Little Recourse for Victims of Private Data Theft

By Steven Caponi

Earlier this week I was a guest analyst on the CBS Evening News, discussing the legal ramifications of the recent celebrity hacking scandal. It was a pleasure working with CBS to address this important issue and raise awareness on the need update our 20th century laws to combat a significant 21st century problem.



Did Russian Hackers Really Amass over a Billion Passwords?

By Steven Caponi

459367595 (1)It was widely reported yesterday in The New York Times and elsewhere that a sophisticated Russian crime ring was holding a massive cache of stolen Internet credentials.  According to the private security firm Hold Security, a Russian cybercriminal gang called CyberVor has accumulated 4.5 billion stolen records, including 1.2 billion unique usernames and passwords belonging to more than 500 million email addresses.  CyberVor allegedly obtained the confidential material by raiding 420,000 websites.  Hold Security maintains the breached websites include some very large companies that are “household names.”  The New York Times article notes Hold Security “has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems.”

Over the past 24 hours, the reaction to the Hold Security press release has gone from shock and surprise, to doubt and skepticism. The trepidation is a result of Hold Security’s decision to not name the victims, citing confidentiality concerns.  But, according to an article appearing in The Guardian, Hold Security initially offered a commercial “breach notification” service requiring consumers and companies to pay an up-front fee to see if they had been affected.  Although the company offered a commercial security services as part of its report, Hold Security has since said it would allow consumers to check for free whether their usernames or passwords had been stolen.

In light of Hold Security to failure to completely disclose its findings, cybersecurity experts caution the report should be taken with a grain of salt.  To date, the claims have not been vetted or the findings verified by third party security experts.  Additionally, it is somewhat troubling that no major companies have so far come forward to urge their user to change credentials.  Given the alleged magnitude of the breach—nearly 5 billion passwords—and the global coverage it has received, one would expect to have at least a few companies to have issued public statements if its users are at risk.

Seeking to address these concerns, Hold Security permitted a third party security expert to analyze their findings at the request of The New York Times.  According to The New York Times, the expert confirmed the data was authentic.

While the validity of the claim by Hold Security is being viewed cautiously for now, as new facts emerge over the next few days and the cybersecurity industry investigates, Hold Security will either be vindicated or suffer an embarrassing black eye.

Delaware Adopts Law Requiring the Destruction of Consumers’ Personally Identifiable Information

By Steven Caponi & Elizabeth Sloan

On July 1, 2014, Delaware Governor Jack Markell signed into law Delaware House Bill 295, which amends Section 6 of the Delaware Code relating to trade and commerce. The new law, 6 Delaware Code §§50C-101 thru 50C-401, places new obligations on commercial entities with respect to the destruction of records containing the personally identifiable information of consumers. Importantly, the law exposes companies to new civil lawsuits by consumers and administrative enforcement actions by the Delaware Department of Justice.  The new law is effective on January 1, 2015.

The heart of the new law is the obligation of “commercial entities” to take “all reasonable steps” to destroy consumers’ personal identifying information that is “no longer to be retained by the commercial entity” by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in those records to make it entirely unreadable or indecipherable through any means. …”  By adopting a broad definition of “commercial entity,” the new requirements impact all corporations, business trusts, estates, trusts, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, or other legal entity—whether or not for-profit.  Importantly, the law does not specify when documents must be destroyed, but rather, addresses how records should be destroyed when they will no longer be “retained” by a company.

In light of the definition of “commercial entity,” a company’s size, revenues, number of employees, and charitable status are irrelevant to the impact of the new requirements. The definition, however, raises the question of whether the new requirements apply just to entities doing business in Delaware, or if it also extends to entities formed in Delaware regardless of where they transact business. Given the number of companies incorporated in Delaware, the resolution of this ambiguity could have significant implications nationally.  Evidencing some degree of restraint, the law does not apply to financial institutions that are subject to the Gramm-Leach-Bliley Act; health insurers or healthcare facilities that are subject to the Health Insurance Portability and Accountability Act; consumer reporting agencies that are subject to the Federal Credit Reporting; and any government, governmental subdivision, agency, or instrumentality.

The Act also defines personal identifying information as “a consumer’s first name or first initial and last name in combination with any of the following data elements, when either the name or the data elements are not encrypted: social security number, passport number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information or confidential health care information.”  Also, “record” is defined equally broad so as to encompass information “inscribe[d] on a tangible medium, or that is stored in an electronic or other medium. …” Combined, the two definitions extend the scope of the new law to cover the destruction of both paper documents and all forms of electronic records, including records located on back-up tapes, local storage devices, and those stored in “the cloud.”

Reflecting a bias towards consumer rights, the law provides for both a public and private cause of action. Consumers who incur actual damages due to a reckless or intentional violation may bring a civil action against the commercial entity and obtain treble damages. Additionally, the Attorney General, through the Division of Consumer Protection of the Department of Justice, may bring an enforcement action in law or through an administrative proceeding if a violation has occurred and the Attorney General believes an enforcement action would be in the “public interest.”

A copy of the law and the relevant legislative history can be found at:

Goodwill Investigating Possible Data Breach

By Steven Caponi

Yesterday it was announced that a number of financial institutions reported tracking what could be a series of credit card breaches involving various Goodwill locations nationally. Goodwill operates more than 2,900 stores nationwide and has annual retail sales of $3.79 billion. Goodwill issued a statement indicating it is working with the U.S. Secret Service to investigate the possible breaches. At this juncture the scope of the breach remains unknown, but early reports suggest Goodwill’s systems could have been compromised as far back as the middle of 2013.

Banking sources have also reported the potential fraud involves retail stores in Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington, and Wisconsin. Because Goodwill consists of a network of 165 independent agencies with separate regional headquarters in the United States, there is no centralized database containing customer credit card information. While this will make an investigation more difficult, it will also limit the scope of a breach and number of customers impacted.

In a statement sent to Krebs on Security, Goodwill said it first learned about a possible incident Friday, July 18.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. “Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

Cybersecurity—There Is an App for That!

By Steven Caponi

Many of our readers and those active in cybersecurity have been following ThreatWatch from Nextgov. This highly informative site provides a daily snapshot of the data breaches impacting organizations and individuals on a global level. Although not an authoritative list of cyber attacks, ThreatWatch provides a good overview of the most prevalent cyber events on a rolling basis. In addition to identifying the target, the alerts name the suspected attackers and their methods of penetration, highlight patterns of activity, and note emerging trends/threats.

The information found at ThreatWatch is now available in the palm of your hand in the form of a new iPhone app, which includes some additional features. Aside from a daily rundown of the latest reported breaches hitting agencies, retailers, and every other sector, you now also receive threat level scores and story feeds from around the globe. For example, today’s threat level is a 12 on a 100-point scale, according to data analytics company HackSurfer. On an industry basis, utilities are at a level 3, financials are at a level 5, and information technology is at a level 81. Under the “Breaches” tab, there is an article discussing how a system engineer hired by a staffing agency copied and sold personal data from 7.6 million contracts with the Japanese education firm Benesse Corp. Included within the “Newsfeed” tab, you will have access to technology security articles from Guardian, Wired, and other reputable publications that are streamed constantly, along with commentary from cyber firms, such as Sophos and Malwarebytes.

The app is free and available for download at the Apple iTunes store.

Wyndham Secures Interlocutory Appeal Challenging the FTC’s Authority to Regulate Cybersecurity Practices

By Steven Caponi

As part of our ongoing effort to advise clients on significant developments in cybersecurity that are likely to impact their businesses, we have been actively reporting on the case of in FTC v. Wyndham Worldwide Corporation, et al., pending before U.S. District Judge Esther Salas in New Jersey. In April of this year we issued a client alert discussing the much anticipated April 7, 2014, decision by Judge Salas, which rejected a direct challenge to the Federal Trade Commission’s (“FTC”) authority to police corporate cybersecurity practices.

In a surprising development, on June 23, 2014, Judge Salas issued a Memorandum Opinion and Order granting Wyndham’s motion seeking immediate appellate review of the April 7 decision—without holding oral argument. Judge Salas’ reasons for supporting Wyndham’s request to file an appeal are instructive and suggest the FTC’s authority to act as the nation’s chief cybersecurity enforcement agency is far from resolved. Following a careful analysis, the Court acknowledged that if its interpretation the FTC’s authority was incorrect, it would represent reversible error on appeal, requiring a grant of Wyndham’s motion to dismiss. …”

The FTC had sued Wyndham in New Jersey based, in part, on the belief the FTC possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” Moving to dismiss the action, Wyndham argued Congress, not the FTC, is the proper body to regulate cybersecurity and the FTC had failed to publish rules or regulations providing companies with fair notice of what protections are expected or acceptable.

In what was seen as a complete victory for the FTC, Judge Salas rejected Wyndham’s narrow interpretation of the FTC’s Section 5 powers. The Court concluded that Congress had vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to issue of fair notice, the Court concluded the FTC was not required to formally publish regulations on cybersecurity before bringing an enforcement action. Judge Salas noted that “courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”

To many, what was striking about Judge Salas’ April 7 decision was the manner in which Wyndham’s arguments were quickly dispatched in a straightforward and authoritative fashion. There appeared to be no equivocation or hesitation in the ruling. This led many commentators to suggest the legality of the FTC’s Section 5 powers was no longer seriously in doubt. So it came as a surprise when Judge Salas issued the June 23 Opinion granting the request to seek an interlocutory appeal and acknowledging the prior ruling may not necessarily be correct.

To place the most recent Opinion in context, it is important to note, as did Judge Salas, that “interlocutory certification should be used sparingly and that the District Court should serve as a diligent gatekeeper to prevent premature and piecemeal appeals.” Historically district and appellate courts have routinely relied upon this logic to quickly deny the vast majority of requests for interlocutory appeal. Before a party can seek an interlocutory appeal, it must first demonstrate under 28 U.S.C. § 1292(b): (i) there is a controlling issues of law; (ii) there is substantial ground for difference of opinion; and (iii) an immediate appeal may materially advance the ultimate determination of the litigation. Even if, however, all three criteria under Section 1292(b) are met, Judge Salas noted “the district court may still deny certification, as the decision is entirely within the district court’s discretion.”

In this instance, Judge Salas concluded all three prongs of Section 1292(b) had been satisfied. With regard to the first prong, the Court noted the April 7 decision involved two controlling issues of law: the FTC’s powers under Section 5 to regulate cybersecurity practices and whether the FTC must “formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.” The Court further concluded an immediate appeal may advance the ultimate termination of the litigation because it would potentially reduce the scope of a trial, resolve complex issues before trial, and materially narrow the scope of discovery.

For those who have been “handicapping” the likelihood the FTC’s interpretation of its Section 5 powers will prevail, Judge Salas concluded Wyndham’s “statutory authority and fair-notice challenges confront this Court with novel, complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.” Citing Reese v. BP Exploration (Alaska) Inc., 643 F.3d 681, 688 (9th Cir. 2011), the Court held this standard was met because the April 7 decision involved “novel legal issues…on which fair-minded jurists might reach contradictory conclusions.”

Although resolute in her prior ruling, by recognizing other “fair minded jurists” may reach a different conclusion, Judge Salas has sent a clear, cautionary message that the FTC’s authority to regulate cybersecurity practices is not a foregone conclusion. At this juncture, all eyes will be on the Third Circuit Court of Appeals to see if they grant Wyndham’s request for an interlocutory appeal and, if so, how they ultimately rule on the issues identified by Judge Salas. Even after the Third Circuit acts, the scope of the FTC’s authority will not have been definitely decided. For as noted in the June 23 Opinion, “fair minded jurists” sitting in districts outside the Third Circuit and other circuit courts of appeals may reach a different conclusion.

Is the Password Finally Dead? Fernando Corbató Hopes So.

By Steven Caponi

As noted in a recent article in the Wall Street Journal, although his impact on our daily lives arguably rivals that of Bill Gates, Mark Zuckerberg, and other giants in the computer industry, the name Fernando Corbató remains obscure. He is, however, the father of the modern computer password. While toiling away at the Massachusetts Institute of Technology in the early 1960s, Mr. Corbató and his colleagues developed the password in order to control access to files on a large, shared computer. Little did they know that over 50 years later, billions of people across the globe would be forced to remember countless passwords and type them into devices ranging from their personal computers to ATMs, smartphones, tablets, and even home appliances. One cannot “Like a friend” on Facebook, check a bank balance, review a child’s school grades, or bid in an online auction for that completely unnecessary item that is destined to sit in the back of a closet, without first entering at least one password.

While designed to help manage and secure files, the ubiquitous nature of the password has rendered it the most significant security risk to computers. In the wake of Heartbleed, and recent attacks on eBay, Yahoo, and Target, it is not surprising that the voices calling for the death of the password are growing louder. Just listen to John Proctor, Microsoft’s Vice President of Global Cybersecurity, who wrote a blog post on this subject last week, stating, “Allowing users to log in simply with a username and password is a grave error… Frankly, the password is dead.” Using equally blunt terms, Jeremy Grant, the head of the National Strategy for Trusted Identities in Cyberspace, stated, “Passwords are awful and need to be shot.” How did Mr. Corbató respond to these attacks on his invention? The 87-year-old retired researcher expressed the view shared by many—“It’s become a kind of a nightmare.”

Despite the nearly universal distain for the password, finding a replacement that would be accepted by the computer industry is not easy because the password is cheap to use and is a fundamental aspect of the architecture of most websites. Making things even more difficult are inertia and human behavior. Using a password has become a daily, routine part of human behavior, to the point where entering a personal identification number (“PIN”) has become second nature. And even in the face of a known breach such as Heartbleed, people refuse to change their passwords because they are typically easy to remember and used across many accounts.

The dissatisfaction with the password begs the question: What will the replacement look like?  There are currently many contenders waiting to supplant the password. These include hardware options such as fingerprint readers (i.e., Apple iPhone 5), iris scanners, and USB keys. There are also software options by companies such as BioCatch Inc., which is located in Boston, that verify a person’s identity by measuring how they hold a smartphone or drag a mouse across a screen. Recently, U.S. Bank announced it was joining other large financial institutions in testing voice biometrics as a potential replacement for the traditional password. This group, which includes Wells Fargo & Co. and Barclays Plc., are adopting voice biometrics software that requires users to login to an application or website by speaking a word or phrase. The word or phrase is compared to a previous recording the customer has made to verify it’s the same user.

One option that is gaining traction for its combination of security and simplicity is multifactor authentication (“MFA”). The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a computer system or network. This is achieved by combining two or three independent credentials: what the user knows (knowledge-based authentication), what the user has (security token or smart card), and what the user is (biometric verification). Single-factor authentication, in contrast, only requires knowledge that the user possesses (e.g., a PIN, phone number, Social Security number, etc.). For instance, some Google accounts use two-factor authentication that require smartphones to run an app that randomly generates a number that resets every 30 seconds. This number is required to login to your account.

Whatever security feature may lie ahead, it is safe to suggest that it will not be the much maligned password. While Mr. Corbató’s invention has served us well for the past fifty years, the frequency of major hacks and sophistication of cyber criminals have overwhelmed the password’s ability to serve as an effective gatekeeper to our data. When the inventor, users, and companies maintaining sensitive data all agree that change is needed, it is only a matter of time before the password is able to R.I.P.


United States v. China: The Battle over Cyber-Espionage Results in Criminal Charges

By Steven Caponi

452686675(web)For those of us who have been active in cybersecurity, it is a well known fact that the Chinese government, acting through its military, has been the most prolific global perpetrators of cyber-espionage. Over the past several decades, China has emerged as a global power based on its economic prowess rather than its military might. As a result, the Chinese government sees the strength and health of its economy as directly tied to its national security, and by extension, the future of the ruling communist party. As an act of self-preservation, China has relied upon its military to engage in industrial espionage to ensure its companies remain competitive. This conduct has resulted in U.S. officials openly accusing China’s army of launching cyber attacks on American industrial and military targets for the purpose of stealing secrets or intellectual property. Driving this point home, Director James Comey told NBC News, “For too long, the Chinese government has blatantly sought to use cyber-espionage to obtain economic advantage for its state-owned industries.” China has aggressively denied these allegations.

Today, the war of words has moved from press releases and diplomatic protestations to the criminal charges and the courtroom. Marking a significant escalation, the United States has brought first-of-its kind cyber-espionage charges against five Chinese military officials accused of hacking into U.S. companies to gain trade secrets. The charges were lived against individuals who are believed to work for Unit 61398, the arm of the People’s Liberation Army known to specialize in cyber-warfare. Today’s indictment accuses the Chinese of targeting major U.S. private sector companies in the U.S. nuclear power, metals, and solar products industries.  Among the victims were Westinghouse Electric, U.S. subsidiaries of SolarWorld AG, U.S. Steel, Allegheny Technologies, and Alcoa.

When announcing the indictments, Attorney General Eric Holder said, “This is a case alleging economic espionage by members of the Chinese military and represent the first-ever charges against a state actor for this type of hacking.” He further stated, “The alleged hacking appears to have been conducted for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States. … Our economic security and our ability to compete fairly in the global marketplace are directly linked to our national security.”  Eric Holder’s actions should not come as a surprise in light of comments earlier this years by John Carlin, recently installed as head of the Justice’s National Security Division, that cited prosecution of state-sponsored cyber-threats as a key goal for the Obama Administration.

FTC Letter is a Reminder for All M&A Deals

By Jennifer Daniels

On April 10, 2014, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, wrote a letter to both Facebook, Inc. and WhatsApp Inc. warning the companies that the FTC expects both companies to honor the privacy promises made by WhatsApp prior to its acquisition by Facebook.  In late February, Facebook announced that it would acquire the stock of WhatsApp, a company that offers instant messaging services with hundreds of millions of users worldwide.  WhatsApp has built a reputation for its privacy promises.  Conversely, Facebook’s privacy reputation is not a stellar one, as Facebook is the subject of a twenty year Consent Agreement with the FTC arising from a settlement of past allegations of deceptive practices in handling user data.  The April 10 letter from Ms. Rich offers a reminder to companies engaging in acquisitions to plan for the handling of personally identifiable information.

In the April 10 letter, Ms. Rich points out that the privacy promises made by WhatsApp in its privacy statement exceed the protections currently promised to Facebook users.  Ms. Rich explains that, if the acquisition is completed and WhatsApp fails to honor its promises, both companies could be in violation of Section 5 of the FTC Act and, possibly, the FTC order against Facebook.  Ms. Rich highlights other cases that the FTC has brought charging that companies failed to keep their privacy promises, including In re Genelink, Inc., In re Upromise, Inc., and In re Twitter, Inc.  In addition, the FTC made clear in in re Gateway Learning Corp. 

that, absent affirmative express consent by a consumer, a company cannot use data in a manner that is materially inconsistent with promises made at the time the data were collected.

Accordingly, Facebook and WhatsApp are not permitted to amend the WhatsApp privacy statement going forward and have the amended privacy statement apply to data that were collected by WhatsApp prior to the amendment.  If the companies want a modified privacy statement to apply retroactively to data that had been collected by WhatsApp in the past, they will need to obtain an opt-in consent from the impacted consumers.  Further,  Ms. Rich indicates in her letter that, because Facebook and WhatsApp are now making promises that the companies will not modify WhatsApp’s privacy practices following the acquisition, if the companies do decide to change WhatsApp’s privacy practices following the transaction, the FTC recommends that the companies offer existing users the ability to opt out of the future collection of their information, or at least make it clear to consumers that they have the ability to stop using the WhatsApp service.

The letter from Ms. Rich is an important reminder to companies that process personally identifiable consumer data that the handling of those data is an important consideration in any M&A transaction. When looking at structuring an acquisition, the parties must consider whether the privacy statements or consents under which personal data were collected allow disclosures of that data to a third party acquirer.  If they do not, then an asset acquisition may not be possible without violating those privacy statements and consents, because an asset acquisition necessarily involves a change in the legal entity that owns the data.  Companies must also anticipate this issue when preparing privacy statements and consents, and must include language that allows personal information to be disclosed to the purchaser of the business.  Further, even in a stock purchase where the target legal entity collecting and holding the data does not change (so there is arguably no disclosure of the data to a third party acquirer), the buyer should conduct diligence on the privacy promises of the seller to ensure that the buyer can live with the promises made regarding the data, understanding that any material change in the uses and disclosures of the data following the acquisition may require opt-in consent from the impacted consumers, which in many instances is nearly impossible to obtain.

Verizon’s Data Breach Report Reveals The Nine Most Pressing Corporate Security Threats

By Jeffrey Rosenthal

VerizonreportAs April comes to a close, it’s time once again for Verizon Enterprise Solutions’ Data Breach Investigations Report to remind us just how important data security is to the corporate world.

Released Wednesday, the report, now in its tenth year, concluded that hackers and cybercriminals have gotten faster at breaching corporate website defenses than companies’ ability to detect attacks—meaning many attacks were already complete before victims could even respond.

Verizon, which received contributions from 50 organizations worldwide, recorded nearly 63,500 “security incidents”—i.e., any attempt to attack a corporate computer system, successful or not—as well as 1,300 confirmed data breaches.  According to Verizon, nine out of ten security incidents in 2013 fell within nine basic categories, as discussed below:

1. Point-Of-Sale Intrusions.

Despite the widespread-publicity of the recent Target Corp. breach (resulting in hackers gaining access to the credit card numbers of around 40 million customers), the occurrence of point-of-sale intrusions has actually been trending downward over the last several years, Verizon claims.  But retailers and hotel companies in particular still need to be concerned about this kind of intrusion, as even a single attack can be devastating.

2. Web App Attacks.

Described as the “proverbial punching bag of the Internet,” web application attacks are by far the most common type of breach.  Accomplished by phishing techniques, installing malware, and correctly guessing security questions, Verizon insists better protection for Internet-facing applications starts with stronger passwords and two-factor authentication.

3. Insider And Privilege Misuse.

Common examples of insider misuse include employees using forbidden devices/services to send intellectual property to personal accounts, or sending messages while posing as another employee to get that person fired.  Verizon observed that while many of the people committing these crimes are payment chain personnel and end users, C-suite managers were more to blame in prior years.

4. Physical Theft And Loss.

Corporate assets (phones, laptops etc.) are stolen from offices more often than from homes or vehicles.  The primary cause is simple carelessness.  To counter, Verizon suggests companies back up data, encrypt devices and encourage employees to closely guard devices.

5. Miscellaneous Errors.

Sending an email with sensitive information to the wrong recipient is the most common example of unintentional data disclosure.  Other examples include accidentally posting non-public information to a company’s web server, or mailing documents to the wrong physical address.  While some human error is unavoidable, Verizon says data loss prevention software and tighter processes around postings can reduce occurrences.

6. Crimeware.

Crimeware consists of any illicit activity that does not fall under espionage or point-of-sale.  Most crimeware occurs when users download malicious files.  But it can also happen via “drive-by infections,” whereby a virus is downloaded when a user unknowingly clicks a deceptive pop-up window.  Corporations’ best defense against crimeware is to maintain the most up-to-date browsers and software.

7. Payment Card Skimmers.

This type of attack is mainly directed at ATMs and gas pumps.  Because it requires a skimming device be physically added to a machine, it’s considered a relatively crude manner of intrusion.  According to Verizon, the most-recent development is that, rather than retrieve the skimming device itself, criminals can remotely collect data via wireless means, like Bluetooth.  Although modern ATMs are mostly tamper-free, this is still a concern in certain parts of the world.

8. Denial-Of-Service.

Commonly referred to as DDoS attacks, these threats include attacks aimed at compromising networks and systems availability to shut down corporate, consumer-facing websites.  Primarily directed at the financial, retail and public sectors, potential motives include extortion, protest, or simple amusement.

9. Cyber-Espionage.

Unauthorized network/system access associated with state-affiliated actors tripled from last year.  Espionage also had the widest variety of “threat actions”—meaning once intruders gain access, they are engaging in multiple types of illegal activities.  About 21% of reported incidents originated from Eastern Europe.

While, at first glance, the increasing volume of cyber attacks may seem disheartening, there is a silver-lining here.  Because most attacks tend to follow one of the above nine patterns, companies stand a better chance of resisting intrusions if they take steps to combat the type of attack most common to their industry.  Recognizing your company’s greatest vulnerability and prioritizing the most likely type of cyber attack can mean the difference between preventing the intrusion altogether, or becoming the next Target.

Once again: a little knowledge can be a powerful tool when defending against mounting cyber attacks.

A copy of Verizon’s complete 2014 Data Breach Investigations Report is available here, with the Executive Summary available here.

Heartbleed Adds to Corporate Cybersecurity Heartache

heartbleedIn the wake of several massive point of sale consumer data breaches over the holiday season, companies must now face Heartbleed, a bug that potentially infects 50% of the entire Internet. Blank Rome attorneys, Grant Palmer and Michael Iannucci, have written an article that addresses the Heartbleed bug and suggests a plan of action for companies dealing with cyber threats and data breaches.

You can find the article here.

Kentucky Finally Jumps on the Breach Notice Bandwagon, and Adds a Cloud Computing Twist

By Jennifer Daniels

Security Breach Notice

Until last week, Kentucky was one of only four states that had not enacted a security breach notice law. On April 10, 2014, Kentucky adopted HB 232, a law that is pretty standard as it relates to security breach notice obligations. It applies to companies doing business in Kentucky, but includes an exception for information holders that have separate security breach notice obligations under Gramm Leach Bliley or HIPAA.  “Personally identifiable information” includes first name or initial and last name, in combination with social security number, drivers’ license number, or account number, credit or debit card number, in combination with any required access code. So, Kentucky has not gone so far as to include health information or generic password information as personal information. Under the statute, notice is triggered by an unauthorized acquisition of unencrypted and un-redacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained in a database regarding multiple individuals that actually causes “or leads the information holder to reasonably believe has caused or will cause” identity theft or fraud against any resident of Kentucky.  So, as with many other state security breach notice laws, businesses suffering a security incident will need to contemplate whether it is reasonable to believe that the incident could lead to identity theft or fraud. Keep in mind when evaluating a security incident and whether to notify individuals, that if your business determines that the incident will not likely result in identity theft or fraud, it is important to document your decision-making process.  Under the new law, Kentucky does not require notice of a breach within a specified timeframe, but rather requires notice in the most expedient time possible and without unreasonable delay.

Cloud Computing of Student Data

At the end of 2013, Fordham Law School published a study finding that the contracts that schools enter into with service providers are weak in terms of privacy protections for student information shared with such service providers. According to the study, many schools do not contractually prohibit their vendors from selling or using personal information about students for marketing purposes. Schools have begun to use more and more digital learning programs, and without prohibitions on the nonacademic use of the information collected through such programs, there is a concern that such information may be made available to colleges or future employers without the knowledge or consent of the student or the parents.

To address the concerns around the data-mining of student information, Kentucky has now made it illegal for a cloud services provider to process K-12 student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing service, unless the parent consents to such processing. Kentucky HB 252 providesA cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose.” The statute defines “student data” as “any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.” The term includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student. Accordingly, the definition is very broad. It is not clear whether a cloud provider would run afoul of the Kentucky statute if it analyzed aggregate, de-identified information for use for marketing purposes, in particular because the act of creating aggregate data is a form of processing. In addition, the definition of a “cloud computing service provider” under the statute is broad, including any person that operates a service that provides an educational institution with account based access to online computing resources.

Cloud service providers must certify to Kentucky K-12 educational institutions that they will comply with the provisions of HB 252.

Joint Antitrust Policy Statement on Sharing Cybersecurity Information

By Steven Caponi

The Federal Trade Commission (“FTC”) and the Department of Justice (“DOJ”) recently issued a policy statement on the sharing of cybersecurity information that “makes clear that properly designed cyber threat information sharing is not likely to raise antitrust concerns and can help secure the nation’s networks of information and resources.”

The policy statement is intended to address a long-recognized roadblock to the aspirational goal of combating cyber threats by encouraging private entities to share confidential threat awareness information. To date, this objective has been thwarted by the realistic concern that the sharing of non-public information between competitors could violate antitrust laws or trigger an antitrust review.

FTC Chairwoman Ramirez notes that “[t]his statement should help private businesses by making it clear that antitrust laws do not stand in the way of legitimate sharing of cybersecurity threat information.” Sharing this viewpoint, Deputy Attorney General James M. Cole recognized that “[p]rivate parties play a critical role in mitigating and responding to cyber threats, and this policy statement should encourage them to share cybersecurity information.”

Although a step in the right direction, the policy statement is unlikely to materially impact the practices of many businesses because of its lack of specificity. Rather than provide a clear set of guidelines, the policy is merely an analytical framework to be used by the antitrust agencies to determine if the sharing of information crosses the line from permissible to impermissible. For example, the policy notes that “[t]he Agencies do not believe that antitrust is – or should be – a roadblock to legitimate cybersecurity information sharing” and their “primary concern in this context is that the sharing of competitively sensitive information – such as recent, current, and future prices, cost data, or output levels… .”

In the absence of a uniform legislative solution by Congress, businesses should view the policy statement’s invitation to share cyber threat information with caution.  Given the number of employees at the FTC and DOJ, their varying personalities, individual agendas, and autonomy, the subjective “analytical framework” will most likely not be applied in a uniform or predictive fashion.

Target Data Breach Suit By Banks Extends To Security Vendor

By Jeffrey Rosenthal

Target_logoDecember 18, 2013, was a dark day for Target Corp.  Nationally ousted as the victim of the largest retail data breach in history, Target’s CEO Gregg Steinhafel took pains to assure consumers “they will not be held financially responsible for any credit or debit card fraud.”

But according to a March 10, 2014, putative class action in the District of Minnesota, Case No. 0:14-cv-00643, by Umpqua Bank, Steinhafel’s statement “omits” the fact that “it is the nation’s financial institutions—and not Target—ensuring that this is the case.”  According to Umpqua’s complaint, financial institutions are the ones incurring the real costs associated with protecting customer accounts.  This includes providing notice to consumers, reissuing payment cards and refunding fraudulent charges.  The cost of card replacement alone is estimated to ultimately rest around $200 million.

Since then, two more banks, Trustmark National Bank and Green Bank, N.A., have launched a similar class action against the retail giant in the Northern District of Illinois, Case No. 1:14-cv-02069, for its failure to maintain adequate data security protocols—despite suffering two nearly identical breaches in the years preceding this one.   While largely similar, the Trustmark suit, filed March 24, 2014, departs from the aforementioned Umpqua suit in that it also seeks to hold security company Trustwave Holdings, Inc. liable as well.

“Trustwave failed to live up to its promises, or to meet industry standards,” the Trustmark complaint alleged.  It goes on to claim the vendor’s failure to timely discover and/or report the breach to Target (or the public) further drove up costs.  “The damage done to the banks and other class members is monumental,” the suit asserts.  The alleged cost to banks/retailers could eventually exceed $18 billion.

In a striking turn of events, Trustwave publicly denied having done any cyberthreat mitigation work for Target on March 29, 2014.  This denial came one day after the New-York based Trustmark National Bank filed a notice of voluntary dismissal without prejudice in the proposed class action.  The notice did state, however, that Texas-based Green Bank, N.A. would nevertheless continue with the suit.

When a company suffers a data breach—and especially one as large as Target’s—it is eminently clear that an entire gamut of persons/entities may ultimately be affected.  While the details of the Trustmark action appear largely unsettled, the fact that information security vendors are now being included in class actions is indicative of the expanding legal fallout associated with such data breaches.

The Umpqua Bank and Trustmark National Bank complaint(s):

FTC Prevails in Fight to Regulate Cybersecurity Practices

By Steven Caponi

On March 7, 2014, U.S. District Judge Esther Salas in New Jersey issued a much anticipated decision rejecting a direct challenge to the Federal Trade Commission’s (FTC) authority to police corporate cybersecurity practices.  Seeking to dismiss an FTC enforcement action, the hotel chain Wyndham Worldwide Corporation, which was supported by many prominent business groups, had argued the commission didn’t have the power to regulate corporate data-security practices.  While still subject to appellate review and not binding on other federal courts, Judge Salas’ decision paves the way for the FTC to seize the mantel as the top federal enforcement authority in the area of cybersecurity.

The FTC has argued that it possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” The FTC further believes that Congress deliberately delegated broad powers to the FTC to address unanticipated developments in the economy including cybersecurity. Exercising this authority, in FTC v. Wyndham Worldwide Corporation, et al., the FTC initiated an action against Wyndham following a series of cyber breaches at several Wyndham-branded hotels where customer credit card information was exposed. The gravamen of the FTC’s action is the belief that Wyndham did not maintain “reasonable and appropriate” data security protections, and that a statement on Wyndham’s website confirming it uses “commercially reasonable efforts” to secure credit card information was deceptive. 

Filing a motion to dismiss the action, Wyndham argued that Congress, not the FTC, is the proper body to regulate cybersecurity, and that it alone has authority over data security standards. Wyndham also argued that Congress’ inability to pass a comprehensive cybersecurity law further undermined the FTC’s position, because Congress would not be grappling with the issue if it had already deputized the FTC to establish cybersecurity standards. Additionally, Wyndham noted that the FTC failed to publish rules or regulations providing companies with fair notice of what protections are expected. By using private enforcement actions, the FTC is, in essence, developing a body of de-facto regulations. Wyndham argued that businesses cannot ensure compliance with the unpublished requirements.

In return, Judge Salas stated: “Wyndham’s motion to dismiss demands that this Court carve out a data security exception to the FTC’s authority and that the FTC publish regulations before filing an unfairness claim in federal court. These demands are, in fact, what bring us into unchartered territory.” Through the balance of a 42-page decision, the court went on to explain in detail why Wyndham’s “demands are inconsistent with governing and persuasive authority.” Although siding with the FTC, Judge Salas was explicit in noting that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Rather, the decision should be viewed as limited to the facts alleged in the specific complaint against Wyndham.

On whether Section 5 permits the FTC to regulate cybersecurity practices, Judge Salas held that permitting the FTC to exercises authority over data security would not lead to a result “that is incompatible with more recent legislation” and thus would “plainly contradict congressional policy.”  Rejecting a narrow interpretation of the FTC’s power, Judge Salas concluded that when Congress created the commission in 1914, it vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to the challenge to the lack of FTC notice, after analyzing the state of the law, the court concluded that the FTC was not required to formally publish regulations over cybersecurity before bringing an enforcement action under Section 5’s unfairness prong. Judge Salas noted that “[t]he courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”

In light of this decision, companies seeking to avoid a run-in with the FTC would be wise to retain cybersecurity professionals to review their cybersecurity practices, compare practices against peers firms, and evaluate cyber protocols in light of all relevant FTC rulings and statements.