Proposed Bill to Establish Security Standards for IoT Devices Used by Government Officials Passes House


For many, being able to securely connect, access, and move data across multiple devices is an integral aspect of everyday life. Some of our nation’s lawmakers want to ensure that the internet-connected devices they use meet the same established cybersecurity standards that the public has come to expect in the private sector. Lawmakers got one step closer to making that a reality this week.

The U.S. House of Representatives passed the Internet of Things (IoT) Cybersecurity Improvement Act, known as House Bill 1668, earlier this week. The bill seeks to establish security standards for federal purchases of internet-connected devices and for the private sector groups providing such devices.

Currently, there is no national standard to ensure the security of internet-connected devices purchased by the federal government. Under the proposed law, these internet-connected devices, which would include computers, mobile devices and other devices that have the ability to connect to the internet, would have to comply with minimum security recommendations issued by the National Institute of Standards and Technology (NIST). The bill does not lay out what those standards should be; rather, it tasks the Office of Management and Budget with ensuring that the adopted IoT cybersecurity standards are in line with minimum information security requirements.

Devices covered under the bill

The bill would not only cover computers and smartphones used by federal government officials. The legislation defines a covered device to include a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities for collecting, sending or receiving data. It would not include personal cell phones or personal computers. It also exempts devices that are necessary for “national security” or “research purposes”.

Obligations on the private sector under bill

The bill would require contractors and their subcontractors that provide covered devices to the federal government to notify government agencies of any security vulnerabilities. While security standards are being considered, private sector providers, contractors and subcontractors can look to ISO standards 29147 and 30111 for guidance, since the bill’s drafters explicitly cite them in the Act. There is also a process for companies to challenge whether their devices are covered under the bill.

Cyberthreat on IoT

The Mirai botnet attack in 2016 served as the impetus for the Bill’s sponsors. Recall that the Mirai botnet attack left millions on the East Coast, among other locations, without access to many popular websites for a few hours in late October of 2016. The attack blocked unsecured internet-connected devices from accessing popular websites such as Twitter, Netflix and the New York Times.

While Mirai primarily impacted internet-connected computers, for many, including the IoT Cybersecurity Improvement Act sponsors, the Mirai attack showed just how debilitating an effect a cyber attack can have on a heavily connected life, and the havoc attackers can wreak on unsecured internet-connectable devices and the lives that depend on their functionality. Internet-connected devices, or IoT devices, are devices which can be controlled or accessed using the internet, including everything from webcams to baby monitors to gaming consoles. That includes fitness trackers and programmable locks on your home. According to some estimates, there will be close to 75 billion IoT connected devices by 2025. The IoT Cybersecurity Improvement Act would work toward ensuring that the government’s IoT connected devices holding the nation’s most sensitive data are secure.

Up next for the bill

The IoT Cybersecurity Improvement Act heads next to the Senate floor, after passing the House unanimously.

Up next for you

Gordon & Rees will keep an eye on cutting-edge developments in this space. We can expect similar regulations in the private sector with various guiding authorities, such as NIST, providing similar recommendations.

SCHREMS II – IT’S DÉJÀ VU ALL OVER AGAIN

The more things change, the more they stay the same. On July 16, 2020, the Court of Justice of the European Union (“CJEU”) issued its decision in the so-called “Schrems II” case. If you need some background on the case, you can find our original blog post on the case here.

The two main takeaways of the Schrems II decision are:

  1. The CJEU invalidated the EU-US Privacy Shield framework.
  2. The CJEU reaffirmed the validity of standard contractual clauses (“SCCs”).

While the validity of SCCs was upheld, and they remain a viable transfer mechanism, the CJEU holding requires businesses utilizing SCCs to analyze whether the destination country provides an adequate level of data protection. Where the country doesn’t, the business must provide additional safeguards or suspend the transfer. Similarly, EU data protection authorities must suspend or prohibit a transfer of personal data to a third country if the data protection authority has determined that SCCs cannot be complied with in the third country and data protection cannot be ensured.

Recall that the Privacy Shield worked together in a closely integrated manner with the GDPR. It was not a separate law or a substitute for GDPR compliance. More specifically, and to use a bit of regulatory jargon (which we’ll leave unexplained for now in the interest of brevity), the Privacy Shield had served as what is known as a “partial adequacy decision” falling under GDPR Article 45. In short, then, what the CJEU has done in the Schrems II case is take the Privacy Shield, a proven, centralized system for regulatory oversight and enforcement on both sides of the EEA-US data transfer equation, and replace it with a system of self-policing by transferors and ad hoc decision making by local EEA authorities.

That’s all likely to work out about as well as it did in 2015 when the EU-US Safe Harbor was invalidated in the Schrems I case. Back then, data transfers continued (and even increased) through a two-year period of ambiguity, confusion and almost complete non-enforcement until the Privacy Shield went into effect to fill the void left by the CJEU’s invalidation of the Safe Harbor.

So what does all this mean for US businesses that had relied on the Privacy Shield? Not much over at least the next week or two, and likely longer. Contracting counterparties in the EEA, rather than regulators, will be the most likely source of pressure to adopt the SCCs. The U.S. Department of Commerce, for instance, issued a statement in response to the Schrems II decision informing US businesses that it intends to continue to operate for the time being as if the Privacy Shield remains in effect and, as such, the CJEU decision does not relieve participating businesses of their Privacy Shield obligations.

If US and EU negotiators can’t work together to fix this soon, companies will need to start looking at alternatives to the Privacy Shield such as SCCs, binding corporate rules or the derogations under GDPR Article 49. Regardless of what happens as a result of Schrems II, US businesses that remember and practice our recurring mantra about applying the Pareto Principle to their data security and privacy compliance obligations will get through this fine. So if you haven’t already:

  • adopt a risk-based technical and administrative data protection program,
  • take the time to actually implement that program (“saying” it is one thing, “doing it” is another),
  • tell your employees and customers what you’re doing with the data you collect about them and why,
  • give your employees and customers some degree of access to, and autonomy over, that data,
  • keep a close eye on third parties (including vendors) with whom you share that data, and
  • respond swiftly to, and be honest with those affected by, unauthorized use if it occurs.

Learn more and contact the Gordon & Rees Privacy, Data & Cybersecurity practice group here.

The SEC Takes Action to Protect Retail Investors

In recent years, retail data breaches have become the norm. The news is filled with stories of nefarious hackers, identity theft, and credit monitoring. A topic that we rarely hear about, however, is the impact a data breach event can have on retail investors. Data breaches can have catastrophic consequences for retailers and, by extension, their investors, as a result of both decreased profits and increased expenses. To address this issue, the SEC has established two new initiatives specifically targeted at protecting retail investors from cybersecurity risks. To learn more, check out the SEC’s September 25, 2017 Press Release, available here.

The Equifax Mass Hack Serves as a Reminder for All to Take Action

Equifax, one of the “big three” credit-reporting agencies and a broker in personal-identifying data, announced September 7 “a cybersecurity incident,” as stated in a mea culpa by its Chairman and CEO Richard Smith.

Smith explained that hackers gained access to the names, dates of birth, Social Security numbers, addresses, and in some cases, driver’s license and credit card numbers of 143 million Americans. That is nearly half the United States’ population, many of whom were unaware Equifax had their information to begin with. Equifax gets this data from creditors who report credit activity on individuals, rather than from the individuals themselves.

In response, the financial institutions reporting to Equifax, and the individuals whom it tracks and rates, will be filing lawsuits across the country. Two such lawsuits sprang up within hours of Equifax’s announcement. The complaints were filed in federal courts in Portland and Atlanta on behalf of nationwide classes. Large-scale litigation such as this is par for the course in the aftermath of high-profile data breaches, which can result in settlement payments of up to hundreds of millions of dollars.

Just recently, Target agreed to pay out over $39 million to settle litigation with banks and another $18.5 million with consumers over a 2013 breach that exposed 40 million credit and debit cards and the personal information of about 60 million customers. Heartland, a credit card processing company, paid out over $110 million to credit card companies and individuals for a 2008 breach that exposed about 130 million credit and debit cards. And in June of this year, Anthem agreed to pay $115 million to settle litigation over a 2015 hacking that compromised about 79 million people’s personal information.

Equifax appears to have been bracing for such litigation during the five weeks between its discovery of the breach on July 29, and its disclosure to the public on September 7. During that time, it created a website that in theory allows individuals to check whether they are among the 44% of Americans affected by the breach. The website invites those affected to “Click the button below to continue your enrollment in TrustedID Premier”—an Equifax security monitoring service that is free, but only for one year. Notably, enrollment requires that you accept Equifax’s Terms of Use. Those terms seemingly required arbitration of all disputes, and waiver of the ability to bring or participate in a class action lawsuit, such as those filed in Portland and Atlanta.

That arbitration provision and class action waiver received heavy criticism and sparked an investigation by New York Attorney General Eric Schneiderman who called the provision “unacceptable and unenforceable.” Equifax subsequently updated its terms to remove the provision.

The website had other problems, however, that have not been resolved. It has been described as a marketing funnel for Equifax’s own credit protection service, the value of which is in serious question. Moreover, the website does not work.

It gives inconsistent reports to people, myself included. On September 7, the website stated that my information was not impacted. On September 8, it said it was. Others have experienced the same, or received “System Unavailable” messages. One has to question whether Equifax even knows the full extent of its breach.

As an individual, this is a reminder to protect yourself to the extent possible by creating strong passwords unique to each website, taking advantage of advanced security features like two-step authentication, and considering ending relationships with businesses that do not offer advanced security options. If you believe you were affected by the Equifax breach, and there is nearly a 50/50 chance you were, consider instituting a credit freeze.

As a holder of consumer information, this is a reminder of the incredible focus that must be paid to securing your customers’ privacy. It is also a reminder to review your own customer agreements. Equifax was in a unique position because it did not have an agreement with the people whose information it carried. If you do, this is a good time to consider consulting with a lawyer as to whether you need an arbitration provision and class action waiver or, if such provisions are already in your agreements, whether they are legally current and, thus, enforceable.

About the author: Holly Heffner is a partner in Gordon Rees Scully Mansukhani’s Intellectual Property and Commercial Litigation Practice Groups. Ms. Heffner’s biography can be found here.

SEC Study Shows Improved Cybersecurity Preparedness in the Investment Industry, But Improvement Still Needed

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert that summarized the OCIE Staff’s “observations from the Cybersecurity 2 Initiative examinations,” which involved validation and testing of procedures and controls of 75 broker-dealers, investment advisers, and investment companies. The staff noted that a majority of firms’ policies and procedures “appeared to have issues.” For more information, please see the Risk Alert, which is available here.

Recent Study Reveals Interesting Trends in Cyber Attacks in First Quarter of 2017

A recent study issued by Navigant Global Technology Solutions has indicated that “2017 is poised to be a year of significant awareness and development in the area of cybersecurity regulation.” The study indicates that the ferocity of cybersecurity attacks has continued unabated since 2016 and that 2017 is shaping up to be another “watershed year” for cybersecurity threats and attacks.

Statistics (Q1 2017):

  • The overall average breach size decreased from 58,882 records in Q3 2016 to 49,877 in Q4 2016.
  • Healthcare accounted for the largest percentage of reported data breaches (42.77%).
  • Hacking incidents were the most common type of breach.
  • An average of more than 4,000 ransomware attacks occurred per day.
  • 73% of IT security professionals at critical infrastructure utilities say their organizations have suffered a breach.

Additionally, there has been a significant increase in the number of security incidents caused by remote desktop protocol (“RDP”) hacking in the first quarter of 2017. This is not surprising in light of the increasing “work-from-home” trend: RDP is the technology that allows users and system administrators to remotely access computers they cannot physically reach, and attackers abuse that same access path. The attackers gain access to the network through phishing emails or other social engineering techniques. The study also noted that TeamViewer, a major RDP provider, has seen a spike in the number of RDP security breaches. However, TeamViewer and Navigant both note that the exposure is not due to a “flaw” in the technology, but rather to poor password policies among users. Once again, the findings indicate that human error appears to be one of the most difficult problems to safeguard against.
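Because the study attributes the RDP exposures to weak passwords rather than to a flaw in the protocol, the practical defender’s check is to look for password-guessing bursts against remote logons. The following is an added example, not part of the original post or of the Navigant study: it scans constructed, flattened Windows Security log lines (failed logon Event ID 4625 and successful logon Event ID 4624, with logon type 10 denoting a remote interactive session) and flags any source address that accumulates a threshold number of RDP failures inside a sliding window, noting whether a successful logon from the same source followed. The `key=value` line format, the IP addresses and the usernames are all assumptions constructed for the example.

```python
"""Flag bursts of failed RDP logons from Windows Security events.

Added example with constructed sample data. Event ID 4625 = failed logon,
Event ID 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
The flattened one-line format below is an assumption about how a log
collector might export these events; it is not a real product's format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real host).
SAMPLE_LOG = """\
2017-03-14T02:15:01Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-03-14T02:15:03Z EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2017-03-14T02:15:05Z EventID=4625 LogonType=10 TargetUser=helpdesk SourceIP=203.0.113.7
2017-03-14T02:15:06Z EventID=4625 LogonType=10 TargetUser=scanner SourceIP=203.0.113.7
2017-03-14T02:15:08Z EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2017-03-14T02:15:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-03-14T02:16:40Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2017-03-14T08:02:11Z EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2017-03-14T08:03:30Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2017-03-14T09:10:00Z EventID=4625 LogonType=2 TargetUser=jsmith SourceIP=127.0.0.1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the flattened lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["event"] = int(ev["event"])
        ev["ltype"] = int(ev["ltype"])
        events.append(ev)
    return events


def detect_rdp_guessing(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP
    logons inside any sliding window of `window` length.

    The summary records how many failures were in the window, how many
    distinct usernames were tried (many names = spraying, one name = brute
    force) and whether a successful RDP logon from that source followed.
    """
    recent = defaultdict(deque)  # per-source failures inside the window
    alerts = {}
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        if ev["ltype"] != 10:  # only remote interactive (RDP) logons
            continue
        ip = ev["ip"]
        if ev["event"] == 4625:
            q = recent[ip]
            q.append(ev)
            while q and ev["ts"] - q[0]["ts"] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"first": q[0]["ts"], "success_after": False})
                a["failures"] = len(q)
                a["distinct_users"] = len({e["user"] for e in q})
        elif ev["event"] == 4624 and ip in alerts:
            # a success after a guessing burst is the case worth paging on
            alerts[ip]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_rdp_guessing(SAMPLE_LOG).items():
        print(ip, summary)
```

In the sample, only 203.0.113.7 crosses the threshold (six failures across five usernames in eight seconds, followed by a successful logon), while the single daytime failure from 198.51.100.23 and the local console failure are ignored. In production the threshold and window would be tuned to the environment, and the same logic applies to any remote logon path, not just RDP.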

The second quarter of 2017 is poised to be no exception to the spike in cybersecurity breaches. The 2016 tax year is coming to a close and a plethora of sensitive personal information is available to hackers across multiple platforms. Recognizing that a majority of cyber attacks are the result of weak or reused passwords, the use of “two-factor authentication” on all account logins continues to be a focus in designing effective cyber security programs.

Two-factor authentication (also referred to as “2FA”) is a process requiring two different authentication methods to prevent unauthorized access to private and sensitive information. The three main categories of authentication factors are: something you know (password, PIN, Social Security number); something you have (USB security token, bank card, key); and something you are (fingerprint, eye, voice, face). The two-factor authentication process requires two of these factors, drawn from two different categories.

According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Thus, by using basic two-factor authentication, an organization can immediately reduce its cybersecurity threat profile in a fast and meaningful way.

As we continue in 2017, these statistics and studies must inform the development of practical, effective means of combating countless threats to cyber security. Being attacked is only a question of when, not if. In cyber security, the best offense is a strong defense, including accommodations for the likelihood of human error.

‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database, consisting of a reported 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all four refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after the events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on DataBreaches.net, both entities have acknowledged that the attacker likely got access through an unnamed third-party contractor (presumably the EMR vendor). DataBreaches.net claims, however, that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be on the minds of any healthcare organization as they learn of these events. First is the question of whether your own data security is protected from such attacks, or whether you are vulnerable as well. How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second, what will your response be in the event you receive a post-breach ransom demand? I think every organization should have at least a working framework to use for that analysis before it finds itself the recipient of such a demand.

Addressing the Wendy’s Data Breach Proves Difficult Due to Size of Breach and Company’s Structure

As discussed earlier, Wendy’s announced that it was investigating a possible breach of its point of sale systems (“POS”), after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. An earlier Wendy’s press release stated “[b]ased on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”

It has been reported by security expert Brian Krebs that “some breached Wendy’s locations were ‘still leaking’ customer card data at the end of March 2016 and into early April.” A statement by Wendy’s spokesman Bob Bertini said, in response to questions about the duration of the breach at some stores, “[a]s you are aware, our investigator is required to follow certain protocols in this type of comprehensive investigation and this takes time. Adding to the complexity is the fact that most Wendy’s restaurants are owned and operated by independent franchisees.”

It has been opined that the extent and duration of the breach was a result of its size. Specifically, Tod Beardsley, security research manager at cybersecurity specialist Rapid7, stated that the “fact that the breach affected only 5 percent of Wendy’s locations was likely a contributing factor to its success. A small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialize.” Unfortunately, the long detection time allows the individuals involved to go on spending sprees of unauthorized purchases well after the breach took place.

At this time it seems investigators are still trying to wrap their arms around the problem so we may not know the extent and duration of this breach for some time.

FBI’s Demand for an Apple iPhone Hack Could be Turning Point for Business

We’ve all heard of Apple’s refusal to provide a “back-door” to bypass the security features on an iPhone belonging to the perpetrator of the terrible terrorist attack in California. That law enforcement wants to investigate the data does not concern me. But the subpoena directs Apple to create a program that will bypass its own security to unlock the phone to retrieve data not captured in the last iCloud backup.

Many think the government’s actions are justified, and see no reason why the data on this phone should be protected. The FBI is proceeding pursuant to a lawfully obtained court order, and therefore argues that its request will only affect this one investigation, into this one phone, and could save additional lives. But where will the government’s ability to reach into a private business lead?

Although Apple has cooperated with law enforcement on numerous occasions in the past, for a myriad of reasons, Apple refuses to create this “hack” of its own software. I find it troubling that the subpoena requires Apple to affirmatively build a new program. This is not a case where the technology is available, and they just need Apple to access or apply it. How far may the government go in requiring a business to devote time, resources and expertise to developing a technology for use in a “single” investigation?

And that begs the question: is this really a single-use instance? A program that would be able to crack open this phone will also be able to open all phones running the same operating system. Will law enforcement then regularly issue subpoenas to Apple to hack other phones, in less compelling circumstances? Or will they subpoena other businesses, directing them to devote their assets to assist in investigations, arguing that the precedent is set?

Once created, it will be virtually impossible to prevent unauthorized access to, or prohibit inappropriate use of, the hacking tool. Anything used in the cyberworld is at risk. As we have seen time and again, even the most sophisticated corporations are breached by talented hackers looking for a way in. The fact of a lawfully ordered subpoena in this case is of little consequence. China is Apple’s second largest market. Will the Chinese government seek a court order from an American court, consistent with due process principles, before demanding that Apple provide access to iPhones there? Doubtful.

The government has a compelling argument that they are acting for the safety of the American people. Apple has a legitimate interest in protecting its technology, the privacy of its customers, and its ability to do business in other countries, all to preserve its bottom line. It will be interesting to see which market powerhouse – the U.S. Government or the world’s richest company – prevails.

Wendy’s May Face Liability for Failing to Upgrade Payment Systems

As was previously reported, October 1, 2015 signaled a fraud “liability shift” between credit card issuers and merchants, in which liability for fraudulent credit card transactions began falling on whichever party used the lower level of security and compliance with EMV standards. While merchants are not required to adopt EMV technology (which reads chip cards, as opposed to the less secure magnetic strip cards), in the event of a data breach, their failure to do so can now render them responsible for the costs associated with the fraudulent use of stolen credit card information. This liability shift has created a very strong incentive for merchants to implement EMV chip card readers.

For companies that have not opted to make the EMV transition, lawsuits may begin to abound. One of the first suits targeting a retailer for its failure to keep up with industry standards was filed on February 8, 2016, in the wake of a possible data breach at the nationwide fast food chain, Wendy’s.

On January 27, 2016, Wendy’s announced that it was investigating a possible breach of its point of sale systems, after the company was alerted to “unusual activity” involving customers’ credit or debit cards at some of its locations. Wendy’s hired a cybersecurity firm to investigate the potential breach – which involved transactions in late 2015 – and that firm discovered malware designed to steal customer payment data on computers that operate Wendy’s payment processing systems in certain locations.

An Orlando, Florida man purporting to be a victim of the Wendy’s breach initiated a class action lawsuit against the company on February 8, 2016, claiming that Wendy’s “lackadaisical” and “cavalier” security measures allowed his debit card data to be stolen and used to purchase nearly $600.00 of merchandise from various retailers. The lawsuit alleges that Wendy’s could have prevented the breach, yet maintained a system that was insufficient and inadequate to protect customers’ data. An attorney representing the plaintiff suggested that Wendy’s failed to incorporate technology allowing for use of chip-enabled cards, and that the lawsuit may expose the danger of failing to adopt such a system.

The threat of similar class action litigation may serve as a wake-up call for retailers who have failed or otherwise delayed in implementing up-to-date security measures. The suit, Jonathan Torres vs. The Wendy’s Company, can be found here.