On April 4, 2017, President Trump signed legislation repealing the Federal Communications Commission’s (FCC) privacy protections adopted in October 2016. The regulations, set to go into effect later this year, would have required internet service providers (ISPs) to adopt stricter consumer privacy protections than websites like Google and Facebook. Among other things, the regulations would have required ISPs to obtain consent before sharing sensitive customer proprietary information, take reasonable measures to secure customer proprietary information, provide notification to customers, the FCC and law enforcement in the event of data breaches, and not condition provision of service on the surrender of privacy rights.

The regulations were opposed by many ISPs who felt that they would be at a disadvantage to companies like Amazon, Google and Facebook, who are regulated by the Federal Trade Commission (FTC). Because these companies offer internet services, and do not provide internet connection, they are subject to the less restrictive FTC regulations. While many ISPs have promised not to sell proprietary customer information, these promises are voluntary. President Trump’s repeal leaves the states as the only real possible enforcer of ISP privacy regulations.

Earlier this month, the new cybersecurity regulation from the New York Department of Financial Services (“DFS“) took effect. The new regulation requires banks, insurance companies and other financial services institutions regulated by the DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

The final cybersecurity regulation is very similar to the proposed regulation, which we reported on in a previous post, but contains a few notable changes:

  • Record retention requirements for audit trails designed to detect and respond to Cybersecurity Events were reduced from five years to three years.
  • Clarification that Covered Entities’ policies and procedures regarding notice to be provided by Third Party Service Providers of Cybersecurity Events cover only Covered Entity’s Nonpublic Information being held by the Third Party Service Provider.
  • Clarification of the circumstances under which a Covered Entity must provide notice of Cybersecurity Event to the Superintendent.
  • The limited exemptions have been revised to specifically include the number of employees and the gross annual revenue of a Covered Entity’s affiliates located in New York.
  • Clarification on the exemptions available for companies regulated under New York’s Insurance Law.

Financial institutions in other states may wish to pay particular attention to this “first-in-the-nation cybersecurity regulation” issued by a state financial regulator, particularly as it may be only a matter of time before other states follow New York’s lead.

The DFS regulation, 23 N.Y.C.R.R. Part 500, is available here.

On March 10, 2017, the White House Office of Management and Budget (“OMB”) released its 2016 Federal Information Security Modernization Act (“FISMA”) Annual Report to Congress. The FISMA Report describes the current state of Federal cybersecurity. It provides Congress with information on agencies’ progress towards meeting cybersecurity goals and identifies areas that need improvement. Additionally, the report provides information on Federal cybersecurity incidents, ongoing efforts to mitigate and prevent future incidents, and progress in implementing adequate cybersecurity programs and policies.

According to the FISMA report, agencies reported over 30,899 cyber incidents that led to the compromise of information or system functionality in 2016. However, only sixteen of these incidents met the threshold for a “major incident” (which triggers a series of mandatory steps for agencies, including reporting certain information to Congress). The report categorizes the types of agency-reported incidents. The largest number of reported incidents (more than one-third) was “other,” meaning the attack method did not fit into a specific category or the cause of the attack was unidentified. The second largest was loss or theft of computer equipment. Attacks executed from websites or web-based applications were the third most common type of incident.

Despite these incidents, the report notes that there were government-wide improvements in cybersecurity, including agency implementation of:

  • Information Security Continuous Monitoring (“ISCM”) capabilities that provide situational awareness of the computers, servers, applications, and other hardware and software operating on agency networks;
  • Multi-factor authentication credentials that reduce the risk of unauthorized access to data by limiting users’ access to the resources and information required for their job functions; and
  • Anti-Phishing and Malware Defense capabilities that reduce the risk of compromise through email and malicious or compromised web sites.

Federal agencies will look to continue these cybersecurity improvements in 2017.

To view the Report, click here.

Vintage toned Wall Street at sunset, NYC.

Today, acting FTC Chairman Maureen K. Ohlhausen and FCC Chairman Ajit Pai issued a joint statement on the FCC’s issuance of a temporary stay of a data security regulation for broadband providers scheduled to take effect on March 2.  In their statement, they advocate for a “comprehensive and consistent framework”, so that Americans do not have to “figure out if their information is protected differently depending on which part of the Internet holds it.”

The Chairmen stated that for this reason, they disagreed with the FCC’s 2015 unilateral decision to strip the FTC of its authority over broadband provider’s privacy and data security practices, and believed that jurisdiction over broadband providers’ privacy and data security practices should be returned to the FTC, thus subjecting “all actors in the online space” to the same rules.

Until then, the joint statement provides, the two chairmen “will work together on harmonizing the FCC’s privacy rules for broadband provider with the FTC’s standards for other companies in the digital economy.”  The statement provides that the FCC order was inconsistent with the FTC’s privacy framework. The stay will remain in place only until the FCC is able to rule on a petition for reconsideration of its privacy rules.

In response to concerns that the temporary delay of a rule not yet in effect will leave consumers unprotected, the Chairmen agree that it is vital to fill the consumer protection gap, but that “how that gap is filled matters” – it does not serve consumer’s interests to create two separate and distinct frameworks – one for Internet service providers and another for all other online companies.

Going forward, the statement says, the FTC and the FCC will work together to establish a uniform and technology-neutral privacy framework for the online world.

To view the joint FTC and FCC statement, click here.

To view the FCC Order staying the regulation, click here.

Last month, the Financial Industry Regulatory Authority (FINRA) released its annual Regulatory and Examination Priorities Letter (the “2017 Priorities Letter”) which highlights the areas that FINRA plans to focus on in its 2017 examination of registered broker-dealers.

It should come as no surprise that cybersecurity is listed as one of the operational threats that FINRA intends to focus on in 2017. The 2017 Priorities Letter recognizes that “[c]ybersecurity threats remain one of the most significant risks many firms face.” As part of its examination, FINRA will assess a broker-dealer’s programs to mitigate cybersecurity risks, taking into consideration each broker-dealer’s business model, size and risk profile. More specifically, broker-dealers should be prepared for FINRA to (i) review the broker-dealer’s methods for preventing data loss, (ii) assess the controls the broker-dealer uses to monitor and protect its data, and (iii) review how the broker-dealer manages their vendor relationships.  Also, because FINRA understands that “[t]he nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources,” FINRA intends to examine a broker-dealer’s controls to protect sensitive information from insider threats.

Additionally, FINRA intends on focusing on two areas in which FINRA has noted repeated shortcomings in controls among the broker-dealers that it regulates: (1) poor cybersecurity controls at branch offices (for example, poor controls related to the use of passwords, encryption of data, use of portable storage devices, implementation of patches and virus protection, and the physical security of assets and data), and (2) failure to preserve certain records in a non-rewriteable, non-erasable format, commonly known as write once read many (WORM) format pursuant to Securities Exchange Act (SEA) Rule 17a-4(f).

The full text of FINRA’s 2017 Regulatory and Examination Priorities Letter can be found here.

In a recent announcement today, Verizon and Yahoo have announced that they are amending the existing terms of their agreement for the purchase of Yahoo’s operating business.  Under the amended terms, Verizon and Yahoo have agreed to reduce the price Verizon will pay by $350 million.  In addition, Yahoo will be responsible for 50% of any cash liabilities incurred following the closing related to non-SEC government investigations and third-party litigation related to the breaches.  Liabilities arising from shareholder lawsuits and SEC investigations will continue to be the responsibility of Yahoo.  Finally, the amended terms provide that the data breaches or losses arising from them will not be taken into account in determining whether a “Business Material Adverse Effect” has occurred or whether certain closing conditions have been satisfied.  Verizon’s acquisition – now valued at approximately $4.48 billion subject to closing adjustments, is expected to close in Q2 of 2017.

In an October 2016 article for Corporate Counsel highlighting M&A Lessons Learned from the Yahoo breach, we noted that such managed resolutions as a result of cybersecurity-related discoveries during the M&A process are not uncommon: “The buyer can insist that the problem be fixed and that the selling company indemnify the buyer for any future problems, or the buyer may adjust its valuation of the company based on the uncovered risk.”

Despite Yahoo’s recent troubles with data breaches and the associated amendments to the purchase agreements, the two companies remain optimistic about the acquisition.  In a recent press release, Ms. Marni Walden (Verizon EVP and president of Product Innovation an New Businesses), states that “[w]e have always believed that this acquisition makes strategic sense. We look forward to moving ahead expeditiously so that we can quickly welcome Yahoo’s tremendous talent and assets into our expanding profile in the digital advertising space.” Yahoo’s CEO, Marissa Mayer, stated that “[w]e continue to be very excited to join forces with Verizon and AOL.  This transaction will accelerate Yahoo’s operating business especially on mobile, while effectively separating our Asian asset equity stakes. It is an important step to unlock shareholder value for Yahoo, and we can now move forward with confidence and certainty.”

Today, Vizio, Inc., agreed to pay $2.2 million to settle charges by the FTC and the New Jersey Attorney General that it installed software on its Smart TGVS to collect viewing data on 11 million consumer televisions without the consumers’ knowledge or consent. The $2.2 million payment includes a $1.5 million payment to the FTC, and a $1 million payment to the New Jersey Division of Consumer Affairs, although $300,000 will be suspended and vacated after 5 years upon compliance with the order.   In a concurring statement, Commission Ohlhausen supported the order, but questioned the FTC’s allegation that individualized television viewing activity falls within the definition of sensitive information.

The 2014 complaint alleged that Vizio and an affiliate company manufactures smart TVs that capture second-by-second information about video displayed on the Smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices.  In addition, Vizio facilitated the integration of specific demographic information (e.g., sex, age, income, marital status, household size, educational level, home ownership, household value, etc.) to the viewing data.  Vizio then sold the information to third parties, who used it for various purposes, including targeted advertising to consumers across devices.

According to the complaint, Vizio touted its “Smart Interactivity” features that “enables program offers and suggestions”, but failed to inform consumers that the settings also enabled the collection of consumer’s viewing data. The complaint alleges that Vizio’s data tracking, – which occurred without viewer’s informed consent – was unfair and deceptive. The Complaint charges that the Defendants participated in deceptive and unfair acts in violation of Section 5 of the FTC act, and similar charges under the New Jersey Consumer Fraud Act, in connection with the unfair collection and sharing of consumers’ Viewing Data and deception concerning their “Smart Interactivity” features.

As part of the settlement, Vizio stipulated to a federal court order that:

  • Requires Vizio to prominently disclose and obtain affirmative express consent of its data collection and sharing practices;
  • prohibits misrepresentations about the privacy, security, or confidentiality of consumer information they collect;
  • requires Vizio to delete data collected before March 1, 2016; and
  • requires Vizio to implement (and review biennially) a comprehensive data privacy program.

In a concurring statement, Commissioner Ohlhausen supported Count II of the complaint, alleging that Vizio deceptively omitted information about its data collection and sharing program.  However, she expressed concern about the implications of Count I, which alleged that granular (household or individual) television viewing activity is sensitive information, and that sharing this viewing information without consent causes or is likely to cause  a “substantial injury” under Section 5 of the FTC Act.  Although Commissioner Ohlhausen acknowledged that there may be good policy reasons to consider such information, she states that the statute does not allow the FTC to find a practice unfair based primarily on public policy, and that this case demonstrates “the need for the FTC to examine more rigorously what constitutes ‘substantial injury” in the context of information about consumers. Ohlhausen indicated that she will launch an effort in the coming weeks to examine this issue further.

To view the stipulated order, click here.

To view Commissioner Ohlhausen’s concurring statement click here.

 

In a recent opinion, the Second Circuit ruled against the United States government and in favor of protecting data stored overseas. In Microsoft v. United States, the Second Circuit held that the Stored Communications Act (SCA) does not authorize courts to issue warrants against internet service providers (ISPs) for the seizure of customer email content stored exclusively on foreign servers. The case began in December 2013 when the government obtained a warrant to gain access to a Microsoft customer’s account on a server in Dublin, Ireland. Microsoft argued that the United States lacked the authority to obtain the data due to its location in an overseas server. The United States countered, arguing that the SCA warrant required Microsoft to turn over the data because, although the data was stored in an overseas server, Microsoft had access to it in the United States. Ultimately, the Second Circuit decided in favor of Microsoft. The Court held that the data was located in Ireland and the SCA was not meant to be applied extraterritorially.

On January 24, 2017, the Second Circuit denied rehearing the case. Although the decision was reached in a tie (4-4 vote), the rehearing request was denied due to a rule requiring a majority vote for granting of petitions. The decision garnered four dissents, with each dissenter essentially arguing that the issue rested on the location of the disclosure of the information, which would take place in the United States, and not the location of the information itself.

Microsoft v. United States raises important data privacy questions that will likely reappear in future cases. Asking courts to apply dated technology statutes and answer the complicated question of where virtual data is physically located leaves no straightforward answer. The United States government might get another shot to revisit this question in the near future, but it will have to be through the Supreme Court.

Abstract geometric technology graphic elements. Template design.Today, the Treasury Department issued a General License authorizing transactions and activities concerning information technology products in the Russian Federation despite recent executive order prohibiting such transactions.

In April 1, 2015, President Obama issued Executive Order 13694 (“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”). In short summary, this order blocked any property or interests in property that is in the US, ends up in the US, or that come within the possession or control of any US persons, if such persons end up being responsible, complicit or supportive of cyber-enabled activities that (1) have the purpose of causing harm or risk to the critical infrastructure sector and are reasonably likely to result in or material contribute to threats to national security, foreign policy or economic heal or financial stability; or (2) the knowing receipt or use by a commercial entity outside or the United States, for commercial or competitive advantage or private financial gain, of trade secrets misappropriate by cyber-enabled means.

On December 28, 2016, following reports regarding the Russian hacking of Democratic political organizations and operatives, President Obama issued Order 13757 (“Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities”) to amend Order 13694. This amendment included an Annex blocking certain entities and individuals, including the Federal Security Services (a.k.a. Federalnaya Sluzhba Bezopasnosti, or “FSB”),but also authorizing the Secretary of Treasury, in consultation with the Attorney General and the Secretary of State, to determine “that circumstances no longer warrant the blocking of the property and interested in property of a person listed in the Annex to this order, and to take necessary action to give effect to that determinations.” The Russian FSB represents Russia’s domestic security service, and must approve certain encrypted technology imports to Russia per domestic law.

Today, however, the Treasury exercised its right in Section 10 by authorizing American tech companies to seek licenses from Russia’s FSB to export their good to Russia, so long as the products are not used in Crimea and do not violate pre-existing sanctions.  Despite claims that the Trump administration is “easing sanctions against Russia”, White House press secretary Sean Spicer claimed in today’s press conference that the Treasury Department’s actions were not “easing sanctions”, and that it is “a fairly common practice of the Treasury Department, after sanctions are put in place, to go back and to look at whether or not there needs to be specific carve-outs for either industries or products and services that need to be going back and forth.” Other experts agreed that the OFAC’s amendment is likely an intention to clean up unintended consequences of the ban through limited carveouts rather than relaxing sanctions.

 

 

On January 10, 2017, NIST issued an update to the NIST Cybersecurity Framework (v.1.1).  After reviewing public comment and convening a workshop, NIST intends to publish a final version of this Version 1.1 in the fall of 2017.

Key updates the framework include:

  • Metrics.  A new section 4.0 on Measuring and Demonstrating Cybersecurity to discuss correlation of business results to cybersecurity risk management metrics and measures.
  • Supply Chain.  A greatly expanded explanation of using the framework for supply chain risk management purposes.
  • Authentication, Authorization and Identify Proofing.  Refinements to the language of the Access Control category to account for authentication, authorization, and identify proofing.  A subcategory has been added, and the Category has been renamed to “Identity Management and Access Control (PR.AC) to better represent the scope of the Category and corresponding subcategories.
  • Explanation of Relationship between Implementation Tiers and Profiles.  Adds language on using Framework Tiers in Framework implementation, to reflect integration of Framework considerations within organizational risk management programs, and to update Figure 2.0 to include actions from the Framework Tiers.

More detail on the changes can be found in Appendix D.  NIST seeks public comment on the following questions:

  • Are there any topics not addressed in the draft Framework Version 1.1 that could be addressed in the final?
  • How do the changes made in the draft Version 1.1 impact the cybersecurity ecosystem?
  • For those using Version 1.0, would the proposed changes impact your current use of the Framework? If so, how?
  • For those not currently using Version 1.0, does the draft Version 1.1 affect your decision to use the Framework? If so, how?
  • Does this proposed update adequately reflect advances made in the Roadmap areas?
  • Is there a better label than “version 1.1” for this update?
  • Based on this update, activities in Roadmap areas, and activities in the cybersecurity ecosystem, are there additional areas that should be added to the Roadmap? Are there any areas that should be removed from the Roadmap?

A redline version of the framework can be found by clicking here.  A clean version of the Framework may be found by clicking here.