Photo of Nick Theodore

On July 19, 2018, the Federal Energy Regulatory Commission (FERC) issued a final rule (Order No. 848) directing the North American Electric Reliability Corporation (NERC) to develop and submit modifications to NERC Reliability Standards related to Cyber Security Incident reporting. FERC recognized that, under the current Cyber Security Incident reporting Reliability Standard, incidents are only required to be reported if they have compromised or disrupted one or more reliability tasks. FERC issued Order No. 848 to strengthen Cyber Security Incident reporting requirements.

The Commission’s directive consists of four elements:

  • Responsible entities must report Cyber Security Incidents that compromise, or attempt to compromise, a responsible entity’s Electronic Security Perimeter (ESP) or Electronic Access Control and Monitoring Systems (EACMS) associated with an ESP;
  • Required information in Cyber Security Incident reports should include certain minimum information to improve the quality of reporting and allow for ease of comparison by ensuring that each report includes specified fields of information;
  • The filing deadline for Cyber Security Incident reports should be established once a compromise or disruption to reliable BES operation, or an attempt to compromise or disrupt, is identified by a responsible entity; and
  • Cyber Security Incident reports should continue to be sent to the Electricity Information Sharing and Analysis Center (E-ISAC), rather than the Commission, but the reports should also be sent to DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Finally, NERC must file an annual, public, and anonymized summary of the reports with the Commission.

FERC also suggested that NERC develop a flexible reporting timeline that reflects the severity of a Cyber Security Incident to help address the administrative burden of reporting attempted compromises.

NERC is required to develop modifications to the Reliability Standards within six months. The final rule will take effect 60 days after publication in the Federal Register.

To view FERC’s final rule, click here.

Over a dozen lawsuits have been filed by users and investors against Facebook after it was revealed last month that Cambridge Analytica, a political research firm, obtained personal information on millions of Facebook users. Cambridge Analytica obtained the data through a personality test app linked to Facebook accounts. Many of the lawsuits claim the information was used to create profiles and target audiences for purposes of categorizing voters in the 2016 presidential election. Most of the lawsuits accuse Facebook of failing to protect users’ personal information despite stating in its privacy policy that Facebook users own and control personal information posted on Facebook. Some of the lawsuits go beyond allegations of privacy violations and accuse Facebook of negligence, consumer fraud, unfair competition, securities fraud and racketeering. On March 16, Facebook announced that it was suspending Cambridge Analytica for violating Facebook’s policies on data gathering

Starting April 9, Facebook will begin alerting users whose data may have been harvested by Cambridge Analytica. As part of this process, the company plans to post a link at the top of users’ news feeds that will allow them to see which apps are connected to their Facebook accounts and what information those apps are permitted to see. Additionally, Facebook CEO Mark Zuckerberg is scheduled to testify before U.S. Congress on April 10 and April 11. Zuckerberg will appear before the Senate Judiciary and Commerce committees on April 10 and the House Energy and Commerce Committee on the morning of April 11. Zuckerberg’s testimony will hopefully shed more light into how this alleged violation occurred and its broader implications on data privacy in general.

 

 

On January 28, 2017, as part of Data Privacy Day, Facebook shared its data privacy principles for the first time. In a blog post drafted by Erin Egan, Facebook’s Chief Privacy Officer, Facebook posted these principles to help users understand how data is used and managed on the site. Among other things, Facebook’s data privacy principles stress user control of privacy, the goal of protecting users’ accounts and implementing security tools (like two-factor authentication), and user ownership of information shared. Facebook also announced the launch of a new education campaign to help users understand how data privacy is handled by the company. As part of this effort, Facebook is preparing to roll out a “Privacy Center” that features important privacy settings in a single place.

This publication comes ahead of the European Union’s (EU) General Data Protection Regulation (GDPR), which will be implemented on May 25, 2018. The GDPR will set stringent data privacy requirements for companies operating in the EU.  In recent years, Facebook has faced scrutiny from EU regulators over its handling of user data. Facebook hopes to embrace a more transparent data privacy approach to meet all GDPR obligations.

To view Facebook’s Privacy Principles, click here.

On November 15, 2017, the Trump administration released the Vulnerabilities Equities Policy and Process. This document describes the process by which U.S. agencies and departments determine whether to disclose or restrict information on vulnerabilities in information systems and technologies. The Vulnerabilities Equities Process (VEP) balances whether to disclose vulnerability information to the vendor or supplier in the expectation that the vulnerability will be fixed or to temporarily restrict disclosure of the information so that it can be used for national security and/or law enforcement purposes.

The Equities Review Board (ERB), consisting of individuals from numerous agencies, functions as the forum for interagency deliberation and determination concerning the VEP. The National Security Agency will function as the VEP Executive Secretariat. The VEP Executive Secretariat will oversee communications, documentation and recordkeeping for the VEP. The VEP Executive Secretariat will also publish a report of unclassified information on an annual basis.

The VEP provides steps for submitting and reviewing identified vulnerabilities:

  • When an agency determines that a vulnerability reaches the threshold for entry into the VEP, it will notify the VEP Executive Secretariat and provide a recommendation for disclosure or restriction of the vulnerability.
  • The VEP Executive Secretariat will provide notice to all agencies of the ERB and request agencies to respond if they have a strong interest (i.e., “equity”) in the vulnerability. Any agencies with a strong interest in the vulnerability must concur or disagree with the recommendation.
  • The ERB will then reach a consensus on whether or not to disclose or restrict the vulnerability

To view the VEP Charter, click here.

To view the fact sheet, click here.

On August 7 2017, the U.S. Securities and Exchange Commission (SEC), through its Office of Compliance Inspections and Examinations (OCIE), published a Risk Alert summarizing observations on how broker dealers, investment advisers, and investment companies have addressed cybersecurity issues. The OCIE examined 75 financial firms registered with the SEC. The examinations focused on the firms’ written policies regarding cybersecurity. The OCIE observed increased cybersecurity preparedness since a similar 2014 observational initiative was conducted but also noticed areas of compliance and oversight that could be improved.

In particular, the OCIE observed that almost all firms that were examined maintain cyber-security related written procedures regarding protection of customer and shareholder records and information. Additionally, the examinations confirmed many of the firms are conducting cybersecurity risk assessments, penetration tests and vulnerability scans, and maintaining clearly defined cybersecurity organizational charts for workforces. However, the OCIE also observed that, in some cases, firms are administering vague or unclear cybersecurity policies, are not adequately following cybersecurity policies, or are not conducting adequate system maintenance to address system vulnerabilities. The Risk Alert concluded that, despite some improvements, cybersecurity remains one of the top compliance risks for financial firms. The OCIE noted that it will continue to monitor financial firms’ compliance in this area.

To view the Risk Alert, click here.

 

 

An Alabama man has been sentenced to spend six months in prison for illegally accessing the personal information of over fifty women. For over two years, Kevin Maldonado engaged in a hacking technique called “phishing,” creating fake email accounts impersonating email providers and requesting numerous women to change their email passwords. He was then able to obtain passwords and access private information, including personal photographs. Maldonado then stored the stolen information on his personal computer. Maldonado pleaded guilty in February 2017 to computer intrusion, and was sentenced to six months in prison and three years of supervised release.

Although extensive, Maldonado’s phishing technique is a common strategy employed by hackers to gain personal information. Phishing scams are fraudulent email messages that appear to come from legitimate sources. In 2016, according to the FBI’s Internet Crime Complaint Center, there were more than 19,000 victims of phishing and related scams. Email users can guard against these scams by verifying information sent in emails, like the name of the company, sender and url links embedded in the email message. Personal firewalls and security software can provide even more protection if needed.

To view information from the SEC on protection from phishing scams, click here.

To view the U.S. Attorney’s press release click here.

On April 4, 2017, President Trump signed legislation repealing the Federal Communications Commission’s (FCC) privacy protections adopted in October 2016. The regulations, set to go into effect later this year, would have required internet service providers (ISPs) to adopt stricter consumer privacy protections than websites like Google and Facebook. Among other things, the regulations would have required ISPs to obtain consent before sharing sensitive customer proprietary information, take reasonable measures to secure customer proprietary information, provide notification to customers, the FCC and law enforcement in the event of data breaches, and not condition provision of service on the surrender of privacy rights.

The regulations were opposed by many ISPs who felt that they would be at a disadvantage to companies like Amazon, Google and Facebook, who are regulated by the Federal Trade Commission (FTC). Because these companies offer internet services, and do not provide internet connection, they are subject to the less restrictive FTC regulations. While many ISPs have promised not to sell proprietary customer information, these promises are voluntary. President Trump’s repeal leaves the states as the only real possible enforcer of ISP privacy regulations.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.

In a recent opinion, the Second Circuit ruled against the United States government and in favor of protecting data stored overseas. In Microsoft v. United States, the Second Circuit held that the Stored Communications Act (SCA) does not authorize courts to issue warrants against internet service providers (ISPs) for the seizure of customer email content stored exclusively on foreign servers. The case began in December 2013 when the government obtained a warrant to gain access to a Microsoft customer’s account on a server in Dublin, Ireland. Microsoft argued that the United States lacked the authority to obtain the data due to its location in an overseas server. The United States countered, arguing that the SCA warrant required Microsoft to turn over the data because, although the data was stored in an overseas server, Microsoft had access to it in the United States. Ultimately, the Second Circuit decided in favor of Microsoft. The Court held that the data was located in Ireland and the SCA was not meant to be applied extraterritorially.

On January 24, 2017, the Second Circuit denied rehearing the case. Although the decision was reached in a tie (4-4 vote), the rehearing request was denied due to a rule requiring a majority vote for granting of petitions. The decision garnered four dissents, with each dissenter essentially arguing that the issue rested on the location of the disclosure of the information, which would take place in the United States, and not the location of the information itself.

Microsoft v. United States raises important data privacy questions that will likely reappear in future cases. Asking courts to apply dated technology statutes and answer the complicated question of where virtual data is physically located leaves no straightforward answer. The United States government might get another shot to revisit this question in the near future, but it will have to be through the Supreme Court.