Cyber Security, Information Governance & Privacy

On May 22, Vermont passed the nation’s most expansive data broker legislation in an effort to provide consumers with more information about data brokers, their data collection practices, and consumers’ right to opt out.

The legislation, which in part takes effect on January 1, 2019, defines “data brokers” to mean “a business … that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” While this definition appears to be broad in scope, the controlling test to determine whether a business is a “data broker” is whether the sale or license of data is merely incidental to the business.  If the sale or license of data is merely incidental, the business would likely not be considered a data broker.

The legislation takes note of the fact that there are important differences between data brokers and businesses with whom consumers have a direct relationship.  Specifically, it finds that consumers who have a direct relationship with traditional and e-commerce businesses typically have some level of knowledge and control over the businesses’ data collection practices, including the choice to use the businesses’ products or services and the ability to opt out of certain data collection practices.  By contrast, however, consumers may not be aware that data brokers are collecting information about them or that they even exist.  As such, the new law aims to provide consumers with necessary information about data brokers, including information about their data collection activities, opt-out policies, purchaser credentialing practices, and security breaches.

Once the enacted legislation goes into effect, data brokers will be required to:

  1. Annually register with the Secretary of State and pay a registration fee of $100.00.  Notably, registration would only be required if, in the prior year, the data broker collected and licensed or sold to a third party the personal information of a Vermont consumer.
  2. Annually disclose the following information about its data collection practices:

a.  Whether the data broker permits a consumer to opt out of the data broker’s collection of brokered personal information, opt out of its databases, or opt out of certain sales of data;

b.  A statement specifying the data collection, databases, or sales activities from which a consumer may not opt out;

c.  A statement whether the data broker implements a purchaser credentialing process;

d.  The number of data security breaches experienced during the previous year, and if known, the total number of consumers affected by the breaches; and

e.  The data broker’s collection practices as it relates to minors.

  1. Develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards appropriate for the size, scope, and type of business of the data broker.  Notably, a violation of the legislation’s information security requirements will constitute an “unfair and deceptive act” for which the Attorney General is authorized to bring an enforcement action.

Attorney General T.J. Donovan applauded lawmakers for the passage of the law and stated that “the state has a strong public safety interest in transparency, data security, and consumer protection generally with respect to commercial interests that elect to engage in the business of buying and selling consumer data without the consumer’s knowledge.”  And while “transparency of information is great when it comes to government,” said Vermont Secretary of State Jim Condos, it is not “for individuals and their personal information.”

On Wednesday, June 6, from 3 – 4 pm ET, Troutman Sanders attorneys, Ronald Raether and Jonathan Yee will present a webinar discussing vendor risk.

Business interconnectivity is nothing new. With the rise of the cloud, vendor management came into focus. Companies continue to engage outside vendors and third-party services providers to assist with key aspects of their operations including payment platforms, customer relations management, information technology, and data storage, to name a few. With the cloud, many companies believed that their data would be safer. However, those involved in security for years (decades) knew better. So, now after some hard lessons, many businesses still fail to account for the use of these third-parties and their access to sensitive company and consumer information in their respective cybersecurity programs. Join us for an informative look at emerging laws and guidelines which provide best practices that companies should consider to minimize cyber risk from vendors and third-party service providers and to work towards a stronger position to assert compliance with cybersecurity regulations.

Covered Topics

  • Overview of cyber risks associated with vendors and third-party service providers
  • Steps to develop a vendor cybersecurity compliance program
  • How regulations should inform on policies including a look at the NYDFS Cybersecurity Regulation and DFAR
  • Industry best practices

Registration

Click here to register. Scheduling conflict? Register anyway to receive the recording after the event.

We are pleased to announce that Troutman Sanders attorney Ron Raether will be presenting during the NetDiligence Cyber Risk Summit Conference at the Bellevue Hotel in Philadelphia, PA. This conference features two full days of panel discussions by leading cyber experts who will share their insights on hot topics, trends, and cybersecurity concerns.  Ron will be speaking on a panel discussing “Improving Insurance Industry and Government Collaboration” on July 13, 2018 at 11:20 a.m.

Attendees will:

  • Gain valuable tips and advice on Cyber Risk Security
  • Discuss and Learn top issues that are happening now in the Cyber world
  • Connect with leaders in cyber risk and private liability and learn from their experiences on current and emerging concerns in the ever- changing cyber landscape

To register or obtain additional information, visit the NetDiligence Website.

Last week, the National Institute of Standards and Technology released version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity—more commonly known as the Cybersecurity Framework.

The first version of Cybersecurity Framework was initially issued in February 2014 as voluntary guidance for critical infrastructure organizations to better manage and reduce cybersecurity risk. Although it was designed specifically for companies that are part of the U.S. critical infrastructure, many other organizations, both from the public and private sector, have since then relied on the Cybersecurity Framework. The Framework has been used for a variety of purposes, including to raise cybersecurity awareness and to communicate with stakeholders within their organization, and as a strategic planning tool to assess cybersecurity risks and current practices.

As noted by NIST, the Cybersecurity Framework was, and continues to be, developed through ongoing engagement with stakeholders in government, industry, and academia. Version 1.1 in particular was the result of “eight public workshops, multiple Requests for Comment or Information, and thousands of direct interactions with stakeholders from across all sectors of the United States along with many sectors from around the world.” This collaboration has undoubtedly contributed to the framework’s popularity and success, as exemplified by the framework’s widespread adoption by organizations globally.

Version 1.1 of the Cybersecurity Framework provides new details on authentication and identity management, self-assessing cybersecurity risk, managing cybersecurity within the supply chain, and vulnerability disclosure. Additionally, as explained by Matt Barrett, NIST’s program manager for the Cybersecurity Framework, Version 1.1 was written to “refine and enhance the original document and to make it easier to use.” The update, Barrett notes, “is fully compatible with the original framework, and the framework remains voluntary and flexible to adaptation.”

We have discussed the challenges by companies in creating the proper incentives for the development of sound cybersecurity practices. Initially, industry looked to certifications as a measure of compliance, such as PCI audits. Data breach events such as that experienced by retailer Target in 2012 exposed the inherent limits in an event-based system dependent on third-party audits. Indeed, it completely ignored the reality that cybersecurity is an iterative process – a cat-and-mouse game – as we must react to defend against the ever-developing tactics of hackers. It also ignored the practical necessity of creating direct accountability of the company and its employees, or in other words, the need to create a culture of sound security practices, recognizing security as a fundamental precept of a profitable company, rather than just a cost center. A Framework based on honest self-assessment applied to specified domains with measurable goals and a thoughtful governance structure invests the company in cybersecurity and continual improvement.

NIST actively encourages all businesses – regardless of size, industry, or sector – to review and consider the Framework as a helpful tool in managing cybersecurity risks. To explain the updates made in Version 1.1, NIST will be hosting a free public webcast explaining Version 1.1 in detail on April 27, 2018, at 1:00 p.m. EDT.

Attorneys general from thirty-one states have signed a letter urging Congress to scrap a proposed federal breach notification law that was introduced by Rep. Blaine Lukemeyer (R-Mo.) and Rep. Carolyn Maloney (D-N.Y.) in an effort to create a national data breach notification and security standard.  The proposed law, known as the Data Acquisition and Technology Accountability and Security Act (the “Draft Bill”), if passed, would require covered entities to, among other things:

  1. Conduct preliminary investigations of data breaches – If a covered entity believes that a breach of data security containing personal information occurred, the covered entity would be required to conduct an immediate investigation (“Preliminary Investigation”) to determine, among other thing, if personal information has or is likely to have been acquired without authorization.
  2. Notify agencies in the event of reasonable risk – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that the data breach resulted in or will result in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify certain governmental entities, such as the Secret Service, the Federal Bureau of Investigation, and other agencies, if the data breach involved personal information relating to 5,000 or more consumers.
  3. Notify consumers in the event of harm – If, after conducting the Preliminary Investigation, a covered entity determines that there is a reasonable risk that a data breach resulted in identity theft, fraud, or economic loss to consumers, the covered entity would be required to notify all impacted consumers.

With respect to state enforcement rights, the Draft Bill indicates that state attorneys general may bring civil actions against covered entities for certain violations of the Draft Bill, provided that: (1) the covered entity is not a financial institution, and (2) the attorney general provides prior written notice of any action to the FTC and provides the FTC with a copy of its complaint, except in certain circumstances where such notice may not be feasible.  Additionally, the Draft Bill indicates that the FTC shall have the right to intervene in all state actions and that no state attorney general can bring an action against a covered entity if the FTC has already done so.

Lastly, and likely most controversially, Section 6 of the Draft Bill indicates that the act would “preempt any law, rule, regulation, requirement, standard, or other provision having the force and effect of any law of any state … with respect to securing information from unauthorized access or acquisition, including notification of unauthorized access or acquisition of data … .”

So, what is the big deal?  Having a national data breach notification law is a good thing, right?  Well, no … not according to the thirty-two attorneys general who signed the letter to Congress released on March 19.  As explained by these attorneys general, there are several issues of concern with the draft bill, including that it:

  1. “[T]otally preempts all state data breach and data security laws that require notice to consumer and state attorneys general of data breaches,” which would include the states’ consumer data breach notification laws that, as of March 28, 2018, have been enacted by all fifty states.
  2. “Allows entities suffering breaches to determine whether to notify consumers of a breach based on their own judgment of whether there is ‘a reasonable risk’ that the breach of data security has resulted in identity theft, fraud, or economic loss to any consumers.”  This, as they noted, is insufficient and too late, and will result in less transparency to consumers as fewer notifications to consumers will be sent.  It also permits entities that have suffered a data breach to notify consumers after the harm to them has occurred, which limits consumers’ opportunity to take proactive steps to protect themselves from identity theft before it happens.
  3. Fails to acknowledge the fact that data breaches come in all sizes by only addressing large, national breaches affecting 5,000 or more consumers, and prevents attorneys general from learning of or addressing breaches that are smaller in scale but nonetheless victimize residents in their states.
  4. Places consumer reporting agencies and financial institutions out of states’ enforcement reach, which would prevent State attorneys general from pursuing these companies after a security incident.

Considering themselves to be the “chief consumer protection officials” in their respective states, the attorneys general note that there is a place for both state and federal agencies to protect consumers’ personal information, and therefore, recommend that the Draft Bill not preempt state data security and breach notification laws.

We are pleased to announce that Troutman Sanders partner Ronald Raether will make a presentation on, “Incident Response Plans: Avoiding Common Mistakes through a Table Top Exercise,” at the Fraud & Breach Prevention Summit at the Hyatt Hotel in Dallas, Texas on April 24th, 2018 at 10:50 a.m. Ronald will also be on a panel discussion, “Know Your Attacker: Lessons Learned from Cybercrime Investigations,” on April 24th, 2018 at 4:00 p.m.

Ronald’s presentation will give attendees insight on:

  • Response to IRPs and why it matters
  • Privilege of Breach Response Efforts
  • Table Top Exercise and Goals
  • Purpose of the Incident Response Team
  • Membership of the Incident Response Team and Training
  • Walkthrough several common incident scenarios

Ronald’s panel discussion will give attendees insight on:

  • Today’s most prevalent cybercrime schemes
  • Traits of the threat actors that are most common
  • Lessons learned from actual crime investigations

ISMG hosts the Fraud & Breach Prevention Summit yearly in different locations across the United States. The conference will bring industry leaders from across the globe speaking on specialties ranging from IoT and the use of deception technology, on-going business email compromise trends, DDoS for extortion and ransomware attacks.

ISMG has designed its sessions to address the needs of CISOs, fraud and risk teams, security and IT professionals, and many others by providing hands-on tools, real-world problems and solutions for attendees to be able to take back to their office.

To register or obtain additional information, visit the ISMG Website. For a 10% discount on registration, use code: SAVE10%

Please join us on Tuesday, April 24th from 3:00 – 4:00 PM ET for a complimentary webinar with speakers Ronald Raether and Sheila Pham.

Learn how to make sure that all involved parties communicate effectively to develop a defensible cyber risk management program which will stand up under scrutiny and avoid common pitfalls. Effective cyber risk management requires resolving natural conflicts between functionality, security and privacy. Yet most companies fail to acknowledge, let alone address, key differences in these groups. Even the term “standard” is understood differently. From real-world examples, attendees will learn how to manage a program which will stand up under scrutiny and what common pitfalls to avoid.

Covered Topics

  • Legal, regulatory, and business issues to consider in creating a data governance and cybersecurity program
  • Determining what data privacy and cybersecurity standards to follow
  • Steps to take in creating a data governance and cybersecurity program
  • Importance of a tailored data governance and cybersecurity program
  • Industry best practices

Key Takeaways

  • Identify tensions and consider resolutions among various stakeholders
  • Identify various frameworks
  • Understand the necessary steps to create a tailored data governance and cybersecurity plan

Register here.

The Clarifying Lawful Overseas Use of Data Act, commonly referred to as the “CLOUD Act,” a last-minute addition to the $1.3 trillion federal spending bill, has been signed into law by President Donald Trump. The Act allots the United States government more access to Americans’ overseas data for law enforcement purposes and helps foreign governments access domestic data from their own citizens.

The Act was added to the 2,232-page omnibus spending bill one day ahead of its vote. The bill passed 256-167 in the House, and 65-23 in the Senate.

The law is essentially an update to the Electronic Communications Privacy Act, a series of laws that regulate how U.S. law enforcement officials can access data stored overseas. Congress passed the ECPA in 1986 which, due to obvious advances in technology over the past 30 years, is ill-equipped to handle today’s variety of electronic communications and related data.

Prior to the CLOUD Act, the United States could only access data stored overseas through mutual legal-assistance treaties (“MLATs”). With a MLAT, two or more nations are required to put in writing how they are willing to accommodate each other with legal investigations. Each proposed MLAT must receive a two-thirds approval from the Senate to pass.

Through the Act, law enforcement officials at any level, including local police, can require companies to turn over user data regardless of where the data is stored.

The Act also gives the executive branch the ability to enter into “executive agreements” with foreign nations. These agreements, which do not require congressional approval, could allow each nation to acquire stored personal data from other nations, regardless of the hosting nation’s privacy laws.

Through the CLOUD Act, electronic data stored overseas is now far more accessible to law enforcement officials. According to a 2013 report by the President’s Review Group, the average MLAT request took an average of ten months to fill. Under the new regime, this turnaround time undoubtedly will be shorter.

Troutman Sanders LLP will continue to monitor developments regarding implementation of the CLOUD Act.

Last month, the North American Reliability Corporation (“NERC”) approved a settlement agreement between the Western Electric Coordinating Council (“WECC”) and an unnamed power company that imposed a penalty of $2.7 million on the power company for improper cybersecurity oversight after the company inadvertently allowed critical cyber security data to be exposed online for 70 days.

According to NERC’s Notice of Penalty, the online data exposure was attributed to a third-party contractor who was doing work for the unnamed company. The contractor improperly accessed data from the company’s network and copied that data onto the contractor’s network. While the information was on the contractor’s network it was accessible online to anyone without password protection. The information exposed records of over 30,000 assets, including records associated with Critical Cyber Assets (CCAs) such as IP addresses and server host names.

The breach was discovered when a white hat security researcher found the information on the internet. The unnamed power company then notified WECC, its regulator, of the breach. The data incident ultimately revealed that the power company was in violation of NERC’s Critical Infrastructure Protection (“CIP”) Reliability Standards. The WECC found that the power company “failed to implement adequately its program to identify, classify, and protect information associated with CCAs [cyber security assets]” and failed to “implement adequately a program for managing access to protected information related to CCAs.”

When determining the penalty to assess on the power company, WECC took into consideration several factors, a few of which worked to the power company’s advantage: (1) that the violations constituted the power company’s first occurrence of violations of the subject NERC Reliability Standards; and (2) that the power company had an internal compliance program at the time of the violations.

The unnamed power company did not admit or deny the allegations, but agreed to the penalty and agreed to take corrective action to mitigate the violation and facilitate future compliance under the terms of the settlement. The penalty will be effective upon expiration of the 30-day period following the filing of NERC’s notice, or upon final determination by the Federal Energy Regulatory Commission.

 

Going slow and steady may work out for you if you’re a tortoise competing against an overly confident hare. However, if you’re in the mobile device industry and have been lagging on sending out security updates, it’s time to pick up the pace. A new Federal Trade Commission report issued last month found that while the industry has taken steps to expedite the security update process, more can be done to streamline the process and make it easier for consumers to ensure their devices are secure.

As noted in the FTC’s report, “[s]ecurity researchers and government agencies have consistently maintained that the best way to secure consumer information is to take reasonable steps to design secure products and maintain their security with updates that patch vulnerabilities in device software. Despite this consensus, security researchers and industry observers have reported that many mobile devices’ operating systems (the software that powers the devices’ basic functions) are not receiving the security patches they need to protect them from critical vulnerabilities.”

While the FTC commended the mobile device industry for its efforts to expedite the security update process, it set forth the following five recommendations as ways to continue and improve such efforts:

  1. Educating Consumers: Government, industry, and advocacy groups should work together to educate consumers about their role in the operating system update process and the significance of security update support. The FTC notes that the more consumers understand the importance of updates, the more likely they are to install available updates and consider security updates when making decisions to purchase, use, and upgrade devices.
  2. Start with Security: Businesses should consider security as a foundational aspect of their practices and procedures. As such, manufacturers, carriers, and operating system developers should ensure that reasonable security update support is a shared priority, reflected in each company’s policies, practices, and contracts.
  3. Learning from the Past: Companies should evaluate current practices by studying past practices. This requires keeping more consistent records on security support topics such as update decisions, support length, update frequency, customized patch development time, carrier testing time, and uptake rate. The FTC notes that an analysis of this data may provide an empirical basis for improving mobile device security.
  4. Security-Only Updates: The industry should consider how best to package security updates to encourage consumers to accept them. This may require offering security-only updates that do not include general software updates, which some users may be hesitant to accept due to feature changes or potential impact on memory, battery life, bandwidth, or the operating system.
  5. Providing Consumers With Better Information About the Security Update Process: Device manufacturers should consider adopting and stating minimum guaranteed support periods for their devices and should clearly explain the date on which updates will end.

The report was primarily based on the FTC’s findings from information they requested in May 2016 from eight mobile device manufacturers about how they issue security updates. It also took into consideration information it received from wireless carriers about their security updates practices. The FTC noted that while the data provided by these companies was not sufficiently representative to permit definitive conclusions about industry practices as a whole, it did provide remarkable insight into the security update practice that affects a large proportion of the devices on the U.S. market.