House Committee Warns Congress to Set Security Standards

Last week, members of the House Energy and Commerce Committee told Congress that they must set cyber security standards for all devices connected to the internet or else face the possibility of a major cyberattack that could cripple critical infrastructure throughout the United States. This hearing came on the heels of the widespread internet outage on October 21.

There are 6 billion internet-connected devices today, but that figure is expected to grow to over 20 billion by 2020. With that looming growth, it is important to set cybersecurity standards now, because they will dictate how internet-connected devices are built going forward.

Many have questioned the direction the Trump administration will take in regulating cybersecurity, as heightened standards will certainly lead to increased costs for businesses. No one can answer that question with any certainty now, but cybersecurity should be a non-partisan issue. As Bruce Schneier, a cybersecurity expert, stated, “I’m not a regulatory fan. But this is the world of dangerous things…. The choice is not between government involvement and no government involvement. It’s between smart government involvement versus stupid government involvement.” For now, the message is clear: increase cybersecurity standards or face some dangerous consequences.

IRS Data Breach Class Action Dismissed

Last week, the Internal Revenue Service successfully defeated a putative class action related to a data breach it suffered in 2015. The D.C. District Court’s decision dismissing the suit demonstrates the high bar required to hold a federal agency accountable for lapses in cybersecurity.

In Welborn v. IRS (Case No. 15-1352, D.D.C.), Plaintiffs Becky Welborn, Wendy Windrich and Beth DuPree, on behalf of a proposed class, sued the IRS in connection with a cyberattack on the agency’s website in which over 300,000 tax-related documents were stolen.

Plaintiffs alleged that the IRS violated their rights under the Privacy Act, 5 U.S.C. § 552a, the Administrative Procedure Act (APA), 5 U.S.C. § 701 et seq., and the Internal Revenue Code, 26 U.S.C. § 6103, by “disclosing or failing to prevent the disclosure of their personal identification information to third parties.”

Standing Sufficient Only Where Actual Injury and Causation Shown

As an initial matter, the court determined that only two of the three named plaintiffs had standing to bring suit. Mses. Welborn and Windrich, who had suffered actual identity theft when someone filed false tax returns and claimed fraudulent refunds in their names, had shown sufficient injury-in-fact and a sufficient causal connection to the IRS data breach to establish standing to sue for monetary damages.

Ms. DuPree’s claims, however, were dismissed for failure to show causation. Although Ms. DuPree alleged that (1) the IRS notified her that her personal information may have been hacked; (2) no other entity had informed her of a similar data breach; and, (3) she had been the victim of at least two instances of fraudulent activity in her financial accounts following the IRS data breach, the court ruled that there was no nexus showing that the data obtained from the IRS breach was necessarily used to perpetrate the fraud on her accounts. Simply alleging that the financial fraud happened after the data breach was insufficient.

Failure to State a Claim Under the Privacy Act and the Internal Revenue Code

The court also dismissed Plaintiffs’ claims under the Privacy Act for failure to state a claim for actual damages related to the IRS’s alleged failure to safeguard plaintiffs’ personal information. The court ruled that the fraudulent tax returns filed in plaintiffs’ names, the lost time and money spent dealing with data theft and future credit monitoring, and the heightened risk of further identity theft did not equate to actual pecuniary or material damage related to the IRS data breach. Sovereign immunity protects the Federal Government from liability for reputational or emotional harm. Similarly, sovereign immunity barred Plaintiffs’ claims under the Internal Revenue Code.

Finally, the Court ruled that Plaintiffs had no standing to sue for equitable relief under the APA as there was no allegation of an ongoing threat to their personal information, and that there is no private right of action under the Federal Information Security Modernization Act (FISMA).

Needless to say, courts will set a very high bar for plaintiffs seeking to establish standing to sue governmental agencies over data breaches.

Major Security Breach Reported to Congress By Federal Bank Regulator

Recently, the Office of the Comptroller of the Currency (OCC) informed Congress that it had suffered a major information security incident.

The agency reported that, in November 2015, a former employee downloaded over 10,000 records onto two thumb drives before retiring. The breach was first detected in September 2016 during an internal review of employee downloads. Following investigation, the agency determined that the breach was a “major incident” requiring reporting to Congress under the Federal Information Security Modernization Act of 2014 (FISMA).

Under FISMA, as clarified by the October 30, 2015 Office of Management and Budget (OMB) Memorandum 16-03, a federal agency is required to notify Congress within 7 days of discovery of a “major” security incident. Per OMB Memo 16-03, a “major incident” is one which:

1) Involves information that is classified or otherwise protected under certain categories; and

2) Is not recoverable or not reasonably recoverable; and

3) Has some functional impact to the mission of an agency; or

4) Involves exfiltration, modification, deletion or unauthorized access to either:

a) 10,000 or more records or users affected; or

b) any record of special importance.

OCC determined that the breach in question was a “major incident” because it involved protected information that was not recoverable, and because the unauthorized removal involved a large number of files, exceeding 10,000.

Currently, there is no indication that the information involved included any non-public personally identifiable information, or that it has been disclosed to the public or otherwise misused in any way. Notice of the breach was also given to the Director of the Office of Management and Budget, the Secretary of Homeland Security, and the head of the Government Accountability Office. The important lesson for government agencies is to understand the parameters of FISMA, and the reporting requirements that apply when a major incident has occurred.

Beazley Report Details Increase in Ransomware Attacks

A report issued last week by Beazley, one of the prominent insurance companies in the cyber field, revealed what industry experts predicted earlier in the year – ransomware is an increasingly prevalent menace. That report is a reminder to everyone that there is no time like the present to review backup and incident response plans, and to take a close look at your insurance policies.

Beazley has been a prominent cyber insurance player since the inception of that specialized coverage. As an early presence in this area, Beazley started its data breach response unit in 2009. Since then, it has been tracking its incident response figures based on claims from its policyholders. The early reports from 2016 reveal ransomware to be a growing threat. While the percentage of ransomware attacks within the broader data breach universe stayed proportional to the figures seen in 2015, there was a huge uptick in the total number of ransomware incidents. As Beazley noted, cyber thieves have apparently determined that it is easier to get payment in bitcoins via ransomware than to sell information on the dark web.

But all is not lost in this grim report. There are easy lessons to take away that can help prevent or minimize the risk or damage from a potential ransomware attack.

  • First, ensure you have robust backup practices. A thief stealing your company’s data is a bad outcome. But ransomware can cripple a company. Backup processes are no sure solution, but the absence of a solid backup plan will almost certainly be catastrophic, because the ransomware will leave you at the mercy of the attackers.
  • Second, prepare or update your incident response plan. Whatever that plan may be, you do not want an actual data breach to be the first time you have practiced it.
  • Third, educate your employees. Over 80% of data attacks resulted from human error – when your employee opens the wrong attachment, it is utterly meaningless if you have the Fort Knox of cyber defenses.
  • Finally, review your insurance portfolio. Ransomware is somewhat unique in its mode of attack, and in the “damage” that it does to your system. Does it actually damage your data? Your computers? Insurers will certainly argue to the contrary.

The important takeaway is that you should understand where your potential cyber coverage might lie, and determine if you need additional coverage. Cyber insurance may or may not be cost effective for your company, but you need to understand your insurance portfolio to better evaluate your risk profile.

New York Department of Financial Services Proposes Comprehensive Cybersecurity Regulations for Financial Institutions

In September, the New York Department of Financial Services (“DFS”) proposed new rules (“Rules”) that would require covered financial institutions – banks, insurers, and other institutions regulated by the DFS – to establish and maintain cybersecurity programs to protect consumer data and financial systems from cyberattacks. The Rules may have a very broad impact, if implemented, as they could be the template that other states follow when overseeing their own financial institutions.

The proposed Rules were based on DFS’s survey of nearly 200 banking institutions and insurance companies regarding emerging cybersecurity trends and risks. According to Governor Cuomo, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

Cybersecurity legal experts believe that the Rules may serve as a model for other states to follow. The Rules will not only impact the covered institutions, but also third-party vendors transacting business with covered institutions, and would clearly impact covered entities’ contract negotiations with third parties. A 45-day public comment period for the Rules began September 28, 2016, and the Rules have an effective date of January 1, 2017, after which covered entities would have 180 days to comply with the Rules.

Some important aspects of the Rules are summarized below:

Cybersecurity Program: A covered entity would be required to design a cybersecurity program addressing “core cybersecurity functions,” such as:

  • Identifying and assessing access to non-public information stored on the entity’s information systems;
  • Protecting the entity’s information systems from “unauthorized access, use or other malicious acts”;
  • Detecting, responding to and recovering from attempted or actual cybersecurity breaches; and
  • Fulfilling all regulatory reporting obligations.

Cybersecurity Policy: The Rules would require a covered entity to implement written cybersecurity policies for protecting its information systems, addressing areas such as: information security, data governance, access controls, disaster recovery plans, systems and network monitoring, and incident response. The Rules would require that the policies be reviewed annually by an entity’s board of directors or equivalent governing board and approved by a Senior Officer.

Chief Information Security Officer: The Rules would require an entity to appoint a Chief Information Security Officer to oversee and implement the entity’s cybersecurity program and enforce its cybersecurity policy. However, the entity would be permitted to fulfill this requirement by outsourcing that responsibility to a third-party vendor so long as the entity: (1) retains responsibility for compliance with this requirement; (2) designates a senior member of the entity to oversee the third party; and (3) requires that the third party maintain a cybersecurity program that meets the requirements of this provision.

Third Party Information Security Policy: The Rules would require a covered entity to establish written policies and procedures to ensure the security of its information systems and non-public information being accessed or held by third parties doing business with the covered entity. The policies and procedures, among other areas, shall address setting minimum cybersecurity standards that the third party should meet to conduct business with the covered entity.

Limited Exemptions: The Rules provide a limited exemption for certain covered entities that meet all three of the following criteria:

  1. Fewer than 1,000 customers in each of the last three calendar years;
  2. Less than $5,000,000 in gross annual revenue in each of last three fiscal years; and
  3. Less than $10,000 in year-end total assets.

This exemption releases such institutions from some, but not all, requirements outlined in the Rules. For example, these exempted institutions would still need to implement the cybersecurity program and policy requirements. See 23 NYCRR 500.

The Rules are the first attempt by a regulating body to implement overarching rules requiring the implementation of cybersecurity policies for financial institutions.

Breach Notification Law: Yahoo’s Breach and the Duty to Disclose

Last week, Yahoo disclosed that in 2014 it suffered one of the largest data breaches in history, with at least 500 million Yahoo accounts compromised. Given the timing of its acquisition deal with Verizon, Yahoo has been criticized for failing to notify its customers of the breach sooner. Reportedly, Yahoo had been aware of the loss of information as early as July 2016, the same month that it was revealed that Verizon would acquire Yahoo. Did Yahoo have a duty to disclose the “breach”?

A “breach” generally indicates unauthorized acquisition of data, as compared to an “incident,” where unauthorized access is merely attempted. Under California breach notification law—where Yahoo is headquartered—unless notification would impede a criminal investigation, disclosure must be made in the most expedient time possible and without unreasonable delay following the discovery or notification of a breach. This law requires a business or a government agency that owns or licenses unencrypted computerized data that includes personal information to notify any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The California Office of Privacy Protection provides guidance that notice should be given within 10 business days.

But the notification requirements for Yahoo are further complicated by the fact that each state’s law protects only the personal information of residents of that state. Thus, a company like Yahoo that has customers in all 50 states is subject to many separate breach notification laws. Currently all states and the District of Columbia have their own breach notification laws, with the exception of Alabama, New Mexico, and South Dakota. In states such as Connecticut and New Jersey, and in the U.S. territory of Puerto Rico, notification may be triggered by the discovery of unauthorized access alone.

Data breach notification is intended to give individuals early warning so they can take protective action when their personal information has been compromised. Practically speaking, one can argue that in the case of Yahoo, the information was stolen over two years ago and any unauthorized use could have occurred well before the two-month delay in disclosing the breach. Nonetheless, breach notification laws nationwide require otherwise.

Ninth Circuit Issues Two Recent Decisions Further Defining Liability Under the Computer Fraud and Abuse Act

In July, the Ninth Circuit Court of Appeals issued two decisions intended to clarify liability under the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030 (“CFAA”). The CFAA imposes criminal penalties and civil damages upon whoever “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value . . . .” The two cases are United States v. Nosal (Nosal II), No. 14-10037, 2016 U.S. App. LEXIS 12382 (9th Cir. July 5, 2016) and Facebook, Inc. v. Power Ventures, No. 13-17102, 2016 U.S. App. LEXIS 12781 (9th Cir. July 12, 2016).

In Nosal II, the Ninth Circuit, for a second time, considered the scope of the CFAA as applied to defendant Nosal. The first time was in United States v. Nosal (Nosal I), 676 F.3d 854 (9th Cir. 2012) (en banc), which held that exceeding the terms of use of a computer to which access was authorized was not a violation of the CFAA. The court in Nosal I rejected Nosal’s liability for downloading confidential information from his then employer’s database to use at a new enterprise. Although Nosal was authorized to access the database as a current employee, the downloading violated the employer’s confidentiality and computer use policies. However, violating such terms of use did not constitute a violation of the CFAA; the court distinguished between access restrictions and use restrictions and held that the “exceeds authorized access” prong of section 1030(a)(4) of the CFAA “does not extend to violations of [a company’s] use restrictions.” (Id. at 863.) The court affirmed the district court’s dismissal of the five CFAA counts related to Nosal’s conduct.

Undaunted, the United States Attorney prosecuted Nosal in Nosal II under a different factual scenario. In addition to accessing and downloading computer material during his employment, Nosal also accessed and downloaded material after his employment terminated. Even though his former employer had revoked his access to the employer’s computers, Nosal enlisted the aid of his former executive assistant to access the former employer’s computers. The executive assistant continued to have permitted access to the former employer’s computers.

The court in Nosal II concluded that Nosal’s use of the executive assistant to access computers to which he had no permitted access violated the CFAA, holding:

“Without authorization” is an unambiguous, non-technical term that, given its plain and ordinary meaning, means accessing a protected computer without permission. This definition has a simple corollary: once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.

(Nosal II, 2016 U.S. App. LEXIS 12382 at *4.)

The second case, Facebook, Inc. v. Power Ventures, Inc., No. 13-17102, 2016 U.S. App. LEXIS 12781 (9th Cir. July 12, 2016), applied Nosal I and Nosal II to a specific and complex fact pattern. In Facebook, the defendant Power Ventures, Inc. (“Power”) operated a social website with the following concept: “Individuals who already used other social networking websites could log on to Power.com and create an account. Power.com would then aggregate the user’s social networking information. The individual, a ‘Power’ user could see all contacts from many social networking sites on a single page. The Power user thus could keep track of a variety of social networking friends through a single program and could click through the central Power website to individual social networking sites.” (Id. at *4.)

Power instituted a promotional campaign to generate more users for its site. It did so by encouraging Facebook users to refer Facebook “friends” to Power.com. This campaign utilized Facebook to transmit messages both external and internal to Facebook. Upon becoming aware of Power’s promotional campaign, Facebook transmitted a cease and desist letter to Power instructing Power to terminate its activities. Facebook also attempted to block Power’s access to Facebook. Power sought to circumvent the block and continued its promotion.

Facebook filed an action alleging, inter alia, violation of the CFAA. The district court granted summary judgment in favor of Facebook and awarded damages. The Ninth Circuit affirmed the district court’s ruling on the CFAA claim while reversing on certain other issues. The court remanded for reconsideration of appropriate remedies and a recalculation of damages under the CFAA.

In reaching its conclusion, the Ninth Circuit reviewed both Nosal I and Nosal II:

From those cases, we distill two general rules in analyzing authorization under the CFAA. First, a defendant can run afoul of the CFAA when he or she has no permission to access a computer or when such permission has been revoked explicitly. Once permission has been revoked, technological gamesmanship or the enlisting of a third party to aid in access will not excuse liability. Second, a violation of the terms of use of a website – without more – cannot be the basis for liability under the CFAA.

(2016 U.S. App. LEXIS 12781 at *17-18.)

The court ruled that Power’s original access to the Facebook website through Facebook users (who were also Power.com users) did not violate the CFAA. The permission of the Facebook user was sufficient to avoid liability. However, once Facebook served Power with the cease and desist letter, Power no longer had permission to access the Facebook website. That letter superseded any permission attributable to any Facebook user.

Whether Nosal I, Nosal II and Facebook provide a clear enough road map to computer users and legal counsel as to what constitutes a CFAA violation remains to be seen. What we do know is that:

(a) violation of terms of use alone is not a violation of the CFAA;

(b) one cannot circumvent revocation of the right of access to computers through the use of third parties or other “gamesmanship”; and

(c) a timely cease and desist letter can revoke permission which third parties may have previously and legitimately provided.

Ninth Circuit Rules on Meaning of “Without Authorization” under Computer Fraud and Abuse Act

Last month, the Ninth Circuit affirmed the criminal conviction of an individual for accessing a computer “without authorization” in violation of the Computer Fraud and Abuse Act (“CFAA”). U.S. v. Nosal (9th Cir., July 5, 2016).

The CFAA imposes criminal penalties on whoever “accesses a protected computer without authorization, or exceeds authorized access . . .” 18 U.S.C. § 1030.

“Without authorization”, the court ruled, means “accessing a protected computer without permission.”

In Nosal, a former employee of an executive search firm conspired with former colleagues to obtain confidential source lists and client contact data to start a competing search firm. Among other counts, Nosal was charged with violating the CFAA. The question before the three-judge panel was whether Nosal conspired to access a protected computer “without authorization” when he and his accomplices used the login credentials of Nosal’s former assistant to access the search firm’s proprietary information. Affirming Nosal’s conviction, the court held that Nosal did act “without authorization” when he continued to access data after his former employer rescinded permission to access its computer system.

Justice Reinhardt issued a vehement dissent in the case. He argued that the case was about simple password sharing, and the majority opinion “threatens to criminalize all sorts of innocuous conduct engaged in daily by ordinary citizens.” He emphasized that the CFAA is a criminal statute and must be construed more narrowly than a civil statute. A better interpretation of “without authorization”, he urged, is accessing a computer without the permission of either the system owner or a legitimate account holder. Though the facts of this case were distasteful, he noted that the court’s ruling had broader legal implications and thus he could not endorse the majority’s opinion.

Interestingly, this is the second time the Ninth Circuit has interpreted provisions of the CFAA in this case, and the first case touched on the very issues the dissent addressed. In the prior opinion, an en banc panel of the Ninth Circuit ruled on the meaning of “exceeds authorized access.” The court held that “exceeds authorized access” serves to restrict access to information but did not restrict how that information was used. Accordingly, the court determined that Nosal did not violate the CFAA when he had his former colleagues access information from the firm’s confidential databases and send it to him. Those colleagues were authorized to access the data. The CFAA, the court ruled, was not intended to impose criminal liability for violations of private computer use policies. The en banc panel construed the statute narrowly, “so that Congress will not unintentionally turn ordinary citizens into criminals.”

The majority’s recent opinion will likely not be the last word on this issue. Nosal will be filing a Petition for Rehearing and Rehearing en Banc. If rehearing is granted, it remains to be seen whether Judge Reinhardt’s position seeking a narrow construction of the term “without authorization” will be followed.

Regulators Nationwide Weigh in on CPUC Litigation

In May, we posted a blog on litigation filed by telecom providers and trade associations to prevent the California Public Utilities Commission (CPUC) from requiring Plaintiffs to turn over competitively sensitive data to a third party. Plaintiffs allege that disclosure of that data would violate regulations issued by the Federal Communications Commission (FCC) regarding the confidential status of that information. There is now a new party at the table. The National Association of Regulatory Utility Commissioners (NARUC) filed an amicus brief asking the Court to side with the CPUC, and permit disclosure of the data.

For background, after the complaint was filed, the Northern District of California granted Plaintiffs’ motion for a preliminary injunction, blocking the CPUC from sharing the companies’ ostensibly sensitive data with the third party. That order was based on the Court’s finding that the telecom Plaintiffs were likely to prevail on their argument that the CPUC order is preempted by FCC regulations, and because the telecom Plaintiffs “overwhelmingly” demonstrated that they would face irreparable harm if disclosure occurs.

NARUC then filed its amicus brief requesting that the Court deny Plaintiffs’ claims and permit the CPUC order to stand. NARUC framed the question before the Court as follows:

[D]o States have the ability to obtain and to use under state law broadband data, including granular, disaggregated, carrier-specific subscription data, which telecommunications carriers may (or may not) also submit to the FCC on the FCC’s Form 477?

NARUC argues in the affirmative. In particular, NARUC cites a 2010 opinion and order from the FCC that concluded the collection and use of broadband data by states was not preempted by federal law. NARUC also points to the great need for disclosure of data by regulated entities to state regulators, suggesting that it would be poor policy to prevent public utility regulators from accessing the data at issue in this litigation.

Interestingly, NARUC’s amicus brief focuses on the preemption argument and does not attempt to address or reconcile the impetus for the litigation—privacy concerns.

This litigation highlights two areas of tension in the privacy sphere. The first is the tension between ensuring privacy and data security and conducting regulatory activities, whether for the promotion of health, safety, or environmental wellbeing. The second tension is whether privacy protections should stem from the federal government, the states, or the industry itself. Without clear guidelines governing how to balance these competing policies, courts are often asked to decide significant privacy questions through legal doctrine and not the substance of the implicated rights. That is the case here, where the Court is left to grapple with a traditional legal question—whether the FCC’s regulations preempt state regulatory actions—rather than the propriety of requiring disclosure of sensitive information in the context of a public utility regulatory proceeding.
