Genelink, Inc. Must Improve Safeguards of Consumers’ Sensitive Information

By Jennifer Daniels

Two marketers of genetically customized nutritional supplements have agreed to settle Federal Trade Commission (“FTC”) charges of deceptive advertising claims and lax information security practices.  Apparently, the main purpose of the FTC’s investigation had to do with unsubstantiated advertising claims about Genelink’s products, but the FTC took the opportunity to also question the security processes employed by Genelink.  The FTC’s complaint charges that Genelink deceptively and unfairly claimed that it had taken reasonable and appropriate security measures to safeguard and maintain personal information from nearly 30,000 consumers.  Genelink collected genetic information, social security numbers, bank account information, and credit card numbers.  The complaint alleges that Genelink did not require service providers to have appropriate safeguards for personal information, and failed to use readily available security measures to limit wireless access to its network.  The proposed order requires Genelink to establish and maintain a comprehensive information security program and to submit to security audits by an independent auditor every other year for 20 years.  As I have said before, sometimes the ongoing compliance obligations are much more burdensome and costly than any fines or penalties imposed by regulators.

Breach by Dermatology Practice Results in Fine and Corrective Action Plan with HHS

By Jennifer Daniels

A dermatology practice called Adult & Pediatric Dermatology, P.C. (“Covered Entity”) reported a security breach as required by the Health Insurance Portability and Accountability Act (“HIPAA”) to the Department of Health and Human Services (“HHS”) on October 7, 2011.  The Covered Entity reported that an unencrypted thumb drive was stolen from the vehicle of a member of its workforce, and that the drive contained the protected health information (“PHI”) of approximately 2,200 individuals.  The thumb drive was never recovered.  The Covered Entity notified the impacted patients of the theft as required by applicable law, and provided notice to HHS in accordance with the breach notification rules under HIPAA / HITECH.

As is often the case, HHS decided to investigate the Covered Entity following notice of the security breach.  The HHS investigation revealed:

  • The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security process until October 2012.
  • The Covered Entity did not fully comply with the requirements of the HIPAA breach notification rules because it did not have written policies and procedures regarding its breach notification process, nor did it train members of its workforce regarding the breach notice requirements until February 2012.
  • On September 14, 2011, the Covered Entity impermissibly disclosed the PHI of 2,200 individuals by permitting an unauthorized individual access to the PHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members.

The Covered Entity agreed to pay HHS $150,000 to resolve the investigation, and agreed to enter into and comply with a Corrective Action Plan.

Sometimes, the fine is not as significant as the ongoing cost of the corrective actions required by the regulators.  Here, the agreed upon Corrective Action Plan gives the Covered Entity one year to conduct a comprehensive risk analysis of its security risks and vulnerabilities that incorporates all of the Covered Entity’s electronic media and systems, and to develop a risk management plan to address and mitigate the risks and vulnerabilities identified.  The risk analysis, risk management plan, and any revised policies and procedures must be forwarded to the HHS Office of Civil Rights (“OCR”) for review and approval within 60 days of the date completed by the Covered Entity.  OCR will review the submission and may require revisions.  Upon approval by OCR, the Covered Entity must train its workforce on the revised policies and procedures within 30 calendar days.   During the time period covered by the Corrective Action Plan, if any workforce member fails to comply with the policies and procedures, the Covered Entity must investigate and report such noncompliance to OCR, including any actions taken by the Covered Entity to mitigate the resulting harm and to prevent recurrence.

Ultimately, the Covered Entity must provide OCR with an Implementation Report describing how the Covered Entity implemented its security management process, and an attestation from an officer of the Covered Entity that any revisions required by OCR were fully implemented and its workforce members were completely trained.  An uncured breach of the Corrective Action Plan can lead to the imposition of Civil Monetary Penalties.

The House Advances Cybersecurity Legislation?

By Steven Caponi

Despite the steady increase of cyber crime, the public recognition of the threat and a steady clamoring for legislation addressing the threat, Washington has yet to meaningfully respond.  Not surprising, given the increasing levels of partisanship and heated fights over even mundane issues.  In this environment, the House Homeland Security Committee’s (“HSC”) October 29, 2013 approval of two bills, H.R. 3107 and H.R. 2952, falls into the category of “be thankful for small miracles.”  While not the comprehensive or even meaningful action sought, the bills are a step in the right direction—a step that will hopefully lead to bigger and bolder action in the future.

Contrary to its current title, “Homeland Security Cybersecurity Boots-on-the-Ground Act,” H.R. 3107 does not directly address cybersecurity or put additional “boots on the ground.”  Rather, the bill directs the Department of Homeland Security (“DHS”) to develop uniform job titles, long-term hiring strategies, and training regimens commensurate with the cybersecurity threat.  Specifically, H.R. 3107 directs the Secretary of Homeland Security to develop:

  • occupation classifications for individuals performing activities in furtherance of the cybersecurity mission of DHS, and to ensure that such classifications may be used throughout DHS and are made available to other federal agencies;
  • a workforce strategy that enhances the readiness, capacity, training, recruitment, and retention of the DHS cybersecurity workforce, including a multi-phased recruitment plan and a 10-year projection of federal workforce needs; and
  • a process to verify that employees of independent contractors who serve in DHS cybersecurity positions receive initial and recurrent information security and role-based security training commensurate with assigned responsibilities.

The bill also requires the DHS Chief Human Capital Officer and Chief Information Officer to assess the readiness and capacity of DHS to meet such mission; and the Secretary to provide Congress with annual updates regarding such strategies, assessments, and training.  At first glance, H.R. 3107 will be of greater interest to human resource officers than chief information security officers.

H.R. 2952, dubbed the Critical Infrastructure Research and Development Advancement Act, comes closer to addressing current needs by focusing the Homeland Security Act of 2002 on critical infrastructure.  Unfortunately, this bill also addresses long-term planning and process more than it addresses immediate needs.  On the positive side, the bill does directly require the Science and Technology Directorate to develop, within 180 days, a strategic plan to guide “the overall federal physical security and cybersecurity technology research and development efforts for protecting critical infrastructure.”  Providing some insight into the thinking in Congress, the bill requires that the strategic plan include specific elements such as:

  • An identification of critical infrastructure security risks and the associated security technology gaps.
  • A set of critical infrastructure security technology needs that is prioritized based on risk and gaps identified under paragraph.
  • An identification of laboratories, facilities, modeling, and simulation capabilities that will be required to support the research, development, demonstration, testing, evaluation, and acquisition of the security technologies.

Like its sister bill, H.R. 2952 has a reporting requirement directing the Secretary for Science and Technology to report to Congress on DHS utilization of “public-private research and development consortiums for accelerating technology development for critical infrastructure protection.”

While not the comprehensive solution so many are seeking, these two bills prove that some in Congress are willing to address this important issue.  Hopefully the bills portend a new level of cooperation in Washington that is built on the need to address the growing cybersecurity threat.

NIST Releases “Voluntary” Preliminary Cybersecurity Framework

By Jennifer Daniels

As called for in President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” the National Institute of Standards and Technology (“NIST”) has released the Preliminary Cybersecurity Framework for improving critical infrastructure cybersecurity (the “Framework”).  The Executive Order required NIST to develop a Framework that would provide a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to assist organizations responsible for critical infrastructure to manage cybersecurity risk.

The Executive Order requires the Secretary of the Department of Homeland Security (“DHS”) to coordinate with the Sector Specific Agencies to establish a voluntary program to support the adoption of the Framework by owners and operators of critical infrastructure.  In issuing the preliminary Framework, the head of NIST again emphasized the voluntary nature of the Framework.  Of course, as required by the Executive Order, the Sector Specific Agencies have published their preliminary recommendations for incentives to adopt the Framework, including the suggestions that adoption of the Framework be a condition for receiving a federal critical infrastructure grant, government services to those who implement the Framework be expedited, and Framework participants be publicly recognized.  It remains to be seen whether an entity in the critical infrastructure can remain competitive without adopting the “voluntary” Framework.  Further, as with many industry standards, compliance with the Framework may effectively become mandatory if courts look to it as what is reasonable security in the industry.  If entities in the critical infrastructure (and beyond) adopt the Framework as the standard for vendor audits, then companies will need to become fluent in using the Framework to communicate about their cybersecurity readiness.

The Framework is intended to help organizations establish a cybersecurity program, assess their already existing cybersecurity program, and communicate cybersecurity requirements or expectations with business partners and service providers.  The Framework is built around five functions described as the Framework “Core Functions”: Identify, Protect, Detect, Respond, and Recover.  Each Core Function is broken down into Categories and Subcategories, with NIST providing Informative References for each Subcategory, which are existing standards, guidance, and practices that are basically resources to look to for help with that Subcategory.  The five Core Functions lead an organization through the process of (1) conducting a risk assessment taking into consideration your organization’s mission objectives, systems, assets, regulatory requirements, and capabilities, as well as the operational environment to discern the likelihood of a cybersecurity event that could impact your organization; (2)  developing and implementing appropriate safeguards to protect the organization’s systems, data, and assets; (3) developing and implementing activities to detect a cybersecurity event; (4) developing and implementing activities to take action regarding a detected cybersecurity event; and (5) developing and implementing activities to restore capabilities or critical infrastructure services that were impaired by a cybersecurity event.  The second through fifth Core Functions (steps 2-5 in the process) are approached taking into consideration the current and target profiles created by the organization in the first step of the process—“Identify.”  The “Identify” function allows the organization to prioritize.

The preliminary Framework released on Tuesday includes an appendix that presents a methodology to address privacy and civil liberties considerations around the deployment of cybersecurity activities and the protection of personally identifiable information, which is based on the Fair Information Practice Principles (“FIPPs”) referenced in the Executive Order.  The appendix includes Informative References related to privacy and civil liberties standards, guidance, and best practices, as well.

The preliminary Framework is open for public comment, with the next version planned for February 2014.

Does Obamacare Create a Hackers Pot of Gold?

By Steven Caponi

Adding to the controversy surrounding the Affordable Care Act, aka Obamacare, is a new 253-page Obamacare rule that requires state, federal, and local agencies, and health insurers, to share protected health information (“PHI”) on any individual seeking to join the new “healthcare exchanges.”  PHI includes individual medical histories, test and laboratory results, insurance information, and other personal health-related data.

Although PHI is already protected by various federal laws, the new Obamacare rule allows agencies to trade information in order to verify that applicants are receiving the appropriate level of health insurance coverage from the healthcare exchanges.  The ruling, however, does not require that applicants pre-approve the release of their PHI.  In fact, the Department of Health and Human Services already allows the exchange of some PHI without an individual’s pre-approval, especially when it’s for a “government program providing public benefits.”  Officials state that the swapping of information is simply meant to help determine the best insurance coverage for every Obamacare user.

If enacted as written, the new Obamacare rule will result in the creation of one of the largest collections of personal data in U.S. history whereby information will be managed and shared between numerous federal, state, and local governments.  This repository will undoubtedly be an irresistible “pot of gold” for every hacker and identity thief on the planet.

Nish Bhalla, CEO of Security Compass, is an ethical hacker specializing in web security for Fortune 500s, major banks, and well-known technology companies.  Drawing on his unique perspective, Bhalla noted that, “Typically, state governments do not have the same level of resources as the federal government when it comes to cybersecurity.  In fact, a recent study by Deloitte-NASCIO found that only 24 percent of state chief information security officers are confident they can thwart hack attacks.”

Speculating on how the vulnerable exchanges could be exploited, Bhalla believes we will “see a standard crop of web-based attacks directly targeting the state exchanges and federal data hub.  We’re also sure to see a lot of spam, phishing, and ‘waterholing’ attacks that target consumers.”  Aside from direct attacks on the exchanges themselves, hackers will seek softer targets, such as public computer terminals (i.e., libraries, schools, unions, small business associations, etc.) that will be made available for people to enroll in an exchange.  Other vulnerable targets include various “navigator” companies responsible for helping people enroll online.

While the healthcare exchanges have conducted security audits, the testing has not been as rigorous as one might expect given the amount of PHI at risk.  As with many aspects of Obamacare, security testing appears to have been rushed in order to meet specific deadlines.  Numerous news stories have already reported on the “glitches” with Obamacare’s online enrollment portal, drawing the evident conclusion that rushing any large project is likely to result in errors.

While it’s too soon to determine how secure our PHI will be in the hands of various government agencies, we do know that hackers will be unable to resist the temptation to grab at such low-hanging fruit.

Cybersecurity Reform Derailed by Snowden and Budget Battles

By Steven Caponi

This year began with a massive security leak by Edward Snowden, then turned to talk of war with Syria, and now looks to be ending in a budget stalemate that has all but crippled the federal government.  In the face of these events, it is no surprise that meaningful cybersecurity reform legislation is unlikely to make its way into law.  The lack of progress comes a year after the failed effort to advance cybersecurity reform, and months after President Obama called on lawmakers to advance legislation.  The tepid pace of reform seems unlikely to change despite the continuing assault on our nation’s IT infrastructure by the Chinese, Iranians, and Syrians.

The fate of cybersecurity reform continues to be bogged down by lingering disputes over protections for information sharing, litigation reform, and privacy standards.  Earlier this year, the House passed the Cyber Intelligence Sharing and Protection Act (“CISPA”).  The bill went nowhere after drawing objections from Senate Democrats and the White House, who backed a different bill but failed to woo skeptical Republicans and critical interest groups.  For its part, the Senate has yet to draft a major cybersecurity bill.

Dianne Feinstein (D-Calif.) and Saxby Chambliss (R-Ga.), who led the Senate’s intelligence efforts, have not released a draft bill, despite extensive negotiations.  Instead, they have been preoccupied with the fallout from Snowden’s surveillance leaks and the debate over reforming the National Security Agency.  On a substantive level, Chambliss acknowledged that a major hang-up includes the fight over lawsuit immunity for companies that act on government data that proves to be incorrect.

As for the House, there have been efforts to modify CISPA to overcome the Democrats’ concerns and to secure additional support.  Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) tightened CISPA’s privacy protections, but remained unable to obtain support from the Administration and Senate Democrats.  Rep. Adam Schiff (D-Calif.), a member of the House Intelligence Committee, noted “I do think we’ve been too slow to deal with this issue,” and that it has been “much more difficult” to pass cybersecurity legislation for reasons including Snowden’s leaks.

For its part, the White House is too preoccupied with the budget stalemate to spend its precious resources on cybersecurity legislation.  “The most important thing that Congress can do for the nation’s cybersecurity right now is to fund the entire government, including cybersecurity missions and operations,” a White House spokesman said.

Giving little room for optimism, when asked if a cybersecurity bill would become law this year, Rogers stated, “You might not expect it, but you ought to pray for it.”

To read more on delayed cybersecurity reform, click here for an article by Politico.

HIPAA Compliance in the Cloud

By Jennifer Daniels

Word on the street is that Google and Amazon have quietly started to offer business associate agreements (“BAAs”) to their healthcare customers using their cloud services.  As you probably know, the Health Insurance Portability and Accountability Act (“HIPAA”) now requires that cloud providers comply with the HIPAA Security Rule if they process protected health information (“PHI”) on behalf of a covered entity, regardless of whether they sign a business associate agreement.  So, while it is nice that these large cloud providers are beginning to execute such agreements, it is not a surprise, and it is probably to their benefit, as they will be responsible directly for HIPAA violations anyway, and such contracts offer them the opportunity to limit their liability as much as possible under the law.

Cloud providers are notorious for trying to disclaim as much liability as possible related to the services they provide.  By entering into these business associate agreements, it gives them the opportunity to state, once again, exactly what they will be responsible for and what they will not.  Further, Google stated publicly that if customers have not entered into a BAA with Google, they must not store PHI using Google services.  I imagine their contracts reflect this idea—that they will not be responsible for protecting PHI about which they do not know.

Unless they are large customers with a lot of leverage, most companies have little power to negotiate responsibility for losses with cloud service providers.  Companies nevertheless need to try to negotiate what cloud providers are responsible for, including which liabilities and at what levels.  Companies should push to conduct their typical vendor audits with cloud providers.  Some cloud providers will give representations as to outside security certifications, such as the Federal Information Security Management Act (FISMA), the International Organization for Standardization (ISO), and the Statement on Standards for Attestation Engagements (SSAE), which is helpful.  Further, realize that cloud providers may be outsourcing your data to still other cloud service providers.  Companies should therefore make sure that contracts with cloud providers, including BAAs, contemplate liability for downstream losses caused by subcontractors.

Vulna Adware Threatens Millions of Android Mobile Devices

By Steven Caponi

Researchers have confirmed that a widely used Android mobile ad library app poses a significant threat to mobile users.  The ad library has been dubbed “Vulna” (or “vulnerable and aggressive”), which allows attackers to “perform dangerous operations such as downloading and running new components on demand.”

The scope of the problem is significant—researchers “have analyzed all Android apps with over one million downloads on Google Play, and found that over 1.8% of these apps used Vulna.  These affected apps have been downloaded more than 200 million times in total.”

Developed by third parties, mobile ad libraries are embedded in “host apps” to display advertisements.  This class of software also collects International Mobile Subscriber Identity (commonly referred to as “IMSI”) and International Mobile Equipment Identity (commonly referred to as “IMEI”) codes.  What makes Vulna dangerous is its ability to amass call record details and SMS text messages, as well as to allow for the execution of malicious code.

“Vulna is aggressive—if instructed by its server, it will collect sensitive information such as text messages, phone call history, and contacts.  It also performs dangerous operations such as executing dynamically downloaded code.  Second, Vulna contains a number of diverse vulnerabilities.  These vulnerabilities when exploited allow an attacker to utilize Vulna’s risky and aggressive functionality to conduct malicious activity, such as turning on the camera and taking pictures without user’s knowledge, stealing two-factor authentication tokens sent via SMS, or turning the device into part of a botnet.”

Wichita Kansas E-Procurement Website Hacked

By Steven Caponi

The City of Wichita announced that it is cooperating with the FBI to investigate a recent hacking incident involving the city’s procurement website.  Preliminary indications suggest that personal information of thousands of vendors and employees was exposed.  This attack on a local government site could be an anomaly, or it could suggest that we are going to experience a wave of cyber attacks directed at vulnerable government web sites.

One of the city’s 14 web sites, its e-procurement website, was hacked over the weekend compromising the private financial information of vendors that have done business with the City and current or former employees who have been reimbursed for travel and other expenses since 1997.  As many as 29,000 vendors and employees may be affected.

The attack affected the City’s procurement process, and city officials are working with their e-procurement software vendor to make certain the procurement system is operating and secure.  The city issued the following statement:

“The City of Wichita is deeply concerned about this breach of security and the impact it may have on our vendors and employees,” City Manager Robert Layton said. “Numerous steps are being taken to obtain more information about the incident, including the involvement of appropriate law enforcement agencies.”

Israel Opens New Cybersecurity Research Center

On September 3, Israeli Prime Minister Benjamin Netanyahu cut the ribbon on the Beer-Sheva Advanced Technologies Park (“ATP”), located at the Ben-Gurion University of the Negev (“BGU”).   Upon completion, the ATP will encompass sixteen buildings on twenty-three acres of land, with two million square feet of office and lab space, a conference center, and a hotel.

BGU is ATP’s academic research partner and the ideal location for ATP given its focus on cybersecurity matters—the city of Beer-Sheva is a growing hub of cybersecurity innovation, and is also home to CyberLabs, Israel’s first cybersecurity incubator.  CyberLabs is located at the ATP near the Israeli army’s elite technology units, which include the main cybersecurity training center for the Israel Defense Forces.  A clear objective of the ATP is to pair the best talent in academia and the military in order to foster the growth of companies focused on cybersecurity initiatives and research.

Prime Minister Netanyahu declared the ATP “a national cyber centre that will maximize the resources of the University, the IDF, and the new high-tech tenants.”  ATP is already home to several international companies, including Oracle, Deutsche Telekom, EMC², RSA, and ECI Telecom.

To read more on the ATP, please click here.

Department of Energy Awards $30 million in Cybersecurity Grants

By Steven Caponi

U.S. energy officials recently announced that eleven projects will share $30 million in awarded grants to fund the development of new technologies that will strengthen and better protect the electric grid and oil-and-gas infrastructure from potential cyber attacks.

With support from the Department of Energy (“DOE”), energy sector organizations in California, Georgia, New Jersey, North Carolina, Tennessee, Virginia, and Washington will develop new systems, frameworks, and services to advance the DOE’s vision of more resilient energy delivery control systems.

The grants are the most recent effort by the DOE to help secure the nation’s critical energy infrastructure from cybersecurity threats.  According to the DOE, it has invested more than $100 million in cybersecurity research and development through awards and funding provided to industries, universities, and national laboratories since 2010.

Combined, the eleven projects will advance expertise in power system engineering and cybersecurity, with a focus on testing new products to demonstrate their effectiveness and interoperability.  The projects comport with the DOE’s cybersecurity Roadmap to Achieve Energy Delivery Systems Cybersecurity, which represents the joint efforts of the energy sector in coordination with the DOE.  The Roadmap represents a strategic framework for the design, installation, operation, and maintenance of a secure energy delivery system capable of sustaining a cyber incident.

The eleven projects selected for grant funding are:

ABB, Inc. – Cary, NC
DOE share: $ 2,765,733; Recipient share: $ 936,793
ABB will develop a system that allows substation devices to work together to validate the integrity of communications, such as commands to change a protective relay’s configuration, and assess the potential impact on grid operations.

Electric Power Research Institute, Inc. (“EPRI”) – Palo Alto, CA
DOE share: $ 1,524,959; Recipient share: $ 529,384
EPRI will develop a framework that allows utilities to centrally manage the remote configuration of their energy delivery system devices—regardless of vendor or age—more securely.

Foxguard Solutions, Inc. – Christiansburg, VA
DOE share: $ 3,298,893; Recipient share: $ 1,003,399
Foxguard will develop a service that allows utilities to simplify the process of keeping up-to-date with the most current firmware and software patches and updates.

Georgia Tech Applied Research Corporation – Atlanta, GA
DOE share: $ 3,283,063; Recipient share: $ 1,726,000
Georgia Tech Applied Research Corporation will develop a technology that evaluates energy delivery system control commands to anticipate their impact on power grid operations and, if needed, implement cybersecurity responses to prevent disruptions.

Grid Protection Alliance – Chattanooga, TN
DOE share: $ 2,213,000; Recipient share: $ 637,000
The Grid Protection Alliance will develop an architecture that enables more secure substation communications for data generated by legacy or modern energy delivery devices.

National Rural Electric Cooperative Association (“NRECA”) – Arlington, Virginia
DOE share: $ 3,620,725; Recipient share: $ 1,137,367
NRECA will develop a network that allows utilities and small electric cooperatives with limited resources to centrally manage their networks more securely.

Schweitzer Engineering Laboratories, Inc. – Pullman, WA
DOE share: $ 2,094,599; Recipient share: $ 845,140
Schweitzer will develop an integrated cyber-physical access control system that simplifies the process of managing access to energy delivery facilities.

Schweitzer Engineering Laboratories, Inc. – Pullman, WA
DOE share: $ 3,771,371; Recipient share: $ 1,068,807
Schweitzer will develop a radio platform for more secure “last mile” wireless communications used with remote energy delivery infrastructure, such as distribution substations.

Schweitzer Engineering Laboratories, Inc. – Pullman, WA
DOE share: $ 3,892,170; Recipient share: $ 1,248,207
Schweitzer will develop software that allows utilities to centrally manage their local area networks more securely, providing real-time awareness of cyber activity and rerouting network traffic in response to cyber intrusions.

TT Government Solutions, Inc. – Red Bank, NJ
DOE share: $ 956,560; Recipient share: $ 324,205
TT Government Solutions will develop a technology that analyzes and visualizes smart meter wireless communications to quickly detect unusual behavior that could suggest a cyber attack.

Viasat, Inc. – Carlsbad, CA
DOE share: $ 3,250,000; Recipient share: $ 3,301,163
Viasat will develop an architecture that gives utilities awareness of the status of their energy delivery systems’ cybersecurity, and allows them to automatically respond to cyber intrusions as predetermined in the utility’s cybersecurity policy.

New iPhone Security Feature Hacked by Chaos

By Steven Caponi

As with all Apple products, the launch of the iPhone 5s was heavily anticipated, overly hyped, and embraced with significant fanfare.  Unfortunately, a few individuals with more nefarious intentions were hidden within the long lines of Apple devotees seeking to buy the latest and greatest phone.  These individuals were members of the Chaos Computer Club (“CCC”), Europe’s self-proclaimed “largest association of hackers.”

Within hours of securing their iPhone 5s, the CCC claimed to have bypassed the Touch ID feature using some tried-and-true methods.  According to their claim, the CCC took a photograph of a user’s fingerprint that was left on a glass surface, created a latex recreation of said fingerprint, and held it against said user’s iPhone 5s to successfully authenticate their way into the device.

A more detailed account of how this hack was accomplished can be found in this article written by David Murphy and the team at P.C. Magazine.

Student Hacks Cripple $1 billion L.A. iPad Initiative

By Steven Caponi

In a stunning example of students besting their teachers, within days of receiving new school-issued iPads, more than 300 Los Angeles students hacked through protective measures placed on the Apple tablets, giving them complete access to features — including Facebook, Twitter and other apps — that should otherwise have been blocked.  It appears students managed to bypass the security lock on the device by deleting a personal profile preloaded in the settings.  Revelations of the massive hack all but brought to a halt a highly publicized $1 billion initiative to place iPads in the hands of nearly 650,000 students.

Tom Kaneshige of CIO has an informative article discussing the incident.

Board of Directors Liability for Cybersecurity

By Steven Caponi

The likelihood of a cybersecurity breach hitting a company in the near future is as certain as the subsequent drop in shareholder value, finger-pointing, fines, regulatory headaches, and civil litigation alleging the board was asleep at the wheel in the face of a known danger when that danger finally materializes.  The question every board member must answer is whether the actions they are currently taking to protect their company’s digital assets are sufficient to withstand the Monday morning quarterbacking that will occur after a cyber attack incident.

I recently published a series of three articles intended to help boards of directors better understand the breadth of their fiduciary obligation in managing looming cybersecurity threats.

In today’s world, many companies maintain their most valuable assets in digital form.  Thieves no longer need to physically enter a company’s facility to steal its valuables. Rather, an individual on the other side of the globe, or right next door, can, with equal impunity, silently steal a company’s most prized possessions by breaching its data network.  Due to the evolving nature of cyber risks, there is a lack of authority discussing the scope of a board’s obligation to address such attacks.

Obviously, directors’ fiduciary duties will extend to the protection of significant digital assets. The more difficult question to answer is: What are the contours of a director’s fiduciary obligation when it comes to cybersecurity?  As discussed in my articles, the answer to these vexing questions is almost always “it depends.”  As with all risks, the extent of a director’s obligation and the amount of attention an issue should receive at the board level will depend on such things as the nature of the company, the foreseeability of an attack, and the potential severity of a cyber breach.

Each of the three articles in my “Cybersecurity and the Board of Directors: Avoiding Personal Liability” series can be read in its entirety by clicking on the links below:

Part I:

Part II:

Part III:

Government Shutdown Increasing Cybersecurity Risks

By Steven Caponi

While the news runs countless stories detailing the closure of national parks, little attention has been paid to the impact of the ongoing government shutdown on our nation’s IT infrastructure.  As detailed in a recent article by Nicole Blake Johnston of the Federal Times, the widespread furlough of federal employees has left many critical security systems unmanned or of diminished usefulness.  This gap in our cybersecurity defenses is an opportunity that cyber criminals are likely to exploit.

Although the network and security operations centers operated by the Department of Homeland Security (“DHS”) remain staffed, the government’s lead defender of civilian computer networks is operating with fewer resources during the shutdown.

“DHS’ National Protection and Programs Directorate (“NPPD”), which contains many of the department’s cybersecurity personnel, is operating with nearly half of its staff gone, according to the agency’s Sept. 27 shutdown plan.  NPPD estimates 1,617, or 57 percent, of its 2,835 employees will continue working through a shutdown because they are either presidential appointees, law enforcement officers, paid with funds other than annual appropriations, or needed to protect life and property.”

Contrary to the impression created by the National Security Agency scandal, sophisticated computer algorithms are not the only drivers of our security systems.  It is necessary to have highly trained personnel analyzing the information that is flagged by cyber risk software so that they can make the critical decision to act when a security breach occurs.