Legal BlackBook


September 2018
FBI v. iPhone Was the Undercard: Here’s the Main Event
THIS COULD BE THE BIG ONE: the heavyweight contest between the government and the tech industry over protecting customer data.
     The FBI has asked a federal judge in California to force Facebook to disable the encryption on its Messenger app so that agents can listen to an MS-13 gang member’s conversations. Few details are available, since the case is under seal, but Facebook has vigorously resisted the effort.
     The case is reminiscent of Apple’s refusal to “unlock” the San Bernardino shooter’s iPhone in 2016. Only some observers say that this case could be more important. In the Apple dispute, the FBI already had possession of the phone, and it wasn’t even clear if it contained useful information.
     In the current dispute, the FBI seeks to be able to access conversations in real time, and continue to do so in the future. Experts believe that the bureau is most likely basing its argument on the Wiretap Act of 1968.
     If successful, it could be broadly applied to many other apps on the internet.  And it would likely get the attention of governments around the world.
     Read more from The Washington Post.
How Soon Must You Report a Breach to the SEC?
THERE'S BEEN A LOT OF TALK about 72 hours. That’s how long the EU’s General Data Protection Regulation says that companies have to report data breaches to regulators. Few experts think many companies will meet that standard. We’ll have to wait to see if they’re right—and if they are, what regulators decide to do about it.
     Let’s look at any easier question. How long does a company have to report a breach to the Securities and Exchange Commission? That one should be clear by now, right? Maybe not.
     Yaki Faitelson takes a stab at answering. There’s no set deadline, but if a big breach is involved, not two years! The co-founder and CEO of the cybersecurity firm Varonis deduced as much from examining the SEC’s public statements and the $35 million fine it slapped on Yahoo in April for waiting two years to report a massive breach.
     Companies need to report in their regular SEC filings both breaches and cybersecurity risks that are significant—that is, what a reasonable investor would want to know, Faitelson says. And they need to do so in a timely manner.
     Read more from Forbes.
A Closer Look at Cybersecurity in Asia
SOME OF THE BIGGEST cybersecurity powerhouses on the planet are found in Asia. It behooves us to understand what makes each of them tick.
     North Korea seeks to generate revenue from cyberattacks, and also sees them as both defensive and offensive weapons at its command. The country has hacked a remarkably broad array of companies, agencies and institutions in South Korea.
     For China, cyber is a key tool for spying and for stealing intellectual property.   
     The big surprise in the region is Singapore. Once thought of as hopelessly far behind, in recent years it has become a cybersecurity leader and has helped some of its neighbors make progress as well.
     These were some of the takeaways from a three-part conference in June on cybersecurity in Asia hosted by Brookings, in Washington, D.C.
     Read more from Brookings.
More Evidence of Cooperation
MORE AND MORE OFTEN tech companies seem to be finding themselves on the same side. And the sometimes bitter competitors are learning to cooperate—for their own good and the country's.
     The most recent examples were Facebook, Microsoft and Twitter taking down suspicious accounts, pages and websites that they said were directed by Russia and Iran to disrupt the midterm elections.
     The companies have been criticized when they have failed to police the abuse of their services by nation-states, and they have acknowledged that cooperating in this way benefits them all.
     This solidarity is also an extension of the Cybersecurity Tech Accord that Microsoft, Facebook and more than 30 other tech companies signed in April (though Twitter and Google did not). The signatories vowed to cooperate to protect their customers and each other from cyberattacks.
     Read more from The Seattle Times.
August 2018
The Government Admits It Needs to Share More
GOVERNMENT OFFICIALS have finally admitted that there’s a problem. Even though Congress passed the Cybersecurity Information Sharing Act in 2015—a law that created incentives and protections for companies to share breach information with the government—very few companies have done so.
  And the officials also acknowledged what has been troubling companies for some time: The government has not shared very much threat information with them.  
  Those were some of the candid assessments delivered during a live conversation on this important topic hosted in late July by The Washington Post. The featured guests were Christopher Krebs, undersecretary for the Department of Homeland Security’s main cyber unit, the National Protection and Programs Directorate; and Tonya Ugoretz, director of the Cyber Threat Intelligence Integration Center, which tracks cyber threats from within the Office of the Director of National Intelligence. 
  Read more from The Washington Post.
Sports and Fitness Retailers Targeted
DOES SOMEONE SPIN a roulette wheel to figure out which industry to pick on, and then send out an email to let everyone know?
  Whatever the method, hackers do seem to target a sector and go after it for a while before moving on. It seems to be the turn of sports and fitness retailers. First came the announcement from Under Armour that the personal data of 150 million users of its food and nutrition app MyFitnessPal was compromised.
  Next Addidas revealed that information about “a few million” customers had been hacked. Then the British specialty grocer Fortnum & Mason disclosed that the email accounts of 23,000 customers had been compromised.  
  Each company also pointed out that no financial information on customers was compromised.
  Read more from Security Boulevard .
Theft of Cryptocurrency Goes Through the Roof
IT WAS PROBABLY INEVITABLE. Cyber criminals helped create a demand by requiring cryptocurrency payments as ransom. And, independently, the value of the currency soared—for a time. So it’s not a complete shock that theft of cryptocurrency also skyrocketed this year.
  How much has it risen? A lot. In the first half of 2018, the amount has nearly tripled total thefts in all of 2017—from $266 million to $761 million.
  The development has gotten the attention of the authorities—in places where they exist. But it has also underscored the global gaps in both regulation and enforcement. The exchange is governed by no central authority, and the regulatory approach countries take can vary dramatically.
  These are a few of the many reasons why crytocurrency is a particularly attractive vehicle for money laundering.
  Read more from Bitcoin Exchange Guide.
Japan Seeks International Help In Advance of the Olympics
AS JAPAN PREPARES to host the 2020 summer Olympics, it’s got a long list of projects to complete. But it has already received a little reminder that there’s one area it should not neglect.
  In 2015, the Tokyo Organizing Committee of the Olympic and Paralympic Games was unable to access its own website for more than 12 hours. It had apparently been hacked.
  It may not be an Olympic sport, but it’s certainly going to require lots of work to counter cyberattacks. The London Olympics suffered about 200 million in 2012. Four years later, the Rio Games racked up about 500 million attacks. It’s anybody’s guess what Tokyo can expect.
  To their credit, Japanese authorities have actively sought help outside their borders. Most notably they have begun discussions, and have laid the groundwork, for a cooperation agreement with the European Union.
  Read more from The Mainichi .

July 2018
California Passes Tough Privacy Law
WE HAVEN'T HAD A CHANCE to exhale after the EU’s General Data Protection Regulation went into effect on May 25. The EU’s ePrivacy regulation is apparently on its way. And if that weren’t enough, the sovereign state of California suddenly adopted a bold new privacy law of its own.
  Operating at warp speed, the state took only a week to draft and pass its law in late June. The result has been called the toughest privacy law in the country.
  When it takes effect in January 2020, it will give consumers the right to know what data about them companies are collecting and with whom it’s being shared. It will also give them the right to direct companies to delete information and to tell them not to sell it.
  Though California often leads the way in adopting innovations, in this instance it was prompted to act swiftly not because it was trying to keep up with the action in Europe. There was a ballot issue set to be voted on by California residents in November that was even more aggressive than the law the state adopted.
  The only way the state could avert that day of reckoning was by adopting its own law while the ballot issue could still be withdrawn. State legislators beat that deadline by less than a day.
  Read more from USA Today .
Good  Cybersecurity Means Sweating the Small Stuff
THE BREACHES we read about in the media are often large, dramatic and complicated.  This sometimes leads the people who defend against them to conclude that their countermeasures need to be of equal scale. Not true, according to Chad Renfro , head of enterprise cybersecurity at Fidelity Investments.  Focusing on the small things, the fundamental things, he said, is where it all should start.
  Renfro spoke at ICI’s general membership meeting in June. Drawing on his long experience—he’s led more than 500 investigations of cyber incidents—Renfro talked about the importance of staying on top of software patches and constantly monitoring activities.
  He tries to do his job the way his company’s investment managers approach their portfolios, Renfro said. It’s essential to keep up with the research and the trends every day, and then break the large tasks down to manageable components.
  Read more from ICI Viewpoints .
Chad Renfro
4 Ways To Train Employees To Enhance Cybersecurity
A SURVEY of IT security professionals by Baracuda Networks, Inc . which specializes in IT solutions, found that employee training is an essential part of improving cybersecurity. No big surprise there. But fortunately the survey went on to report methods the IT pros recommended.
  The four top vote getters, in the order of the votes they received, involved using:
1. Customized examples that are relevant to an employee's department and role (54%)
2. Unscheduled simulations of typical attacks (51%)
3. Training modules that employees can complete at their convenience (47%)
4. Rewards for those who take the right actions (28%)
  Read more from TechRepublic .
Communicating With the Board
THE JOBS OF general counsel and chief information security officer (CISO) do not have a great deal in common. But in at least one task, doing the job well requires the same approach and the same skills. That task is communicating with the company’s board of directors.
  CISOs, like lawyers, speak their own language. But using it is not the best way to communicate with trustees. To do that well, CISOs need to speak the language of business. And not just any business—specifically, their company’s business.
  They need to start with an understanding of their company’s business priorities. That’s what the board is focused on. And effective CISOs explain not only how they’re keeping company data secure, but how they’re enabling the business to succeed.
  The same goes for company lawyers. They need to translate the legal issues into English, and then explain how the lawyers’ work is paving the way for the business to advance.
  Read more from Security Intelligence .
June 2018
Cybersecurity Tips for Summer Vacations
WELCOME TO SUMMER, prime hacking season. If that sounds like a downer, it doesn’t have to be. It’s a warning, and there are measures you can take to avoid having data stolen. 
  The most important factor is your mindset. If you let down your guard, and many summer travelers do, you’re vulnerable. 
Vacationers often conduct business on personal devices, and they use WiFi connections, such as those in airports, that are not secure. Or they check business email in hotel office centers equipped with computers that are equally unprotected. 
  What they don’t realize is that cyber criminals are often lurking nearby, waiting for these opportunities to steal data, 
which they can accomplish in a matter of seconds.  
  Read more from .
Local Governments Are Overmatched by Cyberattacks
Source: University of Maryland, Baltimore County Get the data
IN RECENT WEEKS, two major American cities had services disrupted by cyberattacks. A hacking attack in Baltimore disrupted online emergency dispatch services for nearly a full day. And Atlanta was hit with a ransomware attack that took city services offline for nearly a week. 
  These are the kinds of events that grab public attention, but research has suggested that the problem 
is far larger than a few isolated events. 
  Local governments across the country are unprepared to prevent cyberattacks, and furthermore, they never identify who was responsible for the majority of those they detect, the research found. 
Nearly half of those surveyed said they are attacked daily, but most don’t even record all of them.  
  The biggest impediment to improving cybersecurity is that local leaders have not made it a priority and have not demonstrated sufficient support for the IT and cybersecurity officials who filled out the survey. 
  Read more from .
NIST Updates its Popular Framework
IN APRIL, the National Institute of Standards and Technology (NIST) released version 1.1 of the Framework for Improving Critical Infrastructure     
  Cybersecurity. It was an update of the first version of the voluntary guidelines NIST published four years ago at the direction of the Obama administration. 
  The organization announced these changes to the original: 
Version 1.1 includesupdates on:
   authentication and identity,
   self-assessing cybersecurity risk,
   managing cybersecurity within
    the supply chain and
   vulnerability disclosure.

Credit: N. Hancek/NIST
NIST also included a brief description of its methodology:   “The changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held in 2016 and 2017. Two drafts of Version 1.1 were circulated for public comment to assist NIST in comprehensively addressing stakeholder inputs.”
  Read more about the changes from ; from  helpnetsecuritycom ; and from  NIST  itself.  
A New Model for Cybersecurity Investigations
SHOULDN'T SOME ONE INVESTIGATE cybersecurity events to determine what happened, and how similar incidents might be prevented in the future? And with no effort to cast blame or judge whether the savings would justify the cost? 
  There is an agency that already performs this function when there’s a plane crash: the National Transportation Safety Board. Why not use the NTSB as a model for an agency that would be tapped to investigate major cyber breaches? 
  This was the suggestion of Paul Rosenzweig, a senior fellow at the R Street Institute in Washington, D.C., who wrote a paper endorsing the idea, which he credited to Representative Denny Heck (D-Wash.). Rosenzweig, who also manages a small consulting company on cybersecurity and teaches at George Washington School of Law, suggested the new agency might be called the Computer Network Safety Board. 
  Read more from .
Paul Rosenzweig
White House Axes Cybersecurity Czar
IN THE 1960s, some writers of fiction publicly complained about the difficulty they had plying their craft because they found it impossible to compete with the reality they were confronted by each day. 
  There are undoubtedly novelists today who feel the same way. But these days even journalists are finding themselves stretched in unusual ways. It can sometime be difficult to reconcile the competing realities we’re confronted by. And these can involve realities that bump into each other not only in different areas of the news, or different events, but sometimes even in the 
same stories.  
  So, we have grown used to reading about the ever-expanding challenges of fending off cybersecurity risks. And preparing for the next new assault. And government agencies have tried hard to reassure businesses that they are doing everything they can to work with them against this growing threat. 
  And yet, at the very time that the Department of Homeland Security, which is generally viewed as the lead agency in defending against cyberattacks, was talking about the expanding risks, the administration eliminated the position of Cybersecurity coordinator on the National Security Council because 
the role was no longer necessary. 
  Read more from .
May 2018
We're Getting Better at Cyber Detection
TIRED OF READING depressing articles about cybersecurity? They always seem to feature statistics that go from bad to worse. 
  But new data suggests that we’re actually getting better at cybersecurity. These are the kinds of statistics we’ve been waiting for. 
  Last year in North and South America, 64 percent of security breaches were discovered by the victim companies themselves rather than external sources like law enforcement, according to Axios (citing Mandiant’s M-Trends 2018 report). That’s quite a contrast to the results in 2011, when only 6 percent of breaches were discovered internally.
  Axios didn’t mention another positive statistic that’s even more startling. This one can be found in the 2018 Trustwave Global Security Report. Looking at the length of time it takes to discover compromised data from the date of intrusion to the date of detection, the report found that for intrusions detected internally, it was zero days—meaning on average they were detected in less than one day. For the incident to be reported externally, they averaged 83 days.
  So, companies must be doing something right. Maybe more things than they get credit for.
  Read more from  Axios .
May 2018
Arizona’s Surprising Choice to Manage Cybersecurity
HERE'S A DEVELOPMENT that’s going to be watched by state administrators around the country. Arizona made a bold move to protect itself from cyberattacks.
  The state has 133 agencies in all. That’s a lot of data to worry about. 
And it knows it has vulnerabilities because it was hacked during the last national election. The solution? It decided to hire a single firm to handle cybersecurity for all of them. And it didn’t even choose an Arizona company. It picked  RiskSense , based in neighboring New Mexico. 
  Interestingly, one of the prime reasons it cited was the ease of using the vendor’s software. It scores an agency’s cyber vulnerabilities with a system modeled on credit ratings, so someone without an IT background can quickly see how each is doing.
  Read more from  StateScoop .
Don’t Leave Cybersecurity to IT
YOU CAN"T RELY on your information technology team to protect your company from data breaches. That’s the message that the United Kingdom’s information commissioner delivered in her keynote address in April at the National Cyber Security Centre's CYBERUK conference in Manchester, according to ZDNet. 
  "Security is a boardroom-level issue,” Commissioner Elizabeth Denham told the audience. “We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings." 
  And failing to hire specialists and to properly invest in security is a recipe for disaster, she said. Denham cited companies that paid a steep price for their 
security failures in last year's   WannaCry  attacks. 
  Recent revelations about  Facebook and Cambridge Analytica  were a “wake-up call” about the importance of protecting data, she added.  
  Read more from  ZDNet .
Elizabeth Denham
Does a Nonprofit Need Cyber Insurance
NONPROFITS TYPICALLY don’t have a lot of extra money to spend. And they don’t figure to be the kinds of targets for cyberattacks that large data-rich (and just plain rich) companies can be. So, how much time and money should they spend on cybersecurity?
  It’s a good question. And it’s answered with intelligence and clarity in an article that appeared in NTEN, which stands for Nonprofit Technology Network.  
  The article discusses insurance, but it doesn’t have an agenda and it isn’t pushing any particular solution. It advises readers how to think about the risks of their own work environments in order to make prudent decisions for their own companies’ needs. 
  Read more from  NTEN .
THE COURTS have been waiting for the law to catch up with technology for a long time. But given the warp-speed of tech advances and the almost nonexistent pace of legislation these days, not many big cases have been mooted by new laws. But one was in April. 
  And it was a big one. It was a case that had made it all the way to the Supreme Court. It was Microsoft’s cloud case, which began in late 2013.  
  As you’ll recall, federal agents had obtained a warrant seeking access to the email account of one of the company’s users. The warrant was issued on a showing of probable cause that the email contained evidence of drug trafficking. But Microsoft declined to provide access, arguing that the data was stored on servers in Ireland, and the law did not reach overseas.  
  The long-running litigation and the attendant publicity finally led to legislative action.  The Clarifying Lawful Overseas Use of Data (CLOUD) Act   passed in March, and it requires companies to turn over data under these circumstances, no matter where it’s stored. 
  The feds got a new warrant to replace the old one, and the Supreme Court, finding that there was no longer a live dispute, sent it back to the district court with instructions to dismiss. 
  If you’ve been holding your breath, you can exhale now. 
  Read more from  TechRepublic .
The Tipping Point?
HOW WILL WE KNOW when cybersecurity has become a household word, a genuine phenomenon? Not by the number of law review articles on the subject, or even the number of Big Law practice groups devoted to it. It’s more likely to be revealed by an unexpected event in the popular culture. 
    Would this qualify? In September, Girl Scouts of the U.S.A. will roll out its first cybersecurity badges that scouts can earn by demonstrating their mastery of the subject. It’s part of an effort to boost girls’ interest in tech, which in turn could lead to their greater representation in the field. 
  Read more from  NBC News .
When Will They Ever Learn?
WHAT'S THE DEFINITION of education? A pretty good one, when you think about it, is the ability to change.
  Now wrap your mind around this. According to a recent report by CyberArk, 46 percent of organizations never change their cybersecurity strategy even after they  suffer a cyberattack. 
  And only 8 percent of the security professionals surveyed said that their company
continuously conducts penetration tests to determine where their vulnerabilities 
are located.
  These numbers suggest that, where cybersecurity is concerned, some of the pros companies depend on may need to be sent to reeducation camp. 
  Read more in  TechRepublic .
Collaborating for Security
A FEW YEARS AGO, Siemens was immersed in a bribery scandal. In the wake of it, as the company took major steps to reform, then-General Counsel Peter Solmssen reached out to his company’s competitors, and they agreed to cooperate to combat not just bribery but the competitive advantage it had offered. Solmssen called this joint effort the Cabal of the Good. 
  Flash forward. In February, Siemens and seven of its competitors signed what they called the Charter of Trust, vowing to cooperate in order to enhance cybersecurity worldwide. It’s actually even more ambitious than this may sound. It calls not only for the cooperation of the eight companies (the other seven are Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom), but also governments. 
  Read more in  AutomationWorld .
The First Cybersecurity Style Guide
THE BISHOP FOX CYBERSECURITY GUIDE , published in February, is billed as the first of its kind. Hacker lexicons have been published, but never one dedicated to cybersecurity, according to lead editor Brianne Hughes. 
  It aims for breadth rather than depth, and it does a good job. In 92 pages (including preliminary notes, appendices and an epilogue) it’s got everything from AI to zero day, and it’s almost guaranteed that you won’t know them all. 
  One warning: it’s designed for security researchers. That means there’s an emphasis on proper usage. Many of the words listed are not defined. This can be annoying for a more general audience, and a missed opportunity for the editors. (The appendix does include links to other guides that fill in the gaps.) 
  There’s one particularly nice feature. If you like it, you’ve got it. You can download it simply by clicking.
  Read more on  The Parallax .
A Company’s Cybersecurity Information May Not Be an Open Book
LET'S SAY YOUR COMPANY just discovered it’s suffered a data breach. The CEO asks whether it should be reported to the state police. As the general counsel, you feel it’s clearly information that’s going to have to be disclosed within a few months, and you point out that the police may help the company counter the attack. 
  But your boss isn’t happy. The company has been struggling lately. “This would be a lousy time for this to get out,” the CEO complains. And what if the media catch wind and file a Freedom of Information Act request with the police? 
  This isn’t purely hypothetical. The issue has come up, and in March Michigan’s Legislature overwhelmingly.  
  Predictably, the vote was not greeted warmly in the media or by the media.
   Still, two weeks later Republican Governor Rick Snyder signed the bill into law.
   Read more on Crain’s Detroit Business  here  and (for the follow-up)  here