that the more sophisticated and varied your procedures for consummating a transaction, the more work required by the criminals. The more work required by the criminals, the more likely they will select a different target.

To avoid the continued targeting by cybercriminals and the tremendous financial implications that result therefrom, the bunker fuel industry must evolve to meet the threats posed by reliance on unsecured shared technology and communication information, and work with cybersecurity professionals to develop or strengthen its cybersecurity practices. To date, the bunker fuel industry has failed to even moderately protect itself from cyber-attacks but must now act to arm itself or suffer continued disastrous financial implications.

“Old dog new tricks” appeared in Petrospot‘s December 2014/January 2015 edition of Bunkerspot. To read the article, please click here. Reprinted with permission from Petrospot.

Health Care Providers Responding to Ebola: HHS Issues Guidance Reminding Covered Entities that HIPAA Allows the Sharing of PHI in Emergencies

By Jennifer Daniels

163751742The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) has issued guidance to remind HIPAA-covered entities of the ways in which they are permitted under HIPAA to share protected health information (“PHI”) in emergencies, including information about diagnoses of Ebola.  HHS emphasizes that the “minimum necessary rule” still applies to these disclosures (except in the case of a disclosure for treatment purposes), and covered entities are still responsible for using safeguards that comply with the HIPAA Security Standards. Below is a list of the types of disclosures discussed in the guidance:

  • Disclosures for Treatment: Under the HIPAA Privacy Rule, covered health care providers may share PHI with other health care providers for treatment purposes, including to coordinate and manage health care and related services by one or more patients. No authorization from the patient is necessary.
  • Disclosures to Public Health Authorities: Covered entities may disclose PHI without patient authorization to public health authorities, like the Centers of Disease Control and Prevention (“CDC”) or state or local health departments for the purpose of preventing or controlling disease, injury, or disability. So, for example, a covered entity could disclose PHI to the CDC on an ongoing basis as needed to report all prior and prospective cases of patients exposed to or suspected or confirmed to have Ebola. Similarly, covered entities may disclose PHI at the direction of a public health authority to a foreign government agency that is acting in collaboration with the public health authority.
  • To a Person At Risk if Permitted under State Law: A covered entity may disclose PHI to a person at risk of contracting or spreading a disease or condition if other law, such as state law, authorizes the covered entity to notify such persons as necessary to prevent or control the spread of the disease or otherwise to carry out public health interventions or investigations.
  • To Family and Friends Involved in Patient’s Care: If a patient’s family or friends are involved in a patient’s care, and the covered entity has obtained the individual’s agreement or can reasonably infer from the circumstances that  the individual does not object, then the covered entity may disclose to a family member or friend PHI that is directly relevant to that person’s involvement in the patient’s care.
  • Disaster Relief Organizations: A covered entity may share PHI with disaster relief organizations that, like the American Red Cross, are authorized by law or by their charters to assist in disaster relief efforts, for the purpose of coordinating the notice to family members of a person’s location or condition.
  • Imminent Danger: Covered health care providers may disclose PHI to anyone as necessary to prevent or lessen serious and imminent threat to the health and safety of a person or the public consistent with applicable law and the provider’s standards of ethical conduct.
  • Disclosures to the Media: Upon request for information about a particular patient by name, a hospital or other health care facility may release limited facility directory information consistent with 45 CFR 164.510(a). In general, however, affirmative reporting to the media or the public about an identifiable patient, such as the details of test results or the patient’s condition, is not permitted without the patient’s authorization.

Health care providers should have policies and procedures in place that govern these types of disclosures under HIPAA so that such providers can act in an emergency in a manner that is necessary to protect public health but that is respectful of patient privacy.

BBB Watchdog Cites Five On-Line Companies for Failing to Adhere to Enhanced Notice of Third-Party Data Collection for Online Behavioral Advertising

By Jennifer Daniels


This week, the Online Internet-Based Advertising Accountability Program, a unit of the Better Business Bureau (“BBB”), released five decisions in which Answers Corporation, Best Buy, BuzzFeed,, and Yelp agreed to provide real-time “enhanced” notice and choice to website users whenever non-affiliates collect their information for personalizing ads.

A year ago, the BBB’s privacy watchdog issued a compliance warning that publishers must implement the transparency and consumer control requirements of the self-regulatory principles for online behavioral advertising (“OBA Principles”), or face a public compliance action. “Enhanced notice” requires companies to add a separate link that takes users directly to a site where they can opt out of receiving behaviorally targeted ads. The link itself generally appears beneath text like “Interest-based ads,” “About our ads,” or “AdChoices.”

Under the OBA Principles, including an opt-out mechanism in a privacy policy is not sufficient. Rather, the notice and choice must be provided at the time that information is being collected from consumers.  The OBA Principles apply to all segments of the advertising industry, from website publishers to third-party ad networks. The BBB and the Direct Marketing Association (“DMA”) coordinate to enforce the self-regulatory program by monitoring participating companies for program compliance, investigating, and reporting potentially non-compliant companies to appropriate regulatory agencies.

California Attorney General Releases Data Breach Report with Recommendations for Retailers and the Health Care Sector

By Jennifer Daniels


On October 28, 2014, the California Attorney General (“AG”) released its second annual report detailing the security breaches reported to the AG’s office in 2013, and provided recommendations to both the industry and lawmakers to reduce security breaches and the harm caused by them. The AG called out the payment card industry, retailers, and the healthcare industry to make specific improvements.  Here is an outline of the recommendations made in the report:

  • Retailers should:
    • Update point of sale terminals so that they are chip-enabled, and install software necessary to operate this technology: The United States has been slow to adopt chip technology for payment cards.  When the United Kingdom adopted the technology, counterfeit card fraud losses reportedly fell by 34%. The technology reduces fraud tied to face-to-face transactions, which still account for the vast majority of payment card transactions. Retailers will play a significant role in the implementation of chip technology in the U.S., but the incentive is there—not only due to the massive retailer breaches in 2014, but also because, in 2015, the payment card networks will shift liability to retailers for counterfeit fraud resulting from transactions involving a chip card used at a terminal that is not chip-enabled.
    • Implement encryption solutions to devalue payment card data that falls into unauthorized hands: Encryption technology will help to reduce fraud not only in face-to-face transactions, but also in online and mobile transactions. Data should be encrypted by retailers from the point of capture until the completion of transaction authorization. So long as the decryption key is not stolen, the value of stolen encrypted card data is reduced because the data is not readable.
    • Implement tokenization solutions to devalue payment card data that falls into unauthorized hands:Tokenization differs from encryption because, with tokenization, payment card data is replaced with a random number (the “token”) rather than using a mathematically reversible algorithm. Tokenization is effective in securing online and mobile transactions because the data captured by a hacker is not usable. In addition, it limits the amount of cardholder data that is stored in the retailers’ payment environment, which also makes PCI compliance simpler for the retailers.
    • Respond promptly to data breaches and notify affected individuals in the most expedient time possible, without unreasonable delay: The report points to notification delays by companies that sometimes last months.
    • Improve substitute notices regarding payment card breaches: The AG explains that retailers often must use a substitute notice method because retailers do not have access to the home addresses of their customers. The AG recommends that substitute notices be made more conspicuous on retailer websites, and that notices remain available for at least 30 days. Retailers should also update the notice as more information is known about the incident. Also, the notice should tell individuals how to protect themselves, and the advice should differ based on the type of data involved. For example, credit monitoring is very useful for breaches involving SSNs, but the AG indicates that the best response to a breach involving a debit card number is to cancel the card immediately.
  • Retailers and financial institutions should:
    • Work together to protect debit card holders in retailer breaches of unencrypted payment card data: The AG explains in the report that the impact to victims of debit card fraud is particularly severe, and that credit monitoring and online account monitoring are not sufficient protection to the consumer. Rather, the best action is to promptly cancel the card. The AG acknowledges that this course of action may result in additional burdens on the issuing banks, but the AG encourages those involved in the payment card industry to work together to resolve that issue.
  • The healthcare sector should:
    • Consistently use strong encryption to protect medical information on laptops and on other portable devices, and should consider the same for desktop computers:The AG report calls out the healthcare industry for frequently being the victim of lost and stolen mobile devices (including laptops) that contain unencrypted sensitive healthcare information. There are technologies to prevent these breaches, in particular full disk strong encryption. The AG strongly encourages those in the healthcare industry to employ encryption technologies to prevent future breaches.
  • All industries should:
    • Conduct risk assessments at least annually: Organizations handling sensitive personal information should annually review and update their privacy and security practices and policies. Technologies and business practices evolve rapidly, and the industry must respond to the changes. In particular, the AG recommends annual training of employees and service providers who handle sensitive information.
    • Use strong encryption to protect personal information in transit:Many breaches can be prevented by the use of strong encryption of data sent by email stored on laptops or portable media.
  • California legislature should:
    • Consider legislation to amend breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers, and require a final breach report to the AG:The AG notes that in responding to breaches, data owners and their vendors have different responsibilities under state breach notice laws. However, their roles are not very clear under those laws. Accordingly, the AG recommends legislation to clarify which entity is responsible for what action in the event that a breach involves both a data owner and its vendor.
    • Consider legislation to provide funding to support system upgrades for small California retailers.

Maritime Cybersecurity: A Growing Threat Goes Unanswered

By Steven L. Caponi and Kate B. Belmont

boatThe maritime industry may be one of the oldest in the world, but in-depth reports issued by the United States Accountability Office (“GAO”) and the European Network and Information Security Agency (“ENISA”) confirm that our industry is as susceptible to cyber­security risks as the most cutting-edge technology firms in Silicon Valley. With the ability to commandeer a ship, shut down a port or terminal, disclose highly confidential pricing documents, or alter manifests or container numbers, even a minor cyber attack can result in millions of dollars of lost business and third-party liability. Unfortunately, cybersecurity on board merchant vessels and at major ports is 10 to 20 years behind the curve compared with office-based computer systems and competing industries throughout the world. Like other industries critical to the global economy, such as the financial services sector and energy, it is time for the maritime industry to adopt a proactive response to the growing cybersecurity threat.

Economic and Security Perspectives

Although not yet treated as a significant business risk, cybersecurity has for some time been viewed as a considerable threat by the governmental agencies responsible for both national and international maritime security. In late 2011, ENISA issued a sobering report focused on the cybersecurity risks facing the maritime industry, and provided recommendations for how the maritime industry should respond. Unfortunately, the most recent report issued by the GAO in June of this year confirms that the threat has grown more significant, but that the maritime industry has failed to make cybersecurity a priority. Copies of both the ENISA and GAO reports can be obtained by visiting Blank Rome’s cybersecurity blog,

ENISA was prompted, in part, to issue its 2011 report because the maritime sector is universally viewed as critical to the security and prosperity of European society. ENISA noted that in 2010, 52 percent of the goods trafficked throughout Europe were carried by maritime transport, compared to only 45 percent a decade earlier. The ENISA report further noted that, throughout Europe, approximately “90% of EU external trade and more than 43% of the internal trade take place via maritime routes.” The industries and services belonging to the maritime sector are responsible for approximately three to five percent of EU Gross Domestic Product. This vast amount of trade flows into and out of the numerous ports located in 22 EU member states.

From both an economic and security perspective, the ability to disrupt the flow of maritime goods in Europe or the United States would have a tremendous negative impact on the respective local economies, and would also be felt worldwide. According to ENISA, “The three major European seaports (i.e., Rotterdam, Hamburg, and Antwerp) accounted in 2010 for 8% of overall world traffic volume, representing over 27.52 million TEUs.” Additionally, these ports “carried in 2009 17.2% of the international exports and 18% of the imports.” For its part, the GAO noted that, as an essential element of America’s critical infrastructure, the maritime industry “operates approximately 360 commercial sea ports that handle more than $1.3 trillion in cargo annually.” The Long Beach port alone services 2,000 vessels per year, carrying over 6.7 million TEUs, which accounts for one in five containers moving through all U.S. ports. Long Beach ranks among the top 21 busiest ports internationally, with significant connections to Asia, Australia, and Indonesia.

Given the interconnectivity of the maritime industry and paramount need to keep ports moving with speed and efficiency, a cyber attack on just one of the major EU or U.S. ports would send a significant negative ripple throughout the entire industry. With the ability to impact so many nations and peoples at once, the maritime industry presents a fruitful target for both private and political actors. Threats of cyber attacks can range from rival companies, to those wishing to advance a political or environmental agenda, to nation states advancing a national agenda, to terrorist organizations, and even cyber attacks from pirates or freelance hackers.

What Would a Cyber Attack Look Like?

Both the GAO and ENISA agree that the soft underbelly of the maritime industry is its reliance on Information and Communication Technology (“ICT”) in order to optimize its operations. As was clearly noted by ENISA, ICT is increasingly used by all levels of the maritime industry “to enable essential maritime operations, from navigation to propulsion, from freight management to traffic control communications, etc.” Examples of these technologies include terminal operating systems, industrial control systems, business operating systems, and access control and monitoring systems. ICT systems supporting maritime operations, from port operations management to ship communication, are commonly highly complex and utilize a variety of ICT technologies.

Further complicating cyber defense efforts, ICT systems used by ships, ports, and other facilities are frequently controlled remotely from locations both inside and outside of the U.S. Presenting an even higher level of concern, some ports have adopted the use of automated ground vehicles and cranes to facilitate the movement of containers.

Consistent with the threat facing other critical infrastructure sectors, cyber threats to the maritime industry come from a wide array of sources. As noted by the GAO, these include:

“Advanced persistent threats—where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives—pose increasing risk. Threat sources include corrupt employees, criminal groups, hackers, and terrorists.”

While the source of the threat may vary, there is no doubt that the desire and willingness to act against the maritime industry is real. Major shipping companies have already begun to suspect that they have been victims of deliberate hacking attacks. It is well known that between 2011 and 2013, there was a cyber attack on the port of Antwerp orchestrated by organized criminals who breached the port IT system, facilitating the smuggling of heroin and cocaine.

Government and Industry Response

Numerous governmental agencies in both the EU and U.S. are starting to respond to the cyber threats facing the maritime industry. They have not yet, however, promulgated concrete guiding plans and policies. Instead, the governmental agencies have assumed the role of loudly sounding a clarion call to action and taken a supporting role for industry participants.

Responsibility to actively defend against the risks of a cyber attack and be in a position to effectively respond to an incident rests squarely on the shoulders of individual ship owners, shipping companies, port operators, and others involved in the maritime industry. The failure to assume this responsibility will undoubtedly lead to serious and potentially devastating consequences, including government fines, direct losses, third-party liability, lost customers, and reputational damage that cannot be repaired.

Mitigating the Threat

Companies looking to learn more about the steps they can take to meet the evolving cyber threat head-on should consult with cybersecurity professionals and available literature. Widely available resources include the National Institute of Standards and Technology, which issues the Framework for Improving Critical Infrastructure Cybersecurity and the National Infrastructure Protection Plan (“NIPP”), developed pursuant to the Homeland Security Act of 2002 and Homeland Security Presidential Directive 7 (“HSPD-7”). These documents, along with numerous others, can assist companies in developing a risk management framework to address cyber threats and use proven risk management principles to prioritize protection activities within and across sectors.

California Passes New Law Protecting Consumers From Data Breaches

By Jeffrey Rosenthal

123196886In response to high-profile intrusions at Target Corp., Neiman Marcus, Home Depot, Inc. and a host of other retailers, California recently passed new legislation implementing small but significant changes to its privacy laws.

On September 30, 2014, Governor Jerry Brown signed Assembly Bill 1710, authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont).  AB 1710 enhances consumer protections by strengthening the requirements businesses must adhere to in the event of a breach.

“Recent breaches emphasized the need for stronger consumer protections and awareness.  The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson, Chair of the Assembly Banking and Finance Committee.  “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”

Specifically, AB 1710:

  • Requires the source of the breach to offer identity theft prevention mitigation services at no cost to the affected person for no less than 12 months if a Social Security Number or Driver’s license number are breached;
  • Prohibits the sale of social security numbers, except when part of a legitimate business transaction; and
  • Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

Earlier versions of AB 1710 placed limits on the amount of payment information a retailer could store in its system; it also mandated more stringent encryption standards.  But a coalition of business groups opposed the bill—claiming the data management rules were “onerous and unneeded,” and that it would be ineffective for protecting customer data.  Although these provisions were ultimately removed, Dickinson told news outlets he intends to pick up the notification issue during the next legislative session.  He will also pursue future legislation to tighten encryption standards in California.

Not surprisingly, such legislation follows closely on the heels of a report released by California Attorney General Kamala Harris in February of 2014.  Titled Cybersecuity in the Golden State, the report details how in 2012 more than 2.5 million California residents were victimized by data breaches—more than half of which would have been protected had companies implemented stricter encryption procedures when transmitting personal data.

In light of AB 1710, retailers and consumer-facing business that “maintain” personal information (even if they do not own or license such data) should familiarize themselves with the parameters of the new law to ensure their data security procedures satisfy the law’s “reasonable security” requirement.

A copy of AB 1710 is available here.  The Attorney General report is available here.

China Launches Massive Cross-Platform Cyber Attack

By Steven Caponi

514513823The very tool (cell phones) that has allowed millions of previously disconnected people to coordinate large civil protests in numerous countries is now being used to quash dissent in Hong Kong. If recent reports are proven correct, it appears that the cell phones of pro-democracy protesters in Hong Kong are deliberately being targeted with an app that is used as a “Trojan Horse” to infect protesters’ phones with spyware dubbed as Xsser mRAT. The spyware is intended to allow “someone” to monitor the communications of the protesters.

Specifically, the spyware is spread when anonymous messages are sent via WhatsApp to smartphones stating, “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL!” Occupy Central denies any association with the app or sypware. Once the app is downloaded, it implants spyware capable of accessing personal information, such as passwords and bank information, spying on phone calls and messages, and even tracking the physical location of the infected phone. An examination of the code suggests that the program was created by Chinese-speaking attackers. Because the target audience is the Hong Kong protesters and the code was written in Chinese, it suggests that the Chinese government and/or the highly-skilled cyber warfare arm of its military are behind the attack.

Lacoon Mobile Security was instrumental in exposing the effort to suppress the pro-democracy protests in Hong Kong. As discussed by Lacoon, the attack is rare in that it was launched on both the Android and iOS platforms. On its September 30 blog post, Lacoon noted:

Cross-Platform attacks that target both iOS and Android devices are rare, and indicate that this may be conducted by a very large organization or nation state. The fact that this attack is being used against protesters and is being executed by Chinese-speaking attackers suggests it’s first iOS trojan linked to Chinese government cyber activity.

The Xsser mRAT is itself significant because while there have been other iOS trojans found previously, this is the first and most advanced, fully operational Chinese iOS trojan found to date. Although it shows initial signs of being a targeted attack on Chinese protesters, the full extent of how Xsser mRAT is being used is anyone’s guess. It can cross borders easily, and is possibly being operated by a Chinese-speaking entity to spy on individuals, foreign companies, or even entire governments.

Attacking mobile devices instead of PCs should not come as a surprise in light of our increased dependence on smartphones. As these devises become the hub through which a vast majority of our daily communications flows, they will increasingly be targeted by those who wish to spy on or disrupt our communications. Governments may be early adopters of smartphone-based cyber attacks, but those engaged in for-profit hacks will not be far behind—especially if mobile payment systems such as Apple Pay and those promoted by Visa/MasterCard gain in popularity.

The Celebrity Hacking Scandal and You: 3 Takeaways for Everyone

By Steven Caponi

By now we all know a hacker accessed the personal iCloud accounts of dozens of A-list celebrities and leaked nude photos of stars such as Jennifer Lawrence, Kate Upton, Kirsten Dunst, and Victoria Justice. The anonymous hacker[s] posted the nude images first on 4Chan, but, the photographs spread quickly and went viral.

This cyber-incident has sparked a significant debate on various topics, ranging from our privacy laws, to speculation over who may have committed this deplorable act, to emotionally charged disagreements over whether the celebrities themselves should bear some of the blame. The scattershot debate has left the average person wondering “what does this mean for me?” and “what can I do to protect myself?” Below are three takeaways everyone should consider.

1. You Can’t Un-Ring the Bell

Unfortunately, for individuals who find their embarrassing moments, confidential information, or indiscretions strewn across the Internet, there is little hope of putting the genie back in the bottle. As much as we talk about the Internet as a singular object, it is in an amalgamation of millions of computers, servers, and websites, all controlled by different people located across the globe. As a result, the Internet has a long memory that is impossible to erase.

…there is little hope of putting the genie back in the bottle.

Compounding these structural difficulties is a cultural/legal mindset in the U.S. that generally values the free flow of information over personal privacy. The First Amendment allows the free flow of information, while relying on tort law, primarily libel, and invasion of privacy, to protect individuals’ rights. Search engines and Internet providers enjoy robust protections from liability for the content they provide unless they have direct knowledge it is false or violates copyright law. As a result, individuals cannot realistically seek redress against the thousands of websites that may contain embarrassing information and are stymied by various protections preventing the public from forcing the large content providers to block access to embarrassing content.

There is, however, a ray of hope for those who want greater privacy protections. In contrast to the U.S., the European Union and its member nations have chosen to follow a path where the privacy rights of individuals receive greater protections. Following a landmark decision by the European high court earlier this year, numerous search providers must consider individuals’ requests to remove links that they say infringe on their privacy. The decision has resulted in what is commonly referred to as the “right to be forgotten” movement. Currently, each nation in the E.U. has a data protection agency through which citizens can appeal for help in erasing their online histories. Whether the “right to be forgotten” movement takes hold in America remains to be seen.

2. The Law Offers Little Solace

For anyone looking to the courts for justice, they will likely find that the patchwork of 50 divergent laws and the absence of comprehensive federal legislation render an adequate judicial remedy a long shot at best.

Putting aside the breadth of the state and federal laws, there are several initial obstacles that must be overcome before one could consider legal action. First and most obvious is the inability to identify who stole or released your information. Hackers work in the shadows of the Internet, adopt catchy “street names,” and take extraordinary steps to hide their location. Even if the hacker can be identified, there are significant jurisdictional limitations that constrain cybercrime prosecution or litigation.

…it is very difficult to determine where a cybercrime was committed because the perpetrator, the victim, and the data at issue may be located in different jurisdictions.

The legal concept of jurisdiction involves territory, with the reach of a law being limited by the boundaries of the state or country. Thus, to apply a particular state law, the crime or tort must have occurred within the territorial boundaries of that state. Unfortunately, it is very difficult to determine where a cybercrime was committed because the perpetrator, the victim, and the data at issue may be located in different jurisdictions. This raises many questions, which largely remain unanswered: Where did the crime occur? Which state has jurisdiction over the crime? And, where is the hacker subject to personal jurisdiction?

These issues have sparked a push for comprehensive federal legislation governing cyberattacks, data breaches, and victims’ rights. Due to deep philosophical divisions in Washington, D.C., however, this much-needed legislation has failed to make any serious progress. Currently, hacking victims can invoke the Communications Decency Act of 1996 (“CDA”), but the CDA is drafted in a way that protects service providers and website operators more than the public. Section 20 of the CDA states that “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” Therefore, unless the provider, for example 4chan, was directly involved in the hacking and release of the racy photographs, it is not liable for damages.

Until the laws are updated, a criminal and civil remedy appears elusive.

3. Don’t Look to Your Cloud Provider

Much of the anger resulting from the celebrity hacking scandal has been directed toward “big Internet companies” generally, and Apple specifically. The arguments rest on the assumption that if the celebrity photographs were taken from a cloud, the operator of the cloud must be responsible. While this position holds a certain simplistic charm, it is unlikely to carry the day in court.

Although the exact method used by the hackers has yet to be identified, the response from Apple has been both swift and consistent with the position adopted by other cloud providers. Apple has vigorously denied its systems have been compromised and suggests the hackers accessed the accounts after obtaining the celebrities’ email and passwords. The implication of this argument is to suggest the celebrities’ computers were hacked, not Apple’s iCloud servers. As the party bearing the burden of proof in a civil trial, the celebrities will need to refute Apple’s argument by demonstrating how the hack occurred and that the hack could not have occurred but for an issue with Apple’s security protocols. This will be no easy task.

…if the celebrity photographs were taken from a cloud, the operator of the cloud must be responsible. While this position holds a certain simplistic charm, it is unlikely to carry the day in court.

Even if the celebrities manage to establish the hacker’s method, the ability to obtain any meaningful compensation will be severely limited by their cloud service agreements. Cloud providers often limit direct damages by capping the aggregate dollar amount for all claims under the service agreement. In the case of Apple, its cloud service agreement—which is ignored by most users—states that Apple cannot be “LIABLE TO YOU FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES… .”

With little ability to undo the damage caused by an embarrassing data breach, nearly insurmountable obstacles precluding a civil/criminal prosecution, and a cloud service agreement rendering a contract action against the provider illusory—what is the average person to do? The answer is as unsatisfying as it is simple. Keep your most confidential, valuable, and embarrassing items in a location that is not accessible to the Internet.