Data Law Insights

Legal insights on navigating privacy, data protection, cybersecurity, information governance, and e-discovery

Former IT Administrator Sentenced to Prison for Hacking Canadian Pacific Railway Network

Posted in Cybersecurity / Data Security
Stephanie Reiter

Yesterday, U.S. District Judge Patrick Schiltz sentenced a former IT administrator to 366 days in federal prison following a Consumer Fraud and Abuse Act conviction.

Christopher V. Grupe was employed as an IT professional by Canadian Pacific Railway from September 2013 to December 2015. In December of 2015, Grupe was suspended for insubordination after a confrontation with his supervisor. After learning that Canadian Pacific Railway planned to terminate him, Grupe issued a letter of resignation in which he stated he would return company-owned devices to the Minneapolis, MN headquarters. Prior to returning his company-issued laptop and remote access token, Grupe leveraged his administrator credentials, which were still active, to infiltrate the transcontinental railway system’s core switches. Once inside, he deleted key permissions, passwords, and files on the network hardware, resulting in outages across parts of Canadian Pacific Railway’s system. Although Grupe wiped his laptop’s hard drive before returning it, Canadian Pacific Railway hired an outside security company to identify the source of the intrusion and forensically link Grupe’s activity to the outage. A jury found Grupe guilty of one count of intentional damage to a protected computer.

As we noted in March of 2017, the prevalence of cyberattacks perpetrated at the workplace, particularly in the context of employee separations, is increasing. Companies should develop comprehensive insider risk programs that focus on potential threats and key vulnerabilities in both virtual and physical environments. This may include the use of policies, training, technology, behavioral analysis, and stakeholder support to detect, prevent, and respond to such threats. Insider threat mitigation programs should define the behavioral expectations of the workforce through clear and consistently enforced policies that articulate defined consequences for violating them. Companies should trust their employees, but balance that trust with independent verification to avoid a single point of failure.

National Archives Issues New, But Limited, CUI Contract Guidance

Posted in Cybersecurity / Data Security
Michael Gruden, Kate M. Growley

The Information Security Oversight Office (“ISOO”) within the National Archives and Records Administration (“NARA”) recently issued guidance for all non-executive branch entities  (such as elements of the legislative or judicial branches of the Federal Government; state, tribal or local government elements; and private organizations including contractors) concerning controlled unclassified information (“CUI”).  Specifically, the ISOO  issued CUI Notice 2018-01, which provides CUI guidance regarding information sharing agreements with non-executive branch entities (herein “IS agreements”) that are not governed by the forthcoming CUI Federal Acquisition Regulation (“FAR”) Clause.  Examples of applicable IS agreements include certain contracts, grants, licenses, memoranda of understanding, and information-sharing arrangements.  The ISOO guidance provides both mandatory and recommended language for inclusion in IS agreements:

Fourth Circuit Raises Bar for DMCA Safe Harbor Defense

Posted in Advertising & Product Risk Management, Cybersecurity / Data Security, Litigation, Uncategorized
Joe Meadows, Christopher A. Cole

Last Thursday, the Fourth Circuit decided a closely followed case on one of the safe harbor defenses under the Digital Millennium Copyright Act (DMCA). See BMG Rights Management (US) LLC v. Cox Communications, Inc., No. 16-1972 (4th Cir. Feb. 1, 2018). The court also addressed the intent standard for contributory copyright infringement.

BMG, an owner of copyrights in digital music files, sued Cox, an internet service provider, for contributory copyright infringement by Cox subscribers engaging in “peer-to-peer” music file sharing. The district court held that Cox was not entitled to the safe harbor defense under Section 512(a) of the DMCA because Cox did not satisfy the conditions under Section 512(i)(1)(A) that it “adopted and reasonably implemented … a policy that provides for the termination in appropriate circumstances of subscribers … who are repeat infringers.” At trial, a jury found Cox liable and awarded BMG $25 million.

U.K. Announces Fines Up To $24M For Cyber Noncompliance

Posted in Cybersecurity / Data Security
Maida Oringher Lerner, Maarten Stassen, Michael Gruden

The United Kingdom’s National Cyber Security Centre (“NCSC”) recently announced guidance whereby industries could be fined up to $24 million (£17 million) for not having effective cybersecurity measures in place.  The penalties apply to critical infrastructure sectors including energy, transportation, water and healthcare.  While the U.K. government stated that these penalties will be “a last resort,” the government will employ “sector-specific regulators” to monitor cybersecurity compliance across these critical infrastructure disciplines. 

Concurrently, the NCSC released Network and Information Systems (“NIS”) Guidance, which dovetails with the European Union’s NIS Directive for an EU bloc-wide cybersecurity deadline by May 9, 2018.  The NCSC’s guidance is based on “14 key principles” and aligns with current cybersecurity standards.  NCSC is due to provide a Cyber Assessment Framework by late April 2018, which should provide a systematic methodology that critical industry can use to meet compliance with the 14 requisite cybersecurity principles.

Created in 2017, the NCSC functions as the cybersecurity technical expert and advisor to the U.K. government and industry.  They are serving as the point of contact for the United Kingdom’s NIS implementation efforts. The NCSC is also the notification point of contact for all cyber-related incident reporting.

New GDPR Guidance from EU Commission

Posted in GDPR
Maarten Stassen, Michael Gruden

The European Commission has recently released a new website providing guidance on the General Data Protection Regulation (“GDPR”) implementation requirements.  The website provides a plethora of resources both to industry looking to become compliant with GDPR standards and to citizens looking to understand their data protection rights.  Highlights of the website include a resource library containing guidance on application of the GDPR; an infographic that explains the core requirements of the regulation; and a “rules for business” repository, which provides definitions, examples and reference documents for GDPR terminology.  With almost 100 days remaining until the GDPR becomes enforceable on May 25, 2018, this new resource is a timely addition for those seeking to comply with the regulation.

For additional information concerning GDPR compliance, please consult C&M’s European General Data Protection Regulation website here.  For further counsel, please contact your local C&M representative or one of the attorneys listed above.  

LEARN ABOUT OPPORTUNITIES, RISKS OF BIG DATA IN CROWELL & MORING’S 2018 LITIGATION FORECAST COVER STORY: “DATA, DATA EVERYWHERE”

Posted in Litigation
Crowell & Moring

Crowell & Moring has issued its “Litigation Forecast 2018: What Corporate Counsel Need to Know for the Coming Year.”

 The Forecast cover story, “Data, Data Everywhere,” takes an in-depth look at the opportunities and challenges general counsel face in navigating the Big Data revolution.

 While data is a driver for innovation – with the development of artificial intelligence (AI), chat bots, the Internet of Things (IoT), autonomous vehicles, and other technologies – the article examines how it also carries new and unintended implications for regulatory enforcement, product liability, cybersecurity, and intellectual property.

 Be sure to follow the conversation on Twitter with #LitigationForecast.

FERC Proposes to Require Expanded Cyber Security Incident Reporting

Posted in Cybersecurity / Data Security, Data Breach, Government Agencies, Uncategorized
Evan D. Wolff, Maida Oringher Lerner, Deborah A. Carpentier, Matthew B. Welling, Michael Gruden

The Federal Energy Regulatory Commission (“FERC”) recently proposed that the North American Electric Reliability Corporation (“NERC”), which is responsible for promulgating and enforcing FERC-approved mandatory electric reliability standards, revise its Critical Infrastructure Protection (“CIP”) standards to require additional circumstances under which reporting of cybersecurity incidents is mandatory.   FERC’s goal is to enhance the awareness of existing or developing threats, including incidents that might enable future harm to the nation’s bulk electric system.

NERC’s current CIP reliability standard, CIP-008-5 (Cyber Security – Incident Reporting and Response Planning), requires incidents to be reported only if they have compromised or disrupted one or more reliability tasks (i.e., core activities of a responsible entity). Both FERC and NERC expressed concerns that the current standard might understate the scope of cyber-related threats facing the bulk electric system.

In light of concerns that the current standard might understate the scope of cyber-related threats facing the bulk electric system, FERC issued a notice of proposed rulemaking (“NOPR”) directing NERC to broaden CIP-008-5 to:

  1. Include mandatory reporting of cybersecurity incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter or Electronic Access Control and Monitoring System;
  2. Specify the required information in cybersecurity incident reports to improve the quality of reporting and ease of comparison by standardizing information; and
  3. Establish a deadline for responsible entities to submit a detailed report after a compromise or disruption, or an attempted compromise or disruption, is identified.

FERC suggests that the detailed report should be provided to the E-ISAC, similar to the current initial incident reporting scheme, and not to FERC. The new rule would also require reports be sent to the Industrial Control Systems Cyber Emergency Response Team (“ICS-CERT”) and require NERC to file an annual, public and anonymized summary of the reports with FERC. Comments to the NOPR are due February 26, 2018.

FTC Settles First Connected Toy Case With VTech After Massive Data Breach

Posted in Cybersecurity / Data Security, Data Breach, Privacy
Peter B. Miller, Lauren B. Aronson

On January 8, 2018, the FTC announced settlement of its first connected toy case with VTech Electronics Ltd (“VTech”) for violating the Children’s Online Privacy Protection Act (COPPA) Rules by failing to properly collect and protect personal information about and from children and violating the FTC Act by misrepresenting its security practices. In addition to paying a $650,000 civil penalty, VTech agreed to comply with COPPA, implement and maintain a comprehensive information security program with regular third-party security audits for the next twenty years, and not misrepresent its privacy and data security practices.

The settlement comes more than two years after VTech learned that a hacker had gained remote access to databases for its interactive electronic learning products (ELPs), including for its Kid Connect chat application, in what was described at the time as the largest known hack targeting children. According to the FTC’s Complaint, the hacker accessed VTech’s databases “by exploiting commonly known and reasonably foreseeable vulnerabilities,” and VTech was unaware of the intrusion until it was informed by a reporter.

Comment Period Extended for NIST SP 800-171 Assessment Guide

Posted in Cybersecurity / Data Security, Government Agencies, Government Contracting, Government Regulations & FISMA, Information Management, Public Sectors
Kate M. Growley

Less than two weeks after the National Institute of Standards and Technology (NIST) published a draft version of NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, on November 28, the National Archives and Records Administration (NARA) announced today that the comment period has been extended to January 15, 2018.  This gives interested parties an extra three weeks from the original deadline to provide input on what contractors and their customers may use as a guide to assessing future compliance with the security standard and – importantly – the government contracts regulations that incorporate that standard, including DFARS 252.204-7012 and FAR 52.204-21.

Ninth Circuit: Disclosure of video viewing history constitutes harm sufficient to confer standing in federal court

Posted in Litigation, Privacy
Nathanial J. Wood

The Ninth Circuit Court of Appeals has joined the Third and Eleventh Circuits in ruling that any disclosure of an individual’s online viewing history along with their personally identifiable information confers standing to bring a suit for violation of the Video Privacy Protection Act (VPPA) in federal court.  The case, Eichenberger v. ESPN, Inc., Case No. 15-35449, concerned ESPN’s alleged practice of disclosing to Adobe Analytics the device serial numbers and viewing history of consumers who used its “WatchESPN Channel” application on Roku streaming devices.  Adobe is alleged to have used the information provided by ESPN, in combination with information gathered from other sources, to identify the subscribers and then provide aggregated data to ESPN that was in turn shared with advertisers.  The plaintiff alleged that this practice violated the VPPA’s prohibition on knowing disclosure of personally identifiable information of consumers.  ESPN attacked plaintiff’s claim on two fronts: first, arguing that he did not have standing because he had not suffered an injury, and second, that even if he had standing, it had not shared his “personally identifiable information.”  The district court ruled in his favor on the second point, and the Ninth Circuit took up both issues on appeal.

With respect to the threshold issue of whether the plaintiff had standing to bring a claim based on a bare violation of the statute, the Ninth Circuit ruled that such a violation was sufficient to confer Article III standing.  The court distinguished the case from the Supreme Court’s decision in Spokeo, Inc. v. Robins, where the high court ruled that a procedural violation of a statute, without more, did not grant a plaintiff standing to seek redress in federal court.  Here, in contrast, according to the Ninth Circuit, ESPN’s alleged conduct violated the substantive provisions of the VPPA—the right to “retain control over their personal information.”  In so ruling, the court rejected ESPN’s argument that the VPPA requires an allegation of some harm in addition to the privacy violation.

Plaintiff, however, did not fare so well on the second issue presented in the appeal—whether his Roku device serial number constituted “personally identifiable information” under the statute.  The court observed that this term can cover information that can be used to determine a person’s identity, but ultimately concluded that it was not so expansive as to include the serial number of a device, even if a data aggregator could use that number to ferret out an individual’s identity.  The court adopted the Third Circuit’s “ordinary person” test, which asks whether an ordinary person could use the information to identify an individual.  Concluding that an ordinary person could not use a serial number to identify the owner of the device, the Ninth Circuit affirmed the district court’s dismissal of the action.

This decision automatically confers standing on plaintiffs in the states covered by the Ninth Circuit to bring actions against video content providers who share their personally identifiable information without authorization, even absent some other form of harm.  But, it provides some room for those providers to share such information with third parties if an “ordinary person” would not be able to use the information to identify an individual, apparently even if it is disclosed to a third party expressly for the purpose of de-anonymizing it.  Internet video content providers located within the Ninth Circuit would do well to review their data-sharing practices and privacy disclosures in light of this decision, particularly given the steep statutory penalties available to consumers for violation of the VPPA.