RSS Feed LinkedIn Instagram Twitter Facebook
FMG Law Blog Line

Archive for the ‘Cyber, Privacy, & Security’ Category

Executive Order on Improving the Nation’s Cybersecurity issued following Colonial Pipeline Ransomware Attack

Posted on: May 21st, 2021

By: Caitlin Tubbesing

On the heels of the May 7th ransomware attack on Colonial Pipeline—resulting in a temporary shutdown of its 5,5000 mile pipeline system carrying 45% of the East Coast’s fuel supply— President Biden issued an Executive Order aimed at modernizing and improving the country’s defenses against these ever-increasing and malicious cyberattacks. The Order was originally drawn up following the SolarWinds “supply chain” attack, which exposed significant gaps in American cyber defenses in both the public and private sectors.

Although the Order does not specifically address critical infrastructure systems like oil and gas pipelines, power, and water, it directs the Commerce Department’s National Institute of Standards and Technology (NIST) to publish cybersecurity guidelines for supply-chain security, and standards for private companies selling software services to the government. Other provisions in the 34-page Order:

  • direct government agencies to move to secure cloud services and a zero-trust architecture, including a mandate to deploy multifactor authentication and encryption;
  • require IT government contractors to report data breaches posing a potential danger to federal networks to the Office of Management and Budget and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within three days;
  • urges the creation of a standardized playbook and set of definitions for cyber incident response by federal departments and agencies;
  • calls for the formation of a Cybersecurity Safety Review Board, similar to the National Transportation Safety Board, that will study and report how significant breaches occurred; and
  • seeks a national labeling system for software programs that will give consumers information regarding the security level.

The hope is that these measures will not only enable the government to more effective defend against and respond to breaches as they occur, but also that these measures will have a ripple effect in the private sector and critical infrastructure and improve national and global cybersecurity as a whole.  To that end, the White House has urged private sector companies to follow the federal government’s lead and to make necessary investments in cybersecurity and implement ambitious measures to minimize future cyberattacks.

For more information, please contact Caitlin Tubbesing at [email protected].

Google’s Use of Oracle’s java Application Programming Interfaces declared “Fair Use” by the United States Supreme Court

Posted on: April 30th, 2021

By: Kirsten Patzer

In a 6-2 decision, the Supreme Court of the United States(the “Court”) reversed the US Court of Appeals for the Federal Circuit in Google LLC v. Oracle America, Inc., holding Google’s use of Oracle’s Java Application Programming Interfaces (API) in its Android operating system was “fair use.”

The Court granted Google’s certiorari petition on two issues: 1) whether Oracle’s Java API is copyrightable; and 2) was Google’s use of the Java API “fair use.” The Court declined to undertake any analysis of the first question, rendering their opinion on the assumption that the Java API is copyrightable, and examined only whether Google’s use of 11,500 lines of programming code infringed on Oracle’s copyright or if Google’s use of the code was “fair  use” under US copyright law.

To establish whether Google’s employment of the Java API did, in fact, constitute “fair use” the Court examined the four factors set forth in the Copyright Act’s fair use provision: 1) the purpose and character of the use; 2) the nature of the copyrighted work; 3) the amount and substantiality of the portion used in relation to the copyrighted work as a whole; and 4) the effect of the potential market value of the copyrighted work.

Justice Breyer, writing for the majority, began his assessment with the second factor, holding the nature of the copyrighted work favored a finding of fair use. The Court differentiated between the copied Java API “declaring code” and Google’s “implementing code” explaining the former is more “utilitarian” in nature, and is inherently bound together with the latter’s more “creative” counterpart, suggesting that the Java API code, standing alone, was not at the “core” of copyright protection.

The Court then determined Google’s “purpose and character” of the use was “transformative”, noting Google used the code to create an operating system for a different platform and computing environment. Thus, Google’s use of the code was “consistent with the creative process.” The Court also found the third prong, the amount and substantiality of the use, weighed in Google’s favor, noting the 11,500 lines Google copied were less than one percent of the code in the entire API.

Turning to the fourth factor, the Court determined Google’s Android smartphone platform did not replace Java and did not usurp its place in the market. Furthermore, Oracle would benefit from the reimplementation of their code into the market. The Court noted  Oracle “was poorly positioned to succeed in the mobile phone market” and Google’s Android platform differed from Oracle’s: “Google’s Android platform was part of a distinct (and more advanced) market than Java software.”

In sum, the Court concluded that Google took “only what was needed” to allow their programmers to “put their accrued talents to work in a new and transformative program” thus, Google’s copying of Java API code was fair use of that material as a matter of law.

For more information on this topic, please contact Kirsten Patzer at [email protected].

Client Update – MS Exchange Server Mass-Hack

Posted on: April 28th, 2021

By: John Ghose

In March 2021, government and private sector sources estimated that 30,000 U.S. organizations, and 100,000 organizations worldwide, were hacked by a Chinese state-sponsored group known as Hafnium.  The mass-hack exploited previously unknown “zero-day” vulnerabilities of Microsoft Exchange on-premises products as far back as January 6, 2021. (You can read more about this vulnerability in our prior post here.)  Since then, FMG’s cyber attorneys have worked on numerous MS Exchange matters and helped clients with their investigations of and responses to these incidents.  This client update provides initial reporting on what we have learned about this massive cybersecurity event.

The good news is that, from what we have seen initially, the threat actors exploiting the MS Exchange vulnerabilities have mostly probed without accessing or exfiltrating data. There are exceptions, of course, but in most cases our forensic partners have found China Chopper web shells – malicious interfaces that enable remote access and control to a web server – installed on affected systems, but have not found correlating system activities indicating access to or acquisition of data.  A likely explanation for this result is that the state-sponsored hackers were checking to see if the web shells were present and accessible, but had not yet performed additional activities by the time clients responded to the vulnerability. 

That said, organizations should remain vigilant.  Cybersecurity researchers believe that, when Microsoft reported the vulnerability, with attack details and patching instructions, non-state-sponsored hackers reverse engineered the patch to discover and exploit the vulnerabilities on unpatched systems.  Indeed, several weeks after the MS Exchange vulnerability was discovered, tens of thousands of affected systems remained unpatched.  Although the FBI recently conducted an unusual operation whereby it got court approval to issue commands forcing removal of these malicious web shells, systems that remain unpatched are still vulnerable to re-installation and exploitation.  There also is a new, albeit crude, strain of ransomware – DearCry – being used to exploit the MS Exchange vulnerability, which you can read about here

Based on past experience with zero-day vulnerabilities, we believe it could be six to eight months before experts truly understand the full impact of the MS Exchange vulnerability.  In the meantime, if you need assistance with this or other cybersecurity or incident response matters, please contact one of FMG’s Data Security, Privacy & Technology attorneys.

Breaking – U.S. Supreme Court Narrowly Interprets TCPA Autodialer Definition

Posted on: April 1st, 2021

By: Matt Foree

As we have discussed previously HERE and HERE, the Supreme Court of the United States has been considering an important Telephone Consumer Protection Act (“TCPA”) case concerning the statutory definition of “automatic telephone dialing system” (“ATDS”) in the Facebook v. Duguid case.  Today, the Supreme Court issued its opinion on the matter, resolving the split among the circuit courts in favor of a narrow interpretation of the autodialer definition.  The opinion can be found HERE.

The argument in the case centered around the definition of ATDS, which has created confusion among the courts, resulting in a patchwork of inconsistent decisions throughout the country.  The TCPA defines ATDS as “equipment which has the capacity—(A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.”  Among other things, the TCPA prohibits using an ATDS to make calls to a cellular telephone without the consent of the called party. Therefore, whether an ATDS was used in making calls can be determinative of liability. 

In this case, Facebook argued that the clause “using a random or sequential number generator” modified both verbs that precede it (“store” and “produce”), while Duguid argued that it modifies only the closest one (“produce”).  After analyzing the issue under conventional rules of grammar, the Supreme Court unanimously concluded “that the clause modifies both, specifying how the equipment must either ‘store’ or ‘produce’ telephone numbers.”  Accordingly, it determined that the ATDS definition requires that “in all cases, whether storing or producing numbers to be called, the equipment in question must use a random or sequential number generator.”  As a consequence, it determined that Facebook’s notification system at issue was not an autodialer because it neither stored nor produced numbers “using a random or sequential number generator.”  

The narrow interpretation of the ATDS definition has significant implications for TCPA litigation.  It is a major win for TCPA defendants.  The practical effect of the decision is a limitation of the type of equipment that will qualify as an autodialer, which will mean fewer lawsuits.  Others will argue that this will result in an increase in robocalls.  It may ultimately mean that it is time for Congress to amend this 1991 statute to bring it into the present.  In the meantime, we are actively monitoring these and other TCPA developments. 

For more information on this topic, please contact Matt Foree at [email protected].

NYSDFS’s Cyber Insurance Risk Framework Responds to the “Urgent Challenge” of Managing Cyber Risk

Posted on: March 16th, 2021

By: Curt Graham

New York’s Department of Financial Services (“DFS”) recently issued its Cyber Insurance Risk Framework which details seven best practices for managing cyber insurance risk. The Framework can be found here. One of the primary drivers for this guidance is the rise in the frequency of ransomware attacks, with the global cost of ransomware estimated to be $20 billion in 2020 alone.

The DFS joins the Office of Foreign Assets Control (“OFAC”) in recommending against making ransom payments in the event of a ransomware attack. Several justifications are offered for this recommendation. First, there is no guarantee that a victim will regain access to their data even if the ransom is paid. Second, ransom payments will almost certainly be used to fund more sophisticated attacks. Third, carriers and their policyholders risk violating OFAC sanctions if a ransom is paid.

The DFS’s bulletin also points out various deficiencies in the way cyber risk is currently assessed and priced by the insurance industry. In response, the DFS’s Framework identifies seven practices that all authorized property and casualty insurers writing cyber insurance should utilize. These include establishing a formal cyber insurance risk strategy, managing and eliminating exposure to silent cyber insurance risk, evaluating systematic risk, rigorously measuring insured risk, educating insureds and insurance producers, obtaining cybersecurity expertise, and requiring notice to law enforcement. Additional details relating to each practice can be found in the link above.

This Framework applies to all carriers writing insurance in New York. But its reach is far greater, as the DFS’s regulations also require regulated insurers to vet the cyber readiness of their vendors who may be located outside of New York. Given the vast reach of these regulations, any entity doing business with a DFS-regulated entity is well served by keeping an eye on DFS guidance such as the Cyber Insurance Risk Framework.

If you have questions or would like more information, please contact Curt Graham at [email protected].