Privacy & Security Law Blog

Insight & Commentary on Information Management and Protection

Category Archives: Cyber and National Security

Congress Funds Cybersecurity: Spending Bill Allocates over $1 Billion to Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

The final spending bill of the 113th Congress, which keeps the government doors open until September 30th of 2015, was passed by the House on December 11th, the Senate on the 13th, and signed by the President on December 16th. It is a $1.1 trillion omnibus spending bill that will direct well over $1 billion toward cybersecurity. Among other things, it will provide $675,500,000 for the National Institute of Standards and Technology (NIST) scientific and technical core programs, which includes $15,000,000 for the National Cybersecurity Center of Excellence, up to $60,700,000 for cybersecurity research and development, $4,000,000 for the National Initiative for Cybersecurity Education, and $16,500,000 for the National Strategy for Trusted Identities in Cyberspace. It also allocates funds to various other federal agencies specifically for cybersecurity, as well as to federal investigative agencies to combat cybercrime. Some of the funds are directed toward developing a more robust cybersecurity workforce, including $35 million to the General Services Administration (GSA) for construction of a “civilian cyber campus” that would house federal employees and contractors dedicated to the civilian cyber security mission. According to a GSA prospectus on the project, the goals of the ... Continue Reading

Congress Confirms NIST’s Role in Cybersecurity – and the Continuation of the Cybersecurity Framework

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Cybersecurity Enhancement Act of 2014 (CEA) was passed by the House and the Senate on December 11th, and signed by the President on the 18th. The bill formalizes the role of the National Institute for Standards and Technology (NIST) in continuing to develop the voluntary Cybersecurity Framework. Through five “titles,” the bill includes provisions to promote cybersecurity research, private/public sector collaboration on cybersecurity, education and awareness and technical standards, which includes a federal cloud computing strategy.

Title I of the CEA, entitled “Public-Private Collaboration on Cybersecurity,” amends the NIST Act to permit the Secretary of Commerce, through the Director of NIST, to facilitate and support the development of a voluntary, industry-led set of standards and procedures to reduce cyber risks to critical infrastructure – this would be the Cybersecurity Framework. It requires the Director of NIST to coordinate continuously with, and incorporate the industry expertise of, relevant private sector personnel and entities, critical infrastructure owners and operators, sector coordinating councils, Information Sharing and Analysis Centers, and other relevant industry organizations.  It also requires the Director of NIST to consult with the heads of agencies with national security responsibilities, sector-specific agencies, state and local governments, governments ... Continue Reading

Congress Passes Cybersecurity Workforce Legislation

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Border Patrol Agent Pay Reform Act of 2014 was passed by the Senate on September 18th, by the House on December 10th, and signed by the President on December 18th. It contains provisions from the Cybersecurity Workforce Recruitment and Retention Act of 2014, which allows the Secretary of the Department of Homeland Security (DHS) to establish cybersecurity positions within DHS to better meet its cybersecurity mission. Another piece of legislation, the Cybersecurity Workforce Assessment Act (CWAA), was passed by the Senate on December 10th, by the House on December 11th, and was also signed by the President on December 18th. It requires DHS to evaluate and enhance its cybersecurity workforce. It requires the Secretary of DHS, within 180 days of the enactment of the CWAA and then annually for the next three years, to assess the cybersecurity workforce of DHS. Among other things, the assessment is to include an evaluation of the readiness and capacity of the DHS workforce to meet its cybersecurity mission.

Comprehensive workforce strategy: The CWAA requires the Secretary of DHS, within one year of its enactment, to develop a comprehensive workforce strategy ... Continue Reading

Congress Passes The Federal Information Security Modernization Act of 2014: Bringing Federal Agency Information Security into the New Millennium

Posted in Cyber and National Security, Policy and Regulatory Positioning

The Federal Information Security Modernization Act of 2014 (FISMA) was passed by the Senate on December 8th, by the House on December 10th, and signed by the President on December 18th. It is a comprehensive bill intended to bring federal agency information security practices into the new millennium – to better respond to evolving cybersecurity threats. FISMA updates the Federal Information Security Management Act of 2002, and provides a comprehensive framework for ensuring the effectiveness of information security controls over federal information operations and assets. It recognizes the highly networked nature of current federal computing environments and the complex task of coordinating information security efforts throughout the civilian, law enforcement and national security communities. It also acknowledges that commercially developed information security products offer effective information security solutions, and that the choice of specific information security solutions from among commercially developed products should be left to individual agencies.

FISMA oversight: FISMA reestablishes the oversight authority of the Director of Office of Management and Budget (OMB) with respect to federal agency information security policies and practices. This includes the development and implementation of principles, standards and guidelines pertaining to information security within federal agencies, and coordinating the development of ... Continue Reading

Congress Passes the National Cybersecurity Protection Act: Codifies National Cybersecurity Center & Creates Federal Agency Data Breach Notification Law

Posted in Cyber and National Security, Policy and Regulatory Positioning

The National Cybersecurity Protection Act of 2014 (NCPA) was passed by the House on December 8th, by the Senate on December 10th, and signed by the President on December 18th. Senate Committee on Homeland Security and Governmental Affairs Chairman Tom Carper (D-Del.) issued the following statement regarding the NCPA: “Cybersecurity is one of the biggest national security challenges our country faces. Our laws should reflect that reality. By codifying the Department of Homeland Security’s existing cybersecurity operations center, the National Cybersecurity Protection Act of 2014 bolsters our nation’s cybersecurity while providing the department with clear authority to more effectively carry out its mission and partner with private and public entities. It is critical that the department continues to build strong relationships with businesses, state and local governments, and other entities across the country so that we can all be better prepared to stop cyber-attacks and quickly address those intrusions that do occur.”

Codification of the National Cybersecurity and Communications Integrity Center: The NCPA codifies the existing cybersecurity and communications operations center at DHS, known as the National Cybersecurity and Communications Integrity Center (NCCIC). The bill directs the NCCIC to provide a number of services, ... Continue Reading

Cybersecurity Legislation Focuses on Federal Government Initiatives – Leaves Private Sector Reforms for 2015

Posted in Cyber and National Security, Policy and Regulatory Positioning

One of the few things the parties in Congress can agree upon these days is cybersecurity – at least when it comes to directing the federal government’s cyber activities.  In its final days, the 113th Congress reached agreement on several major pieces of legislation intended to improve the nation’s cybersecurity: the National Cybersecurity Protection Act of 2014, the Federal Information Security Modernization Act of 2014, the Border Patrol Agent Pay Reform Act of 2014 (a bill that contains provisions from the Department of Homeland Security (DHS) Cybersecurity Workforce Recruitment and Retention Act of 2014), the Cybersecurity Workforce Assessment Act, and the Cybersecurity Enhancement Act of 2014. All of these were signed by the President on December 18th, and will be funded by a $1.1 trillion spending package signed by him on December 16th. In total, the bills update the federal government’s roles and responsibilities with respect to planning for and responding to cyber threats, helping them move into the 21st century with a trained workforce.  What is notably absent in this nicely wrapped package of bills, however, is any meaningful reforms for the private sector.

Subsequent posts will provide details ... Continue Reading

Federal Financial Institutions Examination Council Releases Cybersecurity Assessment Results: Boards of Directors and Senior Management Need to Engage

Posted in Cyber and National Security

The Federal Financial Institutions Examination Council (FFIEC) released general observations yesterday from a cybersecurity assessment of over 500 community financial institutions. The cybersecurity assessment evaluated the institutions’ preparedness to mitigate cyber risks. It ultimately found that due to the critical dependence of financial institutions on information technology to conduct business operations, combined with increasing sector interconnectedness and the rapidly evolving cyber threats, it is more important than ever before that boards of directors and senior management be engaged in managing cybersecurity risk.

The cybersecurity assessment was piloted during the summer of 2014 by FFIEC membership which consists of the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, the Consumer Financial Protection Bureau, the National Credit Union Administration, and the State Liaison Committee. The assessment supplemented regularly scheduled exams and built upon key supervisory expectations contained within existing FFIEC information technology handbooks and other regulatory guidance.

The cybersecurity assessment found that the level of cybersecurity inherent risk varies significantly across financial institutions. Due to the varied risks, the FFIEC stated that it was important for financial institution management to understand their inherent risk to cybersecurity threats and vulnerabilities. ... Continue Reading

Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments

Posted in Cyber and National Security, Data Protection, Financial Services, Marketing and Consumer Privacy

“For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers.” – Thomas J. Curry, Comptroller of the Currency

In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council [1] stated that “Attacks on our information infrastructure are everywhere. … For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers. Some attackers target banks because they want to undermine confidence in our country’s financial system. Penetrating the information defenses of any one system may enable attackers to penetrate another, and that in turn could enable more widespread attacks on the broader economy.”

Comptroller Curry stated that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of his top priorities as Comptroller and Chairman of the FFIEC. As part of this effort, he formed the Cybersecurity and Critical Infrastructure ... Continue Reading

“…Because That’s Where the Money Is.” OCC Head Highlights Oversight of Cybersecurity for Financial Industry—Will All Vendors Cooperate?

Posted in Cyber and National Security

Why are banks often tempting targets for criminals and terrorists alike? Thomas Curry, the head of the Office of the Comptroller of the Currency (OCC), recently reminded us: “…because that’s where the money is.” But what most worries the Comptroller is not a modern-day Bonnie & Clyde or John Dillinger attacking banks from without, but rather scofflaws, “hacktivists,” terrorists and foreign regimes exploiting vulnerabilities in the financial industry’s cybersecurity and striking from within.

Over the last few months, Mr. Curry has taken to the speaking circuit, venturing from the Consumer Electronics Show (CES) Government Conference last April to the New England Council in May to raise the question of how vulnerable the nation’s financial sector is to cyber-attack. Mr. Curry noted that while consumers are rightfully concerned about the security of the financial tools they use on a daily basis—from credit card readers at the mall to Internet bill pay and online banking—many do not consider “what goes on behind the scenes” to process these transactions. “Yet the impact of a cyber-attack on those systems could be even more disruptive than a data leak at a large retail store,” Mr. Curry told the CES. “It’s one thing to worry about ... Continue Reading

Department of Energy Invites Cybersecurity Comments

Posted in Cyber and National Security, Energy

In a Federal Register notice to be officially published Friday, June 20, 2014, the Department of Energy (DOE) is inviting public participation in its efforts to develop a guidance document entitled “Energy Sector Framework Implementation Guidance.” The term “Framework” references the Framework for Improving Critical Infrastructure Cybersecurity which was released by the National Institute of Standards and Technology (NIST) on February 12, 2014. In a prepublication notice, the DOE announced that “[t]he document is being designed to help energy sector stakeholders develop or align existing cybersecurity risk management programs with the Cybersecurity Framework. The document will also take into consideration energy sector organizations that may have business activities across multiple critical infrastructure sectors, e.g., Dams, Transportation, Chemicals, etc. requiring a harmonized implementation approach with these other sectors.” The notice stated that bi-weekly conference calls will “provide periodic opportunities for participants to comment on the incremental updates to the Draft Framework Implementation Guidance document.” ... Continue Reading

Managing Risk in an Inhospitable Environment: The Restaurant and Hospitality Industries are an Alluring Destination for Cyber Thieves

Posted in Cyber and National Security, Data Protection, Retail/Hospitality

The recent onslaught of cybersecurity incidents and payment card thefts dominate daily headlines and have captured the nation’s attention—from the diner whose credit card was compromised during a data breach to the President of the United States who recently advocated passage of national data breach legislation: everyone has a stake in this issue. Beyond the headlines, however, the hospitality and restaurant industries are under constant attack by cyber thieves attempting to breach point of sale (PoS) servers and any other crack in their digital infrastructure. And while the data breaches reported by Target, Michaels and Neiman Marcus dominated the headlines, cyber thieves focused much of their attention on food, beverage and hospitality providers. The quick take away is that where data can be obtained and monetized, it will be stolen and the restaurant and hospitality industries are an alluring destination for cyber thieves.

The PoS Problem
In 2012, credit card and debit card fraud resulted in losses of $11.27 billion. While the total cyber theft losses for 2013 are not yet known, over 342 million identities were compromised in 2013. It appears that the most common cyberattack, and perhaps the most devastating economically and reputationally, involves the compromise of PoS ... Continue Reading

Government Officials Continue to Reference NIST Framework

Posted in Communications/Media, Cyber and National Security, Data Protection

On Thursday, June 12, 2014, while delivering remarks on cybersecurity at the American Enterprise Institute in Washington, D.C., Federal Communications Commission Chairman Tom Wheeler challenged businesses to be more proactive in addressing increasingly prevalent threats to their cybersecurity, urging them to embrace a “new paradigm” in which the private sector takes the lead and regulators step in to address shortcomings. In doing so, he urged businesses to use the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Wheeler’s comments followed similar comments two days earlier by U.S. Securities and Exchange Commissioner Luis Aguilar. As mentioned in our previous advisory, during a “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange on June 10, 2014, Commissioner Aguilar noted that while the NIST Framework provides voluntary guidance for any company, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to cybersecurity issues or for insurance purposes.... Continue Reading

SEC Commissioner Calls on Corporate Boards to Address Cybersecurity—Refers to NIST Cyber Framework as “the Bible”

Posted in Communications/Media, Cyber and National Security, Data Protection

While attending the “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange on Tuesday, June 10, 2014, U.S. Securities and Exchange Commissioner Luis Aguilar called on corporate boards to make sure they are taking the necessary steps to address and oversee their companies’ cybersecurity risks. In a prepared statement, he said that ensuring the adequacy of a firm’s cybersecurity measures “needs to be a critical part of a board of directors’ risk oversight responsibilities.” He said that “(e)ffective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”

... Continue Reading

United States Charges China with Cyber-Espionage in Unprecedented Indictment

Posted in Cyber and National Security, Global

This morning, the U.S. Department of Justice (DOJ) announced that a grand jury in the Western District of Pennsylvania has indicted five Chinese military officials on charges of computer hacking, economic espionage, and related offenses. The indictment marks the first time that the DOJ has filed charges against a state actor for cyber-theft and cyber-espionage crimes.

The indictment alleges that, between 2006 and 2014, the five individuals, while working for the Chinese People’s Liberation Army, hacked or attempted to hack into six U.S. companies in the nuclear power, solar, and metals industries to steal sensitive, non-public business information and trade secrets. The indictment alleges that the defendants stole this information to obtain economic advantages for Chinese state-owned enterprises (SOE) and other state interests. A summary of the specific allegations may be read in the DOJ’s press release about the indictment. The allegations of criminal conduct range from the defendants stealing proprietary information from Westinghouse Electric Co. about the design of its power plants while it was in negotiations with an SOE for the construction of plants in China, to the theft of emails from the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union ... Continue Reading

California Bill Would Create Cyber Security Commission

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

In recognition of the increasing threat that cyber-attacks pose to the state’s infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a “Cyber Security Commission.”

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor’s Office and Legislature on the status and progress of cyber security efforts.

The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice. Among other things, AB 2200 requires the Cyber Security ... Continue Reading

California AG Weighs in on Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

Just as NIST completes version 1.0 of its national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends to take a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, plain-English version of cybersecurity protections directed toward small and medium-size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium-size businesses and overlap to a large extent with NIST’s perspective on threats and with cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and the NIST Framework seek to ... Continue Reading

FTC’s 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

Posted in Cyber and National Security, Healthcare, Litigation

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

... Continue Reading

The Twelve Days of Surveillance

Posted in Cyber and National Security, Surveillance

By Lance Koonce

It seems like a new revelation about mass surveillance by the U.S. government and our allies occurs on an almost daily basis, each one more astounding than the last.  Don’t be surprised if those jingling bells you hear on your roof next week are not St. Nick, but instead someone installing a covert listening device on your fiberoptic phone line.

So, just in time for holidays, here’s a musical summary of some of the most stunning surveillance disclosures, with citations to background material on each.  Break out the eggnog and join us as we count down the Twelve Days of Surveillance.... Continue Reading

Are You a Target?

Posted in Cyber and National Security, Data Protection

By Daniel P. Reing

As has been widely reported, the popular retail giant Target announced yesterday that it suffered a data breach impacting approximately 40 million credit and debit card accounts used in Target stores across the country between November 27th and December 15th. It appears that the breach involved the theft of “track data” from the magnetic stripe on the back of credit and debit cards used in Target stores. Thieves use this stolen information to create counterfeit cards.... Continue Reading

More Online Trouble for Service Providers?

Posted in Cyber and National Security, Marketing and Consumer Privacy

By John D. Seiver

Google is facing increased scrutiny of its data collection and use practices, which may be a warning to all Internet and online service providers.  Last week, Judge Koh in San Jose held Google accountable for an alleged violation of the wiretap laws for Google’s “undisclosed” review of subscribers’ emails and other data to deliver targeted ads and create user profiles.  Among other things, the fact that Google warned its Gmail users that it “may” review their emails was apparently not the same as saying it “will” review them.

In the Street View case I blogged on the week before, the Ninth Circuit found that Google violated the same wiretap laws when, as part of compiling Street View data, it accessed unencrypted Wi-Fi transmissions, despite exceptions in the wiretap laws permitting access to unencrypted radio signals.  Google filed for panel and en banc rehearing.... Continue Reading

Deadline for Compliance with Updated COPPA Rules Draws Near

Posted in Cyber and National Security, Marketing and Consumer Privacy

By Ronald G. London and Robert G. Scott, Jr.

The July 1, 2013, deadline for complying with the Federal Trade Commission’s (FTC) updated regulations implementing its Children’s Online Privacy Protection Act (COPPA Rule) is around the corner, as discussed in our post here on the FTC’s denial of additional time and its revised “Frequently Asked Questions” to guide compliance efforts.  Our earlier advisory provides details on, e.g., the expansion of data collection activities covered by COPPA, including through persistent identifiers, new types of personal information whose collection will trigger the rule, clarification of how to obtain parental consent, refinements on what the Commission will deem to be a “child-directed” site covered by COPPA, and more.  The FTC’s COPPA Rule amendments are the first update to capture technological developments and evolving popular online practices – primarily social networking, smartphone Internet access, and the ability to use geolocation information – that arose after the law was enacted.... Continue Reading

Bills on Use of Mobile-Device-Location Data Reintroduced

Posted in Cyber and National Security

By Brad Guyton

Updating our entry on this issue posted during the last Congress, on March 21, 2013, lawmakers in the House and Senate reintroduced companion bills intended to curb government use of mobile users’ geolocation data.  The reintroduced Geolocation Privacy and Surveillance Act is nearly identical to legislation introduced nearly two years ago, as described in our prior post.  However, unlike two years ago, the bills are not accompanied by companion legislation requiring users’ permission for industry to share geolocation data, as was the case previously with the Location Privacy Protection Act of 2011.

The newly reintroduced Geolocation Privacy and Surveillance Act, sponsored again in the Senate by Sen. Ron Wyden (D-Or.) and in the House by Rep. Jason Chaffetz (R-Utah), would require the government and law enforcement agencies to obtain a warrant before accessing a person’s geolocation data, i.e., GPS information logged through Wi-fi networks and cellular towers.  The legislation is modeled after existing wiretapping and electronic surveillance laws and would add to Title 18 of the U.S. Code a new chapter 120 entitled “Protection of Geolocation Information.”

Several exceptions would apply, including those for emergency responders, parents of minors, and intelligence investigations under the Patriot Act.  ... Continue Reading

California District Court Finds National Security Letter Statute Unconstitutional

Posted in Cyber and National Security

By Brad Guyton and John Seiver

Last week, in In re National Security Letter, the United States District Court for the Northern District of California found unconstitutional two sections of the federal law allowing the FBI to issue “National Security Letters” (“NSLs”) to secretly demand subscriber records from ISPs, telecom carriers and other electronic service providers when investigating international terrorism or conducting clandestine intelligence activities.  An as-yet-unnamed telecommunications provider challenged the federal law and United States District Judge Susan Illston ordered the federal government to cease issuing NSLs and stop enforcing NSL gag orders, but stayed the order pending an expected appeal by the government to the Ninth Circuit.... Continue Reading

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

By Robert G. Scott, Jr.

On February 12, 2012, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure.  The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.... Continue Reading