On November 15, 2017, the Trump administration released the Vulnerabilities Equities Policy and Process. This documents describes the process by which U.S. agencies and departments determine whether to disclose or restrict information on vulnerabilities in information systems and technologies. The Vulnerabilities Equities Process (VEP) balances whether to disclose vulnerability information to the vendor or supplier in the expectation that the vulnerability will be fixed or to temporarily restrict disclosure of the information so that it can be used for national security and/or law enforcement purposes.

The Equities Review Board (ERB), consisting of individuals from numerous agencies, functions as the forum for interagency deliberation and determination concerning the VEP. The National Security Agency will function as the VEP Executive Secretariat. The VEP Executive Secretariat will oversee communications, documentation and recordkeeping for the VEP. The VEP Executive Secretariat will also publish a report of unclassified information on an annual basis.

The VEP provides steps for submitting and reviewing identified vulnerabilities:

  • When an agency determines that a vulnerability reaches the threshold for entry into the VEP, it will notify the VEP Executive Secretariat and provide a recommendation for disclosure or restriction of the vulnerability.
  • The VEP Executive Secretariat will provide notice to all agencies of the ERB and request agencies to respond if they have a strong interest (i.e., “equity”) in the vulnerability. Any agencies with a strong interest in the vulnerability must concur or disagree with the recommendation.
  • The ERB will then reach a consensus on whether or not to disclose or restrict the vulnerability

The view the VEP Charter, click here.

To view the fact sheet, click here.

The FTC is seeking public comment on a petition by Sear’s to reopen and modify its 2009 consent order to restrict the broad definition of “tracking application”.

Background.  In 2009, the FTC issued an order settling charges that Sears Holdings Management Corporation (“Sears”) had failed to adequately disclose the scope of consumers’ personal information it collected via a downloadable software application.  While Sears represented to consumers that the software would track their “online browsing”, the FTC alleged that the software would also monitor consumers’ other online secure sessions – including sessions on third parties’ websites — and collect information transmitted in those sessions, “such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based emails.”  The software would also track some computer activities unrelated to the Internet.  The proposed settlement called for Sears to stop collecting data from consumers who downloaded the software, and to destroy all data it had previously collected.

The 2009 Sears case is significant, among other reasons, because, the FTC found a violation of Section 5 of the FTC Act notwithstanding Sears’ disclosure, because the disclosure was not sufficiently conspicuous.  Specifically, while Sears did disclose the full scope of the software’s specific functions, the details of such functions were contained on approximately the 75th line of the scroll box containing the privacy statement and user license agreement.  The FTC order stated that because such description was not displayed clearly and prominently, that Sears was being “unfair and deceptive” under Section 5 of the FTC Act.

Petition.  On October 30, 2017, Sears petitioned the FTC to reopen and modify its final order to modify the broad definition of “tracking application”.   Sears states that the current definition should be updated because of changing circumstances over the past eight years which result in the definition unnecessarily restricting Sears’s ability to compete in the mobile app marketplace. Sears states that the requested modification would enable the company to “keep step with current market practices” related to retail online tracking applications.

  • Definition. Paragraph 4 of the consent order defines “tracking application” as:  “any software program or application disseminated by or on behalf of respondent, its subsidiaries or affiliated companies, that is capable of being installed on consumers’ computers and used by or on behalf of respondent to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from, or transmitted to the computers on which it is installed.” 
  • Modification. Sears requests that the following additional language be inserted after the word “installed”: “unless the information monitored, recorded, or transmitted is limited solely to the following: (a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.”
  • Rationale. Sears states that the proposed modification is necessary to carve out commonly accepted and expected behaviors from the scope of the Order without modifying the Order’s core manage of providing notice to consumers when software applications engaged in potentially invasive tracking.  Sears states subparts (a) and (b) would exclude “activities common to all modern software applications” while subpart (c) would exclude “information tracking that is commonly accepted by consumers and that does not present the type of risks to consumer privacy that the Order was intended to remedy.” Sears further states that the proposed modification mirrors language that the FTC has used to exclude such commonly accepted practices from more recent consent orders.

Solicitation of Public Comment.  On November 8, the FTC issued a release seeking public comment on Sear’s petition requesting that it reopen and modify the 2009 order and definition.  The FTC will decide whether to approve Sears’ petition following the expiration of the 30-day public comment period.  Public comments may be submitted under December 8, 2017.

To view the 2009 FTC Order, click here.

To view Sears’s Petition, click here:

To view FTC’s solicitation of public comment click here.

 

If you’ve seen the news, you’re probably aware that Equifax announced last week that hackers had breached some of its website application software, potentially affecting the sensitive personal information of approximately 143,000,000 consumers.  If you believe you may be affected by the breach, or are wondering what to do about it, read below for: (A) a brief background of the breach and mitigating efforts, as well as: (B) 5 basic steps to take that may improve your chances of protecting yourself from identity theft as a result of the breach.

A. Background: Equifax Breach

The scope of data includes names, social security numbers, birth dates, addresses, and driver’s licenses.  The incident may have also compromised credit card numbers for 209,000 U.S. consumers, and other “dispute documents” that contained identifying information for 182,000 consumers.  On July 29, the company discovered the intrusion, which began in mid-May and continued through July.  More information can be found in a video statement by CEO, Rick Smith.  To support consumers, Equifax has beefed up its call centers and is directing consumers to a specific Equifax’s website, where they can type in their last name and the last 6 digits of their social security number to see if they are impacted; they also have the option to enroll in its “TrustedID Premier” service. Normally costing $19.95 a month, Equifax is offering this “comprehensive package of ID theft protection and credit monitoring at no cost.”

Criticisms.  Some debate currently exists about whether consumers should sign up for this product on the Equifax website, and various criticisms are being blasted on social media and elsewhere over the way in which Equifax is handling the breach:

  • Some have specifically criticized the nature of Equifax’s help, asserting that (a) consumers may be giving up some rights to sue the company if they signed up for its credit monitoring services, and (b) while companies do offer an opt out provision, consumers must do so in writing within 30 days of accepting the services, which the CFPB has pushed back against.
  • One Ars Technica article even criticizes the security of the Equifax website itself, which encourages you to type in your last name and the last 6 digits of your social security number to see if you’ve been impacted. According ot the article, “it runs on a stock installation WordPress … that doesn’t provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number.”
  • Some criticize free credit card monitoring as simply a Band-Aid, like treating the symptom instead of the underlying disease.
  • Other criticisms range from the Equifax’s delay (five weeks) before announcing to sale of shared by top executives shortly after the July 29 discovery of the breach.

Response.  Contrary to some of these assertions and several social media posts, Equifax has clarified on its website that consumers signing up for TrustedID Premier will not be automatically enrolled or charged after the conclusion of the complimentary year of Trusted ID Premier. Equifax also subsequently clarified in its FAQs that enrolling in the free credit file monitoring and ID theft protection associated with this cybersecurity incident does not waive any rights to take legal action.

B. Now What Do I Do?

Perhaps you are concerned that your information may have been compromised.  Perhaps you even went on the Equifax website and were told that your information “may have been impacted”. As you weigh the pros and cons of enrolling in Equifax’s TrustedID Premier product, or entering your information to see whether you may have been impacted, here are some additional steps you can take to protect yourself:

  1. Check your credit reports. Through this website, you can check your credit reports once a year – for free – from each of the 3 major credit reporting agencies, Equifax, Experian, and TransUnion. Accounts or activity that you do not recognize could indicate identity theft.
  2. Consider placing a credit freeze on your files. While it may not prevent an identity thief from making charges to existing accounts, placing a credit freeze on your file could make it harder for someone to open a new account in your name. A freeze will remain in place until you request it to be removed or temporarily lifted, which can take up to 3 business days.  Note that if you plan on opening a new account, applying for a job, renting an apartment or buying insurance in the near future, you will need to either remove the freeze or lift it temporarily for a specific time or specific party (e.g., potential landlord, employer, etc.). Check with your credit reporting company for the costs and lead times associated with temporarily lifting a freeze. If you coordinate with the party, you can find out which company they are contacting, and simply lift the freeze for that company instead of all three.
  3. Alternatively, if someone has misused your information, place a fraud alert. While a credit freeze locks down your credit, a fraud alert allows creditors to access your report as long as they take steps to verify your identify.  For instance, if you provide a phone number, the business must call you to verify you are the person making the credit requests. This may prevent someone from opening new credit accounts in your name, but won’t prevent the misuse of your existing accounts (i.e., bank, credit card, insurance statements), which you should still monitor for any indications of fraudulent transactions. You must only ask one of the three credit reporting companies to put a fraud alert on your report – they will contact the other two.  Fraud alerts are free, but require you to provide proof of your identity. They can vary from: (a) initial fraud alert (90 days, but can be renewed), (b) extended fraud alert (7 years) and (c) active duty military alert (protecting the military while deployed for one year).
  4. Monitor your existing credit card and bank accounts closely. As stated above, credit freezes and fraud alerts help prevent the opening of new accounts using your information, but they may not prevent misuse of your existing accounts. For the next couple of months, put a note in your calendar to sit down and go through each bank and credit statements to monitor for any charges you do not recognize.
  5. File your taxes early. Tax identity theft can occur when someone uses your Social Security number to get a tax refund or a job.  You may recall in 2015, when hackers obtained sensitive information and then used the data to authenticate themselves to the IRS Get Transcript application and receive tax record belong to approx. 724,000 tax filers. More recently, the IRS announced the compromise of an online tool used to fill out FAFSA student loan applications. By filing your taxes as soon as you have the tax information you need, you can help to prevent a scammer from doing so. Respond to any letters from the IRS right away.

Contact Information for the Three Credit Reporting Companies:

  1. TransUnion — 1-800-680-7289
  2. Experian — 1-888-397-3742
  3. Equifax — 1-888-766-0008

On August 7 2017, the U.S. Securities and Exchange Commission (SEC), through its Office of Compliance Inspections and Examinations (OCIE), published a Risk Alert summarizing observations on how broker dealers, investment advisers, and investment companies have addressed cybersecurity issues. The OCIE examined 75 financial firms registered with the SEC. The examinations focused on the firms’ written policies regarding cybersecurity. The OCIE observed increased cybersecurity preparedness since a similar 2014 observational initiative was conducted but also noticed areas of compliance and oversight that could be improved.

In particular, the OCIE observed that almost all firms that were examined maintain cyber-security related written procedures regarding protection of customer and shareholder records and information. Additionally, the examinations confirmed many of the firms are conducting cybersecurity risk assessments, penetration tests and vulnerability scans, and maintaining clearly defined cybersecurity organizational charts for workforces. However, the OCIE also observed that, in some cases, firms are administering vague or unclear cybersecurity policies, are not adequately following cybersecurity policies, or are not conducting adequate system maintenance to address system vulnerabilities. The Risk Alert concluded that, despite some improvements, cybersecurity remains one of the top compliance risks for financial firms. The OCIE noted that it will continue to monitor financial firms’ compliance in this area.

To view the Risk Alert, click here.

 

On August 1, 2017, the Senate introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”, which aims to bolster the security of government-acquired IoT devices.  Sponsored by Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT), the bill would require connected devices purchased by the government agencies to be patchable, rely on industry standard protocols, not use hard-coded passwords, and not contain any known security vulnerabilities.

The bill would also require each executive level agency head to inventory all connected devices used by the agency.  OMB and DHS would establish guidelines for the agencies based on DHS’s Continuous Diagnostics and Mitigation (CDM) program.  Specifically, the bill directs OMB to develop alternative network-level security requirements for devise within limited data process and software functionality.  It also directs DHS to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.  Finally, researchers would be exempted from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaging in good-faith research pursuant to adopted coordinated vulnerability disclosure guidelines.

This legislation follows calls for more security and standards addressing IoT devices to further safeguard information from potential attacks. For example, the Government Accountability Office (GAO) recently recommended that the Department of Defense update its policies to address IoT risks that leave them vulnerable to attacks.  In addition, Trump’s executive order on cybersecurity called for reports with recommendations to reduce the threat of botnets and other automated distributed attacks.

In a press release, Senator Warner, co-chair of the Senate Cybersecurity Caucus (SCC), states that the bill would provide “thorough, yet flexible guidelines for Federal Government procurements of connected devices.”  In the same statement, the SCC’s co-chair, Sen. Garner, states the bill would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.”

To view the introduced legislation, click here.

To view the public statement, click here.

To view the fact sheet summary, click here.

 

An Alabama man has been sentenced to spend six months in prison for illegally accessing the personal information of over fifty women. For over two years, Kevin Maldonado engaged in a hacking technique called “phishing,” creating fake email accounts impersonating email providers and requesting numerous women to change their email passwords. He was then able to obtain passwords and access private information, including personal photographs. Maldonado then stored the stolen information on his personal computer. Maldonado pleaded guilty in February 2017 to computer intrusion, and was sentenced to six months in prison and three years of supervised release.

Although extensive, Maldonado’s phishing technique is a common strategy employed by hackers to gain personal information. Phishing scams are fraudulent email messages that appear to come from legitimate sources. In 2016, according to the FBI’s Internet Crime Complaint Center, there were more than 19,000 victims of phishing and related scams. Email users can guard against these scams by verifying information sent in emails, like the name of the company, sender and url links embedded in the email message. Personal firewalls and security software can provide even more protection if needed.

To view information from the SEC on protection from phishing scams, click here.

To view the U.S. Attorney’s press release click here.

This month, the Federal Trade Commission (FTC) issued guidance for businesses operating websites and online services looking to comply with the Children’s Online Privacy Protection Act (“COPPA”). COPPA addresses the collection of personal information from children under 13.  Importantly, the determination of whether a business’s website is “directed to children under 13” (and thus subject to certain COPPA requirements) is based on a variety of factors – thus even website that do not target children as its primary audience may nonetheless be subject to COPPA’s requirements based on the website’s subject matter, visual and audio content, ads on the site that may be directed to children, and other factors.

The FTC’s guidance notes that updates to the COPPA regulations were made in July 2013 to reflect changes in technology, and reminded businesses that violations can result in law enforcement actions as well as civil penalties.  The compliance guidance sets out steps to (1) determining whether your business is covered by COPPA; (2) if so, what steps need to be taken to ensure compliance, including privacy policy provisions, notifying and obtaining verifiable consent from parents, (3) providing methods for parents to review, delete, or revoke consent, and (4) implementing reasonable security procedures. Finally, the guidance provides a chart describing limited exceptions to the parental consent requirement.

  • Step 1: Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
  • Step 2: Post a Privacy Policy that Complies with COPPA.
  • Step 3: Notify Parents Directly Before Collecting Personal Information from Their Kids.
  • Step 4: Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
  • Step 5: Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
  • Step 6: Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.
  • Chart: Limited Exceptions to COPPA’s Verifiable Parental Consent Requirement

The six COPPA compliance steps are described below. To view the FTC’s full guidance webpage, click here.

NOTE:  In addition to COPPA, it may be worth determining whether California’s state version of COPPA, the California Online Privacy Protection Act (“CalOPPA”) applies to your business and, if so, whether additional compliance measures may be necessary. CAlOPPA broadly applies whenever a website or app collects “personally identifiable information” or PII (as defined in the state’s business code) from a California resident, and thus applies to the vast majority of online businesses, even if not based in California.

 

 

 

 

On June 9, 2017, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR) released a cyber-attack “Quick Response” checklist (the Checklist) for the benefit of HIPAA covered entities and business associates.

This checklist and the accompanying info-graphic is part of the ongoing HHS campaign to get out ahead of cyber-attacks in the healthcare sector. Rather than the HHS merely reacting to HIPAA-related fallout that can occur as a result of a breach, this checklist is meant to preemptively explain the steps for a HIPAA covered entity or its business associate to take in response to a cyber-related security incident. This preventative campaign by HHS has been spurred on by the increasing prevalence of cyber-attacks, particularly the May 2017 WannaCry ransomware attack in May 2017 which “rapidly affected numerous organizations across over one hundred countries.” The Checklist contains response, reporting, and assessment / notice requirements for covered entities and business associates.

1) Response: The entity must execute its response and mitigation procedures in addition to its contingency plan. See HIPAA Security Rule, 45 C.F.R. § 164.308(a)(6)−(7) (requiring the establishment of contingency plans and the entity’s response to and mitigation of security incidents). This requires that the entity immediately identify the problem, fix it, and mitigate any impermissible disclosure of public health information (PHI).

2) Report: The entity should report the crime to law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigations, or the Secret Service. This report should not include any PHI.

The entity should report all cyber threat indicators to federal and information sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs.

3) Assessment and Notice: If the breach affects 500 or more individuals, the entity must report it to OCR as soon as possible, but no later than 60 days after the discovery of the breach. The entity must also notify the individuals affected by the breach and the media unless a law enforcement officer has requested a delay in the reporting.

If the breach affects less than 500 individuals, the entity must notify the affected individuals without unreasonable delay, but no later than 60 days after discovery and OCR within 60 days after the end of the calendar year in which the breach was discovered.

If the PHI was encrypted or the entity determines through a written risk assessment that there was a low probability that PHI was compromised during the breach, this would not constitute a breach that would have to be reported to OCR.

In recent testimony to Congress, HHS officials testified that its cybersecurity push is meant “to engage the broader healthcare sector and ensure that IT security practitioners ha[ve] the information they need,” while additionally providing guidance and support regarding “how to manage cybersecurity incidents in this era of heightened consequences….” (See Congressional Testimony, Steve Curren, Division of Resilience in the Office of Emergency Management, HHS Office of the Assistant Secretary for Preparedness and Response). In the Checklist release, HHS specifically refers to HIPAA-related penalties, noting that “in determining the amount of any applicable civil penalty, OCR may consider mitigating factors,” including compliance with the actions encouraged by the Checklist. (See also 45 C.F.R. §160.408 (describing mitigating and aggravating factors in determining civil penalties)). The release of this “Quick Response” checklist follows the HHS establishment of the Health Cybersecurity and Communications Integration Center, demonstrating the serious commitment of the HHS to combating the occurrence and effect of these cybersecurity breaches.

For the official Checklist from the HHS on June 9, 2017, click here. For the HHS info-graphic that accompanied the Checklist, click here.

On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) released an update to its Cybersecurity Assessment Tool.

The Cybersecurity Assessment Tool was originally released by the FFIEC in June of 2015 to help financial institutions identify their risks and assess their cybersecurity preparedness.  The Cybersecurity Assessment Tool is intended to be used by financial institutions of all sizes to perform a self-assessment and inform their risk management strategies. Upon the release of the original Cybersecurity Assessment Tool, the FFIEC noted its plan to update the Cybersecurity Assessment Tool as threats, vulnerabilities, and operational environments evolve.

According to the FFIEC’s May 31st press release, the update to the Cybersecurity Assessment Tool “addresses changes to the FFIEC IT Examination Handbook by providing a revised mapping in Appendix A to the updated Information Security and Management booklets”. The updated Cybersecurity Assessment Tool also provides “additional response options, allowing financial institution management to include supplementary or complementary behaviors, practices and processes that represent current practices of the institution in supporting its cybersecurity activity assessment.”

Financial institutions can find the updated version of the Cybersecurity Assessment Tool here.

Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to $1 million Chinese yuan (~$147,000); (2) personal fines for directly responsible persons up to $100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could include up to five times the amount of those ill-gotten gains).

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator) the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear on whether the new law may alienate small or medium sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state run website, China Daily, on May 31, 2017, click here.