Cybersecurity is a method to protect your data and systems. Cyber resiliency is a way of doing business in the face of the inevitable.

When Hurricane Michael struck the Florida Panhandle earlier this month, it wiped away wide swaths of Mexico Beach, a coastal town on the Gulf of Mexico. Left conspicuously standing was a house built just last year of reinforced concrete, specifically designed to withstand a Category 5 storm.

The house, elevated on pilings to survive the storm surge, lost its stairwell—by design. It was built to separate from the building without damaging the structure itself. Other than the missing stairs, the house suffered only minor water damage and a cracked shower window.

This story is an important lesson, and a metaphor for cyber resiliency, taking steps to weather a data or systems catastrophe while maintaining ongoing business operations. The adoption of cyber resiliency is an important mindset shift for those dealing with cybersecurity.

Cybersecurity is the approach that focuses on the methods and processes of protecting electronic data – the goal is to thwart an attack, and emphasizes training people and systems to recognize infiltration so it can be stopped. Cyber resilience, on the other hand, assumes an attack will occur. The underlying premise could be summed up this way: “What can go wrong, will. What are you going to do about it?”

Many companies have made meaningful improvements in protecting their data. They have implemented better firewalls, procedures and training to reduce the likelihood of an attack.  While these steps are essential, implementing a cyber resilience program focuses on how the enterprise can continue doing business in the midst of and in the wake of an attack. Cyber resiliency requires a different set of tools and, more importantly, a corporate culture more attuned with surviving natural disasters.  Continue reading

Uber has had a hard time getting data security right. This past week, the ride-sharing company agreed to pay $148 million in a settlement with 50 state attorneys general and the District of Columbia after it intentionally concealed a 2016 data breach. According to the New York Attorney General, it is the largest settlement ever in a multi-state breach case. Uber was found to have breached notification laws by hiding the fact that hackers accessed the information of 57 million users. Uber then paid the hackers $100,000 to destroy the data, without publically disclosing the loss.

This isn’t Uber’s first time mishandling customer and driver personal information, and misleading the public. This spring, Uber agreed to expand an earlier settlement with the FTC, agreeing to additional conditions. “After misleading consumers about its privacy and security practices, Uber compounded its misconduct by failing to inform the Commission that it suffered another data breach in 2016 while the Commission was investigating the company’s strikingly similar 2014 breach,” acting FTC Chairman Maureen Ohlhausen said in April 2018. Just to be clear, Uber failed to report a data breach while in the midst of an ongoing FTC data breach investigation – not easy to believe, but true. Some of the lessons here are crystal clear. Others are still unfolding. But they will come to bear on all companies, not just Uber. Uber’s conduct creates a more highly charged environment for all companies. Here’s why.

  1. The cover-up is worse than the crime.  Uber guessed that it could cover up its mistakes , and it guessed wrong. Uber used its “bug bounty program” to try to hide the fact that it paid a ransom to have the data destroyed. It’s not even clear that a breach notice would be required under many state laws because the data that was stolen didn’t include personal financial information, even if it included what we now consider, broadly, personal information: names, mobile phone numbers, and email addresses of customers and, in the case of drivers, their driving license information. But in trying to hide the issue, Uber heaped problems on itself. Uber could have reported the issue up the line and let those with real authority decide how to handle it. Instead, the matter was hidden from Uber’s CEO for months, denying the company the chance to go to regulators and seek their guidance.
  2. Welcome to a stricter data regime—for all of us. As part of the settlement, Uber is now mandated to put in place more secure systems, and acknowledge breaches of a broad variety of personal information. It will undergo 20 years of audits, at significant expense, both monetary and in terms of human resources. The company is also required to provide records of its bug bounty reports relating to any vulnerability of consumer data, as well as turn over all third-party audits in full to the FTC. One could argue that the FTC is now running security at Uber, not the company. This is a new line in the sand; any company with less than stellar security programs should be on notice that if they don’t install state-of-the-art systems and processes, the government will be happy to direct them specifically how to do so. The FTC does not like to be fooled, and, while no lap dog in the past, the commission will surely not tolerate being trifled with again.
  3. The expansion of the definition of protected data. Up to this point, data breach notification laws have focused on financial data, such as credit card numbers or social security numbers, or other sensitive protected information, such as health records. This action has the possibility of enlarging the scope of protected data that must be reported if accessed or breached to include any information that can identify a person, much as the European Union has done through the General Data Protection Regulation, or California proposes in its recently-enacted Consumer Privacy Act. This means that the conditions that would merit government disclosure of a loss of information have greatly increased, perhaps exponentially.
  4. Look for more coordinated state actions. The coordinated action by all of the state Attorneys General may foreshadow additional joint action in the future, which could have an effect on pending federal proposals, and impact the FTC’s authority. The $148 million fine was paid directly to the states (California received $26 million), making large fines a powerful incentive for state regulators to jump on what it sees as egregious conduct. And seeing this kind of money on the table will only embolden class action counsel representing consumers whose data is compromised.

 

We’ve previously written how to handle ransomware attacks. What we didn’t mention in that post, because it seemed to go without saying, is that regardless of the amount of data stolen, or the seemingly innocuous sum requested to get it back, is that all breaches should be analyzed and acted upon as quickly as possible so that the responsible parties evaluate and minimize the risks from a breach. The fact that there may be a chance to secure the data, or ensure it is destroyed, or confirm it has not yet been misused, should not enter the equation. The risk in not acting on a breach is 100%. And getting more expensive by the day.


Robert E. Braun
is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

 

JMBM’s Cybersecurity & Privacy Group is pleased to announce that the Group’s Co-Chair, Michael A. Gold, will be participating as a panelist for the webinar Bristows Legally Speaking! Data protection and information security in EU, India and California – what next?

Sponsored by the London-based law firm Bristows, the webinar is open to C-suite executives, Chief IT officers, in-house counsel, and others whose companies are doing business in California, Britain, the EU, or India.

Date: Tuesday, October 30, 2018
Time: 9:00 AM – 10:00 AM Pacific

No registration fee is required. Register here.

Panelists include:

Robert Bond, Partner and Notary Public at Bristows LLP, London
Salman Waris, Partner at TechLegis Advocates & Solicitors, Delhi
Michael Gold, Partner at Jeffer Mangels Butler & Mitchell LLP, Los Angeles

Topics that will be explored include:

  • Draft data protection law in India
  • California data privacy laws explained
  • Overview of US privacy laws
  • Comparisons with EU laws
  • What else is on the global horizon for data protection?

We invite you to join us for this informative webinar. Register now!

iheartcalifornia-300x138On June 28, 2018, Governor Brown signed the California Consumer Privacy Act of 2018, which goes into effect on January 1, 2020. But – because of certain look-back features in the new law – significant compliance will be required by January 1, 2019.

The Act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

Observers estimate that about 500,000 companies nationwide will need to comply with the California Consumer Privacy Act. The California Attorney General is expected to aggressively enforce the Act – and it will have the budget to do so. Consumer watchdogs and plaintiffs class-action lawyers will also be on the hunt for violators.

__________________________

This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

__________________________

The Act provides many of the same consumer privacy protections as the European Union’s General Data Protection Act (GDPR). JMBM’s Cybersecurity & Privacy Group has counseled dozens of companies on GDPR compliance and is now discussing California’s new law with clients; we are eager to help you assess your own compliance and protect your business from expensive liability and litigation.

Some key points:

What does the Act do?

The new act says that California residents, including minors, who give personal data of almost any kind to a for-profit business, have the right to know how the data is being used, have it deleted, know who the data is being sold to, and object to the sale of their data. In short, California consumers now own their personal information and have a significant measure of control over it. It is important to note that personal data includes almost any data that can identify an individual, not just financial data.

Who is subject to the Act?

The California Consumer Privacy Act applies to any for-profit business that:

  • Does business in the state of California;
  • Collects consumers’ personal information (or is the entity on whose behalf such information is collected) and determines how that information is collected and processed;
  • Meets one or more of the following thresholds: has annual gross revenues in excess of $25 million; buys, receives, sells, or shares the personal information of 50,000 or more consumers, households or devices; or, derives 50% or more of its annual revenue from selling consumers’ personal information. The Act applies to small and mid-sized businesses, not just large companies.

What happens if a company does not comply?

The act is enforceable by the California Attorney General and authorizes a civil penalty up to $7,500 per violation.

In the event of a data breach, California residents will have a private right of action to recover up to $750 per incident, or actual damages. The statute directs courts to consider the nature, seriousness, persistence and willfulness of an incident, the number of violations, the length of time over which the incident occurred, and the violating company’s assets, liabilities and net worth.

Because of the minimum recoverable amount, consumers do not have to prove actual damages, only that there was a violation of the act.

What do you need to do now?  

California businesses will need to take several steps to achieve compliance, including:

  1. Adopt a method for handling consumer requests for personal information.
  2. Develop templates and procedures for responding to consumer requests.
  3. Develop procedures for collecting and processing data.
  4. Identify and document the legal basis for collecting and processing personal information, in order to respond to the consumer’s right to have their information deleted.
  5. Make appropriate changes to public-facing website disclosures, including adding a description of consumers’ rights under the Act, listing the categories of data collected, and including a conspicuous way for consumers to indicate that they do not want their data sold.

 What should you do now?

Contact us to discuss whether this new act applies to you, and how you should prepare for it. This is a serious law and violations will have serious repercussions for your bottom line and your reputation.

 

Gold_Michael_Highres_03
Michael Gold
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.201.3529
MGold@jmbm.com
Bob Braun Photo
Robert E. Braun
Partner and Co-Chair of the Cybersecurity & Privacy Group
310.785.5331
RBraun@jmbm.com

 

Agreeing to ransom terms is a losing proposition; spend your time and energy preparing for an attack.

Ransomware attacks are on the rise, partly because of the ease and anonymity of crypto-currencies. In a typical ransomware attack, cyber criminals invade a computer system and encrypt key data, then threaten to destroy the data unless the victim pays the criminal a relatively minor sum (ranging from hundreds to thousands, or in rare cases, tens of thousands of dollars). Schemes go by the teasing names of CryptoLocker and WannaCry, but there’s nothing playful about finding that you are a target. Ransoms are priced at a level that encourage compliance with the criminal demand. Yet there’s nothing that ensures a payment will actually free up your data and the utility of your system – in many cases, it’s clear that the criminals never intended to unencrypt the data.  Moreover, once a system has been compromised, there can be little doubt that the hackers accessed sensitive data and left behind malware allowing them to create more mischief.

There is fierce debate over how to respond to attacks; even the FBI at one point seemed to advocate paying ransom to reclaim stolen data, though it clarified its position in 2016 and no longer recommends payment.  At the same time, for many firms, spending a relatively modest sum to recover mission-critical data sounds better than spending a far greater sum to recover only a portion of that data.  The latter approach is, however, a poor use of resources; rather than trying to determine whether to agree to ransom terms, spend your time and energy preparing for an attack. Companies should consider a ransomware attack as you would any other cybersecurity breach. That is, it is going to happen, the only question is when. Sound preparation boils down to several key considerations.

1. Back Up Data and Store It Properly

Any system is vulnerable when there is only one copy of data, or when backups are stored on tied or companion systems. If cyber criminals encrypt data on your main system, it’s important to be able to access the original data, and that means copying and storing it on a separate, secondary system that is untethered from the main system, and where it is possible to extract uninfected data. This is sound practice no matter what the threat; ransomware has only highlighted its importance. Whether its financial data, health records, or city citations, having multiple ways to access data is key. Moreover, simply having a backup is not sufficient; unless the backup is tested, one can never determine whether it is effective, how long it will take to implement, and other key issues. Continue reading

cursor-clicks-red-VIRUS-button-300x225

Any hobbyist will tell you that a proper guide is a must to mastering a craft.  However, a hobby is a part-time occupation; most of us know that our businesses need full-time attention. Because cybersecurity threats can impact core business activities, addressing those threats, especially those known as “social engineering” and cyber scams, is not a mere pastime — it’s a full-time job.

Bad actors use social engineering — the practice of using human interaction (or simulated human interaction) to gain trust — to obtain passwords, access or other information about a company and its security and computer systems. Most notably, “phishing” is a form of social engineering in which emails or websites pose as known and trusted organizations (such as a customer, credit card company or utility) to trick a target consumer. Because the consumer views the organization as a trusted brand, the consumer is more easily duped into providing user information that could compromise their data security.

Fighting bad actors who use social engineering requires constant attention, especially as hackers become more sophisticated.  To keep you informed, here’s an abbreviated field guide of what you might see in the wild this season.

Phishing: Phishing is the most common type of social engineering cyber scam. Attackers use emails, text messaging or social media outreach to trick victims into providing the desired sensitive information, or to visit a seemingly innocent but malicious site, where their system or security can be compromised.

Many phishing scams present the target with a sense of urgency, such as, “update your password now or lose access to your account.” In the wake of  GDPR requirements, some ironically pose as trusted sources asking for approval for or recognition of privacy policy updates. Some distinguish phishing (think of catching many fish in a large trawling net) from spear phishing, in which a specific individual or small groups of individuals are targeted. Either way, it can end poorly for the phished. Continue reading

It didn’t take long.

On June 28, 2018, just more than a month after the EU’s General Data Protection Regulation went into effect, imposing broad obligations and restrictions on any entity collecting personal information of EU citizens and residents, the California legislature has passed AB 375, and the governor has signed, the California Consumer Privacy Act of 2018, providing many of the same protections and sure to upend privacy regulation in the United States.

The Act goes into effect on January 1, 2020, and while it has broad implications that will become more apparent over time, there are some key initial takeaways:

  • The Act applies to all personal information, which is broadly defined, not just information collected electronically or collected directly by a firm. Companies will need to consider all of their data acquisition functions, and conform their practices to the Act.
  • The Act defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Significantly, personal information explicitly includes a real name, alias, postal address, unique personal identifier, online identifier Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.  And, particularly significant in light of this week’s Supreme Court decision, it includes geolocation data.  This is a far-reaching extension of how personal information has been defined in the United States for privacy purposes.
  • The Act would grant a consumer a right to request a business to disclose the categories and specific pieces of personal information that it collects about the consumer, the categories of sources from which that information is collected, the business purposes for collecting or selling the information, and the categories of third parties with which the information is shared.
  • The Act includes a private right of action, allowing consumers to seek damages for certain categories of unauthorized disclosures.
  • Business will be required to make disclosures about the information and the purposes for which it is used.
  • Consumers will have the right to request deletion of personal information and would require the business to delete upon receipt of a verified request.
  • Consumers will have the right to opt out of the sale of personal information by a business, and businesses will be prohibited from discriminating against the consumer for exercising this right, including by charging the consumer who opts out a different price or providing the consumer a different quality of goods or services, except if the difference is reasonably related to value provided by the consumer’s data.
  • The Act will protect California citizens, and apply to any company that has annual gross revenues in excess of $25,000,000, alone or in combination, or annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices, or derives 50 percent or more of its annual revenues from selling consumers’ personal information. You should note that these tests are in the alternative, and that it will include many smaller companies.

These are only a few of the provisions of the Act, but it is clear that it has the potential of impacting companies throughout the nation.  Just as California’s initial breach notification act, adopted in 2002, radically changed the privacy landscape, the California Consumer Privacy Act of 2018 is likely to have as important an impact.

The authors of the Act recognize that it will require additional clarifying regulation to implement, and the Act itself authorizes the Attorney General to issue opinions on the scope of the Act.

While the ink on the Act is still wet, it seems clear that the Act reflects many of the requirements of the EU’s General Data Protection Regulation, and complying with the GDPR will put companies at a competitive advantage against those who wait.

The JMBM Cybersecurity and Privacy Group has worked with dozens of companies to establish procedures and policies to achieve GDPR compliance.  For additional information, contact Bob Braun (rbraun@jbmb.com, 310.785.5331) or Mike Gold (mgold@jmbm.com, 310.201.3529).

 

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at RBraun@jmbm.com or +1 310.785.5331.

JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.

The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right.

It’s often said that one can do something well, or quickly, but not both.  Corporate America is facing a world where the public demands both speed and accuracy; companies have one chance to get it right, and get it right at once.

Consider the two most recent examples: on April 12, two black men were arrested at a Philadelphia Starbucks after they entered the store and failed to place an order as they waited for a friend to arrive. The arrest was videotaped and posted on Twitter, where it immediately went viral. Within two days, CEO Kevin Johnson was apologizing for “a disheartening situation” that led to a “reprehensible outcome.” On May 29, Starbucks closed all its stores in order to train employees on racial sensitivity and implicit bias. Six weeks later, ABC reacted to an inflammatory, early morning tweet by Roseanne Barr within hours, calling it “abhorrent, repugnant and inconsistent with our values,” and cancelled her top-ranked TV show.

The lesson here is that the initial corporate emergency response time to a public relations calamity shrank from two days to several hours in just over a month.

What does this have to do with cybersecurity? Everything.

Cybersecurity and data breach response plans are all about dealing with a fast-moving and soon-to-be public crisis. Notifications, and therefore publicity, are mandatory. The stakes have been raised as the EU’s new General Data Protection Regulation, or GDPR, mandates notification within 72 hours. Once that happens, social media and public opinion give you only hours to get it right. And as we know so painfully from the Equifax breach, that needs to be done correctly the first time round. Equifax notified the public of its data breach – covering more than 143 million people and attacking its core business – a month after it discovered the breach, and when it did, its reaction was widely criticized. Continue reading

By David Ma and Robert Braun

The Securities and Exchange Commission (SEC) could be on target to make 2018 the year of cryptocurrency regulation—or at least the start of it.

In January, Jay Clayton, chair of the Securities and Exchange Commission, and J. Christopher Giancarlo, chair of the Commodity Futures Trading Commission, published an op-ed in which they declared distributed ledger technology (DLT) in need of regulation. They wrote:

“History … has proved that transparency, investor protection and market integrity are critical to ensuring that innovation continues. But today we are seeing substantial DLT-related market activity that shows little or no regard to our proven regulatory approach. This concerns us.”

There’s a fair bit to be concerned about. That month, the global cryptocurrency market, which is highly volatile, surpassed a market value of $700 billion. And the SEC is late to the game. It was only last year that its Enforcement Division created a cyber unit.

Playing catch-up, the SEC followed up this interest with subpoenas in March to more than 80 cryptocurrency companies, including a $100 million fund started by TechCrunch’s founder Michael Arrington, in an effort to gather information on how these cryptofunds operate.

There is growing concern of fraud in the market. Some startups are using cryptocurrency to raise funds, and regulators fear that some Initial Coin Offerings (ICOs) are launched for companies that don’t even exist. Some investors eager for quick profits are likely not investigating the associated risks.

It’s unclear whether securities laws apply to digital coins. The SEC has indicated the regulations do apply, but has not formally laid out how issuers and traders should comply. The SEC has repeatedly said that the vast majority of ICOs should be registered with the agency, in part because the coins trade on secondary markets like other securities that the SEC regulates. Continue reading

human-firewall-people-walled-off-300x207


FinCEN, the Financial Crimes Enforcement Network, has indicated that cryptocurrencies will not get an enforcement “pass.”

By David Ma and Robert Braun

The Treasury Department has outlined its efforts to police electronic currencies in a letter to Sen. Ron Wyden after the lawmaker asked what the department was doing to ensure that Bitcoin and other cryptocurrencies are not being used by criminals to evade banking regulations.

Wyden, D-OR, is the ranking member of the Senate Finance Committee. He communicated his concern to the Treasury Department that cryptocurrencies could, among other uses, allow foreign governments to circumvent U.S. economic sanctions.

In its February 13, 2018 letter to Wyden, which surfaced in March, the Treasury Department reiterated its stance that cryptocurrency companies and trading organizations must comply with laws designed to combat money laundering and the financing of terrorism. To comply, these companies and organizations must investigate customers and report suspicious transactions to authorities.

While the letter does not go into further detail about what this would mean for established cryptocurrencies or Initial Coin Offerings (ICOs), some observers fear that this could mean that ICOs would be required to perform the same “Know Your Customer” (KYC) due diligence that banks do when customers open bank accounts. It also implies that cryptocurrency companies and organizations may have some obligation to monitor transactions made with their cryptocurrency.

But given the anonymous nature of cryptocurrencies, it would be difficult, from a practical perspective, for an ICO to perform the same “know your customer” diligence that a bank does. Continue reading