With Inauguration Day upon us, it’s time for a #MLWashingtonCyberWatch update.   President-elect Donald Trump has vocalized his support for the future of “cyber” throughout his campaign – but how will members of his cabinet act, or refuse to act, on his vision for that future?

During the past two weeks, the United States Senate has been holding confirmation hearings for Mr. Trump’s cabinet selections. Pointed questioning from senators has surfaced many issues of critical importance to the American people, among them the future of privacy and cybersecurity. The incoming administration will confront significant issues in these areas such as the use of back-door encryption, mass data collection and surveillance, and international cybersecurity threats. The nominees for Attorney General, Secretary of the Department of Homeland Security (“DHS”), and Director of the Central Intelligence Agency (“CIA”) were each questioned about how they will navigate these concerns as part of the Trump Administration. In this installment of #MLWashingtonCyberWatch we are discussing highlights from these hearings. Continue Reading #MLWashingtonCyberWatch: Nominees Discuss Future of Cybersecurity

The U.S. Federal Trade Commission (“FTC”) has filed a lawsuit against device manufacturer D-link for allegedly deceiving the marketplace about the security of its products and, in turn, unfairly placing customer privacy at risk.

Overview

Taiwan-based manufacturers D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”) design a variety of home network devices, such as routers, IP cameras, and baby monitors. Devices such as these are susceptible to hacking when they are connected to each other and to the internet (in what is often referred to as the “Internet of Things” or “IoT”), and weak security measures therefore pose a significant security concern. Judging from D-Link’s advertisements for its products, the company is certainly aware of these risks. D-Link boasted that its routers are safelocked from hackers thanks to “Advanced Network Security,” its baby monitors and cameras assure a “Secure Connection” to protect the livestream view of a sleeping child, and promises of an “easy” and “safe” network appear repeatedly during the set up process for a D-Link device with an online interface. As the FTC explains in its lawsuit claims like those made by D-Link are not only misleading but also dangerous.

Despite an apparent awareness of consumers’ cybersecurity concerns, the FTC alleges that D-Link neglected to build common security measures into the devices it sells. The allegations are startling: mobile app credentials were stored unsecured in plain text on consumer devices; a private company key code was accidentally made viewable online for six months; hard-coded login credentials in camera software left video feeds vulnerable to unauthorized viewers. And that’s just the beginning. More details are listed in the FTC’s complaint filed in a U.S. District Court in California on January 5, 2017.  These lapses and D-Link’s deceptive advertising prompted the FTC to charge the company with a violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45.

As of January 10th, D-link has denied the allegations outlined in the complaint and has retained the Cause of Action Institute as counsel to defend against the action.

The growing IoT problem

In recent years, the FTC has tried to keep pace with mounting concerns over the IoT industry by filing a handful of complaints focused on consumer protection.  For example, it went after the company TRENDnet after the firm’s faulty software allowed hundreds of personal security cameras to be hacked. It also filed an action against computer parts manufacturer ASUS after its cloud services were compromised and the personal information of thousands of consumers was posted online. These isolated mistakes add up; when millions of unsecured and seemingly innocuous WiFi-enabled devices join the global network, they can serve as a massive launchpad for crippling cyber attacks like the one that overwhelmed internet traffic operator Dyn and shut down several major websites in October 2016. The efforts of the FTC are aimed at mitigating such attacks and encouraging technology developers to invest effort and resources in order to secure their IoT devices before they hit the marketplace.

Search for solutions

Both the FTC and the National institute of Standards and Technology (NIST) have released reports offering guidelines and technical standards for building reliable security into the framework of new systems and devices.  As we wrote about recently, the White House has also left the incoming Trump administration an extensive report on cybersecurity recommendations. Achieving these standards will require a combination of regular agency enforcement and greater market demand for safe, secure devices. In the meantime, some digital vigilantes are working to stop cyber-attacks before they start. Netgear, for instance, has launched a “bug bounty program” offering cash rewards of $150-$15,000 for eager hackers to track and report security gaps in its devices, applications, and APIS.  Indeed, incentivizing solutions rather than quietly overlooking mistakes, and searching for loopholes in our laws, will make a substantial difference in safeguarding the IoT landscape.

It’s a new year, and time for the Financial Industry Regulatory Authority (FINRA)’s annual Regulatory and Examination Priorities Letter (the “2017 Letter”)    We remind regulated entities of this list of examination priorities every year, because cybersecurity appears high on the list every year.  2017 is no exception.

The 2017 Letter

FINRA has been increasing its on-site examinations and enhanced risk-based surveillance “to apply a nationally consistent approach to identify and focus on material conduct at firms…”   Among the operational risks listed in the 2017 Letter, Cybersecurity is listed first, and according to FINRA, “remain[s] one of the most significant risks many firms face, and in 2017, FINRA will continue to assess firms’ programs to mitigate those risks.”

Firms should be prepared for FINRA reviews of methods for preventing data loss, including understanding of data (e.g., its degree of sensitivity and the locations where it is stored), and its flow through the firm, and possibly to vendors.  FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools. In some instances, FINRA has been known to review how firms manage their vendor relationships, including the controls to manage those relationships, and this line of examination is expected to continue.  Importantly, the 2017 Letter recognizes the nature of the “insider threat” and expresses FINRA’s intent to inquire into what controls firms have in place to acknowledge and manage that “insider threat”.    According to the 2007 Letter:  “The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.”

The WORM Actions

As if to emphasize the seriousness of the inquiries, FINRA issued a series of Letters of Consent at the end of December, levying fines totaling $14 million against 12 firms, and discussed the record-keeping requirements at the core of the December regulatory actions in its 2017 Letter.

Specifically, Securities & Exchange Commission and FINRA rules require member firms to maintain certain electronic records in a non-erasable, non-rewritable format, known by the acronym WORM, for  “Write Once, Read Many”.  This format prevents the alteration or destruction of records stored electronically.

in its press release, FINRA explained that WORM format requirements were essential to FINRA’s investigative duties. FINRA noted how the volume of sensitive financial data stored electronically by members had risen exponentially in the past decade. This increase in the amount of sensitive information stored by FINRA members coincides with increasingly aggressive attempts to hack into electronic data repositories. “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.

FINRA found that the each of the 12 fined firms failed to follow required document retention regulations in various ways outlined in the Letters of Consent.

Brad Bennett, FINRA’s current chief of enforcement, will be stepping down shortly.  #MLWashingtonCyberWatch will be keeping an eye on what, if any, changes may come with the new administration in 2017. Only time will tell whether FINRA will continue its aggressive enforcement actions or if we will see a softening of FINRA’s actions.   Regardless of the regulatory inquiries, firms should continue to take actions to improve cybersecurity resilience and investor protection.   For a quick review of the FINRA Report on Cybersecurity Practices, check out our webinar recording.

The New York State Department of Financial Services has announced — much to the relief of the multitude of financial services companies and insurers regulated by DFS — that it will revamp its recently proposed cybersecurity rule.  After receiving more than 150 letters and taking into account recent public comments, the NYDFS has decided to revise its initial proposed rule to address public comments and concerns and to scale back some of the proposed standards.

As we previously wrote, the NYDFS had announced its original proposed rule in September.  The initial proposed rule, which was due to go into effect on January 1, 2017, has immediately received criticism from financial institutions.  The industry was concerned that the rule failed to distinguish between large and small financial institutions, and that it may further conflict with future federal regulations on cybersecurity.  In response to recent public comments, the department has agreed to ease certain requirements for encrypting data and breach notification, to name a few.   In particular, encryption requirements have been stepped back to provide that in the event encryption is found to be “infeasible” for some sensitive data, entities can provide an alternate method of security for the data, approved by the company’s Chief Information Security Officer.

Other notable revisions include:  A limited small business exemption, risk-based assessments, clarification with respect to the role and function of the Chief Information Security Officer, less strict audit trails requirement, and what triggers the 72-hour reporting period to notify the department of a cybersecurity event.  The full text of the proposed rule can be found here.

The rule will again be subject to a 30-day comment period.  The department will focus its final review on new comments not raised previously.

Once implemented, this will be the first rule of its kind in the United States.  All financial institutions under the jurisdiction of NYDFS—including banks, lenders, insurers, mortgage companies, and money services businesses—should carefully evaluate the requirements and consider submitting public comments.  Once the rule goes into effect on March 1, 2017, financial institutions will need to ensure compliance within 6 months to 2 years (depending on the applicable tier).

 

 

The Obama White House has grappled with cybersecurity more than any administration in history: China’s 2009 hack of Google, the 2015 Office of Personnel Management breach, and the recent investigation of Russian cyberattacks during the 2016 election, to name just a few examples. In the midst of the president-elect’s transition efforts, President Obama’s administration has published what it considers to be a blueprint for enhancing the cybersecurity capabilities of government institutions and our digital consumer society today and for years beyond Inauguration Day.   Continue Reading #MLWashingtonCyberWatch: White House Releases Cybersecurity Report Aimed at New Administration

As published in our sister blog, Health Law & Policy Matters

OCR Provides Additional Clarification on Phishing Scam

As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.

On Wednesday, OCR followed up their alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, OSOCRAudit@hhs.gov, noting that such subtlety is typical in phishing scams.

OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits.  For more information about the Phase 2 audit program please visit our earlier post.

Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak

An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed.  On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores.  The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat

 

The growing scale of cybersecurity concerns is prompting action from government leadership on the federal level. Before the Thanksgiving recess, the House’s Committee on Energy and Commerce got in on the act when two of its subcommittees–the Communications and Technology Subcommittee, chaired by Rep. Greg Walden (R-OR), and the Commerce, Manufacturing, and Trade Subcommittee, chaired by Rep. Michael C. Burgess, M.D. (R-TX)–held a joint hearing to investigate and consider the role of Internet-enabled devices (collectively referred to as the “Internet of Things,” or “IoT”) in high-profile online attacks.  Continue Reading House Energy & Commerce Committee Holds Hearing on Security of the Internet of Things

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

Developers and operators of educational technology services should take note.  Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”).  “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data” provides practical direction that operators of websites and online services of a site or service used for K-12 purposes can use to implement best practices for their business models.

Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps.  The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015.

The data that may be gathered by through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results.  At the Federal level, the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Rule (COPPA) govern the use of student data.  However, according to the Recommendations, these laws “are widely viewed as having been significantly outdated by new technology.”

Recognizing this, California has enacted laws in this space to fill in gaps in the protection.  Cal. Ed. Code § 49073.1, requires that local education agencies (county offices of education, school districts, and charter schools) that contract with third parties for systems or services that manage, access, or use pupil records, to include specific provisions regarding the use, ownership and control of pupil records. On the private side, the Student Online Personal Information Privacy Act (SOPIPA), requires Ed Tech provides to comply with baseline privacy and security protections.

Building on this backdrop of legislation, Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  • Data Collection and Retention: Minimization is the Goal 

Describe the data being collected and the methods being used, while understanding that data can be thought of to include everything from behavioral data to persistent identifiers.  If your service links to another service, disclose this in your privacy policy and provide a link to the privacy policy of the external service.  If you operate the external service, maintain the same privacy and security protections for the external service that users enjoyed with the original service.  Minimize the data collected to only that necessary to provide the service, retain the data for only as long as necessary, and be able to delete personally identifiable information upon request.

  • Data Use: Keep it Educational

Describe the purposes of the data you are collecting.  Do not use any personally identifiable data for targeted advertising, including persistent identifiers, whether within the original service, or any other service.  Do not create profiles other than those necessary for the school purposes that your service was intended for.  If you use collected data for product improvement, aggregate or de-identify the data first.

  • Data Disclosure: Make Protections Stick 

Specifically describe any third parties you share personally identifiable data with. If disclosing for school purposes, only do so to further the school specific purpose of your site.  If disclosing for research purposes, only disclose personally identifiable information if you are required by federal or state law, or if allowed under federal and state law, and the disclosure is under the direction of a school, district or state education department.  Service providers should be contractually required to use any personally identifiable data only for the contracted service, not disclose the information, take reasonable security measures, delete the information when the contract is completed, and notify you of any unauthorized disclosure or breach.  Do not sell any collected information, except as part of a merger or acquisition.

  • Individual Control: Respect Users’ Rights 

Describe procedures for parents, legal guardians, and eligible students to access, review and correct personally identifiable data.  Provide procedures for students to transfer content they create to another service, and describe these procedures in your privacy policy.

  • Data Security: Implement Reasonable and Appropriate Safeguards

Provide a description of the reasonable and appropriate security you use, including technical, administrative and physical safeguards, to protect student information.  Describe your process for data breach notification.  Provide training for your employees regarding your policies and procedures and employee obligations.

  • Transparency: Provide a Meaningful Privacy Policy

Make available a privacy policy, using a descriptive title such as Privacy Policy, in a conspicuous manner that covers all student information, including personally identifiable information.  The policy should be easy for parents and educators to understand.  Consider getting feedback regarding your actual privacy policy, including from parents and students.  Include an effective date on the policy and describe how you will provide notice to the account holder, such as a school, parent, or eligible student.  Include a contact method in the policy, at a minimum an email address, and ideally also a toll-free number.

Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed.   If you are growing an ed tech company, this is the time to build in data privacy and security controls.   if you are established, it’s time to review your privacy practices against this Guidance and see how you match up.  If you have any questions or concerns as to how these recommendations could be applied to your company, please do not hesitate to contact the team at Mintz Levin.