News & Insights

Newsletter

August 7, 2017

Data, Privacy & Security Practice Report – August 7, 2017


Hackers Target U.S. Power Plants, Including Kansas Nuclear Facility—According to a June 2017 joint report issued by the Department of Homeland Security (“DHS”) and the Federal Bureau of Investigation (“FBI”), hackers penetrated the computer networks of at least a dozen U.S. power plants beginning in May.  The report carried an amber warning, the second-highest level of urgency for these types of reports.  There is no indication that hackers breached the control systems of any facility, but the report concluded that the apparent goal was to map out computer networks for future attacks.

Among the facilities targeted was the Wolf Creek Nuclear Operating Corporation’s nuclear power plant located near Burlington, Kansas.  Wolf Creek officials declined to comment about the cyberattacks, but stated that their business-side network and internet are separate from the plant’s network, and that no plant operations systems had been affected by the breach.  Nuclear facilities must report cyberattacks related to their “safety, security, and operations;” no such reports were made by Wolf Creek or any other power plant related to these recent attacks. 

The hackers used a variety of methods to gain entry into the networks.  In most cases, the attacks targeted industrial control engineers with direct access to plant systems.  Such systems, if damaged, could cause explosions, fires, or spills of dangerous material.  The hackers electronically sent engineers fake resumes laced with malicious code that allowed the hackers to steal the engineers’ credentials and access other machines in the network.  In addition, the hackers employed so-called “watering hole attacks,” compromising legitimate websites frequented by their targets, as well as “man-in-the-middle attacks,” in which the targets’ internet traffic was redirected through the hackers’ machines.

The origins of the hackers have not been confirmed, but the DHS-FBI report indicated that an “advanced persistent threat actor”—typically, government-backed hackers—was responsible.  Notably, the hackers’ techniques mimicked those of the organization called “Energetic Bear,” a Russian hacking group tied to attacks on the energy sector since as early as 2012.

Reporter, Bailey J. Langner, San Francisco, +1 415 318 1214, blangner@kslaw.com.

Senate Cybersecurity Caucus Introduces Bill To Secure Federal Agencies’ Connected DevicesOn August 1, 2017, the Senate introduced the proposed “Internet of Things (‘IoT’) Cybersecurity Improvement Act of 2017” (the “Act”) to establish, among other things, minimum cybersecurity standards for contractors who provide an array of connected devices to the federal government.

Introduced by Senators Mark Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Senators Ron Wyden (D-OR) and Steve Daines (R-MT), the core provisions of the Act would require the inclusion of specific clauses in procurement contracts with federal agencies for Internet-connected devices (e.g., smart phones and laptops), including a certification that the devices do not contain known security vulnerabilities or defects, are capable of being updated with new security patches, meet certain industry security standards, and do not contain any fixed or hard-coded credentials allowing remote access.  To facilitate implementation and allow discretion to federal agencies, the Act provides for waiver of the minimum security requirements under certain circumstances, as well as recognition of alternative third-party security standards.

Senator Warner previously called for changes to connected device security in October 2016, when he wrote the FTC, FCC, and DHS in response to the Mirai botnet, a large-scale cyber-attack carried out by hackers who scanned the Internet for connected devices—such as routers and cameras—protected only by minimal factory-default passwords.  With the IoT universe expected to include over 20 billion devices by 2020, Senator Warner expressed hope this week that the proposed legislation “will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”  While the Act would only apply to devices purchased by federal agencies, commentators such as Jonathan Zittrain of Harvard’s Berkman Klein Center for Internet & Society have applauded the Act’s use of “the power of the Federal procurement market, rather than direct regulation, to encourage Internet-aware device makers to employ some basic security measures in their products.”

In addition to the minimum out-of-the-box security requirements for connected devices, the Act would also mandate that government procurement contracts include provisions requiring (1) the seller-contractor to notify the purchasing agency of subsequently discovered security vulnerabilities or defects; (2) the updating of software to address future vulnerabilities; and (3) in the event a software update cannot sufficiently remediate a vulnerability, the repair or replacement of the device.

Finally, a separate component of the Act would provide carve-outs to liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act for persons engaged in “good faith” research of the cybersecurity of an Internet-connected device provided by a contractor to a federal agency.  These protections would allow independent researchers to conduct systems penetration testing and other research on the types of devices used by federal agencies to identify potential security vulnerabilities without running afoul of federal law.

Reporter, Robert D. Griest, Atlanta, +1 404 572 2824, rgriest@kslaw.com.

FTC Approves TRUSTe’s Updated Safe Harbor Program—On July 31, 2017, the Federal Trade Commission (“FTC”) announced that it voted 2-0 to approve TRUSTe’s modifications to its safe harbor program under the terms of the Children Online Privacy Protection Act (“COPPA”).  TRUSTe is a for-profit organization that provides enterprise members with privacy compliance certifications for a yearly fee.  The FTC requested comments on TRUSTe’s modified safe harbor program from April to May 24, 2017, as previously reported in this newsletter. 

The FTC approved TRUSTe’s modified program because it complies with minimum guidelines for a COPPA safe harbor program under 16 C.F.R. § 312.11(b).  There are now seven approved COPPA safe harbor organizations.  To act as a “safe harbor,” a program must (1) protect children at least as much as the default COPPA rule; (2) have an effective and mandatory mechanism for assessing members; and (3) impose disciplinary actions for noncompliance by members.

Generally, COPPA is a strict liability statute for child-directed website operators.  However, a safe harbor member is generally subject to the enforcement procedures in the safe harbor instead of the FTC investigation and enforcement procedures.  TRUSTe has operated as a COPPA safe harbor since May 2001, but has been the subject of actions by the FTC in 2014-2015 and the New York Attorney General in 2015-2017.  TRUSTe has since made significant improvements to its operational and technical processes.  In its proposed modified program, TRUSTe fleshed out its guidelines regarding (1) scanning for third party tracking technologies manually (in addition to automatically, via proprietary software) and (2) the timing for seal removal for participants who have not completed annual review and remediation by the anniversary of the prior year’s certification date.

The FTC characterized the comments on the proposed modifications as either approving or neutral.  Notably, industry players—two toy and gaming companies—indicated support for TRUSTe’s proposed modifications.  Two non-profits, the Center for Digital Democracy and the Campaign for a Commercial-Free Childhood, asked the FTC to suspend TRUSTe’s authority to operate its COPPA safe harbor program altogether because TRUSTe “misrepresent[s] its certification procedures.”  No comments actually pointed to any deficiencies in TRUSTe’s proposed modified safe harbor program, however.  Therefore, in a pro-business move, the FTC has concluded that the TRUSTe modified safe harbor program satisfies the COPPA Rule.  In response to multiple comments requesting increased enforcement, including from non-profit organizations, the FTC also noted that it has “a robust monitoring program to ensure compliance with our orders[.]”

Reporter, Anush Emelianova, Atlanta, +1 404 572 4616, aemelianova@kslaw.com

New Russian Legislation May Contradict GDPR—In July 2016, two bills became law as part of a package of amendments designed to protect Russian citizens’ data against terrorism.  The measures were dubbed as the “Yarovaya Law” or “Yarovaya Package” after one of its authors, the State Duma Deputy Irina Yarovaya, who is known for her other initiatives mainly aimed at restriction of information distribution.  The counter-terror measures come into force on July 1, 2018.

The regulation requires Russian operators of communication networks (mobile operators and internet providers) to record and store records of communications between all users for at least six months, and provide such data to the authorities at their request.  The new provisions also expand the powers of Russian enforcement officers with respect to monitoring of data.

As the new provisions make no exceptions for data pertaining to foreign citizens, the personal information of EU citizens visiting Russia or residing in Russia may become part of such recorded communications, be stored in Russia, and be provided to Russian authorities without the consent of the relevant data subjects.  Such use and disclosure is very likely to contradict the provisions of the new European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”).  The GDPR includes significantly enhanced protections for EU citizens with regard to the processing of personal data and the free movement of such data outside of the EU to third countries—including Russia—where adequate protections for that data are not in place.  The GDPR comes into force in May 2018.

The issue was raised by the Internet Research Institute, an association of industry experts.  The Russian government has refrained from making comment on the issues, while local operators note that in the case of serious breaches of the fundamental principles of the GDPR, the relevant Data Protection Authority has legislative authority to impose fines for serious contraventions of the fundamental requirements of the GDPR of up to EUR 20,000,000, or up to four percent of an organization’s total worldwide annual turnover or revenues for the preceding financial year.

Reporter, Xenia Melkova, Moscow, +7 495 228 8519, xmelkova@kslaw.com.

ALSO IN THE NEWS        

King & Spalding To Host Medical Device Summit—King & Spalding, in conjunction with FDANews, invites you to register and participate in the Medical Device Summit 2017 on September 7, 2017, in Chicago.  Exploring cutting-edge issues facing the medical device industry, the Summit features two tracks of in-depth presentations from which attendees can build a program to suit their interests and needs.  The Summit will begin on Wednesday evening, September 6th, with a Welcome Dinner followed by a full day of sessions on Thursday, September 7th, and closing that evening with a networking reception.  Subjects will include cybersecurity, regulatory, reimbursement, enforcement, compliance, commercial, litigation and other topics that demand the attention of medical device manufacturers in the coming year.  Click here for more information and to register: Medical Device Summit 2017.

10th Annual King & Spalding Pharmaceutical University—On Thursday, November 9, 2017, King & Spalding will host its 10th Annual Pharmaceutical University, a full day of presentations on subjects critical to drug and biologics manufacturers, their in-house counsel, managers, and executives.  For almost a decade, King & Spalding’s Pharmaceutical University has provided timely, in-depth, practical insight into almost every area of law affecting the development, manufacture, and sale of pharmaceuticals and biologics.  At our tenth annual event this November, Pharma U will again provide the sophisticated variety of presentations that hundreds of industry attendees have come to rely upon year after year.  We hope you will save the date and join us in Philadelphia on November 9 at our three-track symposium addressing regulatory, enforcement, intellectual property, commercial, corporate, litigation, international trade, and political issues, among many other topics that will demand your attention in 2018.  Registration will open in the Fall.