The FBI has issued new guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode.  FTPs are routinely used to transfer information between network hosts.  As further described in the guidance, when an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients.  In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity.

The FBI provides the following specific guidance, which Covered Entities and Business Associates should heed:

The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.

Coupled with recent advice from FBI Director James B. Comey on ransomware, which we blogged about here, this latest guidance from the FBI demonstrates the seriousness the potential cybersecurity threats facing healthcare entities.

With Inauguration Day upon us, it’s time for a #MLWashingtonCyberWatch update.   President-elect Donald Trump has vocalized his support for the future of “cyber” throughout his campaign – but how will members of his cabinet act, or refuse to act, on his vision for that future?

During the past two weeks, the United States Senate has been holding confirmation hearings for Mr. Trump’s cabinet selections. Pointed questioning from senators has surfaced many issues of critical importance to the American people, among them the future of privacy and cybersecurity. The incoming administration will confront significant issues in these areas such as the use of back-door encryption, mass data collection and surveillance, and international cybersecurity threats. The nominees for Attorney General, Secretary of the Department of Homeland Security (“DHS”), and Director of the Central Intelligence Agency (“CIA”) were each questioned about how they will navigate these concerns as part of the Trump Administration. In this installment of #MLWashingtonCyberWatch we are discussing highlights from these hearings. Continue Reading #MLWashingtonCyberWatch: Nominees Discuss Future of Cybersecurity


Wearable devices, including health and activity monitors, video and audio recorders, location trackers, and other interconnected devices in the form of watches, wristbands, glasses, rings, bracelets, belts, gloves, earrings and shoes are being heavily promoted in the next wave of consumer electronics.

It is estimated that 90 million wearable data devices (“WDD”) will be shipped to customers in 2014.  Many of these customers will bring them into the workplace, which will challenge employers to adapt employment and IT policies to these new visitors.

WDDs also are attracting the attention of the FTC and legislators.  The FTC is investigating the collection and use of consumer location data transmitted by smartphones and other devices.  Earlier this month, U.S. Senator Chuck Schumer (D-N.Y.) sent a letter to the FTC asking that fitness device companies be required to give users an “opt-out” before sending personal health data to third parties.

Corporate human resources and IT policies are not ready for an influx of these devices and employers do not want to be caught up in the potential for liability.  Smart employers will put policies in place now to manage the integration of WDDs into the workplace, rather than trying to catch up after the fact.  This Advisory outlines the principal issues that any workplace WDD policy should cover.


The release yesterday of the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology caps a year-long effort by NIST to find an industry consensus for assessing and improving the cybersecurity of the nation’s privately-owned critical infrastructure.

We will be publishing a more detailed analysis of the final Framework in the next few days, but here are some quick takeaways:

  • The core of the Framework that resulted from a series of industry meetings over the past year, and which is based upon a combination of NIST and industry standards publications, remains quite consistent with earlier versions that were published for public comment.
  • The language surrounding the core Framework has been modified from earlier versions to emphasize that adoption of the Framework by industry is voluntary, remaining consistent with the Administration’s repeated assurances that the Framework is not a new regulation.
  • There is new language suggesting that the tiers of the Framework are not to be interpreted as a rating of cybersecurity preparedness or a standard of care, but rather a means for a business to describe how it is addressing its internally adopted cybersecurity goals.
  • Privacy controls based upon the Fair Information Practice Principles (FIPPs) have been removed as an element of a cybersecurity strategy, and in place of controls, the Framework has substituted “a general set of considerations” to be adopted “in circumstances where such measures are appropriate.”
  • In the course of the industry consultations for the development of the Framework, participants identified numerous areas where technical ability and coordination to respond to cybersecurity threats is inadequate.  These include authentication technologies, supply chain assurance, and engineering systems with enhanced privacy protections.  NIST proposes a work plan or “roadmap” to address such issues in the coming months.

Look for our posts with a detailed analysis of the Framework and its legal implications for industry in the coming days.


On Wednesday, the House Homeland Security Committee passed a substitute bill for H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013.  The committee substitute bill was broadly supported by both parties.  As it presently stands, H.R. 3696 delegates to the Department of Homeland Security  the responsibility for civilian cybersecurity research and development, incident detection and response, and facilitating the exchange of cyberthreat information between government and the private sector.  It calls for the establishment of industry sector coordinating councils under a so-called public-private partnership model.  In response to requests from industry, it expands the tort liability immunity provisions of the SAFETY Act by adding cybersecurity technologies to the anti-terrorism technologies covered by that statute.

Of concern to privacy advocates is the inclusion of a provision that appears to immunize private electronic communications services from liability for selling information about their customers’ communications to the government.  Under the bill, DHS is authorized to enter into contracts or other agreements to obtain “the assistance of private entities that provide electronic communication services, remote computing services, or cybersecurity services to acquire, intercept, retain, use, and disclose communications and other system traffic . . . . No cause of action shall exist against private entities for assistance provided to the Secretary in accordance with this subsection.”



The Department of Defense and the General Services Administration, which together spend more than $500 billion annually on information technology, have released a joint report to the White House recommending steps to upgrade the cybersecurity requirements of acquisitions of information technology and services throughout the federal government.  These recommendations will affect not only suppliers to federal agencies, but together with the NIST cybersecurity Framework for critical infrastructure to be released in mid-February, will be felt throughout the broader U.S. marketplace for IT goods and services.

Executive Order 13636, issued in February 2013, is best known for initiating development of the NIST cybersecurity Framework for critical infrastructure, which is due to be released in two weeks.  The EO had other, less well-known provisions, including a requirement that DoD and GSA make recommendations to incorporate cybersecurity requirements into standards for federal acquisitions of information technology products and services.  This report, completed in November but not released until yesterday, recommends adoption of standards and practices that will significantly affect both federal IT procurement and the broader U.S. market for information technology.

Among the recommendations are the following:

  •  For acquisitions that present cyber risks, the government should only do business with organizations that meet such baseline requirements in both their own operations and in the products and services they deliver. The baseline should be expressed in the technical requirements for the acquisition and should include performance measures to ensure the baseline is maintained and risks are identified.
  • Require organizations that do business with the federal government to receive training about the acquisition cybersecurity requirements of the organization’s government contracts.
  • Mitigate the risk of receiving inauthentic or otherwise nonconforming items by obtaining required items only from original equipment manufacturers, their authorized resellers, or other trusted sources.

The report acknowledges that “while it is not the primary goal, implementing these recommendations may contribute to increases in cybersecurity across the broader economy, particularly if changes to Federal acquisition practices are adopted consistently across the government and concurrently with other actions to implement the [NIST] Cybersecurity Framework.”

Initially, the recommendation that technical requirements for cybersecurity in procurements will be implemented through two rulemakings currently underway: “Basic Safeguarding of Contractor Information Systems” published as a proposed rule in August 2012, and “Safeguarding Unclassified Controlled Technical Information” published by DoD as an interim rule in December 2013.

The recommendation to narrow the sources from which the government may buy information technology to OEMs, authorized resellers and “other trusted sources” inherently conflicts with broad competition and may place some smaller contractors at risk because they do not have, or cannot achieve the required status.  The report acknowledges that “limiting eligibility to only these types of sources for all acquisitions may not be compatible with acquisition rules, socioeconomic procurement preferences, or principles of open competition,” but leaves resolution of that difficult problem to another day.

The report contends that its recommendations are really more addressed to changing the behavior of government acquisition personnel than changing the behavior of industry, but the consequences of the acquisition rule and policy changes already underway on the larger industry are inevitable.

If you are in the Boston area (or will be on September 26), please join us for an afternoon discussion on cybersecurity and the growing risk to corporate directors.   It’s no longer just the purview of a company’s IT or compliance personnel.  Cybersecurity needs to be elevated to boardroom discussion and this seminar will cover what directors and advisors to directors need to know and do.      Space will be limited – click here to register now!


  • What every director needs to understand about this enterprise risk
  • Where you, as a director, and your board may be exposed
  • Surprising gaps in your D&O insurance
  • Recent trends in claims and lawsuits


  • Cynthia Larose, CIPP, Chair, Privacy & Security Practice, Mintz Levin
  • Heidi Lawson, Member, Risk Management & Executive Protection Practice, Mintz Levin
  • Peter Foster, Executive Vice President, Willis FINEX North America
  • Jason Straight, CIPP, Managing Director, Kroll Advisory Solutions


Register today!



As published in DataGuidance

USA: New cybersecurity framework has far-reaching effects on US economy

President Obama issued – on 12 February 2013 – the long-awaited Executive Order entitled ‘Improving Infrastructure Cybersecurity’ (the Order), alongside Presidential Policy Directive/PPD 21, to establish a nation-wide ‘Cybersecurity Framework’ and ‘enhance the security and resilience of the Nation’s critical infrastructure’.
The Order proposes an extensive data sharing mechanism with the private sector whereby the US Government will disclose unclassified reports on cyber threats so that private entities ‘may better protect and defend themselves’. By 12 June 2013, the Secretary of Homeland Security is directed to establish procedures to allow the US Government to share classified cyber threats and technical information to eligible entities in all critical infrastructure sectors.

In particular, the Order prioritises privacy safeguards by directing the Chief Privacy Officer of the Department of Homeland Security and other agencies to ‘assess the privacy […] risks of the functions and programs […] and recommend to the Secretary [of Homeland Security] ways to minimize or mitigate such risks, in a publicly available report, to be released [by 12 February 2014]’.

Cynthia J. Larose, Chair of the Mintz Levin’s Privacy & Security Practice, told DataGuidance: “Companies in any of the targeted industries will need to be aware of potential obligations arising out of data sharing. Work should be undertaken now to review customer-facing privacy policies and procedures to determine what representations are made to customers relating to information-sharing and how the [Order] might affect that. In-house counsel or government affairs offices at critical infrastructure companies should consider providing input into the regulatory process in order to shape the prospective new regulatory regime. It also represents an opportunity for critical infrastructure businesses to learn much more about the network threat environment and how to potentially contain the threats to their own business.”

The Order also directs the Secretary of Homeland Security to establish, in coordination with sector-specific agencies, a voluntary program ‘to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure’, and to ‘coordinate establishment of a set of incentives to promote participation in the program’.

The Cybersecurity Framework and voluntary program would apply only to public and private entities that form part of the critical infrastructure of the US. The Order defines critical infrastructure as ‘systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters’. However, entities that fall outside the scope of the critical infrastructure may still be affected.

The National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce, will lead the development of the Cybersecurity Framework. The Order requires NIST to publish a preliminary version of the Framework by 10 October 2013, and a final version by 12 February 2014. NIST stated that ‘the Framework will not dictate ‘one-size-fits-all’ solutions’.

NIST will request organizations to share their current risk management practices; use of frameworks, standards guidelines and best practices; and other industry practices. “The process for developing the [Cybersecurity Framework] reflects a core component of NIST’s work, bringing together various stakeholders to address a technical challenge”, said Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director. “By collaborating with industry to develop the framework, we will better protect our nation from the cybersecurity threat while enhancing America’s ability to innovate and compete in a global market.”

“Right now, there is a lack of immunity provisions for disclosure of information – only Congress can provide immunity from civil liability”, said Larose. “In the absence of legislative action, businesses should carefully consider how and whether to share information if they participate in these voluntary information sharing programs. Some suggested actions: (a) determine your organization’s critical infrastructure sector; (b) develop a strategy to combat reported threats – will the failure to act on reports produced by federal officials increase an organization’s exposure to liability? and (c) review policies and procedures for handling network threats.”

“America must … face the rapidly growing threat from cyber-attacks. Now, we know hackers steal people’s identities and infiltrate private emails. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems.  We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”

President Barack Obama, State of the Union Address, Tuesday, February 12, 2013

Just before delivering his State of the Union address, President Obama signed an Executive Order aimed at increasing information sharing between the government and private-sector businesses in order to move the issue of cybersecurity protection. The goal of the order is to achieve a “partnership with owners and operators of critical infrastructure to improve cybersecurity information sharing…” by developing and promoting a new cybersecurity framework.  The framework will partner critical infrastructure with sector-specific agencies to increase the flow of cybersecurity information between the government and private industry.   See the White House blog posts at

How will the Executive Order Potentially Affect You? 

(1)  The “Enhanced Cybersecurity Services” program is a voluntary program among federal agencies aimed at de-classifying information about cybersecurity threats and sharing that information with eligible private-sector businesses.  Establishing the program will require industry involvement to determine what types of information will be most helpful in combating cyber security threats. The a accompanying presidential policy directive identifies 16 critical infrastructure sectors with which the federal government aims to “increase the volume, timeliness, and quality of cyber threat information shared…”  and targets such industries as financial services, utilities and healthcare.

(2)  The order calls for the government to develop a “baseline framework” to reduce cyber risk.  This work will be led by the director of the National Institute of Standards and Technology.  The framework will attempt to align “policy, business, and technological approaches” in combating cyber risk.  The framework will also include a “voluntary consensus…and industry best practices…” Since the framework will be built around industry best practices it follows that it could become the standard for measuring cybersecurity programs.

(3)  The order requires the Secretary of Homeland Security (“Secretary”) and agencies to create a voluntary program to promote the adoption of the framework by creating incentives for private-sector businesses.  If targeted industries are receptive to the voluntary framework this definitely increases the odds that the baseline will be a measuring stick for all cybersecurity programs within those industries.

Other Measures in the Executive Order

The Order also requires agencies to establish safeguards based on the Fair Information Practice Principles to protect the customer information that companies may share with the government and calls for the Chief Privacy Officer and the Officer for Civil Liberties of the Department of Homeland Security to release a report assessing the privacy and civil liberties risks of the program.

The Secretary is also charged with identifying critical infrastructure at the greatest risk. “Greatest risks” means that if a cybersecurity incident occurred it could “reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”  This list will be updated on an annual basis and will not specifically identify commercial information technology products or consumer information technology services.

In addition, agencies that are responsible for regulating the security of critical infrastructure are required to work with Department of Homeland Security, Office of Management and Budget and National Security staff to determine if current cybersecurity regulatory requirements are sufficient, if not what actions need to be adopted to mitigate cyber risk and whether the agencies have regulatory authority to adopt the preliminary cybersecurity framework.  If the agencies find that they do not have the appropriate authority to adopt the framework they must identify what additional authority is required.

Finally, agencies are required to work with private-sector business owners and operators of critical infrastructure and determine which businesses, if any, are subject to “ineffective, conflicting, or excessively burdensome” cybersecurity requirements.

Cybersecurity concerns have been at the forefront of much debate and congressional leaders such as Senator Rockefeller have been trying to push legislation forward, but have not been successful. Last month Sen. Rockefeller introduced the Cybersecurity and American Cyber Competitiveness Act of 2013 and this month the House is slated to reintroduce the Cyber Intelligence Sharing and Information Act (CISPA) which passed the House last year.

Developments and information regarding this Executive Order and potential Congressional action continue and you can find updates here.  We will also be presenting a webinar on how to prepare your business, so stay tuned for the date/time.


Written by Amy Malone