And The Survey Says . . . GCs Need More Cybersecurity And Social Media Training

By Jeffrey Rosenthal

Becoming better versed in issues surrounding cybersecurity and social media risk would greatly benefit general counsel at publicly traded companies, according to a recent survey of executive leadership.

In May 2015, a survey of 5,000 directors, board chairs and CEOs of publicly traded companies—sponsored by executive search firm BakerGilmore and NYSE Governance Services—was released.  The survey was conducted in February and March of 2015.

Among the questions asked was which areas executives felt their general counsel would most benefit from gaining additional expertise in so as to add value to their company.  The overwhelming favorite: cybersecurity risk—chosen by 67 percent of the executives surveyed.  The next closest answer was social media risk (39 percent), followed by crisis management (30 percent).

In fact, only 5 percent of respondents assessed their general counsel’s grasp of the issues surrounding cybersecurity as “excellent”; 44 percent characterized it as “good”; and 47 percent as only “fair.”  Likewise, only 7 percent rated their general counsel’s working knowledge of social media risk as “excellent.”

“Not surprisingly, as the corporate world continues to grapple with fallout in the modern cyber era, directors believe general counsel would most benefit from additional education in cybersecurity and social media, areas in which many directors are admittedly lacking in expertise,” wrote the survey’s authors.

But there was also positive news for in-house lawyers:  General counsel are “much more likely” to be considered key members of the management team nowadays, as compared to a decade ago.  “Overall, general counsel are being lauded for their strategic contributions as well as pragmatic ones, making them increasingly valued members of the executive team,” the survey concluded.

A copy of the survey, entitled “GCs Adding Value to the C-Suite,” is available here.

California Passes New Law Protecting Consumers From Data Breaches

By Jeffrey Rosenthal

In response to high-profile intrusions at Target Corp., Neiman Marcus, Home Depot, Inc. and a host of other retailers, California recently passed new legislation implementing small but significant changes to its privacy laws.

On September 30, 2014, Governor Jerry Brown signed Assembly Bill 1710, authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont).  AB 1710 enhances consumer protections by strengthening the requirements businesses must adhere to in the event of a breach.

“Recent breaches emphasized the need for stronger consumer protections and awareness.  The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson, Chair of the Assembly Banking and Finance Committee.  “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”

Specifically, AB 1710:

  • Requires the source of the breach to offer identity theft prevention and mitigation services at no cost to the affected person for no less than 12 months if a Social Security number or driver’s license number is breached;
  • Prohibits the sale of social security numbers, except when part of a legitimate business transaction; and
  • Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

Earlier versions of AB 1710 placed limits on the amount of payment information a retailer could store in its system; it also mandated more stringent encryption standards.  But a coalition of business groups opposed the bill—claiming the data management rules were “onerous and unneeded,” and that it would be ineffective for protecting customer data.  Although these provisions were ultimately removed, Dickinson told news outlets he intends to pick up the notification issue during the next legislative session.  He will also pursue future legislation to tighten encryption standards in California.

Not surprisingly, such legislation follows closely on the heels of a report released by California Attorney General Kamala Harris in February of 2014.  Titled Cybersecurity in the Golden State, the report details how in 2012 more than 2.5 million California residents were victimized by data breaches—more than half of whom would have been protected had companies implemented stricter encryption procedures when transmitting personal data.

In light of AB 1710, retailers and consumer-facing businesses that “maintain” personal information (even if they do not own or license such data) should familiarize themselves with the parameters of the new law to ensure their data security procedures satisfy the law’s “reasonable security” requirement.

A copy of AB 1710 is available here.  The Attorney General report is available here.

Wyndham Secures Interlocutory Appeal Challenging the FTC’s Authority to Regulate Cybersecurity Practices

By Steven Caponi

As part of our ongoing effort to advise clients on significant developments in cybersecurity that are likely to impact their businesses, we have been actively reporting on the case of FTC v. Wyndham Worldwide Corporation, et al., pending before U.S. District Judge Esther Salas in New Jersey. In April of this year we issued a client alert discussing the much anticipated April 7, 2014, decision by Judge Salas, which rejected a direct challenge to the Federal Trade Commission’s (“FTC”) authority to police corporate cybersecurity practices.

In a surprising development, on June 23, 2014, Judge Salas issued a Memorandum Opinion and Order granting Wyndham’s motion seeking immediate appellate review of the April 7 decision—without holding oral argument. Judge Salas’ reasons for supporting Wyndham’s request to file an appeal are instructive and suggest the FTC’s authority to act as the nation’s chief cybersecurity enforcement agency is far from resolved. Following a careful analysis, the Court acknowledged that if its interpretation of the FTC’s authority was incorrect, it would represent reversible error on appeal, requiring a grant of Wyndham’s motion to dismiss. …”

The FTC had sued Wyndham in New Jersey based, in part, on the belief the FTC possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” Moving to dismiss the action, Wyndham argued Congress, not the FTC, is the proper body to regulate cybersecurity and the FTC had failed to publish rules or regulations providing companies with fair notice of what protections are expected or acceptable.

In what was seen as a complete victory for the FTC, Judge Salas rejected Wyndham’s narrow interpretation of the FTC’s Section 5 powers. The Court concluded that Congress had vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to the issue of fair notice, the Court concluded the FTC was not required to formally publish regulations on cybersecurity before bringing an enforcement action. Judge Salas noted that “courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”

To many, what was striking about Judge Salas’ April 7 decision was the manner in which Wyndham’s arguments were quickly dispatched in a straightforward and authoritative fashion. There appeared to be no equivocation or hesitation in the ruling. This led many commentators to suggest the legality of the FTC’s Section 5 powers was no longer seriously in doubt. So it came as a surprise when Judge Salas issued the June 23 Opinion granting the request to seek an interlocutory appeal and acknowledging the prior ruling may not necessarily be correct.

To place the most recent Opinion in context, it is important to note, as did Judge Salas, that “interlocutory certification should be used sparingly and that the District Court should serve as a diligent gatekeeper to prevent premature and piecemeal appeals.” Historically, district and appellate courts have routinely relied upon this logic to quickly deny the vast majority of requests for interlocutory appeal. Before a party can seek an interlocutory appeal, it must first demonstrate under 28 U.S.C. § 1292(b): (i) there is a controlling issue of law; (ii) there is substantial ground for difference of opinion; and (iii) an immediate appeal may materially advance the ultimate determination of the litigation. Even if, however, all three criteria under Section 1292(b) are met, Judge Salas noted “the district court may still deny certification, as the decision is entirely within the district court’s discretion.”

In this instance, Judge Salas concluded all three prongs of Section 1292(b) had been satisfied. With regard to the first prong, the Court noted the April 7 decision involved two controlling issues of law: the FTC’s powers under Section 5 to regulate cybersecurity practices and whether the FTC must “formally promulgate regulations before bringing its unfairness claim under Section 5 of the FTC Act.” The Court further concluded an immediate appeal may advance the ultimate termination of the litigation because it would potentially reduce the scope of a trial, resolve complex issues before trial, and materially narrow the scope of discovery.

For those who have been “handicapping” the likelihood the FTC’s interpretation of its Section 5 powers will prevail, Judge Salas concluded Wyndham’s “statutory authority and fair-notice challenges confront this Court with novel, complex statutory interpretation issues that give rise to a substantial ground for difference of opinion.” Citing Reese v. BP Exploration (Alaska) Inc., 643 F.3d 681, 688 (9th Cir. 2011), the Court held this standard was met because the April 7 decision involved “novel legal issues…on which fair-minded jurists might reach contradictory conclusions.”

Although resolute in her prior ruling, by recognizing other “fair minded jurists” may reach a different conclusion, Judge Salas has sent a clear, cautionary message that the FTC’s authority to regulate cybersecurity practices is not a foregone conclusion. At this juncture, all eyes will be on the Third Circuit Court of Appeals to see if it grants Wyndham’s request for an interlocutory appeal and, if so, how it ultimately rules on the issues identified by Judge Salas. Even after the Third Circuit acts, the scope of the FTC’s authority will not have been definitively decided. For as noted in the June 23 Opinion, “fair minded jurists” sitting in districts outside the Third Circuit and other circuit courts of appeals may reach a different conclusion.

United States v. China: The Battle over Cyber-Espionage Results in Criminal Charges

By Steven Caponi

For those of us who have been active in cybersecurity, it is a well-known fact that the Chinese government, acting through its military, has been the most prolific global perpetrator of cyber-espionage. Over the past several decades, China has emerged as a global power based on its economic prowess rather than its military might. As a result, the Chinese government sees the strength and health of its economy as directly tied to its national security, and by extension, the future of the ruling communist party. As an act of self-preservation, China has relied upon its military to engage in industrial espionage to ensure its companies remain competitive. This conduct has resulted in U.S. officials openly accusing China’s army of launching cyber attacks on American industrial and military targets for the purpose of stealing secrets or intellectual property. Driving this point home, FBI Director James Comey told NBC News, “For too long, the Chinese government has blatantly sought to use cyber-espionage to obtain economic advantage for its state-owned industries.” China has aggressively denied these allegations.

Today, the war of words has moved from press releases and diplomatic protestations to criminal charges and the courtroom. Marking a significant escalation, the United States has brought first-of-its-kind cyber-espionage charges against five Chinese military officials accused of hacking into U.S. companies to gain trade secrets. The charges were leveled against individuals who are believed to work for Unit 61398, the arm of the People’s Liberation Army known to specialize in cyber-warfare. Today’s indictment accuses the Chinese of targeting major U.S. private sector companies in the U.S. nuclear power, metals, and solar products industries.  Among the victims were Westinghouse Electric, U.S. subsidiaries of SolarWorld AG, U.S. Steel, Allegheny Technologies, and Alcoa.

When announcing the indictments, Attorney General Eric Holder said, “This is a case alleging economic espionage by members of the Chinese military and represent the first-ever charges against a state actor for this type of hacking.” He further stated, “The alleged hacking appears to have been conducted for no reason other than to advantage state-owned companies and other interests in China, at the expense of businesses here in the United States. … Our economic security and our ability to compete fairly in the global marketplace are directly linked to our national security.”  Eric Holder’s actions should not come as a surprise in light of comments earlier this year by John Carlin, recently installed as head of the Justice Department’s National Security Division, that cited prosecution of state-sponsored cyber-threats as a key goal for the Obama Administration.

Kentucky Finally Jumps on the Breach Notice Bandwagon, and Adds a Cloud Computing Twist

By Jennifer Daniels

Security Breach Notice

Until last week, Kentucky was one of only four states that had not enacted a security breach notice law. On April 10, 2014, Kentucky adopted HB 232, a law that is pretty standard as it relates to security breach notice obligations. It applies to companies doing business in Kentucky, but includes an exception for information holders that have separate security breach notice obligations under Gramm-Leach-Bliley or HIPAA.  “Personally identifiable information” includes first name or initial and last name, in combination with social security number, driver’s license number, or account number, credit or debit card number, in combination with any required access code. So, Kentucky has not gone so far as to include health information or generic password information as personal information. Under the statute, notice is triggered by an unauthorized acquisition of unencrypted and un-redacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained in a database regarding multiple individuals that actually causes “or leads the information holder to reasonably believe has caused or will cause” identity theft or fraud against any resident of Kentucky.  So, as with many other state security breach notice laws, businesses suffering a security incident will need to contemplate whether it is reasonable to believe that the incident could lead to identity theft or fraud. Keep in mind when evaluating a security incident and whether to notify individuals that, if your business determines that the incident will not likely result in identity theft or fraud, it is important to document your decision-making process.  Under the new law, Kentucky does not require notice of a breach within a specified timeframe, but rather requires notice in the most expedient time possible and without unreasonable delay.

Cloud Computing of Student Data

At the end of 2013, Fordham Law School published a study finding that the contracts that schools enter into with service providers are weak in terms of privacy protections for student information shared with such service providers. According to the study, many schools do not contractually prohibit their vendors from selling or using personal information about students for marketing purposes. Schools have begun to use more and more digital learning programs, and without prohibitions on the nonacademic use of the information collected through such programs, there is a concern that such information may be made available to colleges or future employers without the knowledge or consent of the student or the parents.

To address the concerns around the data-mining of student information, Kentucky has now made it illegal for a cloud services provider to process K-12 student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing service, unless the parent consents to such processing. Kentucky HB 252 provides: “A cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose.” The statute defines “student data” as “any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.” The term includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student. Accordingly, the definition is very broad. It is not clear whether a cloud provider would run afoul of the Kentucky statute if it analyzed aggregate, de-identified information for marketing purposes, in particular because the act of creating aggregate data is itself a form of processing. In addition, the definition of a “cloud computing service provider” under the statute is broad, including any person that operates a service that provides an educational institution with account-based access to online computing resources.

Cloud service providers must certify to Kentucky K-12 educational institutions that they will comply with the provisions of HB 252.

Target Data Breach Suit By Banks Extends To Security Vendor

By Jeffrey Rosenthal

December 18, 2013, was a dark day for Target Corp.  Nationally outed as the victim of the largest retail data breach in history, Target’s CEO Gregg Steinhafel took pains to assure consumers “they will not be held financially responsible for any credit or debit card fraud.”

But according to a March 10, 2014, putative class action in the District of Minnesota, Case No. 0:14-cv-00643, by Umpqua Bank, Steinhafel’s statement “omits” the fact that “it is the nation’s financial institutions—and not Target—ensuring that this is the case.”  According to Umpqua’s complaint, financial institutions are the ones incurring the real costs associated with protecting customer accounts.  This includes providing notice to consumers, reissuing payment cards and refunding fraudulent charges.  The cost of card replacement alone is estimated to ultimately rest around $200 million.

Since then, two more banks, Trustmark National Bank and Green Bank, N.A., have launched a similar class action against the retail giant in the Northern District of Illinois, Case No. 1:14-cv-02069, for its failure to maintain adequate data security protocols—despite suffering two nearly identical breaches in the years preceding this one.  While largely similar, the Trustmark suit, filed March 24, 2014, departs from the aforementioned Umpqua suit in that it also seeks to hold security company Trustwave Holdings, Inc. liable.

“Trustwave failed to live up to its promises, or to meet industry standards,” the Trustmark complaint alleged.  It goes on to claim the vendor’s failure to timely discover and/or report the breach to Target (or the public) further drove up costs.  “The damage done to the banks and other class members is monumental,” the suit asserts.  The alleged cost to banks/retailers could eventually exceed $18 billion.

In a striking turn of events, Trustwave publicly denied having done any cyberthreat mitigation work for Target on March 29, 2014.  This denial came one day after the New York-based Trustmark National Bank filed a notice of voluntary dismissal without prejudice in the proposed class action.  The notice did state, however, that Texas-based Green Bank, N.A. would nevertheless continue with the suit.

When a company suffers a data breach—and especially one as large as Target’s—it is eminently clear that an entire gamut of persons/entities may ultimately be affected.  While the details of the Trustmark action appear largely unsettled, the fact that information security vendors are now being included in class actions is indicative of the expanding legal fallout associated with such data breaches.

The Umpqua Bank and Trustmark National Bank complaint(s):

FTC Prevails in Fight to Regulate Cybersecurity Practices

By Steven Caponi

On March 7, 2014, U.S. District Judge Esther Salas in New Jersey issued a much anticipated decision rejecting a direct challenge to the Federal Trade Commission’s (FTC) authority to police corporate cybersecurity practices.  Seeking to dismiss an FTC enforcement action, the hotel chain Wyndham Worldwide Corporation, which was supported by many prominent business groups, had argued the commission didn’t have the power to regulate corporate data-security practices.  While still subject to appellate review and not binding on other federal courts, Judge Salas’ decision paves the way for the FTC to seize the mantle as the top federal enforcement authority in the area of cybersecurity.

The FTC has argued that it possesses the authority to bring equitable actions challenging cybersecurity practices under Section 5 of the FTC Act, which prohibits “unfair and deceptive acts or practices.” The FTC further believes that Congress deliberately delegated broad powers to the FTC to address unanticipated developments in the economy, including cybersecurity. Exercising this authority, in FTC v. Wyndham Worldwide Corporation, et al., the FTC initiated an action against Wyndham following a series of cyber breaches at several Wyndham-branded hotels where customer credit card information was exposed. The gravamen of the FTC’s action is the belief that Wyndham did not maintain “reasonable and appropriate” data security protections, and that a statement on Wyndham’s website confirming it uses “commercially reasonable efforts” to secure credit card information was deceptive.

Filing a motion to dismiss the action, Wyndham argued that Congress, not the FTC, is the proper body to regulate cybersecurity, and that it alone has authority over data security standards. Wyndham also argued that Congress’ inability to pass a comprehensive cybersecurity law further undermined the FTC’s position, because Congress would not be grappling with the issue if it had already deputized the FTC to establish cybersecurity standards. Additionally, Wyndham noted that the FTC failed to publish rules or regulations providing companies with fair notice of what protections are expected. By using private enforcement actions, the FTC is, in essence, developing a body of de-facto regulations. Wyndham argued that businesses cannot ensure compliance with the unpublished requirements.

In return, Judge Salas stated: “Wyndham’s motion to dismiss demands that this Court carve out a data security exception to the FTC’s authority and that the FTC publish regulations before filing an unfairness claim in federal court. These demands are, in fact, what bring us into unchartered territory.” Through the balance of a 42-page decision, the court went on to explain in detail why Wyndham’s “demands are inconsistent with governing and persuasive authority.” Although siding with the FTC, Judge Salas was explicit in noting that the decision “does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked.” Rather, the decision should be viewed as limited to the facts alleged in the specific complaint against Wyndham.

On whether Section 5 permits the FTC to regulate cybersecurity practices, Judge Salas held that permitting the FTC to exercise authority over data security would not lead to a result “that is incompatible with more recent legislation” and thus would not “plainly contradict congressional policy.”  Rejecting a narrow interpretation of the FTC’s power, Judge Salas concluded that when Congress created the commission in 1914, it vested the FTC with broad discretionary authority under Section 5 to “define unfair practices on a flexible, incremental basis.” With regard to the challenge to the lack of FTC notice, after analyzing the state of the law, the court concluded that the FTC was not required to formally publish regulations over cybersecurity before bringing an enforcement action under Section 5’s unfairness prong. Judge Salas noted that “[t]he courts have consistently held that where an agency, as in this case, is given an option to proceed by rulemaking or by individual adjudication the choice is one that lies in the informed discretion of the administrative agency.”

In light of this decision, companies seeking to avoid a run-in with the FTC would be wise to retain cybersecurity professionals to review their cybersecurity practices, compare those practices against peer firms, and evaluate cyber protocols in light of all relevant FTC rulings and statements.

Cyber Legislation Advances on the State and Federal Level

By Steven Caponi

Last year, cyber attacks on computer networks increased to a record level, doubling the number recorded in 2012. According to cybersecurity research firm FireEye, attacks on enterprises occurred every 1.5 seconds last year, up from once every three seconds the previous year. In the face of this onslaught, it is no surprise that government officials are taking steps to pass cybersecurity legislation. Unfortunately, if the recent announcements by Kentucky and Senator Mark Warner are a harbinger of things to come, it appears that the inability of Congress to enact comprehensive reforms will result in a patchwork of state and federal laws and regulations.

For its part, the Kentucky Senate passed a bill to improve security of personal data located on government computers. Known as House Bill 5, the legislation requires state agencies to better protect private information stored on government computers and also requires state and local government agencies to notify people within 35 days if their personal information is stolen or mishandled. House Bill 5 is a top priority of State Auditor Adam Edelen, who noted, “Every cybersecurity expert agrees that it’s not a matter of if agencies will be hacked. It is just a matter of when.” He further stated that, “From social security numbers, to tax returns, health records, to credit cards, governments possess more sensitive, private data than any other single entity.” These comments likely reflect the past as much as they predict the future, given the 2012 incident in which the Kentucky state finance cabinet accidentally posted Social Security numbers and sensitive information on its website.

House Bill 5 cleared the GOP-controlled Senate without opposition and received final approval from the Kentucky House on March 28. So far, the process has been described as bipartisan, and with 74 co-sponsors, a signature from the Governor appears to be a sure thing.

At the federal level, U.S. Senators Mark Warner (D-Va.) and Mark Kirk (R-Ill.) announced that they will introduce a bipartisan amendment creating a law enforcement partnership between the United States and Ukraine to combat cybercrime and improve cybersecurity. This amendment will be attached to an aid package intended to help bolster the Ukrainian government. At first blush, attaching an amendment to an aid package for Ukraine and limiting its focus to fostering cooperation between two countries may seem puzzling. But Ukraine is a known international haven for hackers, as evidenced by the data breach directed at millions of U.S. customers of Target and other leading American retailers. Both attacks were ultimately traced to cybercrime syndicates operating in Ukraine.

The Warner/Kirk amendment to the Ukraine aid bill proposes the following:

1) The initiation of formal U.S.-Ukraine bilateral talks on cybercrime to be followed by multilateral talks that include other law enforcement partners such as Europol and Interpol.

2) The establishment of a U.S. standing senior-level working group to conduct regular dialogue on cybercrime concerns and share best practices between law enforcement agencies in the U.S. and Ukraine.

3) The expansion of cyber law enforcement capabilities through a program with Ukraine that includes sending FBI agents to assist Ukrainian investigations and improve law enforcement cooperation.

4) Improved extradition procedures. There currently is no U.S.-Ukraine extradition treaty, which makes Ukraine a safe haven for operators of international cybercrime syndicates.

Sen. Warner stated in support of the amendment, “As the United States works to support this new Ukrainian government and as the Senate considers this significant Ukrainian aid package, we have an excellent opportunity to create new structures of cooperation that will better protect American consumers and businesses by working together to crack down on international cybercrime.”

“Our nation is one of the most frequently targeted countries for major cybercrimes and data breaches, accounting for nearly half of the $11 billion of losses on payment cards worldwide,” Sen. Kirk added. “Ukraine is a known hub for cybercrime, and the United States should work with the Ukrainian government to create a framework of cooperation to deter, prevent and counter these cyber criminals and ensure the safety of the newly formed Ukrainian government and financial system.”

Whether the amendment remains part of the aid package and achieves positive results remains to be seen. But if it even slightly diminishes the ability of hackers to operate freely in Ukraine, it will be deemed a success.

SEC Sets Agenda and Identifies Panelists for Its Cybersecurity Roundtable

By Steven Caponi

In February, the U.S. Securities and Exchange Commission (“SEC”) announced its intention to hold a March 26, 2014 roundtable addressing cybersecurity issues facing market participants and public companies.  In the past few days, the SEC finally released the agenda and panelists for the roundtable.  The event will be held at the SEC’s headquarters in Washington, D.C., and is open to the public on a first-come, first-served basis.  For those unable to attend, the event will be broadcast live on the SEC website and archived for viewing at a later time.

The full day event begins at 9:30 a.m., concludes at 3:00 p.m., and will be divided into four panels:

Panel 1—The cybersecurity landscape starts at 9:30 a.m. and will be moderated by Thomas Bayer, Chief Information Officer; Keith Higgins, Director, Division of Corporation Finance; and James Burns, Deputy Director, Division of Trading and Markets.

Panel 2—Cybersecurity disclosure issues faced by public companies starts at 10:40 a.m. and will be moderated by Keith Higgins, Director, Division of Corporation Finance.

Panel 3—Cybersecurity issues faced by exchanges and other key market systems starts at 12:45 p.m. and will be moderated by James Burns, Deputy Director, Division of Trading and Markets.

Panel 4—A discussion of how broker-dealers, investment advisers, and transfer agents address cybersecurity issues, including those involving identity theft and data protection will start at 1:45 p.m. This panel will be moderated by David Grim, Deputy Director, Division of Investment Management; James Burns, Deputy Director, Division of Trading and Markets; and Andrew Bowden, Director, Office of Compliance Inspections and Examinations.

The complete agenda and list of panelists for the roundtable can be viewed here.

Does Obamacare Create a Hackers Pot of Gold?

By Steven Caponi

Adding to the controversy surrounding the Affordable Care Act, aka Obamacare, is a new 253-page Obamacare rule that requires state, federal, and local agencies, and health insurers, to share protected health information (“PHI”) on any individual seeking to join the new “healthcare exchanges.”  PHI includes individual medical histories, test and laboratory results, insurance information, and other personal health-related data.

Although PHI is already protected by various federal laws, the new Obamacare rule allows agencies to trade information in order to verify that applicants are receiving the appropriate level of health insurance coverage from the healthcare exchanges.  The rule, however, does not require that applicants pre-approve the release of their PHI.  In fact, the Department of Health and Human Services already allows the exchange of some PHI without an individual’s pre-approval, especially when it’s for a “government program providing public benefits.”  Officials state that the swapping of information is simply meant to help determine the best insurance coverage for every Obamacare user.

If enacted as written, the new Obamacare rule will result in the creation of one of the largest collections of personal data in U.S. history whereby information will be managed and shared between numerous federal, state, and local governments.  This repository will undoubtedly be an irresistible “pot of gold” for every hacker and identity thief on the planet.

Nish Bhalla, CEO of Security Compass, is an ethical hacker specializing in web security for Fortune 500s, major banks, and well-known technology companies.  Drawing on his unique perspective, Bhalla noted that, “Typically, state governments do not have the same level of resources as the federal government when it comes to cybersecurity.  In fact, a recent study by Deloitte-NASCIO found that only 24 percent of state chief information security officers are confident they can thwart hack attacks.”

Speculating on how the vulnerable exchanges could be exploited, Bhalla believes we will “see a standard crop of web-based attacks directly targeting the state exchanges and federal data hub.  We’re also sure to see a lot of spam, phishing, and ‘waterholing’ attacks that target consumers.”  Aside from direct attacks on the exchanges themselves, hackers will seek softer targets, such as public computer terminals (i.e., libraries, schools, unions, small business associations, etc.) that will be made available for people to enroll in an exchange.  Other vulnerable targets include various “navigator” companies responsible for helping people enroll online.

While the healthcare exchanges have conducted security audits, the testing has not been as rigorous as one might expect given the amount of PHI at risk.  As with many aspects of Obamacare, security testing appears to have been rushed in order to meet specific deadlines.  Numerous news stories have already reported on the “glitches” with Obamacare’s online enrollment portal, arriving at the evident conclusion that rushing any large project is likely to result in errors.

While it’s too soon to determine how secure our PHI will be in the hands of various government agencies, we do know that hackers will be unable to resist the temptation to grab at such low-hanging fruit.