2014 Intelligence Authorization Act requires contractors to report cybersecurity breaches (Hogan Lovells, 18 July 2014) – [T]he president signed into law the Intelligence Authorization Act for Fiscal Year (FY) 2014 (Pub. L. 113-126), which requires intelligence contractors with security clearances to promptly report network and information system penetrations and provide government investigators access to such systems. This new statutory cybersecurity reporting requirement for cleared intelligence contractors is largely consistent with a reporting requirement applicable to cleared U.S. Department of Defense (DoD) contractors under the National Defense Authorization Act (NDAA) for FY 2013. * * *

Provided by MIRLN.

Chinese hackers extending reach to smaller US agencies (NYT, 15 July 2014) – After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies. Law enforcement and cybersecurity analysts in March detected intrusions on the computer networks of the Government Printing Office and the Government Accountability Office, senior American officials said this week. The printing office catalogs and publishes information for the White House, Congress and many federal departments and agencies. It also prints passports for the State Department. The accountability office, known as the congressional watchdog, investigates federal spending and the effectiveness of government programs. The attacks occurred around the same time Chinese hackers breached the networks of the Office of Personnel Management, which houses the personal information of all federal employees and more detailed information on tens of thousands of employees who have applied for top-secret security clearances. Some of those networks were so out of date that the hackers seemed confused about how to navigate them, officials said. But the intrusions puzzled American officials because hackers have usually targeted offices that have far more classified information.

Discussion paper: Lawyers professional liability insurance versus cyber liability insurance (Stuart Pattison, May 2014) – Over the last few years, law firms have been making significant investments in network hardware and software for the operation of their business, including the protection of client data. There is now also increased interest by law firms in purchasing Cyber Liability Insurance, primarily in response to increased scrutiny by clients as to what steps they are taking to improve security of data. In some cases, clients will even audit law firms to ensure compliance with their required standards. Buying Cyber Insurance can provide clients comfort that data security issues are being addressed, since insurers have an interest in learning what steps are being taken to mitigate the risk of claims that could fall within the terms of the policy. In addition, Cyber Insurance provides a source of recovery in the event the client incurs financial loss due to a data breach emanating from the law firm. A second driver for these investments is reputational risk and the belief by law firms that loss of client confidence could have significant negative consequences. Of course, law firms have always had an ethical obligation to keep their clients' information confidential and secure; indeed it is the cornerstone of the attorney-client relationship, and the advent of the internet has not changed those duties. What has changed is the ease with which large amounts of data can be stored, managed and transmitted, and the increased opportunities for third parties to steal information. [Polley: Interesting paper. Stuart has been involved in the evolution of cyberinsurance-for-lawyers from the very beginning.]

FTC told to disclose the data security standards it uses for breach enforcement (Computerworld, 2 May 2014) – The Federal Trade Commission (FTC) can be compelled to disclose details of the data security standards it uses to pursue enforcement action against companies that suffer data breaches, the agency’s chief administrative law judge ruled Thursday. The decision came in response to a motion filed by LabMD, a now-defunct medical laboratory that has been charged by the FTC with unfair trade practices for exposing sensitive information belonging to 10,000 patients in 2010. LabMD has accused the FTC of holding it to data security standards that do not exist officially at the federal level. It has maintained that the agency must publicly disclose the data security standards it uses to determine whether a company has reasonable security measures in place. The judge held that while LabMD may not inquire about the FTC’s legal standards or rationale, it has every right to know what data security standards the commission uses when pursuing enforcement action. The FTC’s Bureau of Consumer Protection “shall provide deposition testimony as to what data security standards, if any, have been published by the FTC or the Bureau upon which [it] intends to rely on at trial,” Chappell ruled. [Polley: Steptoe writes: “LabMD is surely hoping that having the FTC acknowledge on the record that it does not actually have ‘data security standards’ will underscore – for the ALJ, for courts, for Congress, and the public – LabMD’s contention that the FTC is acting as a lawless bully.”]

Wyndham decision affirms FTC jurisdiction and assertive role on “thorny” cyber and data security issues (Wiley Rein, 8 April 2014) – The Federal Trade Commission (FTC) has just won the first major round of its fight with Wyndham Hotels over data security. In FTC v. Wyndham Worldwide Corp., et al., No. 13-1887 (D.N.J.), the FTC’s jurisdiction to punish companies for allegedly lax data security practices was challenged when Wyndham moved to dismiss the FTC’s unfair and deceptive practices claims. On April 7, 2014, after briefing, oral argument, and several amicus submissions, federal judge Esther Salas rejected all of Wyndham’s arguments and affirmed the FTC’s jurisdiction. In doing so, she noted that the case highlights “a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.” The court affirmed the FTC’s jurisdiction and its discretion to proceed by enforcement action, rejecting Wyndham’s argument that the FTC’s “‘failure to publish any interpretive guidance whatsoever’ violates fair notice principles and ‘bedrock principles of administrative law’” (quoting briefing). The court found the unfairness proscriptions in Section 5 to be flexible and noted that the FTC had brought “unfairness actions in a variety of contexts without preexisting rules or regulations.” In this sense, the Court found “inapposite” Wyndham’s reference to evolving frameworks at the Department of Homeland Security (DHS) and the National Institute of Standards and Technology (NIST) as examples of what the FTC should be expected to do. (See February 13, 2014 Client Alert.) The court analogized the FTC’s enforcement action to case-by-case approaches used by the National Labor Relations Board (NLRB) and Occupational Safety and Health Administration (OSHA), despite Wyndham’s argument that the “rapidly-evolving nature of data security” made those agencies’ actions poor examples. The court also rejected the challenge to the deceptive practices claim, finding that the FTC had adequately pled it under whatever standard applied.

Hackers lurking in vents and soda machines (NYT, 7 April 2014) – Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business’s vast computer network. Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities. Hackers in the recent Target payment card breach gained access to the retailer’s records through its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment. Companies have always needed to be diligent in keeping ahead of hackers – email and leaky employee devices are an old problem – but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines. Break into one system, and you have a chance to break into them all. Data on the percentage of cyberattacks that can be tied to a leaky third party is difficult to come by, in large part because victims’ lawyers will find any reason not to disclose a breach. But a survey of more than 3,500 global I.T. and cybersecurity practitioners conducted by a security research firm, the Ponemon Institute, last year found that roughly a quarter – 23 percent – of breaches were attributable to third-party negligence. Security experts say that figure is low. Arabella Hallawell, vice president of strategy at Arbor Networks, a network security firm in Burlington, Mass., estimated that third-party suppliers were involved in some 70 percent of breaches her company reviewed.