FMG Law Blog Line

Posts Tagged ‘data breach’

A Majority of Federal Agencies Are “At Risk” For Further Data Security Incidents

Posted on: June 6th, 2018

By: Allen Sattler

The Office of Management and Budget (“OMB”) performed a cybersecurity risk assessment of 96 federal agencies and recently published its findings in the “Federal Cybersecurity Risk Determination Report and Action Plan.”  The OMB reported that only 25 of the 96 agencies assessed were adequately managing their risk.  Most agencies (71 of 96, or 74%) were rated either “at risk” or “high risk.”  A “high risk” rating meant that the agency either did not have in place, or had failed to sufficiently deploy, fundamental cybersecurity policies, processes, and tools.

The OMB performed the risk assessment in response to an Executive Order requiring that the OMB develop a plan to adequately protect the executive branch by improving its cybersecurity.  The assessment examined the agencies’ ability to identify, detect, and respond to cyber incidents.  Nearly 31,000 cyber incidents affected the 96 agencies in 2016 alone.

The OMB found that most agencies had poor situational awareness.  The OMB explained that those agencies often lacked the information and resources needed to understand or determine the tactics, techniques, and procedures being used by threat actors to exploit their systems.  For instance, in 38% of the cyber incidents analyzed, the affected agency could not identify the method of attack used.  The OMB also found that most agencies lack standardized procedures and information technology, which makes mitigating the vulnerabilities of those systems difficult.  For instance, one agency operates 62 separate email services on its systems, making it “virtually impossible” to track and inspect inbound and outbound communications to prevent attacks.  The OMB explained that once the email service is standardized, the agency can manage the risk: it can inspect, detect, and quarantine malicious messages, such as phishing attempts and emails that carry attachments with malicious code.
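The kind of inspection a single, standardized mail gateway makes possible, as an added illustration that is not from the OMB report or this post: the script below parses an inbound MIME message with Python’s standard library, checks each attachment’s filename and leading bytes, and returns a quarantine/deliver verdict.  The sample messages, the extension list, and the magic-byte table are constructed for the example.

```python
"""Attachment triage at a mail gateway (added example, standard library only).

Flags attachments with an executable or double extension, or whose payload
starts with the PE header ("MZ") regardless of the declared Content-Type.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed list of extensions a gateway would typically hold for review.
EXEC_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".docm", ".xlsm"}

# Constructed magic-byte table: first bytes -> file kind.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-or-ooxml",
    b"\xd0\xcf\x11\xe0": "ole2",
}


def sniff(payload: bytes) -> str:
    """Return the file kind implied by the payload's leading bytes."""
    for sig, kind in MAGIC.items():
        if payload.startswith(sig):
            return kind
    return "unknown"


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and decide whether to quarantine it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        exts = name.split(".")[1:]  # "invoice.pdf.exe" -> ["pdf", "exe"]
        if exts and "." + exts[-1] in EXEC_EXT:
            findings.append(f"{name}: executable extension")
        if len(exts) >= 2:
            findings.append(f"{name}: double extension")
        if sniff(payload) == "pe-executable":
            findings.append(
                f"{name}: payload is a PE executable (declared {part.get_content_type()})")
    return {
        "subject": str(msg["subject"]),
        "verdict": "quarantine" if findings else "deliver",
        "findings": findings,
    }


def build_sample(filename: str, payload: bytes, maintype: str, subtype: str) -> bytes:
    """Build a constructed multipart message with one attachment."""
    m = EmailMessage()
    m["From"] = "accounts@example.com"
    m["To"] = "staff@agency.example"
    m["Subject"] = "Invoice attached"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return m.as_bytes()


# Constructed samples: a PE file disguised as a PDF, and a genuine PDF header.
MALICIOUS = build_sample("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60, "application", "pdf")
BENIGN = build_sample("invoice.pdf", b"%PDF-1.7\n%constructed", "application", "pdf")

if __name__ == "__main__":
    for raw in (MALICIOUS, BENIGN):
        print(triage_message(raw))
```

The point of the magic-byte check is that the declared `Content-Type` and filename are attacker-controlled; only the payload itself is evidence.  A real gateway would add signature and sandbox checks, but it can only do so if every message passes through it, which is the standardization the OMB report calls for.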

The OMB also found that agencies lack the ability to detect when large amounts of data have been pulled from their systems by an outside attacker.  Only 27% of the agencies reported the ability to detect and investigate whether large amounts of data have been exfiltrated from their systems.  Also, while agencies have largely complied with policies requiring them to encrypt data in transit, less than 16% of agencies achieved their targets for encrypting data at rest.

The findings by the OMB are alarming given that the federal government is often a prime target for attack by cyber criminals, as shown by previous, high-profile breaches.  For instance, in 2015, the Office of Personnel Management sustained a data breach that resulted in the disclosure of fingerprint data belonging to 5.6 million federal employees.

If you have any questions or would like more information, please contact Allen Sattler at [email protected].

Facebook and Twitter: More Transparency for Political Ads

Posted on: June 4th, 2018

By: Amy Bender

In the wake of the alleged Russian interference with the U.S. presidential election through targeted Facebook ads, both Facebook and Twitter now have imposed conditions for political campaign advertisements. Since there currently are no legal requirements for posting political content on private social media platforms, the platforms have the freedom – and, some say, the responsibility – to create their own policies in order to regulate the content delivered to their users. Facebook and Instagram (which Facebook owns) now require that political ads be labeled with information such as who funded the ad, the campaign budget, the number of viewers, and their demographics. The information also will be stored in a searchable archive. Twitter will require advertisers of political campaigns for federal elections to identify themselves and prove they are located in the U.S. Further, it will not allow foreign nationals to target political ads to U.S. residents. Both platforms have cited increased transparency as the basis for these changes. Facebook also has been under scrutiny since the Cambridge Analytica/user data breach incident, as we reported here.

It remains to be seen if these measures will help regulate political content and if more social media platforms will follow suit.

If you have any questions or would like more information, please contact Amy Bender at [email protected].

Lessons Learned from the SEC’s Order in the Yahoo! Data Breach Enforcement Action

Posted on: May 22nd, 2018

By: Jennifer Lee

On April 24, 2018, the SEC issued an order in the enforcement action against Altaba Inc., formerly Yahoo! Inc., and imposed a $35 million fine relating to the 2014 data breach that affected more than 500 million Yahoo! user accounts.

SEC’s Findings

The SEC found that Yahoo! violated federal securities laws by failing to disclose the 2014 data breach for almost two years. The SEC focused on the fact that despite its knowledge of the data breach, Yahoo!’s annual and quarterly reports made no mention of the data breach as a risk factor. Instead, the reports represented that the company only faced the risk of potential future data breaches that may expose its users’ personally identifiable information which may lead to litigation, loss of revenue, and damage to its reputation.

In addition, Yahoo! management’s analysis of the company’s financial condition also omitted changes to revenue that were expected to result from the public disclosure of the 2014 data breach.

Lastly, the stock purchase agreement between Yahoo! and Verizon entered into on July 23, 2016 and filed with the SEC on July 25, 2016 was misleading because it contained affirmative representations denying the existence of any significant data breaches.

The data breach was not disclosed until September 2016, in a press release filed as an attachment to a Form 8-K. After the public announcement of the data breach, Yahoo!’s stock price decreased by 3%, resulting in a $1.3 billion drop in its market cap.

Lessons Learned

Disclosures regarding cybersecurity risk factors that discuss potential incidents are misleading if they do not discuss known incidents that have already occurred. The SEC found that the omission of the 2014 data breach from the risk factor disclosures was misleading because it suggested that a significant data breach had not yet occurred, which in turn implied that any negative effects from a breach were merely speculative.

Companies should perform regular assessments of cybersecurity threats and their likely impact on the business to determine whether such issues should be disclosed as a risk factor. Regulation S-K Item 303 requires companies to disclose trends or uncertainties reasonably likely to have a material impact on their business. Item 503(c) requires companies to disclose the most significant risk factors that make the company speculative or risky. Because cybersecurity incidents can, and often do, lead to a significant drop in a company’s stock price and market cap, a company that fails to assess cybersecurity threats and their likely impact on the business regularly risks running afoul of Regulation S-K.

Be mindful of other state, federal, and international regulations that govern disclosure of data breaches and other cybersecurity incidents. Currently, data breach notification obligations in the United States consist of a patchwork of individual state statutes. In addition, the EU’s General Data Protection Regulation, which takes effect on May 25, 2018, contains a whole new set of rules regarding the disclosure of data breaches and other cybersecurity incidents. Companies that operate on a national or international level must be aware of their disclosure obligations under these regulatory structures and how they may affect companies’ disclosure obligations under federal securities laws.

If you have any questions or would like more information, please contact Jennifer Lee at [email protected].


Cybersecurity in Georgia Hits a Roadblock

Posted on: May 14th, 2018

By: Ze’eva Kushner

On May 8, 2018, Georgia’s Governor Nathan Deal made a controversial decision to veto a cybersecurity bill.  Introduced in the wake of the massive data breach of Atlanta-based Equifax, among other data breaches across the country, the bill would have made it illegal to log into a computer without permission, even if no information was stolen.  The recent ransomware attack on the City of Atlanta serves as a reminder of the potentially significant costs of inadequately protected computer systems.

The bill also included multiple exemptions, however, one of which would have permitted individuals to engage in active defense measures aimed at preventing or detecting unauthorized computer access.  In the industry, this is often referred to as “hacking back.”  The defensive actions could have included techniques such as using beaconing technology to determine the location of a hacker, or leaving one’s own network to track down stolen data.  The legality of these cyber defense measures is murky.

Google and Microsoft both urged Governor Deal to veto the bill, explaining that the active defense exemption would have authorized the hacking of other networks and systems under the pretext of cybersecurity and potentially lead to anticompetitive behavior.  According to Governor Deal, the end result of the bill would have hurt organizations’ ability to secure their computer systems.

If you have any questions or would like more information, please contact Ze’eva Kushner at [email protected].