On May 15, 2019, President Trump issued Executive Order 13873 (“E.O. 13873”) and declared a national emergency in response to increasing actions by “foreign adversaries” to create and exploit “vulnerabilities in information and communications technology and services” supplied to the U.S.  E.O. 13873 broadly prohibits persons subject to U.S. jurisdiction from engaging in information and communications technology or services transactions with “foreign adversaries” that: (i) pose undue sabotage or subversion risks to U.S. information and communications technology or services, (ii) pose an undue risk to critical U.S. infrastructure or the U.S. digital economy, or (iii) otherwise pose an unacceptable risk to U.S. national security.  Within one hundred fifty (150) days of E.O. 13873, the Secretary of Commerce, in consultation with other executive agencies, will issue formal rules or regulations which will identify the specific “foreign adversaries” who are subject to E.O. 13873’s prohibitions, establish criteria for determining the types of transactions that are prohibited by E.O. 13873 and establish procedures for obtaining licensing to conduct transactions that would otherwise be prohibited by E.O. 13873 and its associated rules and regulations.

Continue Reading

You can add Nevada to the growing list of the states that are considering privacy-related legislation in the wake of last year’s enactment of the California Consumer Privacy Act (CCPA). Nevada is one of three states that already require certain entities to provide online privacy notices to disclose the types of personal information that they collect from consumers. Senate Bill 220 would supplement that existing law by allowing consumers to submit notices to businesses directing them not to sell any personal information the business has collected or will collect about the consumer (i.e., an opt-out). An entity that receives such a notice would be forbidden from selling the consumer’s personal information.
Continue Reading

Sharing informationThe Cybersecurity Act of 2015, signed into law on Dec. 18, has four titles that address longstanding concerns about cybersecurity in the United States, such as cybersecurity workforce shortages, infrastructure security, and gaps in business knowledge related to cybersecurity. This post distills the risks and highlights the benefits for private entities that may seek to take advantage of Title I of the Cybersecurity Act of 2015 – the Cybersecurity Information Sharing Act of 2015 (“CISA”).

It’s been clear for many years that greater information-sharing between companies and with the government would help fight cyber threats. The barriers to such sharing have been (1) liability exposure for companies that collect and share such information, which can include personally identifiable information, and (2) institutional and educational impediments to analyzing and sharing information effectively.

CISA is designed to remove both of these information-sharing barriers. First, CISA provides immunity to companies that share “cyber threat indicators and defensive measures” with the federal government in a CISA-authorized manner. Second, CISA authorizes, for a “cybersecurity purpose,” both use and sharing of defensive measures and monitoring of information systems. CISA also mandates that federal agencies establish privacy protections for shared information and publish procedures and guidelines to help companies identify and share cyber threat information. Notably, companies are not required to share information in order to receive information on “threat indicators and defensive measures,” nor are entities required to act upon information received – but this won’t shield companies from ordinary ‘failure to act’ negligence claims.
Continue Reading

Hacker at workAt DEF CON you’ll often hear that “every company is receiving penetration testing, but some companies pay for the pleasure.” My take is that every company pays for penetration testing – some companies pay in planned expenditures, but others pay in response costs, reputation loss, business interruption, legal liability, and increased insurance premiums. Or as Claus Moser observed, “Education costs money, but then so does ignorance.”

Last week’s DEF CON post shared insights from DEF CON 23 presenters on the fast-moving threat environment. Below are post-DEF CON observations on strengthening an organization’s cyber risk management strategy.
Continue Reading

Hacker at workFaces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced-off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.
Continue Reading

Washington DCAs high-profile data breaches continue to make news, it appears Congress could finally pass legislation establishing a national standard for data breach notification. Currently, PII breach notification is governed by a patchwork of state laws, making compliance burdensome and time consuming for affected businesses. To further complicate matters, many states have recently passed or are considering legislation to amend current rules in the wake of recent breaches. However, despite Congress ramping up its efforts to pass federal breach notification legislation and President Obama calling for federal action on data breaches in his State of the Union address, a number of factors still need to be ironed out. They include:

  • The extent to which state laws should be preempted. Federal breach notification legislation would obviously set minimum standards, but the question remains whether it should set the ceiling as well. Some members of Congress would likely oppose a law that prevents states from setting a higher standard than the federal minimum. Additionally, whether a federal cause of action would provide the sole remedy for breach notification violations will likely be another subject of debate, along with the enforcement role, if any, of the FTC.
  • The types of breaches that trigger a notification requirement. Congress will need to specify which types of information must be put at risk to bring an incident under the federal standard. States have taken a myriad of approaches in this respect, so Congress must determine how broadly or narrowly to construe the definition of “personal information.” There also will be a debate over how much, if any, potential harm a breach must pose before it would trigger a requirement to notify affected parties.

Both chambers of Congress are currently considering legislation that would create a federal standard for breach notification. Some of the more notable bills currently pending include:
Continue Reading

quilt-patchworkiStock_000001968466_LargeAh, Federalism. In countless ways we benefit from a system in which individual states can express their respective policy interests in differing state laws, with the resulting quilt bound together by the Constitution, federal law, and judicial interpretation. But on some topics we end up with a “crazy quilt” … and PII breach notification is trending crazy.

Since 2002, when California enacted the seminal state law mandating notification of individuals whose personally identifiable information (PII) is breached, virtually every state has followed suit. Forty-seven states, the District of Columbia, Puerto Rico, Guam, and the U.S. Virgin Islands now have such statutes.  Only Alabama, New Mexico, and South Dakota are without one, and under Texas’ statute, companies doing business in Texas that have a PII breach must follow the Texas notification requirements for affected residents of these three states.

These laws are triggered by the affected individual’s residency, not where the breach occurred. So, when an organization with employees or customers in many states suffers a data breach, it must comply with a wide variety of differing and potentially conflicting state breach notification laws. And differ and conflict they do, as the following three examples illustrate.
Continue Reading

wolf-eyesiStock_000012725226_MediumCompanies suffering a data breach have a lot to worry about. High on that list is Norman Siegel, a founding member of Stueve Siegel Hanson LLP. Siegel is a prominent data breach plaintiffs’ lawyer – he helped lead the team representing consumers in the consolidated Target data breach lawsuits, and currently serves as lead counsel representing consumers in the pending Home Depot data breach litigation. He also is co-chair of the Privacy and Data Breach Litigation Group of the American Association for Justice.

I recently asked Siegel for his thoughts on the current landscape of data breach consumer litigation. Here is what he shared.
Continue Reading

spinningPlatesiStock_000011904878_LargeIt’s a dangerous world for protected information, with major breaches in the news and a challenging cyber-threat environment behind the scenes. Organizations must be prepared to respond to data breaches, but effective response is no small matter. There are 10 different channels of response activity for an organization that has suffered a security breach: Security, Legal, Forensic, Law Enforcement, Regulators, Insurance Coverage, Public Relations, Stakeholders, Notification, and Personnel Management. Most of these activities are involved in every breach, and all must be dealt with in significant breaches. These activities are not sequential. They play out in parallel, with interrelated effects… and with the response clock ticking.
Continue Reading

US-capitaliStock_000027739539_LargeAfter years of debate, Congress last December passed three bills focused on combating cybercrime. President Obama quickly signed each bill into law.

They include:

  • National Cybersecurity Protection Act of 2014. The most notable piece of legislation for the private sector, this Act establishes a framework for private entities and government authorities to share intelligence about cyber threats and incident response plans. However, much to the dismay of many private entities, this stripped-down version of an earlier House bill lacks the liability protections that many companies had desired.
  • Federal Information Security Modernization Act. This Act creates a structure for maintaining safeguards to protect federal government data. It encourages government agencies to use automated security tools to identify and correct security deficiencies, building upon the risk management framework originally established by the Federal Information Security Management Act of 2002. It also requires that agencies report major cyber incidents to Congress within seven days of discovery.


Continue Reading