November 7, 2016

Data, Privacy & Security Practice Report – November 7, 2016
States Seek Help To Ensure Security Of Election Systems – In the weeks and months leading up to Election Day 2016, states have made preparations to increase the security of their election systems, despite assurance from the U.S. Intelligence Community (“USIC”) that it would be extremely difficult for someone to alter ballot counts or election results via cyber-attack or intrusion.  USIC’s assessment was based on the decentralized nature of our election system and the number of protections state and local election officials have in place, such as ensuring that voting machines are not connected to the internet.  Even so, the steady hacking and release of emails, including those from Democratic Party institutions, have demonstrated that certain hackers are committed to disrupting and discrediting the U.S. election process.

On October 7, the Department of Homeland Security (“DHS”) and the Office of the Director of National Intelligence (“DNI”) released a joint statement confirming that the Russian government was behind the recent e-mail hacking of U.S. persons and institutions.  The release states that the agencies are “confident” that the recent disclosures of hacked e-mails are consistent with the “methods and motivations” of Russian-directed efforts and are aimed at disrupting the integrity of the U.S. elections.  Dmitri Alperovitch, the chief technology officer of CrowdStrike, said last week that Russia is targeting the United States’ elections with an “unprecedented influence operation.”

DHS reported that several states have seen scanning and probing of their election systems, in many cases originating from servers operated by a Russian company (although DHS notes that it is not yet able to attribute this activity to the Russian government).  Given the rise in such activity, DHS has encouraged states to be vigilant and has offered to help states and local governments test and prepare their election systems.  DHS offered to assist with cyber “hygiene” scans, risk and vulnerability assessments, information sharing, and best practices for securing voter registration databases and addressing potential cyber threats.  As of last week, forty-six states had accepted DHS’s offer to help. 

In a letter to the National Board of State Election Directors, House and Senate Leaders encouraged states to “take full advantage of the robust public and private sector resources available to them to ensure that their network infrastructure is secure from attack,” and reminded states that DHS “stands ready to provide cybersecurity assistance to those states that choose to request it.”

In addition to help from DHS, Ohio is using the National Guard to help keep the state’s election systems safe.  Republican Secretary of State Jon Husted said last week that the National Guard’s cyberprotection unit will be testing the state’s computer system for vulnerabilities ahead of the November 8 election.

Reporter, Lauren M. Donoghue, Washington, DC, +1 202 626 8999, ldonoghue@kslaw.com.

EU Privacy Regulators Issue Letters To Yahoo And WhatsApp – In late October 2016, European Union (“EU”) data protection authorities issued letters to Yahoo and WhatsApp related to alleged privacy incidents involving those companies.  The letters were issued by a collective of EU data protection authorities known as the “Article 29 Working Party” or “WP29”, which is comprised of representatives of the data protection authorities of each of the EU’s 28 member states, the European Data Protection Supervisor, and the European Commission.

The letter issued to Yahoo related to two recent privacy incidents.  First, in September, Yahoo announced that hackers had infiltrated its systems in late 2014 and lifted account data tied to at least 500 million users.  The EU regulators noted their “deep concern” over this data breach, called on Yahoo to take certain measures to communicate with European Yahoo users about the data breach, and requested that Yahoo provide additional information about the data breach.  Second, in October, reports surfaced that Yahoo had scanned customer emails for U.S. intelligence purposes at the request of U.S. intelligence agencies.  The EU regulators expressed interest in understanding the legal basis and justification for the alleged surveillance activity, including an explanation of how this activity complied with EU law. 

With regard to WhatsApp, the regulators focused on a recent change the company made to its privacy policy.  In August, WhatsApp announced that it was updating its terms of service and privacy policy.  WhatsApp told consumers that, as part of that update, it would start sharing some user information with Facebook, its parent company.  In its letter to WhatsApp, the EU regulators noted that they had concerns about the way information related to the updated terms and privacy policy was communicated to users, the validity of users’ consent to the terms and privacy policy, and the ability of users to exercise their rights under the terms and privacy policy.  In order to assess whether the changed policy complied with European privacy laws, the regulators asked WhatsApp to provide additional information about the exact data that was implicated by the change in policy, the source of the data, a list of recipients of the data, and information on the effects of the data transfer on users and potential third parties.

In a press release announcing the issuance of the letters, the Article 29 Working Party explained that it had recently formed a WP29 enforcement subgroup due to the increasing number of cross-border data security incidents.  The enforcement subgroup is tasked with facilitating the exchange of views on enforcement strategies and actions in cross-border cases and with helping European data enforcement authorities to prepare for implementation of the recently adopted EU General Data Protection Regulation.  The enforcement subgroup will hold its first meeting in November.  During that meeting, it will address the topics covered in the letters issued to WhatsApp and Yahoo.

Reporter, Ashley B. Guffey, Atlanta, +1 404 572 2763, aguffey@kslaw.com.

Department Of Justice Releases Charging Policy For Computer Crime Matters – On October 24, 2016, the Department of Justice (“DOJ”) publicly released an internal policy memorandum dated September 11, 2014 (“the policy”), that details the factors federal prosecutors should use in determining whether to investigate or bring charges in matters relating to computer crime.  Specifically, the policy, which was issued internally within DOJ by former Attorney General Eric Holder, provides guidelines for prosecutors determining when to open an investigation or charge an offense under the Computer Fraud and Abuse Act (18 U.S.C. § 1030).  According to the policy, these guidelines seek to ensure that charges are brought only “in cases that serve a federal interest.”

The factors that should be considered include:

  • The sensitivity of the affected computer system or the information;
  • The potential for significant impact of the activity on national or economic interests, including unauthorized access to classified information, and whether the information accessed or the conduct otherwise impacts national security, critical infrastructure, public health and safety, economic market integrity, or international relations;
  • The connection of the conduct to other criminal activity or the impact on potential victims, including the risk of bodily harm;
  • Whether the conduct relates to an abuse of a position of trust, such as potential actors exceeding their authorized access to sensitive systems or information; and
  • The deterrent value of an investigation or prosecution, including whether the activity involves a new or expanding area of criminal activity, a recidivist defendant, use of a novel or sophisticated technique, or particularly egregious or malicious conduct.

Similar to other previous public DOJ guidance on issues such as anti-corruption, this policy provides information that may be helpful for companies and executives to assess whether federal law enforcement would take interest in an incident involving unauthorized cyber activities by employees or data breaches relating to company systems or information. 

The policy also notes that additional considerations for prosecutors include the nature of the impact that the criminal conduct has on a particular district or community, and whether any other jurisdiction (such as another federal district or state authorities) is likely to prosecute the criminal conduct effectively, if the matter is declined for federal prosecution by one federal district.  Further, in an effort to make application of these practices consistent, the policy requires that prosecutors across the country coordinate charging decisions and related investigations with DOJ’s Computer Crime and Intellectual Property Section, located in Washington, D.C. 

Reporter, Ehren K. Halse, San Francisco, +1 415 318 1216, ehalse@kslaw.com.

California Attorney General Makes Privacy Public With New Crowdsourcing Tool For Reporting Of Privacy Policy Violations – On October 14, the California Attorney General released a new online form designed to crowdsource reporting of allegedly inadequate privacy policies.  The tool allows users to report violations of the California Online Privacy Protection Act (“CalOPPA”).  CalOPPA is a broad privacy rule that generally affects any organization that collects personally identifiable information from California residents.  The new tool is the California Office of the Attorney General’s request for the public’s help in enforcing the statute, and all companies that collect personally identifiable information online or through mobile applications should take note.  

With the passage of CalOPPA in 2003, California became the first state in the nation to require commercial websites and online services to post privacy policies.  Any website or mobile app that collects personally identifiable information such as name, address, e-mail address, phone number, or Social Security number from California residents must post a compliant and easy-to-find privacy policy.  The policy must also include the categories of information collected, the types of third parties with whom the operator may share that information, instructions regarding how the consumer can review and request changes to his or her information, and the effective date of the privacy policy.  In 2013, the law was expanded to require inclusion of information on how the operator responds to “Do Not Track” signals from users, as well as requiring privacy policies to disclose whether third parties can collect personally identifiable information about the site’s users.

The new online form provides several options for consumers to select, including whether the privacy policy is missing, inapplicable, difficult to locate, incomplete, or was violated, or whether the operator failed to provide notice of a material change. According to the California Attorney General, the new tool is intended to “exponentially increas[e] the California Department of Justice’s ability to identify and notify those in violation of CalOPPA.”

Under CalOPPA, website or mobile app operators that collect personally identifiable information have a 30-day grace period after being notified by the California Attorney General to post a CalOPPA-compliant privacy policy. Failure to do so results in a violation of CalOPPA. While there is no private right of action under CalOPPA, the Attorney General has argued that each violation (each download of a non-compliant mobile application, for example) could result in a penalty of up to $2,500 under California's unfair competition law.

Reporter, Anush Emelianova, Atlanta, +1 404 572 4616, aemelianova@kslaw.com.