Litigation and regulation surrounding privacy and cybersecurity are continuously developing, both within the government and the private sector. This digest summarizes the most notable events in privacy and cybersecurity.
I.D. Experts Awarded $300+ Million Contract for ID Theft Services for OPM Breach
I.D. Experts received an initial award of $133 million to provide identity theft protection services to victims of the Office of Personnel Management (OPM) breach; the contract is ultimately estimated to be worth more than $329.8 million through December 2018. The 21.5 million victims of the largest known breach of federal personnel data will begin receiving notifications at the end of September and, unlike the first round of notifications, the communications will come directly from the federal government rather than from the contractor. Resources available to victims will include credit monitoring, ID theft monitoring, ID theft insurance, and ID restoration services for three years. The General Services Administration also announced the winners of a $500 million five-year award for providing general ID protection services as needed to federal government agencies going forward. Those service providers included Bearak Reports (also known as “Identity Force”) and Ladlas Prince, along with I.D. Experts.
Russia, China Reportedly Using Data to Blow Covers
Foreign spy services – especially Russia and China – are reportedly busy aggregating and cross-indexing data collected from hacked U.S. databases to identify U.S. intelligence officers. Reports are that at least one network of American engineers and scientists providing technical assistance to undercover operatives and agents overseas has already been compromised. Such efforts are the result of state actors combining efforts with criminal hackers to collect troves of personal data for such purposes.
White House Considering Sanctions Against China for Cyberthefts
The Obama administration is reportedly developing a package of economic sanctions against Chinese companies and individuals who benefit from the Chinese government’s theft of valuable U.S. trade secrets. The sanctions would be based on an Executive Order signed by President Obama in April, which gives the administration the ability to sanction entities worldwide for taking part in cyberattacks against the U.S. See our earlier post for a summary of the April Executive Order. No timeline has been announced for a final decision on implementation of the sanctions.
California Governor Creates Cybersecurity Agency to Prevent Attacks on State Agencies
Gov. Jerry Brown signed an executive order creating the California Cybersecurity Integration Center to reduce the likelihood of online attacks that could leave the state or its residents vulnerable to data breaches. The center will be a branch of the Governor’s Office of Emergency Services and will be made up of representatives from other agencies, such as the California Highway Patrol, California Military Department, Office of the Attorney General and academic institutions. The center will serve as the central hub for the state’s online security and coordinate with state departments, federal agencies and other organizations to provide warnings of cyberattacks and assess the risk to the state. The center will also pull security personnel from various agencies into one office. The Governor’s directive calls for the center to develop a statewide strategy to improve how the state identifies cybersecurity threats and shares information among state agencies, businesses and consumers.
Department of Defense Issues Interim Rule on Cyber Incident Reporting and Cloud Services
The Department of Defense (DoD) issued an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement contractor reporting on cyber incidents. Under the rule, contractors must notify the Pentagon within 72 hours of discovery of any cyber incident and prepare to provide DoD with digital evidence on the incident. The interim rule also provides standard contract language for acquiring cloud computing services. See our recent postings for more information about the Interim Rule’s impact on incident reporting and on acquisition of cloud services.
Sony Settles Employees’ Breach Class Action
A class representing nearly 50,000 current and former employees of Sony Pictures Entertainment whose private personal, financial and medical information was posted following a massive data breach last year has reached a settlement with Sony. The announcement came through a filing in a federal lawsuit seeking class action status, but the settlement’s terms and the number of people it covers have not yet been announced.
Uber Hires Hackers Who Wirelessly Hijacked a Jeep
Charlie Miller and Chris Valasek – the two hackers who developed the digital attack to wirelessly hijack an Internet-connected Jeep – will now be employed by Uber’s Advanced Technology Center. Miller and Valasek spent the last three years developing digital attacks on cars and trucks, with their research culminating in the much-covered full, over-the-Internet takeover of a 2014 Jeep Cherokee that led to a recall of 1.4 million vehicles (the first known automotive recall for a cybersecurity vulnerability). The duo will reportedly help Uber with its future-focused efforts to develop its own fleet of self-driving cars and to keep them safe from malicious hackers.