SEC Announces 2nd Round of Cyber Exams; Judge Certifies Target Class Action; DHS Cybersecurity Improvements Needed; DoD Official Calls for Culture Change; Obama to Raise Cyber Concerns with Chinese President

SEC Announces 2nd Round of Cybersecurity Exams

The Securities and Exchange Commission (SEC) issued a Risk Alert indicating that it would begin a second round of cybersecurity-related exams to identify cybersecurity risks and assess cybersecurity preparedness among advisors and dealer-brokers.  The exams are intended to address concerns regarding the integrity of the market system and customer data protection in light of recent breaches and continuing threats against the financial industry.  For key takeaways on the exams, see our recent alert   The SEC conducted its first round of cybersecurity exams after issuing a Risk Alert last April, and firms failing to adopt required cybersecurity policies and procedures potentially face investigation and charges following examination.

Judge Certifies Banks’ Class Action Over Target Breach

A Minnesota federal judge certified a class action brought by financial institutions that issued cards compromised in Target Corp’s massive data breach in 2013.  In doing so, the judge rejected a number of arguments raised by Target, including that the banks’ injuries (like those of consumers in prior cases) were speculative even though the banks involved had reissued nearly all cards affected by the breach and had incurred the costs of doing so.  Target previously agreed to a settlement with institutions that issue Visa cards that could be worth as much as $67 million, but a proposed $19 million settlement with MasterCard fell through when not enough banks accepted the agreement.

Continue Reading Key Privacy & Cybersecurity Developments: September 14 – 20, 2015

DOE Hit by Cyber Attacks; DHS Reports Efforts to Hack Critical Infrastructure; US and EU Data Deal Reached; DHS Awards $11M Info Sharing Grant; Cal State Hack Exposes 80k Students; 9th Cir. Rules for Sony on Data Retention; Fiat Chrysler Recalls 8000 More

Department of Energy Hit by Cyber Attacks

A review of federal records revealed that cyber attackers targeted U.S. Department of Energy (DOE) computer systems more than 1,100 times between 2010 and 2014, with 159 of those attacks successfully compromising the security of those systems.  Incident reports submitted by federal officials and contractors to DOE’s Joint Cybersecurity Coordination Center show that systems containing sensitive data about the nation’s power grid (which DOE does not directly control), nuclear weapons and energy labs were targeted.  However, DOE officials have not announced whether any sensitive data was accessed or stolen or any theories as to the parties involved.  Over the same time period, the National Nuclear Security Administration, a semi-autonomous agency within DOE responsible for managing and securing the nation’s nuclear weapons stockpile, experienced 19 successful attacks.

DHS Report Reveals “Concerted Effort” to Hack Critical Infrastructure Systems

The U.S. Department of Homeland Security’s (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a report advising that skilled hackers made a “concerted effort” to access critical systems in the chemical, manufacturing and energy sectors over this past summer.  In particular, the report focuses on the exploitation of a previously unknown flaw in Adobe Flash Player that was used to hijack victims’ computers after they visited compromised websites.  The hackers behind this threat are also believed to have been behind a series of attacks in 2014, and ICS-CERT warns against advanced persistent Spear Phishing campaigns continuing against these sectors.

Continue Reading Key Privacy & Cybersecurity Developments: September 7, 2015 – September 13, 2015

Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in privacy and cybersecurity.

I.D. Experts Awarded $300+ Million Contract for ID Theft Services for OPM Breach I.D. Experts received an initial award of $133 million to provide identity theft protection services to victims of the Office of Personnel Management (OPM) breach; the contract is ultimately estimated to be worth more than $329.8 million through December 2018.  The 21.5 million victims of the largest known breach of federal personnel data will begin receiving notifications at the end of September and, unlike the first round of notifications, the communications will come directly from the federal government rather than from the contractor.  Resources available to victims will include credit monitoring, ID theft monitoring, ID theft insurance, and ID restorations services for three years.  The General Services Administration also announced the winners of a $500 million five-year award for providing general ID protection services as needed to federal government agencies going forward.  Those service providers included Bearak Reports (also known as “Identity Force”) and Ladlas Prince, along with I.D. Experts.

Russia, China Reportedly Using Data to Blow Covers

Foreign spy services – especially Russia and China – are reportedly busy aggregating and cross-indexing data collected from hacked U.S. databases to identify U.S. intelligence officers.  Reports are that at least one network of American engineers and scientists providing technical assistance to undercover operatives and agents overseas has already been compromised.  Such efforts are the result of state actors combining efforts with criminal hackers to collect troves of personal data for such purposes.

Continue Reading Key Privacy & Cybersecurity Developments: August 31, 2015 – September 6, 2015

Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in privacy and cybersecurity.

3rd Circuit Affirms FTC’s Authority to Regulate Companies’ Data Security

On Monday, the Third Circuit issued its much-awaited decision in FTC v. Wyndham Worldwide et al. and held that the Federal Trade Commission (FTC) has statutory authority under Section 5 of the FTC Act to bring enforcement actions against defendants for allegedly “unfair” data security practices.  Upholding the New Jersey district court’s decision not to dismiss the case, the Third Circuit supported the FTC’s broad interpretation of its enforcement authority.  For more detailed analysis of this decision click here.

OMB Proposes Cybersecurity Guidance

Open for comment until September 10, the recently released OMB cybersecurity guidance, Improving Cybersecurity Protections in Federal Acquisitions, marks another attempt by the Obama Administration to improve our nation’s cybersecurity through the regulation of federal contractors. Although it addresses key areas concerning cybersecurity risk management, Crowell & Moring attorneys explain in this Law360 article why the proposed guidance may generate more problems than it resolves by creating the potential for even more inconsistency across agency standards.

FTC Announces PrivacyCon and Issues Call to Whitehat Researchers

The Federal Trade Commission (FTC) announced that it plans to host a conference in January to examine research and trends in protecting consumer privacy and security.  The FTC’s First Ever “PrivacyCon” will bring together “whitehat” researchers, academics, industry representatives, federal policy makers and consumer advocates to discuss privacy and cybersecurity challenges posed by emerging technology and ways to address them. For our blog post about PrivacyCon, click here.

Continue Reading Key Privacy & Cybersecurity Developments: August 23, 2015 – August 30, 2015

Yesterday, the DoD published an Interim Rule that, if finalized as drafted, would expand the already onerous requirements of the DFARS Safeguarding Clause to a broader array of potentially 10,000 defense contractors.  Citing “recent high-profile breaches of federal information,” the DoD’s Interim Rule emphasizes the need for clear, effective, and consistent cybersecurity protections in its contracts.  The Interim Rule proposes to significantly expand the scope of covered information and to require subcontractors to report cyber incidents directly to the DoD (in addition to prime contractors).  Together, these changes will likely increase the scope of potential liability for government contractors and subcontractors who fail to implement adequate cybersecurity measures.

The Interim Rule seeks to enhance cybersecurity protections primarily by expanding the application of the DFARS Safeguarding Clause, which was once itself a heated point of debate.  Currently, the DFARS Safeguarding Clause imposes two sets of requirements on covered defense contractors.  First, they must implement “adequate security” on certain information systems, typically by implementing dozens of specified security controls.  Second, they must report various cyber incidents to the DoD within 72 hours of their discovery.  These requirements, however, apply only to information systems housing “unclassified controlled technical information” (UCTI), which is generally defined as controlled technical or scientific information that has a military or space application. 

The Interim Rule would expand that application to information systems that possess, store, or transmit “covered defense information” (CDI).  CDI would encompass UCTI, meaning that most contractors subject to the DFARS Safeguarding Clause would remain subject to the Interim Rule.  But CDI goes beyond the DFARS Safeguarding Clause by also including information critical to operational security, export controlled information, and “any other information,  marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government policies.”  Significantly, the Interim Rule lists “privacy” and “proprietary business information” as examples of the latter, leaving many covered contractors to wonder exactly how far the definition of “covered defense information” goes.  To keep up with its new application, the Interim Rule would change the name of Clause 252.204-7012 from “Safeguarding Unclassified Controlled Technical Information” to “Safeguarding Covered Defense Information and Cyber Incident Reporting.”

Continue Reading Interim Rule Could Expand Already Onerous DFARS Cyber Requirements

Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in privacy and cybersecurity.

FTC Settles 13 Safe Harbor Violations

The FTC charged 13 companies with deceiving consumers about their certification status as part of the Safe Harbor framework, a popular method by which companies can transfer data from Europe to the United States.   Companies who have settled with the FTC are subject to a 20-year consent order, which requires the companies to, among other things, keep precise records of the FTC’s overview.  For more information key lessons learned from these settlements, read Chris Hoff’s blog on the issue here.

Class Certification Denied in Apple Intercept Litigation

Plaintiffs in a Northern District of California suit against Apple have been denied class certification. Plaintiffs have accused Apple intercepting certain iMessages, because of a bug.  The Court found that the proposed class was “unascertainable.”  It was too uncertain to tell, the court noted, “whether a third party sender used iMessage, whether it was before or after a proposed class member attempted de-registration, and whether the proposed class member did or did not receive the text message.”

Continue Reading Key Privacy & Cybersecurity Developments: August 15, 2015 – August 23, 2015

Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in privacy and cybersecurity.

Plaintiffs Ask the Court to Order CareFirst to Implement Particular Data Security Protocols

The relief sought by Plaintiffs in a recent data breach class action against CareFirst of Maryland includes a declaratory judgment finding that CareFirst’s current security measures do not meet its contractual obligations and its duty of care.  If Plaintiffs’ judgment is granted, it would require CareFirst to “implement and maintain reasonable security measures” by, among other things, engaging third-party security auditors/penetration testers to test its system, segmenting consumer data by creating firewalls and access controls, and purging, deleting, and destroying consumer data not necessary for services in a reasonably secure manner.

Inter-Agency Report Advocates Support for International Cybersecurity Standards

A draft report by an interagency working group sets out objectives and recommendations for the development of international cybersecurity standards.  According to the report, the U.S. government should encourage federal agency participation in standards development and should collaborate with  private industry, academic, organizations, and consumers.  The report also provides guidance for agencies to participate more actively in international cybersecurity standards development.

Continue Reading Key Privacy & Cybersecurity Developments: August 9, 2015 – August 15, 2015

Crowell & Moring is proud to announce that the ABA Public Contract Law Section has recognized Partner David Bodenheimer, along with Maureen Kelly of Northrop Grumman and Annejanette Pickens of General Dynamics, for their exceptional efforts as co-chairs of the Section’s Committee on Cybersecurity, Privacy, and Data Protection.  The Section recently presented the Committee with

Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in privacy and cybersecurity.

Class Action Filed Against Fiat-Chrysler and Harman over Hacking Vulnerabilities

On Tuesday, August 8 plaintiffs in the Southern District of Illinois filed a class action lawsuit against Fiat-Chrysler and Harman International Industries, the maker of the Uconnect dashboard, alleging hacking vulnerabilities.  This suit comes on the heels of a voluntary recall of 1.4 million Chrysler vehicles in July.

FDA Warns that Drug-Administering Pump Can Be Hacked

Last Friday, July 31, 2015, the U.S. Food and Drug Administration (FDA) warned that the Hospira Symbiq infusion pump, which administers drugs, may be at risk of getting hacked through hospital networks.  According to FDA, vulnerabilities “could allow an unauthorized user to control the device and change the dosage the pump delivers.”   This warning follows similar warnings that FDA made about other Hospira pumps in May of this year.

DefCon Hacking Conference – Researchers Warn of Vulnerabilities in Medical Devices and Keyless Entry

During DefCon, the world’s largest computer hacking conference, researchers Mark Collao and Scott Erven warned that internet-connected medical devices are particularly vulnerable to hackers.  According to Collao and Erven, unencrypted medical information often travels from these devices across the web, making it easily susceptible to snooping.  Similarly, Samy Kamkar warned that his $32.00 radio device, called RollJam, is able to intercept information from keyless entry systems, allowing the user to use the device as a fob to access cars, trucks, garages, and other places that use keyless entry systems.

Continue Reading Key Privacy & Cybersecurity Developments: August 1, 2015 – August 8, 2015

Litigation and regulation surrounding privacy and cybersecurity is continuously developing, both within the government and the private sector.  This digest summarizes the most notable events in privacy and cybersecurity.

Indiana Attorney General Urges Everyone in State to Freeze Their Credit

Indiana Attorney General Greg Zoeller urged every single citizen of Indiana to freeze their credit after news of a data breach at Medical Informatics Engineering (MIE) which may have impacted 1.5 million Indiana residents (3.9 million nationwide). Information which was allegedly breached may have included social security numbers, lab results, medical conditions, and health plan information.

Google Will Not Apply EU “Right to Be Forgotten” Order Globally

In 2014, Google was ordered by the European Court of Justice to allow Europeans to delist search result links they felt were harmful to their privacy. Since then, Google has removed the qualifying links from all European versions of its search engine; but the French data protection authority told Google last month to remove those links from all versions of its search engine – everywhere in the world. Google has now officially declined to do so, stating that, “We’ve worked hard to implement the right to be forgotten ruling thoughtfully and comprehensively in Europe, and we’ll continue to do so. But as a matter of principle, we respectfully disagree with the idea that a national data protection authority can assert global authority to control the content that people can access around the world.”

Continue Reading Key Privacy & Cybersecurity Developments: July 26-August 1, 2015