Google Ruling may give Government an Opening to Broaden its Power Under Outdated Stored Communications Act

As technology progresses and the world becomes even more interconnected, the scope of the Stored Communications Act (“SCA” or “Act”) has become a topic of much interest in the federal courts. One question courts have grappled with lately is whether law enforcement may subpoena data stored on foreign servers under the Act. A recent ruling by Magistrate Judge Rueter of the Eastern District of Pennsylvania in In re Search Warrant No. 16-960-M-01 to Google (“Google ruling”) may give the government all the incentive it needs to continue taking a broad reading of its powers under the Act.

As background, when the SCA was passed in 1986, it empowered the government to compel service providers to disclose customer information via subpoena, court order or warrant.  Recently, search warrants for data issued pursuant to the Act have become a crucial tool in government investigations, whereas technology companies have been pushing back on such data requests, which they believe are overly broad.

Faced with this situation, Judge Rueter ordered Google to comply with search warrants to produce emails stored abroad.  This was particularly interesting because it contradicted a ruling issued by the Second Circuit just seven months ago, where the court held that the government could not enforce a search warrant for user data on Microsoft servers in Ireland because the focus of the Act is user privacy, which would be invaded when the user data is seized in a foreign country.

Judge Rueter saw things differently, stating that the “two warrants executed upon Google . . . do not constitute extraterritorial application of the SCA.”  He held that the court “must analyze where the seizures, if any, occur and where the searches of user data take place.”  He ruled that warrants issued to Google pursuant to the Act were legal because invasion of privacy would not take place outside of the United States, but would take place within the United States once the government began reviewing the data.  Focusing on the Supreme Court’s Fourth Amendment jurisprudence, Judge Rueter reasoned that transferring data to California from an overseas server “does not amount to a ‘seizure’ because there is no meaningful interference with an account holder’s possessory interest in the user data.”  He noted that, in fact, “Google regularly transfers user data from one data center to another without the customers’ knowledge.”  As for searches, the judge held that because the warrants required Google to turn over the data to FBI agents in the U.S., the search would occur in the United States.  Accordingly, he held:

“[T]he invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.  These cases, therefore, involve a permissible application the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”

The Google ruling gives the government an incentive to press on with broadening its power under the Act.  With contradictory rulings in this area, it will be interesting to see how other circuits will handle issues on this topic.

NARUC Release of Cybersecurity Guidelines should have Utility Companies on High Alert

On January 30, 2017, the National Association of Regulatory Utility Commissioners (“NARUC”) released Version 3.0 of “Cybersecurity A Primer for State Utility Regulators.”  This cybersecurity overview is an important reminder to public utilities to be prepared for cyber threats.

Then again, public utilities probably don’t need a reminder after a cybersecurity event that occurred at the end of last year.  In December 2016, the Burlington Electric Department reported the presence of malware on one of its employee’s computers.  The computer was not connected to the electric grid at the time, and the utility quickly isolated the laptop and coordinated with federal authorities to eradicate the problem.  But, it was still a nerve-wracking development – experts have long warned that public utilities could be targeted because of the wide-spread impact a well-executed hack could have.  And here, even though the electric grid was not compromised, it still became a public relations headache because several news outlets incorrectly reported that the malware-infected computer was, in fact, connected to the grid, endangering vital infrastructure.

In light of increasing threats, state and federal regulators are developing guidance documents, and several state public utility regulators have prepared cybersecurity action plans, such as Connecticut.  The American Water Works Association (“AWWA”) also recently released guidance for water utilities regarding the protection of systems infrastructure.  This momentum is likely to lead to increasingly stringent regulatory requirements regarding cybersecurity plans, policies, and practices for public utilities in the United States.

These guidance documents are also valuable tools for public utilities, particularly small and midsize utilities that are looking to strengthen their cybersecurity protections but may not have the resources to implement a plan from scratch.  The leading thinkers in this area advocate that public utilities develop cybersecurity plans to protect three different operational components:  information technologies systems, operations technology and controls systems (i.e., SCADA systems), and the smart grid.  While protecting IT systems falls within the gambit of traditional cybersecurity planning, the latter two areas are more unique to the public utilities industries.  A public utility’s data security breach plan should address all three functional areas with respect to how it will defend its systems as well as how it will respond in the event of a potential breach.

Resources from institutions like NARUC or AWWA provide invaluable insights on how public utilities can take steps to protect the unique features of their operations.  Unfortunately, cyber threats are not going away, so public utilities must be prepared.

New York Department of Financial Services Delays Compliance Deadline for Cybersecurity Regulations

On October 25, the Privacy Law Report featured a blog post on new cybersecurity regulations being implemented by the New York Department of Financial Services (“DFS”).  Those regulations impose a number of requirements on financial institutions, including banks and insurance companies, such as the implementation of cybersecurity programs, the manner in which those companies handle data breaches, and the necessity for those companies to appoint a chief information security officer.  While these rules certainly advance a good cause, there has been significant push back from the banks to buy more time before the rules go into effect.  In particular, smaller institutions have complained that the rules provide no differentiation between small and large institutions.  Because of these concerns, the DFS has now agreed to move the compliance date from January 1 to March 1.

It will be interesting to see how the coming months will play out.  It shouldn’t come as a major surprise that these companies have pushed back – the rules will require them to implement changes that will require additional manpower and cost.  And as noted, this is a particular concern for smaller companies for which the increased expense will have a larger impact.  It is no secret that the cost of defending against cyber attacks has long been discussed a major limiting factor in the world of cybersecurity.  Nonetheless, these DFS rules will be the first of their kind, and thus may have a broad impact on shaping the drafting of cybersecurity rules to be implemented by other state agencies.  When these rules go into effect, companies should pay close attention to how the DFS tests its new rules and regulations in addition to any changes to the draft rules.

Nossaman Hosts Annual Cybersecurity Symposium with UC Irvine

On December 1, Nossaman hosted its second annual Cybersecurity Symposium in conjunction with the University of California, Irvine School of Law.  This year’s Symposium was entitled “Cybersecurity, Data Breach, and Privacy: Examining Your Risks and Legal Issues From the Inside Out” and focused on recent developments in internal and external cybersecurity, data breach and privacy threats and their implications on both the private and public sectors.  The keynote speaker was the esteemed Erwin Chemerinsky, founding Dean and Distinguished Professor of Law at UC Irvine School of Law.

This year’s event featured many distinguished panelists, including a current agent from the FBI and a former CIA officer, in-house counsel and executives from Southern California Edison, Hyundai, Clyde & Co, Marsh, CommCore Consulting (public relations), KPMG, and Verizon, professors from the UC Irvine School of Law, and the Executive Director of UCI’s new Cybersecurity Research Institute.  Nossaman participants included partners David Graeler, Thomas Dover, Jim Vorhis, Joan Cotkin, and Patrick Richard. As with the first Cybersecurity Symposium, the panels explored a variety of topics:

  • Trends in cyber warfare such as the proliferation of ransomware and phishing;
  • The availability of and types of insurance that might provide coverage for a data breach;
  • The importance of preparing and practicing incident response plans;
  • Policy and enforcement concerns for threats that are multi-jurisdictional;
  • The importance of training and community outreach; and
  • Approaches to public relations and forensic investigations after a breach.

The 2017 Cybersecurity Symposium has been scheduled for October 2, 2017, so save that date now!  It is impossible to know what cybersecurity issues will be front and center at that time, but we’re certain to see new cyber threats, updates on the litigation front, developments related to the EU-US Privacy Shield, and legislation changes with the new administration.  Until then, we will continue to keep you updated on these issues and more here on our blog so please stay tuned!

House Committee Warns Congress to Set Security Standards

Last week, members of the House Energy and Commerce Committee told Congress that they must set cyber security standards for all devices connected to the internet or else face the possibility of a major cyberattack that could cripple critical infrastructure throughout the United States. This hearing came on the heels of the widespread internet outage on October 21.

There are 6 billion internet-related devices today, but that figure is expected to grow to over 20-billion by 2020. With that looming growth, it is important to set those cyber security standards today as it will dictate how internet-connected devices will be made prospectively.

Many have questioned the direction the Trump administration will take in regulating cyber security, as heightened standards will certainly lead to increases costs for businesses. No one can answer that question with any certainty now, but cybersecurity should be a non-partisan issue. As Bruce Schneier, a cybersecurity expert, stated, “I’m not a regulatory fan. But this is the world of dangerous things….The choice is not between government involvement and no government involvement. It’s between smart government involvement versus stupid government involvement.” For now, the message is clear: increase cybersecurity standards or face some dangerous consequences.

IRS Data Breach Class Action Dismissed

Last week, the Internal Revenue Service successfully defeated a putative class action related to a data breach it suffered in 2015. The D.C. District Court’s decision dismissing the suit demonstrates the high bar required to hold a federal agency accountable for lapses in cybersecurity.

In Welborn v. IRS (Case No. 15-1352, D.D.C.), Plaintiffs Becky Welborn, Wendy Windrich and Beth DuPree, on behalf of a proposed class, sued the IRS in connection with a cyberattack on the agency’s website in which over 300,000 tax-related documents were stolen.

Plaintiffs alleged that the IRS violated their rights under the Privacy Act, 5 U.S.C. § 552a, the Administrative Procedure Act (APA), 5 U.S.C. § 701 et seq., and the Internal Revenue Code, 26 U.S.C. § 6103, by “disclosing or failing to prevent the disclosure of their personal identification information to third parties.”

Standing Sufficient Only Where Actual Injury and Causation Shown

As an initial matter, the court determined that only two of the three named plaintiffs had standing to bring suit. Mses. Welborn and Wendrich, who had suffered actual identity theft when someone filed false tax returns and claimed fraudulent refunds in their names, had shown sufficient injury-in-fact and causal connection to the IRS data breach to establish standing to sue for monetary damages.

Ms. DuPree’s claims, however, were dismissed for failure to show causation. Although Ms. DuPree alleged that (1) the IRS notified her that her personal information may have been hacked; (2) no other entity had informed her of a similar data breach; and, (3) she had been the victim of at least two instances of fraudulent activity in her financial accounts following the IRS data breach, the court ruled that there was no nexus showing that the data obtained from the IRS breach was necessarily used to perpetrate the fraud on her accounts. Simply alleging that the financial fraud happened after the data breach was insufficient.

Failure to State a Claim Under the Privacy Act and the Internal Revenue Code

The court also dismissed Plaintiffs’ claims under the Privacy Act for failure to state a claim for actual damages related to the IRS’s alleged failure to safeguard plaintiffs’ personal information. The court ruled that the fraudulent tax returns filed in plaintiffs’ names, the lost time and money spent dealing with data theft and future credit monitoring, and the heightened risk of further identity theft did not equate to actual pecuniary or material damage related to the IRS data breach. Sovereign immunity protects the Federal Government from liability for reputational or emotional harm. Similarly, sovereign immunity barred Plaintiffs’ claims under the Internal Revenue Code.

Finally, the Court ruled that Plaintiffs had no standing to sue for equitable relief under the APA as there was no allegation of an ongoing threat to their personal information, and that there is no private right of action under the Federal Information Security Modernization Act (FISMA).

Needless to say, Courts will set a very high bar for plaintiffs to allege standing to sue governmental agencies for data breaches.

Major Security Breach Reported to Congress By Federal Bank Regulator

Recently, the Office of the Comptroller of the Currency (OCC) informed Congress that it had suffered a major information security incident.

The agency reported that, in November 2015, a former employee downloaded over 10,000 records onto two thumb drives before retiring.  The breach was first detected in September 2016 during an internal review of employee downloads.  Following investigation, the agency determined that the breach was a “major incident” requiring reporting to Congress under the Federal Information Security Modernization Act of 2014 (FISMA).

Under FISMA, as clarified by the October 30, 2015 Office of Management and Budget (OMB) Memorandum 16-03, a federal agency is required to notify Congress within 7 days of discovery of a “major” security incident.  Per OMB Memo 16-03, a “major incident” is one which:

1) Involves information that is classified or otherwise protected under certain categories; and

2) Is not recoverable or not reasonably recoverable; and

3) Has some functional impact to the mission of an agency; or

4) Involves exfiltration, modification, deletion or unauthorized access to either:

a) 10,000 or more records or users affected; or

b) any record of special importance.

OCC determined that the breach in question was a “major incident” because it involved protected information that was not recoverable, and the unauthorized removal involved a large number of files, exceeding 10,000.

Currently, there is no indication that the information involved included any non-public personally identifiable information, or that it has been disclosed to the public or otherwise misused in any way.  Notice of the breach was also given to the Director of the Office of Management and Budget, the Secretary of Homeland Security, and the head of the Government Accountability Office.  The important lesson for government agencies is to understand the parameters of FISMA, and the reporting requirements when a major incident has occurred.

Beazley Report Details Increase in Ransomware Attacks

A report issued last week by Beazley, one of the prominent insurance companies in the cyber field, revealed what industry experts predicted earlier in the year – ransomware is an increasingly prevalent menace.  That report is a reminder to everyone that there is no time like the present to review backup and incident response plans, and to take a close look at your insurance policies.

Beazley has been a prominent cyber insurance player since the inception of that specialized coverage. As an early presence in this area, Beazley started its data breach response unit in 2009.  During that time, it has been tracking its incident response figures based on claims from its policyholders.  And the early reports from 2016 reveal ransomware to be a growing threat.  While the percentage of ransomware attacks as part of the broader data breach universe stayed proportional to the figures seen in 2015, there was a huge uptick in the total number of ransomware incidents.  As Beazley noted, cyber thieves have apparently determined that it is easier to get payment in bitcoins via ransomware than selling information on the dark web.

But all is not lost in this grim report.  There are easy lessons to take away that can help prevent or minimize the risk or damage from a potential ransomware attack.

  • First, ensure you have robust backup practices. A thief stealing your company’s data is a bad outcome.  But Ransomware can cripple a company.  Backup processes are no sure solution, but the absence of a solid backup plan will certainly result in catastrophic results because the ransomware will leave you at the mercy of the attackers.
  • Second, prepare or update your incident response plan. Whatever that plan may be, you do not want an actual data breach attack to be the first time you have practiced your plan.
  • Third, educate your employees. Over 80% of data attacks resulted from human error – when your employee opens the wrong attachment, it is utterly meaningless if you have the Fort Knox of cyber defenses.
  • Finally, review your insurance portfolio. Ransomware is somewhat unique in its mode of attack, and the “damage” that it does to your system. Does it actually do damage your data?  Your computers?  Insurers will certainly argue to the contrary.

The important takeaway is that you should understand where your potential cyber coverage might lie, and determine if you need additional coverage.  Cyber insurance may or may not be cost effective for your company, but you need to understand your insurance portfolio to better evaluate your risk profile.

New York Department of Financial Services Proposes Comprehensive Cybersecurity Regulations for Financial Institutions

In September, the New York Department of Financial Services (“DFS”) proposed new rules (“Rules”) that would require covered financial institutions – banks, insurers, and other institutions regulated by the DFS – to establish and maintain cybersecurity programs to protect consumer data and financial systems from cyberattacks. The Rules may have a very broad impact, if implemented, as they could be the template that other states follow when overseeing their own financial institutions.

The proposed Rules were based on DFS’s survey of nearly 200 banking institutions and insurance companies regarding emerging cybersecurity trends and risks.  According to Governor Cuomo, “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

Cybersecurity legal experts believe that the Rules may serve as a model for other states to follow. The Rules will not only impact the covered institutions, but also third-party vendors transacting business with covered institutions and would clearly impact covered entities’ contract negotiations with third parties.  A 45-day public comment for the Rules period began September 28, 2016 and the Rules have an effective date of January 1, 2017, after which covered entities would have 180 days to comply with the Rules.
Some important aspects the Rules are summarized below:

Cybersecurity Program: A covered entity would be required to design a cybersecurity program addressing “core cybersecurity functions,” such as:

  • Identifying and assessing access to non-public information stored on the entity’s information system;
  • Protecting the entity’s information systems from “unauthorized access, use or other malicious acts”;
  • Detecting, responding and recovering from cybersecurity attempted breach or breach; and
  • Fulfilling all regulatory reporting obligations.

Cybersecurity Policy: The Rules would require a covered entity to implement written cybersecurity policies for protecting its information systems, addressing areas such as: information security, data governance, access controls, disaster recovery plans, systems and network monitoring, and incident response. The Rules would require that the policies be reviewed annually by an entity’s board of directors or equivalent governing board and approved by a Senior Officer.

Chief Information Security Officer: The Rules would require an entity to appoint a Chief Information Security Officer to oversee and implement the entity’s cybersecurity program and enforce its cybersecurity policy. However, the entity would be permitted to fulfill this requirement by outsourcing that responsibility to a third-party vendor so a long as the entity: (1) retains responsibility for compliance with this requirement; (2) designates a senior member of the entity to oversee the third party; and (3) requires that the third party maintains a cybersecurity program that meets the requirement of this provision.

Third Party Information Security Policy: The Rules would require a covered entity to establish written policies and procedures to ensure the security of its information systems and non-public information being accessed or held by third parties doing business with the covered entity. The policies and procedures, among other areas, shall address setting minimum cybersecurity standards that the third party should meet to conduct business with the covered entity.

Limited Exemptions: The Rules provide limited exemption for certain covered entities that meet the following three criteria:

  1. Fewer than 1,000 customers in each of the last three calendar years;
  2. Less than $5,000,000 in gross annual revenue in each of last three fiscal years; and
  3. Less than $10,000 in year-end total assets.

This exemption releases such institutions from some, but not all, requirements outlined in the Rules. For example, these exempted institutions would still need to implement the cybersecurity program and policy requirements. See 23 NYCRR 500.

The Rules are the first attempt by a regulating body to implement overarching rules requiring the implementation of cybersecurity policies for financial institutions.

LexBlog