On August 1, 2017, the Senate introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”, which aims to bolster the security of government-acquired IoT devices.  Sponsored by Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT), the bill would require connected devices purchased by the government agencies to be patchable, rely on industry standard protocols, not use hard-coded passwords, and not contain any known security vulnerabilities.

The bill would also require each executive level agency head to inventory all connected devices used by the agency.  OMB and DHS would establish guidelines for the agencies based on DHS’s Continuous Diagnostics and Mitigation (CDM) program.  Specifically, the bill directs OMB to develop alternative network-level security requirements for devise within limited data process and software functionality.  It also directs DHS to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.  Finally, researchers would be exempted from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaging in good-faith research pursuant to adopted coordinated vulnerability disclosure guidelines.

This legislation follows calls for more security and standards addressing IoT devices to further safeguard information from potential attacks. For example, the Government Accountability Office (GAO) recently recommended that the Department of Defense update its policies to address IoT risks that leave them vulnerable to attacks.  In addition, Trump’s executive order on cybersecurity called for reports with recommendations to reduce the threat of botnets and other automated distributed attacks.

In a press release, Senator Warner, co-chair of the Senate Cybersecurity Caucus (SCC), states that the bill would provide “thorough, yet flexible guidelines for Federal Government procurements of connected devices.”  In the same statement, the SCC’s co-chair, Sen. Garner, states the bill would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.”

To view the introduced legislation, click here.

To view the public statement, click here.

To view the fact sheet summary, click here.

 

An Alabama man has been sentenced to spend six months in prison for illegally accessing the personal information of over fifty women. For over two years, Kevin Maldonado engaged in a hacking technique called “phishing,” creating fake email accounts impersonating email providers and requesting numerous women to change their email passwords. He was then able to obtain passwords and access private information, including personal photographs. Maldonado then stored the stolen information on his personal computer. Maldonado pleaded guilty in February 2017 to computer intrusion, and was sentenced to six months in prison and three years of supervised release.

Although extensive, Maldonado’s phishing technique is a common strategy employed by hackers to gain personal information. Phishing scams are fraudulent email messages that appear to come from legitimate sources. In 2016, according to the FBI’s Internet Crime Complaint Center, there were more than 19,000 victims of phishing and related scams. Email users can guard against these scams by verifying information sent in emails, like the name of the company, sender and url links embedded in the email message. Personal firewalls and security software can provide even more protection if needed.

To view information from the SEC on protection from phishing scams, click here.

To view the U.S. Attorney’s press release click here.

This month, the Federal Trade Commission (FTC) issued guidance for businesses operating websites and online services looking to comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA addresses the collection of personal information from children under 13.  Importantly, the determination of whether a business’s website is “directed to children under 13” (and thus subject to certain COPPA requirements) is based on a variety of factors – thus even website that do not target children as its primary audience may nonetheless be subject to COPPA’s requirements based on the website’s subject matter, visual and audio content, ads on the site that may be directed to children, and other factors.

The FTC’s guidance notes that updates to the COPPA regulations were made in July 2013 to reflect changes in technology, and reminded businesses that violations can result in law enforcement actions as well as civil penalties.  The compliance guidance sets out steps to (1) determining whether your business is covered by COPPA; (2) if so, what steps need to be taken to ensure compliance, including privacy policy provisions, notifying and obtaining verifiable consent from parents, (3) providing methods for parents to review, delete, or revoke consent, and (4) implementing reasonable security procedures. Finally, the guidance provides a chart describing limited exceptions to the parental consent requirement.

  • Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
  • Step 2: Post a Privacy Policy that Complies with COPPA.
  • Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
  • Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
  • Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
  • Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
  • Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

The six COPPA compliance steps are described below. To view the FTC’s full guidance webpage, click here.

NOTE:  In addition to COPPA, it may be worth determining whether California’s state version of COPPA, the California Online Privacy Protection Act (“CalOPPA”) applies to your business and, if so, whether additional compliance measures may be necessary. CAlOPPA broadly applies whenever a website or app collects “personally identifiable information” or PII (as defined in the state’s business code) from a California resident, and thus applies to the vast majority of online businesses, even if not based in California.

 

 

 

 

On June 9, 2017, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) released a cyber-attack “Quick Response” checklist (the Checklist) for the benefit of HIPAA covered entities and business associates.

This checklist and the accompanying info-graphic is part of the ongoing HHS campaign to get out ahead of cyber-attacks in the healthcare sector. Rather than the HHS merely reacting to HIPAA-related fallout that can occur as a result of a breach, this checklist is meant to preemptively explain the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident. This preventative campaign by HHS has been spurred on by the increasing prevalence of cyber-attacks, particularly the May 2017 WannaCry ransomware attack in May 2017 which “rapidly affected numerous organizations across over one hundred countries.” The Checklist contains response, reporting, and assessment / notice requirements for covered entities and business associates.

1) Response: The entity must execute its response and mitigation procedures in addition to its contingency plan. See HIPAA Security Rule, 45 C.F.R. § 164.308(a)(6)−(7) (requiring the establishment of contingency plans and the entity’s response to and mitigation of security incidents). This requires that the entity immediately identify the problem, fix it, and mitigate any impermissible disclosure of public health information (PHI).

2) Report: The entity should report the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigations, or the Secret Service. This report should not include any PHI.

The entity should report all cyber threat indicators to federal and information sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.

3) Assessment and Notice: If the breach affects 500 or more individuals, the entity must report it to OCR as soon as possible, but no later than 60 days after the discovery of the breach. The entity must also notify the individuals affected by the breach and the media unless a law enforcement officer has requested a delay in the reporting.

If the breach affects less than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery and OCR within 60 days after the end of the calendar year in which the breach was discovered.

If the PHI was encrypted or the entity determines through a written risk assessment that there was a low probability that PHI was compromised during the breach, this would not constitute a breach that would have to be reported to OCR.

In recent testimony to Congress, HHS officials testified that its cybersecurity push is meant “to engage the broader healthcare sector and ensure that IT security practitioners ha[ve] the information they need,” while additionally providing guidance and support regarding “how to manage cybersecurity incidents in this era of heightened consequences….” (See Congressional Testimony, Steve Curren, Division of Resilience in the Office of Emergency Management, HHS Office of the Assistant Secretary for Preparedness and Response). In the Checklist release, HHS specifically refers to HIPAA-related penalties, noting that “in determining the amount of any applicable civil penalty, OCR may consider mitigating factors,” including compliance with the actions encouraged by the Checklist. (See also 45 C.F.R. §160.408 (describing mitigating and aggravating factors in determining civil penalties)). The release of this “Quick Response” checklist follows the HHS establishment of the Health Cybersecurity and Communications Integration Center, demonstrating the serious commitment of the HHS to combating the occurrence and effect of these cybersecurity breaches.

For the official Checklist from the HHS on June 9, 2017, click here. For the HHS info-graphic that accompanied the Checklist, click here.

On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool.

The Cybersecurity Assessment Tool was originally released by the FFIEC in June of 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Cybersecurity Assessment Tool is intended to be used by financial institutions of all sizes to perform a self-assessment and inform their risk management strategies. Upon the release of the original Cybersecurity Assessment Tool, the FFIEC noted its plan to update the Cybersecurity Assessment Tool as threats, vulnerabilities, and operational environments evolve.

According to the FFIEC’s May 31st press release, the update to the Cybersecurity Assessment Tool “addresses changes to the FFIEC IT Examination Handbook by providing a revised mapping in Appendix A to the updated Information Security and Management booklets”. The updated Cybersecurity Assessment Tool also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.”

Financial institutions can find the updated version of the Cybersecurity Assessment Tool here.

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to $1 million Chinese yuan (~$147,000); (2) personal fines for directly responsible persons up to $100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains).

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator) the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear on whether the new law may alienate small or medium sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state run website, China Daily, on May 31, 2017, click here.

Target Corporation has reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the investigation into the retailer’s 2013 data breach, officials announced on May 23, 2017. The 2013 data breach incident triggered various state consumer protection and data breach laws when hackers accessed consumer data for over 110 million Target customers. In response, state attorneys general from across the country joined in an investigation led by Connecticut and Illinois. The investigation has culminated in the largest multistate data breach settlement to date.

In November 2013, hackers breached Target’s gateway server using stolen credentials from a third-party vendor. The hackers were able to access a customer service database, install malware on the system, and capture consumer data. Customer payment card accounts for more than 41 million and contact information for more than 60 million, including full names, telephone numbers, email and mailing addresses, payment card numbers and verification codes, and encrypted debit PINs, were compromised in the breach.

Notably, Target has agreed to much more than the monetary payments to the states. Through Target’s compliance with the settlement agreement, various state attorneys general project Target will set industry standards for secure credit card processing and customer data maintenance. According to the settlement terms, Target must adhere to several requirements, including: (1) developing, implementing, and maintaining a comprehensive information security program within 180 days designed to protect customer personal information; (2) employing an executive or officer responsible for implementing and maintaining the information security program; (3) developing and implementing policies and procedures for auditing vendor compliance with its information security program; (4) maintaining encryption protocols and policies; (5) complying with the Payment Card Industry Data Security Standard (“PCI DSS”) with respect to its payment card system; (6) segmenting its payment card system from its larger computer network; (7) deploying and maintaining controls to detect and prevent the execution of unauthorized applications within its point-of-sale terminals and servers; and (8) adopting improved, industry-accepted payment card security technologies, such as chip and PIN technology.

Target has one year to obtain a third-party security assessment and report and provide the report to the Connecticut Attorney General’s Office.

A copy of the full settlement is available here.

On April 4, 2017, President Trump signed legislation repealing the Federal Communications Commission’s (FCC) privacy protections adopted in October 2016. The regulations, set to go into effect later this year, would have required internet service providers (ISPs) to adopt stricter consumer privacy protections than websites like Google and Facebook. Among other things, the regulations would have required ISPs to obtain consent before sharing sensitive customer proprietary information, take reasonable measures to secure customer proprietary information, provide notification to customers, the FCC and law enforcement in the event of data breaches, and not condition provision of service on the surrender of privacy rights.

The regulations were opposed by many ISPs who felt that they would be at a disadvantage to companies like Amazon, Google and Facebook, who are regulated by the Federal Trade Commission (FTC). Because these companies offer internet services, and do not provide internet connection, they are subject to the less restrictive FTC regulations. While many ISPs have promised not to sell proprietary customer information, these promises are voluntary. President Trump’s repeal leaves the states as the only real possible enforcer of ISP privacy regulations.

Earlier this month, the new cybersecurity regulation from the New York Department of Financial Services (“DFS“) took effect. The new regulation requires banks, insurance companies and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The final cybersecurity regulation is very similar to the proposed regulation, which we reported on in a previous post, but contains a few notable changes:

  • Record retention requirements for audit trails designed to detect and respond to Cybersecurity Events were reduced from five years to three years.
  • Clarification that Covered Entities’ policies and procedures regarding notice to be provided by Third Party Service Providers of Cybersecurity Events cover only Covered Entity’s Nonpublic Information being held by the Third Party Service Provider.
  • Clarification of the circumstances under which a Covered Entity must provide notice of Cybersecurity Event to the Superintendent.
  • The limited exemptions have been revised to specifically include the number of employees and the gross annual revenue of a Covered Entity’s affiliates located in New York.
  • Clarification on the exemptions available for companies regulated under New York’s Insurance Law.

Financial institutions in other states may wish to pay particular attention to this “first-in-the-nation cybersecurity regulation” issued by a state financial regulator, particularly as it may be only a matter of time before other states follow New York’s lead.

The DFS regulation, 23 N.Y.C.R.R. Part 500, is available here.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.