5.6 Million Fingerprints Stolen in OPM Hack; US and China Agree to Economic Cyber Pact; SEC Charges Firm for Failing to Protect Against Hack; EU Court Advisor Says Safe Harbor Agreement Invalid; SEC Commissioner:  Smaller Companies More Targeted for Hacks; NIST Awards 3 Cybersecurity Grants

OPM Cyberattack Update:  5.6 Million Fingerprints Stolen

The Office of Personnel Management (OPM) initially estimated that 1.1 million individuals’ fingerprints were stolen as part of the hacks first reported in June.  That estimate has now grown to 5.6 million individuals’ fingerprints stolen.  While the breach impacted 21.5 million individuals in total, biometric data like fingerprints are reportedly of particular concern to experts because they are permanent and because the long-term effects are uncertain as technology advances to allow further misuse.

US and China Agree to Deal Against Cyber Economic Espionage

The U.S. and China reportedly reached agreement on a pact that neither country will conduct economic espionage in cyberspace.  The reported agreement also calls for a process to ensure compliance on an issue that has been a major source of tension between the countries.  The U.S. has previously accused China of stealing billions of dollars’ worth of intellectual property and trade secrets from American companies, used for the benefit of Chinese firms.  China has long denied such claims.  The agreement did not address other cyber matters, such as traditional espionage.

SEC Charges Advisory Firm for Failure to Protect Against Cyber Attacks

The SEC announced that St. Louis-based investment advisory firm R.T. Jones Capital Equities Management will pay $75,000 to settle civil charges that it failed to protect its clients from a July 2013 cyberattack.  The attack was later traced to China.  The SEC found that R.T. Jones failed to establish cybersecurity policies required under the SEC’s “Safeguard Rule” in advance of the breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals.  For more coverage of this, see our recent alert here.

Advisor to Top EU Court Opines that US Data-Share Deal Should Be Invalid

Yves Bot, Advocate General at the European Court of Justice (ECJ), advised the court that the Safe Harbor agreement enabling trans-Atlantic data transfers between the U.S. and European Union should be deemed invalid.  Bot’s opinion states that the agreement does not adequately protect the privacy rights of EU citizens and is rendered invalid by the surveillance carried out by U.S. intelligence services.  In response, the United States Mission to the European Union (U.S. Mission) issued a statement to address “numerous inaccurate assertions” in Bot’s opinion.  For more coverage of this and related Safe Harbor issues, see our recent alert here.

SEC Commissioner: Smaller Companies More Targeted by Cybercrime

SEC Commissioner Luis A. Aguilar stated that the majority of cyberattacks in 2014 were directed at small and midsize businesses.  The reason is that smaller companies pose easier targets than larger organizations because of their more limited resources.  Aguilar voiced concern that these companies were not taking these threats as seriously as they should and advocated that they take a more proactive approach to dealing with increasingly sophisticated cybercriminals.