Privacy & Security Law Blog

Insight & Commentary on Information Management and Protection

Category Archives: Cyber and National Security

Federal Financial Institutions Examination Council Launches Cybersecurity Webpage and Begins Cybersecurity Assessments

Posted in Cyber and National Security, Data Protection, Financial Services, Marketing and Consumer Privacy

“For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers.” Thomas J. Curry, Comptroller of the Currency

In comments before the Risk Management Association’s Governance, Compliance, and Operational Risk Conference last month, Thomas J. Curry, Comptroller of the Currency and Chairman of the Federal Financial Institutions Examination Council [1] stated that “Attacks on our information infrastructure are everywhere. … For cyber criminals, banks are especially tempting targets – not only because banks are where the money is, but also because of the vast amount of proprietary information banks have about their customers. Some attackers target banks because they want to undermine confidence in our country’s financial system. Penetrating the information defenses of any one system may enable attackers to penetrate another, and that in turn could enable more widespread attacks on the broader economy.”

Comptroller Curry stated that helping to make banks less vulnerable and more resilient to cyber-attacks has been one of his top priorities as Comptroller and Chairman of the FFIEC. As part of this effort, he formed the Cybersecurity and Critical Infrastructure ...

“…Because That’s Where the Money Is.” OCC Head Highlights Oversight of Cybersecurity for Financial Industry—Will All Vendors Cooperate?

Posted in Cyber and National Security

Why are banks often tempting targets for criminals and terrorists alike? Thomas Curry, the head of the Office of the Comptroller of the Currency (OCC), recently reminded us: “…because that’s where the money is.” But what most worries the Comptroller is not a modern-day Bonnie & Clyde or John Dillinger attacking banks from without, but rather scofflaws, “hacktivists,” terrorists and foreign regimes exploiting vulnerabilities in the financial industry’s cybersecurity and striking from within.

Over the last few months, Mr. Curry has taken to the speaking circuit, venturing from the Consumer Electronics Show (CES) Government Conference last April to the New England Council in May to raise the question of how vulnerable the nation’s financial sector is to cyber-attack. Mr. Curry noted that while consumers are rightfully concerned about the security of the financial tools they use on a daily basis—from credit card readers at the mall to Internet bill pay and online banking—many do not consider “what goes on behind the scenes” to process these transactions. “Yet the impact of a cyber-attack on those systems could be even more disruptive than a data leak at a large retail store,” Mr. Curry told the CES. “It’s one thing to worry about ...

Department of Energy Invites Cybersecurity Comments

Posted in Cyber and National Security, Energy

In a Federal Register notice to be officially published Friday, June 20, 2014, the Department of Energy (DOE) is inviting public participation in its efforts to develop a guidance document entitled “Energy Sector Framework Implementation Guidance.” The term “Framework” references the Framework for Improving Critical Infrastructure Cybersecurity which was released by the National Institute of Standards and Technology (NIST) on February 12, 2014. In a prepublication notice, the DOE announced that “[t]he document is being designed to help energy sector stakeholders develop or align existing cybersecurity risk management programs with the Cybersecurity Framework. The document will also take into consideration energy sector organizations that may have business activities across multiple critical infrastructure sectors, e.g., Dams, Transportation, Chemicals, etc. requiring a harmonized implementation approach with these other sectors.” The notice stated that bi-weekly conference calls will “provide periodic opportunities for participants to comment on the incremental updates to the Draft Framework Implementation Guidance document.”...

Managing Risk in an Inhospitable Environment: The Restaurant and Hospitality Industries are an Alluring Destination for Cyber Thieves

Posted in Cyber and National Security, Data Protection, Retail/Hospitality

The recent onslaught of cybersecurity incidents and payment card thefts dominates daily headlines and has captured the nation’s attention—from the diner whose credit card was compromised during a data breach to the President of the United States who recently advocated passage of national data breach legislation: everyone has a stake in this issue. Beyond the headlines, however, the hospitality and restaurant industries are under constant attack by cyber thieves attempting to breach point of sale (PoS) servers and any other crack in their digital infrastructure. And while the data breaches reported by Target, Michaels and Neiman Marcus dominated the headlines, cyber thieves focused much of their attention on food, beverage and hospitality providers. The quick takeaway is that where data can be obtained and monetized, it will be stolen, and the restaurant and hospitality industries are an alluring destination for cyber thieves.

The PoS Problem

In 2012, credit card and debit card fraud resulted in losses of $11.27 billion. While the total cyber theft losses for 2013 are not yet known, over 342 million identities were compromised in 2013. It appears that the most common cyberattack, and perhaps the most devastating economically and reputationally, involves the compromise of PoS ...

Government Officials Continue to Reference NIST Framework

Posted in Communications/Media, Cyber and National Security, Data Protection

On Thursday, June 12, 2014, while delivering remarks on cybersecurity at the American Enterprise Institute in Washington, D.C., Federal Communications Commission Chairman Tom Wheeler challenged businesses to be more proactive in addressing increasingly prevalent threats to their cybersecurity, urging them to embrace a “new paradigm” in which the private sector takes the lead and regulators step in to address shortcomings. In doing so, he urged businesses to use the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. Wheeler’s comments followed similar comments two days earlier by U.S. Securities and Exchange Commissioner Luis Aguilar. As mentioned in our previous advisory, during a “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange on June 10, 2014, Commissioner Aguilar noted that while the NIST Framework provides voluntary guidance for any company, some commentators have already suggested that it will likely become a baseline for best practices by companies, including in assessing legal or regulatory exposure to cybersecurity issues or for insurance purposes....

SEC Commissioner Calls on Corporate Boards to Address Cybersecurity—Refers to NIST Cyber Framework as “the Bible”

Posted in Communications/Media, Cyber and National Security, Data Protection

While attending the “Cyber Risks and the Boardroom” Conference at the New York Stock Exchange on Tuesday, June 10, 2014, U.S. Securities and Exchange Commissioner Luis Aguilar called on corporate boards to make sure they are taking the necessary steps to address and oversee their companies’ cybersecurity risks. In a prepared statement, he said that ensuring the adequacy of a firm’s cybersecurity measures “needs to be a critical part of a board of directors’ risk oversight responsibilities.” He said that “(e)ffective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”

United States Charges China with Cyber-Espionage in Unprecedented Indictment

Posted in Cyber and National Security, Global

This morning, the U.S. Department of Justice (DOJ) announced that a grand jury in the Western District of Pennsylvania has indicted five Chinese military officials on charges of computer hacking, economic espionage, and related offenses. The indictment marks the first time that the DOJ has filed charges against a state actor for cyber-theft and cyber-espionage crimes.

The indictment alleges that, between 2006 and 2014, the five individuals, while working for the Chinese People’s Liberation Army, hacked or attempted to hack into six U.S. companies in the nuclear power, solar, and metals industries to steal sensitive, non-public business information and trade secrets. The indictment alleges that the defendants stole this information to obtain economic advantages for Chinese state-owned enterprises (SOE) and other state interests. A summary of the specific allegations may be read in the DOJ’s press release about the indictment. The allegations of criminal conduct range from the defendants stealing proprietary information from Westinghouse Electric Co. about the design of its power plants while it was in negotiations with an SOE for the construction of plants in China, to the theft of emails from the United Steel, Paper and Forestry, Rubber, Manufacturing, Energy, Allied Industrial and Service Workers International Union ...

California Bill Would Create Cyber Security Commission

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

In recognition of the increasing threat that cyber-attacks pose to the state’s infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a “Cyber Security Commission.”

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission would be required to meet monthly and submit quarterly reports to the Governor’s Office and Legislature on the status and progress of cyber security efforts.

The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice. Among other things, AB 2200 requires the Cyber Security ...

California AG Weighs in on Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain English version of cybersecurity protections directed toward small and medium size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium size businesses and overlap to a large extent with NIST’s perspective on threats and with cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to ...

FTC’s 50th Data Security Settlement Sends a Message: Be Careful with Overseas Contractors

Posted in Cyber and National Security, Healthcare, Litigation

The Federal Trade Commission (FTC) sent a message about the importance of imposing appropriate security measures on—and monitoring—vendors with access to confidential consumer information. The FTC issued a 20-year consent order with GMR Transcription Services (GMR) over its overseas contractor’s data security breach. The decision marks the FTC’s 50th information security settlement and fifth health information complaint (four of which have settled). For health care providers and business associates, the GMR settlement suggests that the FTC has higher expectations than HHS regarding management and oversight of vendors and other downstream subcontractors, especially when these vendors are outside of U.S. jurisdiction. The GMR settlement did not involve security failures by GMR itself, but by a subcontractor, Fedtrans.

The Twelve Days of Surveillance

Posted in Cyber and National Security, Surveillance

By Lance Koonce

It seems like a new revelation about mass surveillance by the U.S. government and our allies occurs on an almost daily basis, each one more astounding than the last.  Don’t be surprised if those jingling bells you hear on your roof next week are not St. Nick, but instead someone installing a covert listening device on your fiber-optic phone line.

So, just in time for the holidays, here’s a musical summary of some of the most stunning surveillance disclosures, with citations to background material on each.  Break out the eggnog and join us as we count down the Twelve Days of Surveillance....

Are You a Target?

Posted in Cyber and National Security, Data Protection

By Daniel P. Reing

As has been widely reported, the popular retail giant Target announced yesterday that it suffered a data breach impacting approximately 40 million credit and debit card accounts used in Target stores across the country between November 27th and December 15th. It appears that the breach involved the theft of “track data” from the magnetic stripe on the back of credit and debit cards used in Target stores. Thieves use this stolen information to create counterfeit cards....

More Online Trouble for Service Providers?

Posted in Cyber and National Security, Marketing and Consumer Privacy

By John D. Seiver

Google is facing increased scrutiny of its data collection and use practices, which may be a warning to all Internet and online service providers.  Last week, Judge Koh in San Jose refused to dismiss claims that Google violated the wiretap laws through its “undisclosed” review of subscribers’ emails and other data to deliver targeted ads and create user profiles.  Among other things, the fact that Google warned its Gmail users that it “may” review their emails was apparently not the same as saying it “will” review them.

In the Street View case I blogged on the week before, the Ninth Circuit found that Google violated the same wiretap laws when, as part of compiling Street View data, it accessed unencrypted Wi-Fi transmissions, despite exceptions in the wiretap laws permitting access to unencrypted radio signals.  Google filed for panel and en banc rehearing....

Deadline for Compliance with Updated COPPA Rules Draws Near

Posted in Cyber and National Security, Marketing and Consumer Privacy

By:  Ronald G. London and Robert G. Scott, Jr.

The July 1, 2013, deadline for complying with the Federal Trade Commission’s (FTC) updated regulations implementing its Children’s Online Privacy Protection Act (COPPA Rule) is around the corner, as discussed in our post here on the FTC’s denial of additional time and its revised “Frequently Asked Questions” to guide compliance efforts.  Our earlier advisory provides details on, e.g., the expansion of data collection activities covered by COPPA, including through persistent identifiers, new types of personal information whose collection will trigger the rule, clarification of how to obtain parental consent, refinements on what the Commission will deem to be a “child-directed” site covered by COPPA, and more.  The FTC’s COPPA Rule amendments are the first update to capture technological developments and evolving popular online practices – primarily social networking, smartphone Internet access, and the ability to use geolocation information – that arose after the law was enacted....

Bills on Use of Mobile-Device-Location Data Reintroduced

Posted in Cyber and National Security

By Brad Guyton

Updating our entry on this issue posted during the last Congress, on March 21, 2013, lawmakers in the House and Senate reintroduced companion bills intended to curb government use of mobile users’ geolocation data.  The reintroduced Geolocation Privacy and Surveillance Act is nearly identical to legislation introduced nearly two years ago, as described in our prior post.  However, unlike two years ago, the bills are not accompanied by companion legislation requiring users’ permission for industry to share geolocation data, as was the case previously with the Location Privacy Protection Act of 2011.

The newly reintroduced Geolocation Privacy and Surveillance Act, sponsored again in the Senate by Sen. Ron Wyden (D-Or.) and in the House by Rep. Jason Chaffetz (R-Utah), would require the government and law enforcement agencies to obtain a warrant before accessing a person’s geolocation data, i.e., GPS information logged through Wi-Fi networks and cellular towers.  The legislation is modeled after existing wiretapping and electronic surveillance laws and would add to Title 18 of the U.S. Code a new chapter 120 entitled “Protection of Geolocation Information.”

Several exceptions would apply, including those for emergency responders, parents of minors, and intelligence investigations under the Patriot Act.  ...

California District Court Finds National Security Letter Statute Unconstitutional

Posted in Cyber and National Security

By Brad Guyton and John Seiver

Last week, in In re National Security Letter, the United States District Court for the Northern District of California found unconstitutional two sections of the federal law allowing the FBI to issue “National Security Letters” (“NSLs”) to secretly demand subscriber records from ISPs, telecom carriers and other electronic service providers when investigating international terrorism or conducting clandestine intelligence activities.  An as-yet-unnamed telecommunications provider challenged the federal law and United States District Judge Susan Illston ordered the federal government to cease issuing NSLs and stop enforcing NSL gag orders, but stayed the order pending an expected appeal by the government to the Ninth Circuit....

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

By Robert G. Scott, Jr.

On February 12, 2013, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure.  The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats....

FBI Reportedly Seeking Expansion of CALEA to New Communications and Technology Platforms

Posted in Cyber and National Security

By Bob Scott & K.C. Halm

On the heels of the House’s recent approval of the Cyber Intelligence Sharing and Protection Act (CISPA), CNET News reports that the FBI has drafted amendments to the Communications Assistance for Law Enforcement Act (CALEA) that would significantly expand the scope of the statute.  The FBI and other law enforcement officials have long been concerned about the increasing volume of communications occurring on technology platforms that are beyond the reach of CALEA, and outside of law enforcement’s existing surveillance capabilities.  The FBI reportedly terms this phenomenon the “Going Dark” problem.  Solving it as the FBI proposes, however, could require significant operational changes by service providers that utilize such technologies....

House Passes Cyber Intelligence Sharing Bill With Substantial Industry Support, But Veto Threat Looms

Posted in Cyber and National Security

By Jay Ireland

On April 26, 2012 the House passed the Cyber Intelligence Sharing and Protection Act (“CISPA”) on a 248 – 168 vote.  CISPA is supported by many communications and technology companies (e.g., Verizon, AT&T, Facebook, and Microsoft) as a critical step in protecting the nation’s infrastructure and national security from cyber attacks, by permitting the sharing of cyber threat information between private companies and the federal government.  Critics (e.g., the ACLU, Center for Democracy and Technology, and others) strenuously oppose CISPA based on concerns it compromises individual privacy by allowing personal information to be shared with the government without adequate protections, oversight, or legal recourse.  The White House opposes the legislation and has threatened to veto it in its current form....

House Subcommittee Approves Data Security Bill

Posted in Cyber and National Security

By Richard Gibbs

On July 20, 2011, the House Commerce, Manufacturing and Trade subcommittee approved the Secure and Fortify Electronic (SAFE) Data Act (“SAFE Data Act” or “Act”) in a voice vote. The text of the bill is available here. The measure will now move to the full Energy and Commerce Committee for consideration. The bill would establish a national standard for when companies are required to notify consumers that their unencrypted personal information has been accessed or acquired and for notifying the Federal Trade Commission (“FTC”) and law enforcement of a security breach.

The bill applies to all persons and companies subject to the jurisdiction of the FTC and any tax-exempt organizations under Section 501(c) of the Internal Revenue Code; however, entities subject to HIPAA and Gramm-Leach Bliley will be exempt from the Act in certain circumstances. Under the current version, only data containing personal information related to commercial activity is protected. Personal information is defined as the consumer’s name, or address or phone number combined with one or more of the following pieces of information: social security number, government identification number (e.g., driver’s license number), or financial account identification number (if the codes or passwords needed to ...

Internet Privacy Class Actions

Posted in Cyber and National Security, Global, Litigation, Policy and Regulatory Positioning

In today’s cyberworld, operating in online and social media can put companies in a special class. Unfortunately, that class could mean a class action lawsuit. Websites and social media provide search engines, website operators, and advertisers powerful ways to obtain and monetize data about users. Jimmy Nguyen explores how this power has triggered public and governmental concern about consumers’ online privacy, even leading to a Wall Street Journal investigative report in August 2010 and a wave of class action lawsuits....

We’re Baaaaaaack.

Posted in Communications/Media, Cyber and National Security, Data Protection, Marketing and Consumer Privacy

Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:

(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?

Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.

So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:

Rather than a ...

Malware Cited as the Cause of Massive Supermarket Data Breach

Posted in Cyber and National Security

By Hozaifa Cassubhai

A massive data breach at an East Coast supermarket chain compromised up to 4.2 million credit and debit cards earlier in March, leading to 1,800 cases of fraud arising as far away as Mexico, Italy and Bulgaria.  Recently, the Hannaford Bros. grocery chain announced the cause of that breach:  unauthorized software secretly installed on servers that intercepted data from customers as they paid with plastic at checkout counters....