
July 13, 2015

Data, Privacy & Security Practice Report – July 13, 2015

FEATURED ARTICLES

Coders Oppose Government Access To Encrypted Data – A group of top coding specialists published a paper on July 6, 2015, arguing that law enforcement’s desire to access encrypted data is not only infeasible, but would also possibly imperil the security and privacy of global digital communications.  The group, made up of 14 of the world’s pre-eminent cryptographers and computer scientists, warned that giving law enforcement “exceptional access” to encrypted data would likely introduce security flaws in today’s complex Internet environment that would be almost impossible to predict or detect.  Such access would also curtail innovation and raise “thorny issues” for human rights and international relations, the experts said.

Law enforcement in both the U.S. and the U.K. have been pushing for mandated government access to encrypted information, according to the computer scientists, out of fears of “going dark” and being unable to monitor criminals’ and terrorists’ encrypted communications.  The Communications Assistance for Law Enforcement Act (“CALEA”) currently requires “telecommunications carriers” to provide assistance to ensure that the government is able to intercept electronic communications when lawfully authorized, but it does not require a carrier to decrypt communications encrypted by the customer unless the carrier provided the encryption and possesses the information necessary to decrypt.  It also does not currently cover all Internet-based communications services.  Law enforcement officials have now proposed that data storage and communication systems be designed for “exceptional access” by law enforcement agencies.  However, the coding specialists warn that these “proposals are unworkable in practice, raise enormous legal and ethical questions and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.”

The experts oppose giving law enforcement exceptional access to encrypted data because it would be a complete reversal from current security best practices.  Simply giving agencies a key to decrypt messages presents a significant security risk, they argue, because communications would be left open to attack by anyone who could get a copy of the key.  And leaving a backdoor open for law enforcement to access a social network could also let in hackers.  Those access features would also make systems more complex, thus introducing new security vulnerabilities, according to the report.  Finally, the greatest obstacle to providing access to encrypted data might simply be jurisdiction, the scientists say, given the global nature of the Internet.

The report was issued the day before FBI Director James Comey and Deputy Attorney General Sally Quillian Yates testified before a Senate Judiciary Committee hearing on encryption and security.  They testified “about the growing challenges to public safety and national security that have eroded our ability to obtain electronic information and evidence pursuant to a court order or warrant.”  They acknowledged their support for strong encryption technology but highlighted challenges that such encryption technology created for law enforcement.  They also advocated for continued investment in “tools, techniques, and capabilities designed to mitigate the increasing technical challenges associated with the Going Dark problem.”

Reporter, Ashley B. Guffey, Atlanta, +1 404 572 2763, aguffey@kslaw.com.

“Hacking Team” Gets Hacked, Caught Using Trivial Passwords – Until last week, an Italian cybersecurity company known as “Hacking Team” was reputed to be an elite provider of sophisticated spyware and hacking tools to numerous governments, police agencies and intelligence services.  But then it found itself on the receiving end of a hack, with over four hundred gigabytes of emails, source code and internal documents collected and posted online for all to see.  Adding insult to injury was the fact that the hack apparently resulted from a failure to employ basic cybersecurity practices on the company’s own systems.

The attackers announced the public availability of Hacking Team’s files by hijacking the company’s official Twitter account and providing a direct link to a storage repository and an associated Torrent file.

News outlets reviewing the now-public Hacking Team data report that key security staff at Hacking Team used simple variations of “password” for privileged root access to key systems.  Passwords of that kind are well known to fall quickly to hybrid attacks, which run a dictionary list through mangling rules that substitute numbers and symbols for certain letters (e.g., replacing “s” with “$”) and append numbers or special characters to the end of words.

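
As an added illustration of the hybrid attack described above (example code written for this note, not Hacking Team’s data, source or any real cracking tool’s rule set), the following Python runs a small wordlist through case changes, leet substitutions and common suffixes, hashes each guess and compares it against target hashes.  The substitution table, the suffix list and the sample passwords it recovers are constructed assumptions for the example; unsalted SHA-256 stands in for whatever hash format a real system would use, since the candidate generation is the point.

```python
"""Rule-based ("hybrid") password guessing: a wordlist run through
leet substitutions, case changes and common suffixes, then hashed and
compared against target hashes.

Added example; not Hacking Team's data or any real tool's rule set.
The rules, suffix list and sample passwords below are constructed
assumptions for illustration.  Unsalted SHA-256 stands in for whatever
hash format a real system uses; the candidate generation is the point.
"""
import hashlib
import itertools

# Assumed substitution table (a small subset of what real rule files carry).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Assumed suffix list: the empty string keeps the unmodified word.
SUFFIXES = ["", "1", "12", "123", "!", "1!", "2015"]


def sha256_hex(s: str) -> str:
    """Stand-in hash; a real audit would use the system's own format."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def case_variants(word: str):
    """lower, Capitalised and UPPER forms of the base word."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def leet_variants(word: str):
    """Every subset of substitutable positions, including the empty one."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    for r in range(len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[word[i].lower()]
            yield "".join(chars)


def candidates(wordlist):
    """Yield unique guesses: case x leet x suffix for each base word."""
    seen = set()
    for base in wordlist:
        for cased in case_variants(base):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    guess = mangled + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def crack(target_hashes, wordlist):
    """Map each recovered hash to its plaintext; stop once all are found."""
    targets = set(target_hashes)
    found = {}
    for guess in candidates(wordlist):
        digest = sha256_hex(guess)
        if digest in targets and digest not in found:
            found[digest] = guess
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    # Constructed sample "root" passwords of the kind the article describes,
    # plus one multi-word passphrase that no rule here will reach.
    secrets = ["P4ssw0rd!", "password123", "Pa$$word1",
               "correct horse battery staple"]
    hashes = [sha256_hex(s) for s in secrets]
    result = crack(hashes, ["password", "admin", "root"])
    for h in hashes:
        print(h[:12], "->", result.get(h, "<not recovered>"))
```

Even this toy rule set turns one base word into a few hundred guesses, and real cracking tools apply thousands of such rules to multi-million-word lists at hardware speed.  The defensive reading is twofold: a complexity policy that is satisfied by mangling a dictionary word buys almost nothing, and the only reliable way to know whether privileged accounts are protected by such passwords is to audit them, i.e., run exactly this kind of attack against your own hashes.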
There are many other aspects to this hacking story that are attracting attention, but perhaps the key takeaway is that even highly-sophisticated companies and users can fall victim to cyber-attacks when established cybersecurity practices are not properly administered.  This underscores a few essential points that should always be emphasized with senior management at firms:

  • Never get complacent when it comes to monitoring and improving cyber-security practices;
  • Policies for complex passwords and other security defenses are not effective unless enforced and audited; and
  • Tech-savvy IT and information security personnel are not entitled to “self-determine” their personal level of compliance, and in many instances should be subject to stricter oversight because they often have root access and administrator privileges on corporate systems.

Reporter, Mark H. Francis, New York, +1 212 556 2117, mfrancis@kslaw.com.

State Attorneys General Ask Congress Not To Preempt Breach Notification Laws – In the wake of recent, large-scale data breaches, several pieces of legislation have been introduced in Congress to establish a national data breach notification law, including a House bill that would preempt the current “patchwork” of laws with a single, national protection and notification standard.  A group of 47 state attorneys general objected to the possibility of federal preemption of state data breach notification laws in a letter sent to congressional leaders last week.

In the letter, the National Association of Attorneys General asks that any federal data breach notification law not preempt similar state laws already in place.  The attorneys general cite a similar letter in 2005 that argued preemption “interferes with state legislatures’ democratic role as laboratories of innovation.  The states have been able to respond more quickly to concerns about privacy and identity theft involving personal information and have enacted laws in these areas years before the federal government.”

The state attorneys general highlight the “important role states already play protecting consumers from data breaches and identity theft,” calling legislation passed by states “innovative.”  The attorneys general also note that several states in recent years have enhanced breach notification laws with additional protections, including requiring notification for compromised biometric data, login credentials for online accounts, and login credentials for medical information.  They wrote, “[o]ur constituents are continually asking for greater protection. If states are limited by federal legislation, we will be unable to respond to their concerns.  Toward that end, it is important that any federal legislation ensure that states can continue to enforce breach notification requirements under their own state laws.”

Further, the attorneys general point out, states are on the “front line[s] in helping consumers” following a data breach.  The states also investigate breaches and monitor businesses’ compliance with state regulations to have reasonable security practices and notify consumers when a breach occurs.  Many state data breach notification statutes require data collectors experiencing breaches to directly notify the attorneys general in states where the affected consumers reside. 

The attorneys general state that they recognize “the need to work together at the state level” and, as a result, 40 states participate in a working group that assesses data security matters.  The working group evaluates breaches impacting consumers in multiple states.  The letter also argues against federal enforcement and regulatory authority regarding data breaches.  Rather, the attorneys general believe that “[t]oo many breaches occur for any one [federal] agency to respond effectively to all of them,” and “[s]tate attorneys general must have the authority to investigate such breaches.”  However, even if Congress chooses not to preempt state data breach laws expressly, federal legislation could impliedly preempt related state laws to the extent those laws frustrate Congress’ purpose in adopting a federal minimum standard to govern data breach issues.

Many consider the matrix of state laws in this area to be confusing and a barrier to a streamlined notification process that a uniform federal standard might bring.  For example, the breach notification law in New Jersey requires notification to a state agency before notification is made to affected individuals, while other states do not have such a requirement.  In addition, many state laws have a “risk of harm” trigger; that is, a provision that says, in essence, notification is not required if there is not a significant risk of harm to the affected persons.  However, the language in these provisions can vary, which places an additional burden on companies in the event of a multi-state breach.

Reporter, Elizabeth K. Hinson, Atlanta, +1 404 572 2714, bhinson@kslaw.com.

ALSO IN THE NEWS

FCC Working Group Issues Report On Cybersecurity Best Practices – The June 2015 issue of the Intellectual Property & Technology Law Journal features an article by King & Spalding partner Steven Snyder on a Federal Communications Commission (“FCC”) working group’s recently issued Final Report on Cybersecurity Risk Management and Best Practices.  In the article, Mr. Snyder provides an explanation of the report and suggests action that companies in the communications sector should consider in view of the publication.  To read the full article, please click here.

SEC Division Of Investment Management Provides Cybersecurity Guidance – In the June 2015 issue of Wall Street Lawyer, Mr. Snyder analyzes recent cybersecurity guidance issued by the SEC’s Division of Investment Management.  The guidance highlights best practices for registered investment companies and investment advisers so that they can adequately protect confidential data.

OPM Director Steps Down In Wake Of Data Breach – On July 10, 2015, Office of Personnel Management (“OPM”) Director Katherine Archuleta resigned amid controversy involving her handling of a massive federal government computer data breach.  “I conveyed to the president that I believe it is best for me to step aside and allow new leadership that will enable the agency to move beyond the current challenges and allow the employees at OPM to continue their important work,” Archuleta said in a statement.  OPM recently revealed that the breach was vastly larger than originally thought, affecting some 21.5 million people.  To read our previous coverage of the OPM data breach, please click here.

White House Encourages Patient Access To Health Records – On July 8, 2015, the Executive Office of the President released a Statement of Administration Policy supporting the medical research provisions in H.R. 6, the 21st Century Cures Act.  According to the statement, the “Administration appreciates the legislation’s support for the President’s Precision Medicine Initiative, which would advance a new model of participant-centered research to accelerate biomedical discoveries and provide clinicians with new tools and therapies tailored to individual patients’ needs.  This will also require enabling patients to access their data and accelerating interoperability between electronic health records.”

The content of this publication and any attachments are not intended to be and should not be relied upon as legal advice.
