September 12, 2016

Data, Privacy & Security Practice Report – September 12, 2016

Auto-ISAC Pushes To Protect Internet-Enabled Connected Cars – In July 2016, the nonprofit Automotive Information Sharing and Analysis Center (“Auto-ISAC”) released a series of auto cybersecurity best practices to collectively address cyber threats that could pose unreasonable risks to safety or security in internet-enabled vehicles.

The principles cover governance, risk management, security by design, threat detection, incident response, training, and collaboration with third parties.  The issue of threats to vehicle security first garnered significant attention last year when two security researchers remotely hacked into a 2014 Jeep Cherokee driven by a journalist who was traveling at 70 mph in St. Louis, demonstrating that, over the cellular connection to the vehicle's infotainment system, they could manipulate the car's air conditioning, radio, accelerator, and transmission.  In response, Fiat Chrysler issued a recall for 1.4 million vehicles.

Previous car hacking attempts, though not as well-publicized, prompted the Alliance of Automobile Manufacturers Inc. and the Association of Global Automakers, Inc. to form the Auto-ISAC in July 2014.  The consortium seeks to share intelligence about vehicle cybersecurity risks and to update the framework of best practices to safeguard against and respond to such threats.

As technology in cars evolves rapidly, including with the advent of self-driving vehicles, the auto industry is signaling its desire to keep pace also with safety measures, through industry collaboration.  The release of Auto-ISAC’s best practices this summer parallels an increased focus on regulatory compliance, along with an emphasis on disclosing cybersecurity risks to consumers.

The researchers who hacked the Jeep Cherokee last year put on a new demonstration at the Black Hat USA conference in August 2016, showing that the same vehicle remains vulnerable to new and potentially more dangerous attacks.  Fiat Chrysler insisted that this year’s hack could not have been performed remotely, because the fixes made after last year’s recall closed the remote entry point and the new demonstration required physical access to the vehicle’s diagnostic port.  However, the manufacturer also just launched its first “bug bounty” program, offering up to $2,500 to hackers who inform the company about cybersecurity flaws in its vehicles.

Reporter, Nicole M. Pereira, New York, NY, + 1 212 556 2132, npereira@kslaw.com.

LabMD Seeks To Stay FTC Decision Related To Evidence Of Consumer Harm Pending Appeal – LabMD—a medical testing lab that, the Federal Trade Commission (“FTC”) alleged, exposed consumer personal information through a peer-to-peer (“P2P”) file-sharing network—is now seeking a stay pending its appeal of the FTC’s recent opinion and decision that the agency need not provide evidence of actual consumer harm to show that LabMD’s actions “caused or were likely to cause substantial injury to consumers.”  Rather, the FTC explained, “We need not wait for consumers to suffer known harm at the hands of identity thieves.”

The issue began in 2008, when LabMD is alleged to have discovered that sensitive personal information it had collected (including social security numbers, insurance information, and test results) had been exposed because a file (the “1718 File”) that contained the information had been inadvertently shared on a P2P file-sharing network.  The file contained information from 9,300 patients.  LabMD claimed that cybersecurity company Tiversa found the exposed file and alerted LabMD “with the aim of obtaining LabMD’s business” and that LabMD rejected Tiversa’s solicitations.  Although LabMD claimed to have conducted an internal investigation, it did not alert its 9,300 patients that their personal data had been exposed.  In 2009, in response to a request for information from the FTC, a company that LabMD alleges was affiliated with Tiversa provided the 1718 File to the Commission.

In November 2015, Chief Administrative Law Judge D. Michael Chappell found that the evidence brought by the FTC “fail[ed] to show that the 1718 File was in fact downloaded by anyone other than Tiversa.”  Therefore, the evidence failed to “demonstrate that the exposure of the 1718 File placed the consumers whose Personal Information was exposed in the 1718 File ‘at significantly higher risk’ of harm, or that such exposure caused, or is likely to cause, identity theft harm, medical identity theft harm, or reputational or ‘other’ harm.”  Judge Chappell further explained that the testimony of the FTC’s expert—who used a number of risk factors to determine that LabMD’s actions posed a significant risk of identity theft harm—was unreliable because his testimony relied on certain evidence that was not found to be credible (namely that Tiversa had found the 1718 File at various IP addresses, one of which belonged to a suspected identity thief).

In July 2016, the FTC reversed the decision of Judge Chappell, finding that he had applied the “wrong legal standard for unfairness.”  The FTC explained that “a practice may be unfair if the magnitude of the potential injury is large, even if the likelihood of the injury occurring is low.”  Thus, “the privacy harm resulting from the unauthorized disclosure of sensitive health or medical information is in and of itself a substantial injury under Section 5(n).”  In other words, under the FTC Act, “likely to cause substantial injury” does not mean that the injury is probable, but rather that there is a “significant risk” that the injury could occur because of the failure to deploy appropriate information security protections.  The FTC explained that it could rely on the testimony of its expert because the expert simply identified “a range of harms” that could result from unauthorized disclosure of personal information.  As a result of this decision, the FTC issued an order that requires LabMD to notify affected consumers, establish a comprehensive information security program reasonably designed to protect the security and confidentiality of the personal consumer information in its possession, and obtain independent assessments of its implementation of the program.

LabMD is now seeking a stay of the FTC’s decision pending its appeal.  In its application for a stay, LabMD challenges the FTC’s interpretation of the “unfairness” standard, and continues to contend that the company cannot be held liable without evidence that consumers actually suffered harm as a result of LabMD’s unauthorized disclosure.  Specifically, LabMD states that the Commission’s opinion is contrary to the plain language of Section 5(n) “which [ ] requires proof that an ‘act or practice causes or is likely to cause substantial injury to consumers’ before ‘unfairness’ liability may be imposed.”  LabMD urges the FTC to interpret Section 5(n) as requiring “proof of actual or, at minimum, probable or highly probable economic or physical harm.”

The case is In the Matter of LabMD Inc., docket number 9357, before the Federal Trade Commission.

Reporter, Bethany Rupert, Atlanta, GA, + 1 404 572 3525, brupert@kslaw.com.

U.S. House Of Representatives Announces OPM Data Breach Findings – On Wednesday, September 7, Republicans on the U.S. House of Representatives’ Committee on Oversight and Government Reform released a report detailing the events leading up to the sweeping hack of the federal Office of Personnel Management’s (“OPM”) databases.  The report concludes that it was ultimately a failure of culture and leadership at the OPM, not a lack of technology or tools, that led to the breach.

The OPM conducts the background investigations for roughly 90 percent of federal government job applicants.  In June 2015, the OPM announced that the personnel records of 4.2 million former and current federal employees had been compromised.  A month later, the OPM announced that the background investigation data of 21.5 million individuals had been compromised as well, including the fingerprint data of 5.6 million of those individuals.

According to the Committee’s 231-page report, the OPM data were compromised through a series of breaches from 2014 to 2015 that were “likely connected and possibly coordinated” by two Chinese government-sponsored groups.  The report concludes that the breaches and the exfiltration of the data can be attributed to a longstanding failure of the OPM’s leadership to implement basic cybersecurity measures, such as requiring strong multi-factor authentication for access to its systems.  Furthermore, tools were available that could have detected and prevented the intrusions, but the OPM failed to deploy those tools to mitigate the agency’s extensive vulnerabilities.

The report offers a number of recommendations, including ensuring that agency Chief Information Officers are empowered, accountable, and competent, and are retained for longer than the current average tenure of two years.  The report also recommends that the government move away from the use of social security numbers as identifiers and that federal information security efforts move toward a zero-trust model, in which users and devices inside a network are treated as no more trustworthy than those outside it and every request for access is authenticated and authorized on its own.

The Democratic Committee staff issued a 21-page memorandum in response, explaining that it could not support the report because the report failed to adequately address federal contractors and their role in federal cybersecurity.  According to the memo, the Committee’s investigation found that federal cybersecurity is intertwined with government contracting and that the cybersecurity requirements in government contracts are inadequate.  The memo highlights that the attackers carried out the OPM breach using credentials stolen from one of the OPM’s contractors, which allowed them to disguise their initial entry into and movement through the OPM’s network as legitimate activity.

Reporter, Drew Crawford, Washington, DC, +1 202 626 5512, dcrawford@kslaw.com.