Today, on June 1, 2017, China’s new cybersecurity law, entitled the “Network Security Law”, goes into effect.  The law was passed in November 2016.  It now becomes legally mandatory for “network operators” and “providers of network products and services” to: (a) follow certain personal information protection obligations, including notice and consent requirements; (b) for network operators to implement certain cybersecurity practices, such as designating personnel to be responsible for cybersecurity, and adopting contingency plans for cybersecurity incidents; and (c) for providers of networks.

The law focuses on protecting personal information and individual privacy, and standardizes the collection and usage of personal information. Companies will now be required to introduce data protection measures, and sensitive data (e.g., information on Chinese citizens or relating to national security) must be stored on domestic servers.  Users now have the right to ask service providers to delete their information if such information is abused.  In some cases, firms will need to undergo a security review before moving data out of China. One of the challenges is that the government has been unclear on what would be considered “important or sensitive data”, and which products may fall under the “national security” definition.

Penalties vary, but can include (1) a warning, an injunction order to correct the violation, confiscation of proceeds and/or a fine (typically ranging up to 1 million Chinese yuan (~$147,000)); (2) personal fines for directly responsible persons of up to 100,000 Chinese yuan (~$14,700); and (3) under some circumstances, suspensions or shutdowns of offending websites and businesses and revocations of operating permits and business licenses. Such sanctions would take into account the degree of harm and the amount of illegal gains. (Fines could run up to five times the amount of those ill-gotten gains.)

While draft implementing regulations and a draft technical guidance document have been circulated by the Cyber Administration (China’s internet regulator), the final versions of these documents are still forthcoming.  These documents are expected to clarify obligations regarding restrictions on cross-border transfers of “personal information” and “important information”, including a notice and consent obligation. They may also include procedures and standards for “security assessments”, which are necessary to continue cross-border transfers of personal information and “important information”.  Under the draft regulation, “network operators” would not be required to comply with the cross-border transfer requirements until December 31, 2018.  It is expected that the final draft will contain a similar grace period.

Although large multinational corporations are typically accustomed to adapting to new laws and regulations in various countries and are already accustomed to tight internet and content controls in China, there remains concern about the potential cost impacts as well as the enforcement risk of the ambiguous language.  It is also unclear whether the new law may alienate small or medium-sized businesses otherwise looking to enter the Chinese market.  While Beijing is touting the law as a welcome milestone in data privacy, companies both large and small are concerned that the law is both vague and exceptionally broad, thus potentially putting companies at undue risk of regulatory enforcement unrelated to cybersecurity.

For an official press release from the state-run website, China Daily, on May 31, 2017, click here.

Target Corporation has reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the investigation into the retailer’s 2013 data breach, officials announced on May 23, 2017. The 2013 data breach incident triggered various state consumer protection and data breach laws when hackers accessed consumer data for over 110 million Target customers. In response, state attorneys general from across the country joined in an investigation led by Connecticut and Illinois. The investigation has culminated in the largest multistate data breach settlement to date.

In November 2013, hackers breached Target’s gateway server using stolen credentials from a third-party vendor. The hackers were able to access a customer service database, install malware on the system, and capture consumer data. Payment card accounts for more than 41 million customers and contact information for more than 60 million customers, including full names, telephone numbers, email and mailing addresses, payment card numbers and verification codes, and encrypted debit PINs, were compromised in the breach.

Notably, Target has agreed to much more than the monetary payments to the states. Through Target’s compliance with the settlement agreement, various state attorneys general project Target will set industry standards for secure credit card processing and customer data maintenance. According to the settlement terms, Target must adhere to several requirements, including: (1) developing, implementing, and maintaining a comprehensive information security program within 180 days designed to protect customer personal information; (2) employing an executive or officer responsible for implementing and maintaining the information security program; (3) developing and implementing policies and procedures for auditing vendor compliance with its information security program; (4) maintaining encryption protocols and policies; (5) complying with the Payment Card Industry Data Security Standard (“PCI DSS”) with respect to its payment card system; (6) segmenting its payment card system from its larger computer network; (7) deploying and maintaining controls to detect and prevent the execution of unauthorized applications within its point-of-sale terminals and servers; and (8) adopting improved, industry-accepted payment card security technologies, such as chip and PIN technology.

Target has one year to obtain a third-party security assessment and report and provide the report to the Connecticut Attorney General’s Office.

A copy of the full settlement is available here.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.

In an announcement today, Verizon and Yahoo said that they are amending the existing terms of their agreement for the purchase of Yahoo’s operating business.  Under the amended terms, Verizon and Yahoo have agreed to reduce the price Verizon will pay by $350 million.  In addition, Yahoo will be responsible for 50% of any cash liabilities incurred following the closing related to non-SEC government investigations and third-party litigation related to the breaches.  Liabilities arising from shareholder lawsuits and SEC investigations will continue to be the responsibility of Yahoo.  Finally, the amended terms provide that the data breaches or losses arising from them will not be taken into account in determining whether a “Business Material Adverse Effect” has occurred or whether certain closing conditions have been satisfied.  Verizon’s acquisition, now valued at approximately $4.48 billion subject to closing adjustments, is expected to close in Q2 of 2017.

In an October 2016 article for Corporate Counsel highlighting M&A Lessons Learned from the Yahoo breach, we noted that such managed resolutions as a result of cybersecurity-related discoveries during the M&A process are not uncommon: “The buyer can insist that the problem be fixed and that the selling company indemnify the buyer for any future problems, or the buyer may adjust its valuation of the company based on the uncovered risk.”

Despite Yahoo’s recent troubles with data breaches and the associated amendments to the purchase agreements, the two companies remain optimistic about the acquisition.  In a recent press release, Ms. Marni Walden (Verizon EVP and president of Product Innovation and New Businesses) stated that “[w]e have always believed that this acquisition makes strategic sense. We look forward to moving ahead expeditiously so that we can quickly welcome Yahoo’s tremendous talent and assets into our expanding profile in the digital advertising space.” Yahoo’s CEO, Marissa Mayer, stated that “[w]e continue to be very excited to join forces with Verizon and AOL.  This transaction will accelerate Yahoo’s operating business especially on mobile, while effectively separating our Asian asset equity stakes. It is an important step to unlock shareholder value for Yahoo, and we can now move forward with confidence and certainty.”

On January 10, 2017, NIST issued an update to the NIST Cybersecurity Framework (v.1.1).  After reviewing public comment and convening a workshop, NIST intends to publish a final version of this Version 1.1 in the fall of 2017.

Key updates to the framework include:

  • Metrics.  A new section 4.0 on Measuring and Demonstrating Cybersecurity to discuss correlation of business results to cybersecurity risk management metrics and measures.
  • Supply Chain.  A greatly expanded explanation of using the framework for supply chain risk management purposes.
  • Authentication, Authorization and Identity Proofing.  Refinements to the language of the Access Control category to account for authentication, authorization, and identity proofing.  A subcategory has been added, and the Category has been renamed to “Identity Management and Access Control (PR.AC)” to better represent the scope of the Category and corresponding subcategories.
  • Explanation of Relationship between Implementation Tiers and Profiles.  Adds language on using Framework Tiers in Framework implementation, to reflect integration of Framework considerations within organizational risk management programs, and to update Figure 2.0 to include actions from the Framework Tiers.

More detail on the changes can be found in Appendix D.  NIST seeks public comment on the following questions:

  • Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
  • How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
  • For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  • For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  • Does this proposed update adequately reflect advances made in the Roadmap areas?
  • Is there a better label than “version 1.1” for this update?
  • Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

A redline version of the framework can be found by clicking here.  A clean version of the Framework may be found by clicking here.

On December 28, 2016, the New York State Department of Financial Services (NYDFS) updated its proposed cybersecurity regulation to protect New York State.  The proposed regulation is effective March 1, 2017, and requires banks, insurance companies and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.  Entities covered by the rule include “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.”  We last reported on the draft version of these rules in a previous post.

The rule was issued after receiving comments on the proposed rule due November 14, 2016.  The updated proposed regulation, which was submitted to the New York State Register on December 15, 2016 and published on December 28, will be finalized following an additional 30-day notice and public comment period, which ends 30 days from publication, or Friday, January 27, 2017.

You may view the updated proposed regulation by clicking here.

On December 19, 2016, the U.S. District Court for the District of Kansas denied a motion to dismiss, ruling that the named plaintiff for a putative class, approximately two thousand former and current employees whose personal information had been compromised as a result of a phishing attack, had alleged sufficient harm for standing under Spokeo Inc. v. Robins.

The plaintiff alleges that in February 2016, an unauthorized person, posing as a fellow employee, emailed a request for current and former employees’ W-2 forms. One of the employees complied with the request, compromising the named plaintiff’s own information as well as that of up to two thousand people. The defendant notified the plaintiff of the data breach on March 27, 2016, and on April 18 the plaintiff received a letter from the IRS stating that someone had filed a fraudulent tax return in her name. Plaintiff claimed that since receipt of the IRS letter in April 2016, she has “spent multiple hours on telephone conferences with IRS representatives,” experienced delay, expended “costs related to postage and mileage in countering the tax fraud,” and “will continue to be at heightened risk for tax fraud and identity theft.” She also claims that she faces a continuing, real, immediate risk of identity theft and tax fraud.  The plaintiff filed a cause of action for common law negligence, alleging that the defendant had failed to implement reasonable data security measures to protect its employees’ personal information from disclosure.

The court emphasized that because the named plaintiff’s personal information had been fraudulently used to file a false tax return, the plaintiff had suffered some form of “actual, concrete injury,” rejecting the defendant’s arguments that the plaintiff’s claims were too speculative.  The court stated that the fact that her stolen information had already been used had “a direct impact on the plausibility of future harm” for standing purposes, even in light of the bar for standing outlined in Spokeo.  The court here ruled that the plaintiff had adequately pleaded the elements of a negligence claim, holding that “[g]iven plaintiff’s allegations that the harm was foreseeable, defendant had the duty to exercise reasonable care to prevent that harm.”

To view the court’s memorandum and order denying the motion to dismiss, click here.

Courts and litigants find themselves standing on the precipice of Spokeo v. Robins, a monumental Supreme Court decision that could have potentially wide-ranging implications for data breach cases. Given the Court’s holding in Spokeo that a plaintiff must allege and prove more than just “a bare procedural violation” to satisfy the “concrete injury” component of standing’s injury-in-fact requirement, it may prove difficult for data-breach plaintiffs to survive challenges to their allegations of standing. For example, even if a consumer’s data has been stolen, a third party (such as a bank) may ultimately pay for any out-of-pocket losses (for instance, in the case of stolen credit card numbers). Thus, in the absence of any actual monetary losses, which is often the case, plaintiffs are forced to rely on allegations of an increased likelihood of fraud or identity theft. But as the initial influx of post-Spokeo cases makes clear, plaintiffs must establish that their risk of future harm is more than speculative, a leap which some courts have been reluctant to take. Continue Reading Standing on the Precipice: The Actual Injury Requirement After Spokeo

On October 27, 2016, the FCC released rules to “empower consumers to decide how data are used and shared by broadband providers.”  In the order, the FCC defines information protected under Section 222 for telecommunications carriers as “customer proprietary information (customer PI)”, to include the following: (1) individually identifiable Customer Proprietary Network Information (CPNI), (2) personally identifiable information (PII) and (3) content of communications.  The FCC also adopts and explains its multi-part approach to determining whether data has been properly de-identified and is therefore not subject to the customer choice regime adopted by the FCC for customer PI. Much of the rule is modeled after FTC best practices and the White House Administration’s Consumer Privacy Bill of Rights. Continue Reading FCC Adopts Privacy Rules Protecting Broadband and other Telecommunications Customers

After surveying nearly 200 regulated financial institutions to obtain insight into the industry’s efforts to prevent cybercrime, and meeting with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third-party vendors, the New York State Department of Financial Services (NYDFS) recently released its proposed cybersecurity regulation.  The proposed regulation, titled “Cybersecurity Requirements for Financial Services Companies”, if implemented, would be a first-in-the-nation provision that requires a mandatory cybersecurity program for financial institutions.

Continue Reading New York Department of Financial Services Proposes Cybersecurity Requirements