Why Education and Training Matter to Cybersecurity Compliance

Cybersecurity is an overwhelming problem – so overwhelming that it seems impossible to address.  From the legal and compliance perspective, the problem is compounded by a lack of clear regulatory rules or judicial precedent about what kinds of measures might be sufficient to mitigate the risk of liability for a data breach or other cybersecurity incident.  One important step every business can take, however, is to implement a cybersecurity compliance training program.

Training as a Component of Legal Compliance

The “gold standard” for managing cybersecurity risk is the NIST Cybersecurity Framework.  The NIST Framework identifies four “tiers” of cybersecurity compliance, with Tier 1 representing the lowest degree of compliance and Tier 4 the highest.  A principal driver of how an organization can move up from Tier 1 through Tier 4 is organizational knowledge.  In Tier 1, according to the Framework,

There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.

Id. at 10.  In contrast, at Tier 4,

There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.

Id. at 11.  In order to move up through the Tiers, an organization must ensure that “[a]pplicable information from organizational privacy policies is included in cybersecurity workforce training and awareness activities.”  Id. at 16.

The FTC also emphasizes the importance of cybersecurity training.  In the Opinion of the Commission in In the Matter of LabMD, Inc., FTC Docket No. 9357 (July 29, 2016), the Commission found that

LabMD did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software, or penetration testing. It also failed to monitor traffic coming across its firewalls. In addition, LabMD failed to provide its employees with data security training. And it failed to adequately limit or monitor employees’ access to patients’ sensitive information or restrict employee downloads to safeguard the network.

Id. at 11-12 (emphasis in original).  Concerning training, the FTC noted, “[e]ven where basic hardware and software data security mechanisms are in place, there is an increased likelihood of exposing consumers’ personal information if employees are not adequately trained.”  Id. at 14.  The Eleventh Circuit recently stayed the FTC’s Order in LabMD over concerns about the Commission’s statutory authority over general cybersecurity issues.  See LabMD v. Federal Trade Commission, No. 16-16270-D, Slip Op. (11th Cir. Nov. 11, 2016).  Meanwhile, the FTC continues aggressively to pursue cybersecurity enforcement actions.  However the Eleventh Circuit litigation turns out, the FTC’s emphasis on cybersecurity training will continue to inform standards of legal liability, both before the FTC and other authorities.

The emphasis on training is also evident in the recently proposed New York State Department of Financial Services Cybersecurity Regulations.  See New York State Department of Financial Services Proposed 23 NYCRR 500 (Dec. 28, 2016).  The NYDFS regulations created national headlines because they will cover a wide array of entities, including most of the U.S. and multinational banking sector, with any connection to financial service business in New York.  The regulations state that every covered organization must “provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks” and “verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.”  Id., § 500.10.  The proposed NYDFS Regulation further states that all covered entities must “provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”  Id., § 500.14.

The NIST, FTC, and NYDFS sources cited above are only a few recent prominent examples of why cybersecurity training is important.  The importance of adequate cybersecurity training will continue to resonate through statutory, regulatory and case law developments concerning cybersecurity liability for many years to come.

Training About What, For Whom, By Whom?

This discussion of “training” raises the obvious question of what kind of content the training should include, who should receive training, and who should perform the training.  There is no one-size-fits-all answer to these questions.  Obviously, Information Technology and Security professionals will need highly specialized technical training, which may come in the form of advanced degrees or industry certifications in the details of network configuration, digital forensics and the like.  But perhaps less obviously, all members of the organization, from the C-Suite to operations to sales, should receive cybersecurity training appropriate to their functions.

General cybersecurity training should cover concepts such as organizational risks from cyber threats, basic principles of cyber risk measurement, common types of cyber attacks, good cyber hygiene, procedures for reporting cybersecurity incidents, and awareness of the organization’s legal and regulatory environment relating to cybersecurity risks.  The LabMD case supplies one cautionary tale about how training could have helped:  the breach in that case resulted from LabMD’s billing manager using Peer-to-Peer software to download music while at work, and the resulting costs of the FTC action helped bankrupt the company.  See LabMD v. Federal Trade Commission, No. 16-16270-D, Slip Op. (11th Cir. Nov. 11, 2016) (noting that “[t]he costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation.”).  Perhaps if that billing manager had known about the enormous vulnerabilities presented by P2P software she would not have used it at work and the company would still be in business.  Another good example relates to a common kind of “social engineering” attack.  Cyber criminals sometimes leave USB memory sticks containing malware in open areas such as parking lots and reception areas.  Employees who find these “lost” memory sticks are often compelled by curiosity to plug them in – after all, perhaps they contain racy photos from the boss’s party last weekend, or secret documents worth millions! – but once plugged in they unleash havoc on the company network.  A good training program will highlight this kind of risk and will connect the risk to a compliance program that provides clear procedures for the handling and disposal of orphaned USB sticks.

The final question is who should perform the training.  The first requirement, of course, is that the trainers are thoroughly knowledgeable about cybersecurity risks, compliance procedures, and the organization’s legal and regulatory environment.  Technical professionals need technical training, but for most people in an organization, the training required is more policy oriented.  This means that not only IT, but also the organization’s risk management, human resources, and legal functions should become involved in crafting and delivering the training.  Since cybersecurity training should be connected to an organization’s comprehensive cybersecurity policy, and since a proper cybersecurity policy should flow from the Board of Directors, inside and/or outside counsel should play a key role in this process.  Legal counsel can ensure that the organization’s cybersecurity program is consistent with the organization’s legal and regulatory environment, and can also, if appropriate, seek to protect elements of the program within the attorney-client and work product privileges in the event of an investigation or dispute.

Conclusion

Cybersecurity risks cannot be ignored.  This is true not only as a practical matter, but also as a legal and compliance issue.  The need for cybersecurity training at all levels of an organization is embedded in the emerging regulatory consensus about what is required to satisfy an organization’s basic legal obligations.  Legal counsel can play an important role in helping shape and deliver an organization’s cybersecurity training program.

Presentation on Cybersecurity and the Economic Loss Doctrine

Here are the slides for my presentation on cybersecurity and the economic loss doctrine at the NJICLE 2016 Cybersecurity Conference.

LabMD Enforcement Stayed

The FTC’s enforcement action against LabMD has been stayed in an unusual grant of emergent relief by the Eleventh Circuit.  The FTC’s Opinion in LabMD essentially established a negligence balancing test for cybersecurity compliance.  A negligence balancing test requires a rough evaluation of the burden of avoiding a risk (B) compared to the probability of loss (P) and extent of loss (L):  B >< PL.  Such a test is incredibly difficult to apply in the cybersecurity context because the probability of loss is close to 1, the potential loss is enormous, and the burden of taking adequate precautions to prevent loss is also potentially enormous.

A big part of the problem in applying this calculus is the definition of “loss” or “harm.”  In LabMD, the FTC found that the mere unauthorized disclosure of a file containing personal information is a harm and that reputational or emotional harm to affected consumers, apart from any showing of financial loss, is a kind of substantial injury that must be considered.  In the tort context, recovery for emotional harm without related personal injury or property damage is difficult and controversial, and is usually handled under theories of intentional or negligent infliction of emotional distress.  Recovery for reputational damage is perhaps even more difficult and controversial, because such claims usually arise under the law of defamation, which involves first amendment concerns, or a cause of action such as “public disclosure of private facts,” which requires an act of “publication” by the defendant.

The relevant section of the FTC Act in evaluating the LabMD standard is section 45(n):

The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.

The Eleventh Circuit found that the FTC Act likely does not provide remedies for intangible harms and that the phrase “likely to cause” in section 45(n) means something more than a low probability of occurrence.  Opinion, at 9-10.  The Eleventh Circuit’s Opinion is a bit unclear on this point, but I think the court is getting at the heart of how a negligence balancing test is applied.  The “P” in B >< PL will be something between 0 and 1.  As long as it is above 0, there could be a duty of care depending on the values of B and L.  The Eleventh Circuit seems to think “P” has to pass a certain threshold before the FTC’s statutory authority is triggered.  Opinion, at 10 (stating “we do not read the word ‘likely’ [in section 45(n)] to include something that has a low likelihood.”).

I’m sympathetic to the Eleventh Circuit’s concerns about whether the FTC should be in the business of creating a new negligence standard for cybersecurity enforcement.  Focusing on the “P,” however, is not the best approach because the probability of some loss from cybersecurity incidents for any business today is 1 or close to 1.  As we often say in the cybersecurity business, it’s not if you’ll get hacked, it’s when.  A more important statutory question, it seems to me, is whether mere “reputational” or “emotional” privacy harms are the kind of “substantial injury to consumers” Congress originally tasked the FTC with redressing.

FTC Data Breach Response Guide

The FTC has issued a new data breach response guide for businesses.  There is a good amount of useful information in the guide, particularly in the steps to take immediately upon learning of a data breach.  In particular, the steps to secure affected operations are important, including assembling a forensic and legal team, securing physical spaces, and taking equipment offline without destroying data that might provide clues about the origin of the breach.  I’m a bit less certain about the guide’s “Model Letter” for breach notification to customers.  A model might be helpful, but as the guide notes, there are varying state breach reporting requirements, so the model form will need tailoring for specific jurisdictions.

Perhaps the most interesting aspect of the guide, however, is what it suggests about the FTC’s enforcement intentions and how the FTC views the standard of care for responding to a breach.  A guide such as this one provides an indication of what kind of response the FTC might deem inadequate and therefore potentially subject to an enforcement action, not only for the circumstances leading up to the breach, but also for a poorly executed response.

The FTC, Ransomware, and You

“Ransomware” is malicious software that enables attackers to hold computer data or a computer network hostage until a ransom is paid.  Ransomware often encrypts all the files on a system, making them unusable until the attacker supplies the decryption key.  An FBI Alert issued last week stated that ransomware infections are at an “all-time high.”  According to the FBI Alert, just one recent strain of ransomware infected about 100,000 computers per day.  Id.  Commenting on the Alert, security expert Brian Krebs said “[w]hat we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.”

The ransomware threat is troubling from the perspective of business continuity, lost productivity, lost data, and possible ransom payment costs.  The threat is also troubling from a legal perspective because in public comments earlier this month, FTC Chairwoman Edith Ramirez suggested that failure to address vulnerabilities that could be exploited by ransomware can comprise an FTC Act violation.  This means companies now face two kinds of liabilities from ransomware:  business costs, and civil liability to the FTC and perhaps private litigants.

The Federal Trade Commission has no specific statutory mandate over cybersecurity compliance.  Nevertheless, the FTC has made cybersecurity enforcement central to its institutional mission.  Legal challenges to the FTC’s authority over cybersecurity so far have failed.  In FTC v. Wyndham Worldwide, 799 F.3d 236 (3rd Cir. 2015), for example, the Third Circuit held the FTC’s statutory mandate under the Federal Trade Commission Act, 16 U.S.C. § 45(a), to prevent “unfair methods of competition in commerce” encompasses cybersecurity policies and requirements relating to a company’s customer data.  And the FTC recently concluded that the FTC Act’s general balancing test for determining if an act or practice is “unfair” applies to cybersecurity issues.  See In the Matter of LabMD, Docket No. 9257, Opinion of the Commission (July 29, 2016).

These risks are particularly difficult to manage because of the FTC Act’s standard of liability and the nature of ransomware.  Under Section 5(2) of the FTC Act, an act or practice is “unfair” only if

(1) it “causes or is likely to cause substantial injury to consumers;”

(2) the injury “is not reasonably avoidable by consumers themselves”; and

(3) the injury is “not outweighed by countervailing benefits to consumers or competition.”

In the Matter of LabMD, at 9 (quoting 15 U.S.C. § 45(n)).  In LabMD, the Commission stated that “’[t]he touchstone of the Commission’s approach to data security is reasonableness.’”  Id. at 11 (quoting Commission Statement Marking the FTC’s 50th Data Security Settlement, at 1 (Jan. 31, 2014)).  While a “reasonableness” standard sounds reasonable, the statutory test essentially encodes a kind of “negligence balancing test” in which “reasonableness” is measured by the risk and probability of harm in comparison to the burden of taking precautions.  Most of us will remember – with varying degrees of fondness – this test from Judge Learned Hand’s famous opinion in U.S. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947):  B >< PL.

The problem with this kind of test in relation to cybersecurity is that the probability of some loss is very high and the scope of the loss could be enormous.  This means just about any kind of precaution could be considered reasonable.  Indeed, in LabMD, the Commission found that LabMD “did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring, or penetration testing.”  In the Matter of LabMD, at 11.   “Penetration testing,” which involves employing “white hat” hackers to probe a network for vulnerabilities, can be a valuable part of a cybersecurity hygiene program, but it is a stretch to suggest that penetration testing should always be employed by every entity on every kind of network.  See SANS Institute InfoSec Reading Room, Penetration Testing:  Assessing Your Overall Security Risks Before Attackers Do (June 2006).

The U.S. Department of Justice has published an interagency technical guidance document on protecting networks from ransomware that could serve as a useful rough measure of reasonable care.  According to the Justice Department guide, preventive measures against ransomware should include a number of specific technological measures together with an “awareness and training program.”  Id. at 3-4.  The guide notes that “[b]ecause end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.”  Id. at 3.  The DOJ’s guide also includes lists of instructions for business continuity and for incident response if infected with ransomware.  See id. at 4-5.

The growth in ransomware and other cybersecurity threats and the FTC’s aggressive enforcement posture suggest that companies should carefully consider their preparations for ransomware and other malware attacks in conjunction with legal counsel.  And even with what seem like reasonable preparations, companies of every size must prepare for an adverse incident.  In this regard, the following DOJ recommendation for incident response is particularly noteworthy:

Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance

Id. at 5 (emphasis in original).

Contacting the FBI or Secret Service might be a good idea, because ransomware attackers often are connected to foreign criminal syndicates and might even help finance terrorism.  However, companies should keep in mind the FTC’s commitment to enforcing its broad unfairness standard against companies suffering from ransomware attacks.  In addition, companies sometimes decide to pay the ransom quietly in order to regain access to their data.  Brian Krebs, for example, describes an incident in which a company’s finance department “didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, . . . the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.” Once the government is involved, a quiet ransom payment might not be possible – if it is even considered lawful under the circumstances.  Any investigation of the incident, and particularly any coordination with the FBI, should involve legal counsel to protect privilege and limit liability as much as possible.

Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.”  The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2nd Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq.  The SCA was enacted in 1986.  Microsoft Corp., 2016 WL 3770056 at *6.  The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication.  See id. at 7.  The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause.  See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)).  For content information, the government must obtain a warrant on probable cause or, under some circumstances, under a court order with notice to the subscriber.  See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)).  When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.”  See id. (citing 18 U.S.C. §2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland.  Outlook is part of Microsoft’s “’enterprise cloud service offerings.’”  See id. at *2.  Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries.  See id.  The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network.  Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer.  Id. 

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect.  Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S.  See id. at *3.  The Magistrate denied the motion to quash, and the District Court affirmed.  Id. at 4.  The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990.  Id.  The SCA therefore was adopted in a very different technological context than today’s networked world.  In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago.  The court noted that there is a presumption against extraterritorial application of statutes.  Id. at *9.  Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA.  Id. at *11-12.  Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant.  Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment.  Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.”  Id. at *19.  Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S.  Id. at *20.  He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement.  Id.  Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “’records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.”  Id. at 21.  Nevertheless, Judge Lynch felt bound to agree with the court’s statutory interpretation in light of the presumption against extraterritoriality.  Id.  He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S.  Id. at 26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer.  See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016.  In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”  Id., Complaint for Declaratory Judgment, ¶¶ 2-3.  For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments.  But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention.  This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.


Internet Law and Governance: Some Materials

I’m teaching a module on Internet Law and Governance at Seton Hall Law School again this semester.  Here is some of the introductory material for this week, including a video lecture I created:

For our first class, we will discuss some basic principles of Internet “governance.”  I put “governance” in quotes here because, as you will see, there is no single source of legal norms for the Internet.  Much of the “law” of the Internet is what we call “soft law” — that is, a relatively loose collection of principles and standards held together mostly by contractual relationships.

My experience teaching this material to law students over the past few years has shown that it can be a bit frustrating for you to get a handle on what you are supposed to be learning.  By now, you are used to areas of law governed by a somewhat coherent set of Constitutional, common law, and/or statutory and regulatory principles, from which you can derive legal tests for liability or compliance that can be applied by courts.  That is not, usually, how Internet governance works.  Internet governance is fuzzy.  If you continue on and take any of the other modules in our “Cybersecurity” or “New Media” sequence, however, you’ll see that having a sense of the contours of this fuzziness is important to the more specific legal issues arising from things like copyright in YouTube videos or government e-mail surveillance.  So, for now, enjoy the ride.

xDedic Marketplace

Kaspersky Lab released a report on June 15 on the “xDedic” marketplace.  According to the report,

“xDedic” is a trading platform where cybercriminals can purchase any of over 70,000 hacked servers from all around the internet. It appears to be run by a Russian-speaking group of hackers.

The report includes screenshots of the xDedic user dashboard, which includes information about the price to obtain access to the server, the server’s location and speed, and other details.


Kaspersky’s investigation suggests that the servers are first accessed through password brute-force attacks, after which a malware (Trojan) client is installed that makes the server available on the xDedic network.  Another program is also installed that uses the compromised server to mine bitcoins.  Access to some of the servers available on this marketplace can be gained for as little as $8.

This report underscores both the technological and commercial sophistication of the cybercrime underworld.