backHomeland Security Committee Hearing Focuses On “Borderless Battle” Of Cyber Threats–On March 22, 2017, the U.S. House Committee on Homeland Security heard testimony on the current state of the global cyber battleground, how rapid changes in technology and the expanding Internet-of-Things (“IoT”) present new threats from a wide range of malicious actors, and what steps the public and private sectors must jointly undertake to protect the nation.
In his opening statement, Chairman Michael McCaul (R-TX) did not mince words, stating that “we are in the fight of our virtual lives, and we . . . are . . . NOT . . . winning.” Describing a nationwide cybersecurity defense system in desperate need of improvement, McCaul said that “the U.S. government is fighting 21st century threats with a 20th century mindset and a 19th century bureaucracy.” Echoing McCaul’s appeal for immediate and substantial overhaul of the nation’s cybersecurity infrastructure, several witnesses spoke about how cyber threats are evolving, what is at stake, and most importantly, what can be done to combat existing and future threats to safeguard America.
Bruce W. McConnell, Global VP of the EastWest Institute, emphasized the ever-increasing role of the internet and connectivity among all facets of modern life, calling cyberspace “the global endoskeleton of commerce, trade, and all manner of human interaction.” Alongside our increasing reliance on connectivity, McConnell said, is a new breed of malicious cyber actors, including state-actors like Russia, China and Iran. The dilemma in addressing these new threats, according to McConnell, is that cyberspace remains a virtual Wild West. For example, McConnell pointed to the well-established protections in modern cargo aviation (airport security, pilot licensing, and registration of airplanes and flight plans), saying that corresponding safeguards are nonexistent for cyberspace, yet the financial value of commercial transactions routed through the internet “is actually 100 times greater on an annual basis than the value of goods transported in the air cargo system.”
Similarly, Gen. (ret.) Keith B. Alexander, current President and CEO of IronNet Cybersecurity, stressed that cyberspace is misguidedly being addressed differently than the “real” world, even though organized crime groups and terrorist organizations, as well as state-actors, are increasingly using the internet to carry out illegal and even military activities. For example, Alexander said that the U.S. is not treating nation-state threats and actions “in cyberspace as we would treat the presence of nation-states’ key naval assets inside our territorial waters,” viewing them instead “largely as nuisance[s].” Alexander emphasized that the “future of warfare is here,” and that the United States must “structure and architect our nation to defend our country in cyberspace.”
But while cybersecurity in the United States may currently be lagging behind the evolving threats, the Committee also heard testimony on tangible ways to address existing shortcomings and develop a robust, integrated system of cybersecurity protection. According to Frank J. Cilluffo, Director of George Washington University’s Center for Cyber and Homeland Security, a “multidimensional response” requires action not just from the U.S. military but all stakeholders, with public-private partnerships an “instrumental” component of a comprehensive cybersecurity framework. Cilluffo further stressed that cybersecurity is a global problem that must be addressed on a global level, with military and non-military alliances between nations a key to effectively stopping cyber threats.
Finally, cooperation between all stakeholders should be leveraged through the use of rapid cyber threat information sharing, according to Michael Daniel, President of the Cyber Threat Alliance, who said that such information sharing across the “entire cybersecurity ecosystem is a necessity in achieving our shared goals of enhanced cybersecurity.” To that end, the Cyber Threat Alliance has already assembled an Information Sharing and Analysis Organization (“ISAO”)—featuring six of the largest global cybersecurity companies—to “enable[] real-time sharing of rich, contextual cyber threat information among all cybersecurity companies, which can be leveraged on an individual basis to update and improve their products and services.” Daniel said that information sharing can be used to expose the “playbooks” (tactics, techniques, etc.) of malicious cyber actors so that entities can proactively implement defenses specifically designed to protect against known threats.
A full video of the hearing and the prepared witness statements can be found on the Committee’s webpage.
Reporter, Robert D. Griest, Atlanta, GA, +1 404 572 2824, rgriest@kslaw.com.
Four Indicted On Charges Related To Yahoo Hacks–On March 15, 2017, the United States announced the indictment of four defendants for their roles in the hacks of Yahoo’s network, systems, and user accounts. The indictment stems from an investigation conducted by the Federal Bureau of Investigation (“FBI”) and charges the defendants with 47 counts of criminal acts, beginning as early as 2014 and going through December 2016. The charges include stealing the account information of more than 500 million Yahoo accounts.
Two of the four defendants, Dmitry Aleksandrovich Dokuchaev and Igor Anatolyevich Sushchin, are officers of the Russian Federal Security Service (“FSB”). Another defendant, Alexsey Alexseyeich Belan, was previously indicted in the United States in 2012 and 2013 for charges relating to computer fraud and abuse, access device fraud, and aggravated identity theft. The FSB officers and Belan are alleged to be residents of Russia. The fourth defendant, Karim Baratov, is a resident of Canada. Baratov was arrested in Canada on March 14, 2017, in response to a provisional arrest warrant submitted by the Department of Justice (“DOJ”) to Canadian law enforcement.
The 47-count indictment covers 14 distinct sets of charges, with maximum penalties ranging from two to 20 years imprisonment. The charges include conspiring to commit computer fraud and abuse, conspiring to engage in economic espionage, conspiring to engage in theft of trade secrets, economic espionage, theft of trade secrets, conspiring to commit wire fraud, accessing (or attempting to access) a computer without authorization to obtain information for the purpose of commercial advantage and private financial gain, transmitting code with the intent to cause damage to computers, counterfeit access device fraud, counterfeit access device making equipment, conspiring to commit access device fraud, and aggravated identity theft.
More information on the allegations and indictment is available in a press release issued by the DOJ.
Reporter, Stephen R. Shin, Atlanta, +1 404 572 3502, sshin@kslaw.com.
New York Tallies A Record-Breaking Number Of Data Breach Notices–On March 21, 2017, the Attorney General (“AG”) of New York, Eric T. Schneiderman, announced that his office received a record number of data breach notices in 2016. The total number of breach notifications received by the AG’s office was nearly 1,300. This represents a 60% increase over the total number of reported breaches for 2015. The AG’s office estimates that 1.6 million New Yorkers had their personal information exposed in 2016, which represents a three-fold increase from 2015.
The New York AG’s office has been collecting information regarding data breaches concerning state residents since 2005, when the state first passed its security breach notification statute - N.Y. Gen. Bus. Law §899-aa. Since the initial version of the statute, the law has required notification to the AG’s office “in the event that any New York residents are to be notified.” This means that the AG’s office receives notifications of any data security breach involving New York residents regardless of the size of the breach. In contrast, some states only require notification of a data security breach to the state AG’s office if the total number of state residents notified surpasses a threshold number. For example, California requires notification to the state AG if a security breach resulted in notifying more than 500 California residents.
Based on an analysis of the collected breach notifications by the New York AG’s office, AG Schneiderman estimated that 40% of all reported data security breaches were the result of hacking. The second leading cause for breach notifications was employee error, which consisted of a combination of inadvertent exposure of records, insider wrongdoing, and the loss of a device or other media.
Across all reported breaches involving New York residents, social security numbers and financial account information made up 81% of the information types that were disclosed during a breach. This is not surprising given that New York’s security notification statute defines a security breach to be the disclosure of “personal information consisting of any information in combination with any one or more of the following data elements”: “(1) social security number; (2) driver’s license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.”
In contrast to the reported increase, the total number of reported “mega-breaches” in 2016 was relatively low. Although AG Schneiderman’s report did not define the term “mega-breach,” the report stated that New York experienced only two mega-breaches this past year. First, HSBC bank reported exposing financial, personal, and social security information of 251,201 New Yorkers on January 13, 2016. In addition, Newkirk Products Inc. reported exposing personal health information of 761,782 New Yorkers on October 12, 2016. In comparison, from 2006 through 2013, New York recorded 28 mega-breaches. Although these two breaches combined to impact more than one million New York residents, it appears that smaller and more frequent breaches also are adding up to impact a large number of residents of the state.
Reporter, Julie A. Stockton, San Francisco and Palo Alto, +1 415-318-1256, jstockton@kslaw.com
Major League Baseball Wearable Tech Experiment Raises Athlete Privacy Issues—On March 6, 2017, Major League Baseball (“MLB”) announced that it has officially approved a wearable biometric monitoring device (the “Device”) for in-game use by athletes. Created by WHOOP Inc. (“WHOOP”), the Device is the first of its kind to gain approval to be worn in competition by any major American sports league. The Device, which is intended to be worn by athletes at all times on and off the field, monitors heart rate, heart rate variability, ambient temperature, motion, and sleep data, and can store that data for up to three days. As a result, the approval of the Device has raised concerns over the privacy implications for players who decide to wear it.
Since neither the MLB nor WHOOP are classified as a “covered entity” under the Health Insurance Portability and Accountability Act (“HIPAA”), the biometric data collected by technologies like the Device do not appear to be covered under the privacy protections of HIPAA. Aside from the basic applicability of general privacy laws, such as a possible violation of Section 5 of the Federal Trade Commission Act in the event of any deceptive practices of WHOOP with respect to its privacy or security policies, there is no clear statutory protection for the privacy of the data generated by use of the Device. As a result, the metes and bounds of how such data is protected will largely be determined on a contractual level. Reports state that the MLB’s agreement with WHOOP does not provide WHOOP with any rights to the data being collected, and that the player and the team have equal rights of use over the analysis of data where data collection is permitted by the player. Additionally, consent of both the player and the team is required before any data generated by the Device can be used for commercial or public purposes. The Device also has 27 different privacy settings that allow a player or a team to share various pieces of information, while keeping other data private.
Nevertheless, the primarily private, non-governmental nature of these protections means they are always subject to negotiation. In a sport where statistical analysis of available data can impact personnel and hiring decisions, the refusal of a player to wear something like the Device or engage in similar biometric monitoring could mean that player is at a negotiating disadvantage compared to players who are more willing to engage in such biometric monitoring. This creates the potential for a situation where a player’s livelihood is subject to his willingness to disclose sensitive information about his health.
This collection of sensitive player health information also raises security concerns. The MLB already has witnessed unauthorized intrusions into the computer system of a baseball team. An employee of the St. Louis Cardinals was charged with and pled guilty to five counts of computer hacking when he repeatedly accessed another professional baseball team’s proprietary database without authorization. As of now, however, the perceived gains from player biometric monitoring and data analysis appear to outweigh the myriad concerns over players’ privacy and the protection of their sensitive information. The Device will be used by MLB players across the league when the baseball season starts on April 3.
Reporter, Brett Schlossberg, Silicon Valley, +1 650 422 6708, bschlossberg@kslaw.com
ALSO IN THE NEWS
Cybersecurity Roundtable With U.S. Congressman Joaquin Castro—On Friday, March 31, 2017, join us in King & Spalding’s Houston office for a roundtable discussion with special guest, Congressman Joaquin Castro (TX), member of the House Permanent Select Committee on Intelligence and the House Committee on Foreign Affairs. The discussion will be moderated by King & Spalding Partner J.C. Boggs. Click here to register.
King & Spalding’s 2017 Cybersecurity & Privacy Summit—On Monday, April 24, 2017, make plans to join the cybersecurity and privacy experts from King & Spalding and PwC, as well as representatives from the U.S. Department of Justice, the Federal Trade Commission, Georgia Institute of Technology, The Home Depot, and TSYS, to learn about the latest strategies for protecting your company against the legal and financial risks of cybersecurity breaches and other privacy incidents. Click here for more information regarding session topics and featured speakers.