SEC Hints that Enforcement Actions on Lax Cybersecurity Might Be Coming

With the confirmation of Jay Clayton as the Chair of the Securities and Exchange Commission, comments made last month by the Acting Enforcement Director, Stephanie Avakian, regarding the importance of accurate reporting in the area of cybersecurity, and consequences of inaccurate reporting, may get lost.  At a speech last month, Ms. Avakian, on behalf of the SEC, told an audience of corporate attorneys, “We’ve not brought an action in that space.  Could I see a circumstance where we do?  Absolutely.” Ms. Avakian softened these comments later in the speech, however, suggesting the SEC was not looking to second-guess good faith disclosure decisions.

Going forward, though, how should public companies react to Ms. Avakian’s statements?  With at least some degree of caution.  After all, the SEC has a history of honing in on an area of interest and filing lawsuits in waves.  Take the glut of lawsuits filed in the mid-2000s regarding backdated stock options, for example.  What started as a compensation system used by thousands of companies turned into a key target for the SEC’s Enforcement Division, with dozens of civil lawsuits filed, and a number of officers and directors going to prison in related criminal actions.  Cybersecurity reporting is obviously not the same stock option backdating.  However, like backdating it has been repeatedly described as an area of focus for the SEC.  And because cybersecurity issues remain relatively new and regulators are eager to catch up with emerging technologies, this area could be low hanging fruit.  Hackers are not going away, and it is likely that every company will be compromised at some point.  So what will happen if the Enforcement Division decides to look closely at the disclosures of public companies after hacking events?

No one knows for sure.  There is no reason to believe that companies that take good faith measures will be the target of an enforcement action.  But one can look to the FCC’s pursuit of companies that it believes failed to take proper steps to secure its data for a hint at what may come.  These companies, such as Wyndham Hotels, thought they had taken good faith cybersecurity measures, and still ended up in the crosshairs.  For now, the only recourse public companies can take is to review their reporting disclosures for accuracy and keep an eye on how the SEC handles matters going forward.

Broadband Internet Service Providers no Longer Subject to FCC Privacy Rules Preventing them from Selling Private Consumer Information

Both the House (215-205) and Senate (50-48) have voted to revoke the Federal Communication Commission’s (FCC) broadband privacy rules which would have forced broadband Internet Service Providers (ISPs), such as Verizon, Comcast and Charter, to obtain affirmative “opt-in” consent from consumers to use and share their personal sensitive information.  Sensitive information includes things such as precise geo-location, financial information, health information, children’s information, social security numbers, web browsing history, app usage and the content of communications.  The regulations would have also required ISPs to provide customers with clear, conspicuous and persistent notice about the information they collect, how it may be used and with whom it may be shared.  The FCC proposed the new regulations in March, 2016, and formally adopted them in October, 2016, just days before the presidential election.  President Trump dealt the FCC regulations their final blow by repealing the online privacy rules on April 3rd.

Proponents of the regulations claim that reversing the regulations opens the door for ISPs to sell customer data to third parties and leaves a gaping hole in federal privacy protections.  The proposed regulations would have subjected broadband ISPs to the privacy requirements of Section 222 of the Communications  Act.  That, say opponents of the regulations, was an overstep of the FCC’s authority and such opponents claim further that the FCC does not have the right to regulate ISPs at all.  Prior to such regulations ISPs had never had special privacy rules specifically applicable to them.  The FCC defended its right to implement privacy rules specific to ISPs by claiming that ISPs were actually common carriers, similar to utility providers, of which the FCC does have the authority to regulate over.  Common carriers are subject to Title 2 of the Communications Act.   Opponents of the regulations argue that in addition to overstepping their jurisdiction, the FCC seemed to be picking winners and losers in the marketplace, because while ISPs and websites, such as Google or Facebook, both compete for online generated consumer data, only ISPs would be subject to the proposed regulations.

The vote in Congress to revoke the proposed regulations was primarily drawn on party lines with Democrats in the House and Senate unanimously voting to keep the privacy rules in place and all Senate Republicans and all but 15 House Republicans voting to eliminate the rules. The current FCC Chairman, Ajit Pai, was also in agreement with Republicans, arguing that ISPs should not face stricter rules than website operators. Pai was in the commission minority when the proposed regulations were passed last year.

Trump Budget Raises Questions about Approach to Cybersecurity

On Thursday, March 16, 2017, President Trump unveiled his “America First” budget blueprint.  One of the most important quandaries for those in the cybersecurity world is how the proposal to reorganize the executive branch to improve “the Federal Government’s effectiveness, efficiency, cybersecurity, and accountability” will impact our nation’s cyber defenses since overall spending in this area will decrease from the prior administration.

The President’s budget proposes to (i) support “the Office of Electricity Delivery and Energy Reliability’s capacity to carry out cybersecurity and grid resiliency activities”; (ii) safeguard cyberspace “with $1.5 billion for [Department of Homeland Security] activities that protect Federal networks and critical infrastructure from an attack”; (iii) strengthen cybersecurity in the Department of the Treasury “by investing in a Department-wide plan to strategically enhance existing security systems and preempt fragmentation of information technology management across the bureaus, positioning Treasury to anticipate and nimbly respond in the event of a cyberattack”; and (iv) strengthen “NASA’s cybersecurity capabilities, safeguarding critical systems and data.”  Those are excellent goals, all designed to increase cybersecurity.  But the President’s request for $1.5 billion for DHS’s “continued development of strong cybersecurity defenses” is also less than 8% of the $19 billion requested by the Obama administration last year to address the same cybersecurity concerns.

The goal of the budget in this area relies on increased efficiency – federal agencies doing more with less.  The focus on efficiency in addressing cybersecurity concerns was underscored by White House advisor Thomas Bossert’s statement the day before the blueprint’s release, that the administration would be scoring agencies on implementation of a cybersecurity framework.  The administration plans to require federal agencies to adhere to the cybersecurity framework developed by the National Institute of Standards and Technology (NIST).  Bossert said the administration will require agencies to submit a report to DHS, the Office of Management and Budget, and the White House, which will serve as the basis for the administration’s evaluation and scoring of the agencies’ efforts.  Only time will tell if the goal of increased efficiency will be effective against the increasing prevalence of cyber attacks, but America will be watching closely.

Google Ruling may give Government an Opening to Broaden its Power Under Outdated Stored Communications Act

As technology progresses and the world becomes even more interconnected, the scope of the Stored Communications Act (“SCA” or “Act”) has become a topic of much interest in the federal courts. One question courts have grappled with lately is whether law enforcement may subpoena data stored on foreign servers under the Act. A recent ruling by Magistrate Judge Rueter of the Eastern District of Pennsylvania in In re Search Warrant No. 16-960-M-01 to Google (“Google ruling”) may give the government all the incentive it needs to continue taking a broad reading of its powers under the Act.

As background, when the SCA was passed in 1986, it empowered the government to compel service providers to disclose customer information via subpoena, court order or warrant.  Recently, search warrants for data issued pursuant to the Act have become a crucial tool in government investigations, whereas technology companies have been pushing back on such data requests, which they believe are overly broad.

Faced with this situation, Judge Rueter ordered Google to comply with search warrants to produce emails stored abroad.  This was particularly interesting because it contradicted a ruling issued by the Second Circuit just seven months ago, where the court held that the government could not enforce a search warrant for user data on Microsoft servers in Ireland because the focus of the Act is user privacy, which would be invaded when the user data is seized in a foreign country.

Judge Rueter saw things differently, stating that the “two warrants executed upon Google . . . do not constitute extraterritorial application of the SCA.”  He held that the court “must analyze where the seizures, if any, occur and where the searches of user data take place.”  He ruled that warrants issued to Google pursuant to the Act were legal because invasion of privacy would not take place outside of the United States, but would take place within the United States once the government began reviewing the data.  Focusing on the Supreme Court’s Fourth Amendment jurisprudence, Judge Rueter reasoned that transferring data to California from an overseas server “does not amount to a ‘seizure’ because there is no meaningful interference with an account holder’s possessory interest in the user data.”  He noted that, in fact, “Google regularly transfers user data from one data center to another without the customers’ knowledge.”  As for searches, the judge held that because the warrants required Google to turn over the data to FBI agents in the U.S., the search would occur in the United States.  Accordingly, he held:

“[T]he invasions of privacy will occur in the United States; the searches of the electronic data disclosed by Google pursuant to the warrants will occur in the United States when the FBI reviews the copies of the requested data in Pennsylvania.  These cases, therefore, involve a permissible application the SCA, even if other conduct (the electronic transfer of data) occurs abroad.”

The Google ruling gives the government an incentive to press on with broadening its power under the Act.  With contradictory rulings in this area, it will be interesting to see how other circuits will handle issues on this topic.

NARUC Release of Cybersecurity Guidelines should have Utility Companies on High Alert

On January 30, 2017, the National Association of Regulatory Utility Commissioners (“NARUC”) released Version 3.0 of “Cybersecurity A Primer for State Utility Regulators.”  This cybersecurity overview is an important reminder to public utilities to be prepared for cyber threats.

Then again, public utilities probably don’t need a reminder after a cybersecurity event that occurred at the end of last year.  In December 2016, the Burlington Electric Department reported the presence of malware on one of its employee’s computers.  The computer was not connected to the electric grid at the time, and the utility quickly isolated the laptop and coordinated with federal authorities to eradicate the problem.  But, it was still a nerve-wracking development – experts have long warned that public utilities could be targeted because of the wide-spread impact a well-executed hack could have.  And here, even though the electric grid was not compromised, it still became a public relations headache because several news outlets incorrectly reported that the malware-infected computer was, in fact, connected to the grid, endangering vital infrastructure.

In light of increasing threats, state and federal regulators are developing guidance documents, and several state public utility regulators have prepared cybersecurity action plans, such as Connecticut.  The American Water Works Association (“AWWA”) also recently released guidance for water utilities regarding the protection of systems infrastructure.  This momentum is likely to lead to increasingly stringent regulatory requirements regarding cybersecurity plans, policies, and practices for public utilities in the United States.

These guidance documents are also valuable tools for public utilities, particularly small and midsize utilities that are looking to strengthen their cybersecurity protections but may not have the resources to implement a plan from scratch.  The leading thinkers in this area advocate that public utilities develop cybersecurity plans to protect three different operational components:  information technologies systems, operations technology and controls systems (i.e., SCADA systems), and the smart grid.  While protecting IT systems falls within the gambit of traditional cybersecurity planning, the latter two areas are more unique to the public utilities industries.  A public utility’s data security breach plan should address all three functional areas with respect to how it will defend its systems as well as how it will respond in the event of a potential breach.

Resources from institutions like NARUC or AWWA provide invaluable insights on how public utilities can take steps to protect the unique features of their operations.  Unfortunately, cyber threats are not going away, so public utilities must be prepared.

New York Department of Financial Services Delays Compliance Deadline for Cybersecurity Regulations

On October 25, the Privacy Law Report featured a blog post on new cybersecurity regulations being implemented by the New York Department of Financial Services (“DFS”).  Those regulations impose a number of requirements on financial institutions, including banks and insurance companies, such as the implementation of cybersecurity programs, the manner in which those companies handle data breaches, and the necessity for those companies to appoint a chief information security officer.  While these rules certainly advance a good cause, there has been significant push back from the banks to buy more time before the rules go into effect.  In particular, smaller institutions have complained that the rules provide no differentiation between small and large institutions.  Because of these concerns, the DFS has now agreed to move the compliance date from January 1 to March 1.

It will be interesting to see how the coming months will play out.  It shouldn’t come as a major surprise that these companies have pushed back – the rules will require them to implement changes that will require additional manpower and cost.  And as noted, this is a particular concern for smaller companies for which the increased expense will have a larger impact.  It is no secret that the cost of defending against cyber attacks has long been discussed a major limiting factor in the world of cybersecurity.  Nonetheless, these DFS rules will be the first of their kind, and thus may have a broad impact on shaping the drafting of cybersecurity rules to be implemented by other state agencies.  When these rules go into effect, companies should pay close attention to how the DFS tests its new rules and regulations in addition to any changes to the draft rules.

Nossaman Hosts Annual Cybersecurity Symposium with UC Irvine

On December 1, Nossaman hosted its second annual Cybersecurity Symposium in conjunction with the University of California, Irvine School of Law.  This year’s Symposium was entitled “Cybersecurity, Data Breach, and Privacy: Examining Your Risks and Legal Issues From the Inside Out” and focused on recent developments in internal and external cybersecurity, data breach and privacy threats and their implications on both the private and public sectors.  The keynote speaker was the esteemed Erwin Chemerinsky, founding Dean and Distinguished Professor of Law at UC Irvine School of Law.

This year’s event featured many distinguished panelists, including a current agent from the FBI and a former CIA officer, in-house counsel and executives from Southern California Edison, Hyundai, Clyde & Co, Marsh, CommCore Consulting (public relations), KPMG, and Verizon, professors from the UC Irvine School of Law, and the Executive Director of UCI’s new Cybersecurity Research Institute.  Nossaman participants included partners David Graeler, Thomas Dover, Jim Vorhis, Joan Cotkin, and Patrick Richard. As with the first Cybersecurity Symposium, the panels explored a variety of topics:

  • Trends in cyber warfare such as the proliferation of ransomware and phishing;
  • The availability of and types of insurance that might provide coverage for a data breach;
  • The importance of preparing and practicing incident response plans;
  • Policy and enforcement concerns for threats that are multi-jurisdictional;
  • The importance of training and community outreach; and
  • Approaches to public relations and forensic investigations after a breach.

The 2017 Cybersecurity Symposium has been scheduled for October 2, 2017, so save that date now!  It is impossible to know what cybersecurity issues will be front and center at that time, but we’re certain to see new cyber threats, updates on the litigation front, developments related to the EU-US Privacy Shield, and legislation changes with the new administration.  Until then, we will continue to keep you updated on these issues and more here on our blog so please stay tuned!

House Committee Warns Congress to Set Security Standards

Last week, members of the House Energy and Commerce Committee told Congress that they must set cyber security standards for all devices connected to the internet or else face the possibility of a major cyberattack that could cripple critical infrastructure throughout the United States. This hearing came on the heels of the widespread internet outage on October 21.

There are 6 billion internet-related devices today, but that figure is expected to grow to over 20-billion by 2020. With that looming growth, it is important to set those cyber security standards today as it will dictate how internet-connected devices will be made prospectively.

Many have questioned the direction the Trump administration will take in regulating cyber security, as heightened standards will certainly lead to increases costs for businesses. No one can answer that question with any certainty now, but cybersecurity should be a non-partisan issue. As Bruce Schneier, a cybersecurity expert, stated, “I’m not a regulatory fan. But this is the world of dangerous things….The choice is not between government involvement and no government involvement. It’s between smart government involvement versus stupid government involvement.” For now, the message is clear: increase cybersecurity standards or face some dangerous consequences.

IRS Data Breach Class Action Dismissed

Last week, the Internal Revenue Service successfully defeated a putative class action related to a data breach it suffered in 2015. The D.C. District Court’s decision dismissing the suit demonstrates the high bar required to hold a federal agency accountable for lapses in cybersecurity.

In Welborn v. IRS (Case No. 15-1352, D.D.C.), Plaintiffs Becky Welborn, Wendy Windrich and Beth DuPree, on behalf of a proposed class, sued the IRS in connection with a cyberattack on the agency’s website in which over 300,000 tax-related documents were stolen.

Plaintiffs alleged that the IRS violated their rights under the Privacy Act, 5 U.S.C. § 552a, the Administrative Procedure Act (APA), 5 U.S.C. § 701 et seq., and the Internal Revenue Code, 26 U.S.C. § 6103, by “disclosing or failing to prevent the disclosure of their personal identification information to third parties.”

Standing Sufficient Only Where Actual Injury and Causation Shown

As an initial matter, the court determined that only two of the three named plaintiffs had standing to bring suit. Mses. Welborn and Wendrich, who had suffered actual identity theft when someone filed false tax returns and claimed fraudulent refunds in their names, had shown sufficient injury-in-fact and causal connection to the IRS data breach to establish standing to sue for monetary damages.

Ms. DuPree’s claims, however, were dismissed for failure to show causation. Although Ms. DuPree alleged that (1) the IRS notified her that her personal information may have been hacked; (2) no other entity had informed her of a similar data breach; and, (3) she had been the victim of at least two instances of fraudulent activity in her financial accounts following the IRS data breach, the court ruled that there was no nexus showing that the data obtained from the IRS breach was necessarily used to perpetrate the fraud on her accounts. Simply alleging that the financial fraud happened after the data breach was insufficient.

Failure to State a Claim Under the Privacy Act and the Internal Revenue Code

The court also dismissed Plaintiffs’ claims under the Privacy Act for failure to state a claim for actual damages related to the IRS’s alleged failure to safeguard plaintiffs’ personal information. The court ruled that the fraudulent tax returns filed in plaintiffs’ names, the lost time and money spent dealing with data theft and future credit monitoring, and the heightened risk of further identity theft did not equate to actual pecuniary or material damage related to the IRS data breach. Sovereign immunity protects the Federal Government from liability for reputational or emotional harm. Similarly, sovereign immunity barred Plaintiffs’ claims under the Internal Revenue Code.

Finally, the Court ruled that Plaintiffs had no standing to sue for equitable relief under the APA as there was no allegation of an ongoing threat to their personal information, and that there is no private right of action under the Federal Information Security Modernization Act (FISMA).

Needless to say, Courts will set a very high bar for plaintiffs to allege standing to sue governmental agencies for data breaches.