Fourth Circuit Revives Wikimedia NSA Case

Yesterday the Fourth Circuit reinstated a case brought by the Wikimedia Foundation concerning the National Security Agency’s bulk “Upstream” surveillance program.  Under the Upstream program, the NSA collects traffic on the U.S. Internet backbone.  The Government claims that this collection is targeted to specific queries relating to terror investigations and other intelligence matters.  As a result, the Government claimed, it is unlikely that any communications involving Wikimedia were reviewed by the NSA as part of the Upstream program, and therefore Wikimedia lacks standing to assert its claims.  The district court, relying on Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), agreed and granted the Government’s motion to dismiss on the pleadings.  The Fourth Circuit reversed.

Wikimedia alleged that, because of the way packets travel over the network, the NSA necessarily must collect substantially all the international text-based communications traveling over high-capacity cables, switches and routers in the U.S.  The Government argued that this was a speculative assertion that should not be taken at face value even at the pleading stage.  However, Wikimedia also alleged that, given the enormous number of Internet communications involving Wikimedia each year — a number Wikimedia put at over one trillion — it is nearly certain that the NSA has collected and reviewed communications involving Wikimedia even if the NSA’s data collection were limited to one trunk line.  As the Complaint put it, “even if one assumes a 0.00000001% chance . . . of the NSA copying and reviewing any particular communication, the odds of the government copying and reviewing at least one of the Plaintiffs’ communications in a given one-year period would be greater than 99.9999999999%.”  Complaint, 46-47.
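The arithmetic behind the Complaint’s figure, worked out here as an added illustration (it is not text from the Complaint or the Opinion).  It assumes that each of the n communications is copied independently with the same probability p; the 99.9999999999% figure follows only under that assumption.  With p = 10^{-10} (that is, 0.00000001%) and n = 10^{12} communications per year:

\[
P(\text{at least one copied}) \;=\; 1 - (1-p)^{n} \;=\; 1 - \left(1 - 10^{-10}\right)^{10^{12}} \;\approx\; 1 - e^{-np} \;=\; 1 - e^{-100} \;\approx\; 1 - 3.7 \times 10^{-44}
\]

The expected number of copied communications under the same assumptions is np = 100, so the stated threshold of 99.9999999999% (a miss probability of 10^{-12}) is exceeded by a wide margin; the contested step is not the arithmetic but the premises p and n and the independence assumption.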

The Government disputed these factual statistical assertions as well, but the Fourth Circuit found them plausible enough that the case should proceed.  The Fourth Circuit noted that “[w]e would never confuse the plausibility of this conclusion with that accorded to Newton’s laws of motion,” but noted that the standard is merely reasonable plausibility.  Opinion, at 26.  The Fourth Circuit did, however, uphold the dismissal of what it termed the “Dragnet” allegations because the Complaint did not contain specific enough factual assertions about the actual scope of the NSA’s surveillance activity.

The Fourth Circuit makes some interesting interpretive moves in this Opinion relating to how Clapper should apply in cases involving bulk surveillance claims and large Internet entities.  Wikimedia’s “statistical” argument seems dubious, and it seems that under the Fourth Circuit’s analysis any entity with a large Internet presence would have standing to challenge a surveillance program.  Perhaps that is a good policy result, but it does not seem consistent with Clapper.

The Fourth Circuit’s Opinion is below:

Facebook and Terrorism: Cohen v. Facebook and Force v. Facebook

It’s well-known that Facebook, Twitter, YouTube, and other social media platforms are used for propaganda and recruiting purposes by terrorist groups such as ISIL.  A number of Jewish groups filed lawsuits alleging that Facebook should be held civilly liable for facilitating terrorist attacks against Jews.  Two of these cases recently were dismissed by Judge Nicholas Garaufis in the U.S. District Court for the Eastern District of New York.  A copy of Judge Garaufis’ Memorandum and Order is available below.

In Cohen v. Facebook, the plaintiffs asserted negligence and civil conspiracy theories under Israeli and U.S. law.  That case was removed to federal court by Facebook.  In Force v. Facebook, the plaintiffs asserted claims under the federal “Providing Material Support to Terrorists” statute, 18 U.S.C. § 2339A, and the civil remedies provision for terrorist acts, 18 U.S.C. § 2333A, as well as for negligence and other breaches of duty under Israeli law.  Copies of the Cohen and Force Complaints are available below.

Judge Garaufis dismissed the Cohen case for lack of standing because the individual plaintiffs asserted only a threat or fear of possible future harm.  He also dismissed the Force case under the immunity provision of section 230 of the Communications Decency Act, 47 U.S.C. § 230(c)(1).  This provision states that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.”  Id.  

The Second Circuit has established a three-part test for determining whether section 230 immunity applies:  the law “shields conduct if the defendant (1) is a provider or user of an interactive computer service, (2) the claim is based on information provided by another information content provider and (3) the claim would treat [the defendant] as the publisher or speaker of that information.”  FTC v. LeadClick Media, LLC, 838 F.3d 158, 173 (2nd Cir. 2016).

The primary issue in these cases was whether the third element would be satisfied.  Here, the focus is on whether the provider exercises “a publisher’s traditional editorial functions — such as deciding whether to publish, withdraw, postpone, or alter content.”  Id. at 174.  The plaintiffs in the Force case argued that Facebook was not acting as a publisher but rather was providing content-neutral services in support of terrorist activities by Hamas.  The court rejected this argument and found the section 230 immunity applies to Facebook. Memorandum and Order, at 17-23.

The plaintiffs in the Force case also raised a creative argument:  section 230 should not apply because the terrorist acts occurred in Israel and there is a presumption against extraterritoriality.  Judge Garaufis also rejected this argument and held that the focus of section 230 is to limit civil liability of internet service providers and that the relevant events relating to such liability involve the location of the speaker.  Since Facebook is a U.S. corporation, Judge Garaufis held that section 230 did not require extraterritorial application in this case even though the terrorist acts happened in Israel.  Memorandum and Order, at 23-27.

Judge Garaufis’ interpretation of section 230, including the question of extraterritoriality raised by this case, seems correct.  Section 230, however, was a legislative solution to Internet publisher liability in a simpler age, before the explosion of social media platforms and their cooptation by terrorists.  There may be good policy arguments today for imposing some legal duties on social media sites to screen for materials that incite violence and terrorism.

Cohen and Force Opinion

Cohen Complaint

Force Complaint

WannaCry Ransomware and Legal Fault

The WannaCry Ransomware attack has spread throughout the world over the past week.  Fingers are pointing at Microsoft for the vulnerability in earlier versions of Windows, at the NSA for creating the leaked exploit, and at North Korea for allegedly perpetrating the attack.  There is blame to go around, but if we were to assess comparative fault the victim is also substantially to blame, for at least two reasons, one obvious and one less obvious:

First, the obvious reason:  the attack affected older versions of Windows, including Windows XP, which has not been supported by Microsoft since 2014.  However frustrating Microsoft’s update and support cycle might seem, and whatever transaction and opportunity costs are involved in switching an organization to a newer OS, it is negligent to continue using an outdated, unpatchable OS.

Second, the less obvious reason:  the attack exploited Port 445, a networking port used by those older versions of Windows for peer-to-peer connections with printers and the like.  A basic component of any cybersecurity compliance program — in addition to using updated, patched software — is to conduct regular port audit scans and to configure firewalls to block unnecessary ports.  Given the low cost of this kind of precaution, failure to conduct port audits is almost certainly negligence.
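One way to carry out the port audit the paragraph recommends, as an added example that is not from the original post.  It assumes a Windows host with the built-in NetTCPIP and NetSecurity modules (Windows 8 / Server 2012 or later); the allow-list of approved ports is a constructed placeholder to be replaced with the host’s actual role.

```powershell
# Added example (not from the original post): a minimal port audit for one Windows host.
# It lists every TCP port in the Listen state, compares the list with an allow-list the
# administrator maintains, reports unapproved listeners with their owning process, and then
# checks whether the host firewall already blocks inbound TCP 445 (the SMB port WannaCry used).

# Hypothetical allow-list: on this host only RDP and HTTPS are sanctioned services.
$ApprovedPorts = @(3389, 443)

# All TCP ports currently listening, de-duplicated (IPv4 and IPv6 listeners share a port number)
$Listening = Get-NetTCPConnection -State Listen |
    Select-Object -ExpandProperty LocalPort -Unique |
    Sort-Object

$Unexpected = $Listening | Where-Object { $ApprovedPorts -notcontains $_ }

foreach ($Port in $Unexpected) {
    # Identify the process behind the listener so the finding can be triaged
    $OwnerPid = Get-NetTCPConnection -State Listen -LocalPort $Port |
        Select-Object -First 1 -ExpandProperty OwningProcess
    $Name = (Get-Process -Id $OwnerPid -ErrorAction SilentlyContinue).ProcessName
    Write-Output ("Unapproved listener: TCP {0} (process {1}, PID {2})" -f $Port, $Name, $OwnerPid)
}

# Is there an enabled inbound rule that blocks TCP 445 on this host?
$Block445 = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '445' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }

if (-not $Block445) {
    Write-Output "No enabled inbound block rule for TCP 445 found."
    # Remediation for a host that has no business serving SMB to the network:
    # New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
    #     -Protocol TCP -LocalPort 445 -Action Block -Profile Any
} else {
    Write-Output ("Inbound TCP 445 is blocked by rule(s): {0}" -f (($Block445.DisplayName) -join ', '))
}
```

Run from an elevated PowerShell session; the remediation line is left commented so the audit itself makes no changes to the host.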

 

Trump Cybersecurity Executive Order

President Trump Signing an Earlier Executive Order (Img Src = ZDNet)

President Trump signed today a long-awaited Executive Order on Cybersecurity.  I think it is mostly a non-event.  There are some helpful provisions, including a requirement that government agencies implement the NIST Framework.  Otherwise, it requires a series of executive reports on cybersecurity preparedness, generally within 90 days of the Order.  As others have noted, those reports are likely to show that government cybersecurity is significantly lacking because of outdated infrastructure.  The real test will come when changes must be implemented and government cyber infrastructure moves towards a more centralized cloud-based model.

The text of the Order is below.

DTSA Statistics

Introduction

Trade secrets are important to cybersecurity because many data breaches involve trade secret theft.  The Defend Trade Secrets Act of 2016 (DTSA) amended the Espionage Act of 1996 to provide a federal private right of action for trade secret misappropriation.   Some commentators opposed the DTSA in part because it seems redundant in light of state trade secret law and could lead to unnecessary litigation and restrictions on innovation.  Now that the DTSA has been in effect for nearly a year, I conducted an empirical study of cases asserting DTSA claims (with the able help of my research assistant, Zach Hansen).  This post summarizes the results of that study.

Methodology

We ran keyword searches in the Bloomberg Law federal docket database to identify cases asserting DTSA claims in federal courts.  It is not possible to search only on the Civil Cover Sheet because there is no discrete code for DTSA claims.  Our search ran from the effective date of the DTSA (May 26, 2016) through April 21, 2017 (just prior to our symposium on the DTSA at Seton Hall Law School).  After de-duping, we identified 280 unique Complaints, which we coded for a variety of descriptive information.  Our raw data is available online.

Findings

This chart shows the number of filings by district:

We were not surprised to see that the Northern and Central Districts of California, the Southern District of New York, and the District of Massachusetts were among the top five.  We were surprised, however, to see the Northern District of Illinois tied for first.  This could reflect the influence of the financial services industry in Chicago, but further research is required.

The next chart shows the number of filings by month:

It is interesting to note the decline in filings following the initial uptick after the May 26, 2016 effective date.  Perhaps this reflects a slight lull during the summer months.  Filings then remained relatively steady until March 2017, when they increased significantly.  This could have something to do with the quarterly business cycle or bonus season, since many of the cases (as discussed below) involve employment issues.  Or, it could reflect a random variation given the relatively small sample size.

We next examined other claims filed along with the DTSA counts in these Complaints:

We excluded from this chart related state law trade secret claims.  Not surprisingly, nearly all the cases included claims for breach of contract.  As noted above, trade secret claims often arise in the employment context in connection with allegations of breach of a confidentiality agreement or covenant not to compete.  Another finding of note was that a fair number of cases assert Computer Fraud and Abuse Act claims, although the number is not as high as expected.  Most trade secret cases today involve exfiltration of electronic information, but perhaps many cases do not involve hacking or other access techniques that could run afoul of the CFAA.

We also noted a smaller but not insignificant number of cases asserting other intellectual property claims, including trademark, copyright and patent infringement.  Since many documents taken in alleged trade secret thefts are subject to other forms of intellectual property — particularly copyright — this may show that some lawyers are catching on to the benefit of asserting such claims along with DTSA claims.

Finally, our review of case status revealed the following:

  • 198 cases in various pre-trial stages
  • 61 cases dismissed
  • 5 preliminary injunctions
  • 4 final judgments, including 2 permanent injunctions
  • 3 default judgments
  • 1 case sent to compulsory arbitration
  • 8 undetermined / miscellaneous

At first blush, the number of cases dismissed seems high, given that none of the cases have been pending for more than a year.  We assume the vast majority of these cases settled, though further investigation is required.  In contrast, the number of preliminary injunctions granted seems very low.  Again, further investigation is required, but so far it does not seem that the DTSA is resulting in the kind of preliminary injunction practice we expected to see under a federal trade secret statute.

Why Education and Training Matter to Cybersecurity Compliance

Cybersecurity is an overwhelming problem – so overwhelming that it seems impossible to address.  From the legal and compliance perspective, the problem is compounded by a lack of clear regulatory rules or judicial precedent about what kinds of measures might be sufficient to mitigate the risk of liability for a data breach or other cybersecurity incident.  One important step every business can take, however, is to implement a cybersecurity compliance training program.

Training as a Component of Legal Compliance

The “gold standard” for managing cybersecurity risk is the NIST Cybersecurity Framework.  The NIST Framework identifies four “tiers” of cybersecurity compliance, with Tier 1 representing the lowest degree of compliance and Tier 4 the highest.  A principal driver of how an organization can move up from Tier 1 through Tier 4 is organizational knowledge.  In Tier 1, according to the Framework,

There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.

Id. at 10.  In contrast, at Tier 4,

There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.

Id. at 11.  In order to move up through the Tiers, an organization must ensure that “[a]pplicable information from organizational privacy policies is included in cybersecurity workforce training and awareness activities.”  Id. at 16.

The FTC also emphasizes the importance of cybersecurity training.  In the Opinion of the Commission in In the Matter of LabMD, Inc., FTC Docket No. 9357 (July 29, 2016), the Commission found that

LabMD did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring software, or penetration testing. It also failed to monitor traffic coming across its firewalls. In addition, LabMD failed to provide its employees with data security training. And it failed to adequately limit or monitor employees’ access to patients’ sensitive information or restrict employee downloads to safeguard the network.

Id. at 11-12 (emphasis in original).  Concerning training, the FTC noted, “[e]ven where basic hardware and software data security mechanisms are in place, there is an increased likelihood of exposing consumers’ personal information if employees are not adequately trained.”  Id. at 14.  The Eleventh Circuit recently stayed the FTC’s Order in LabMD over concerns about the Commission’s statutory authority over general cybersecurity issues.  See LabMD v. Federal Trade Commission, No. 16-16270-D, Slip Op. (11th Cir. Nov. 11, 2016).  Meanwhile, the FTC continues aggressively to pursue cybersecurity enforcement actions.  However the Eleventh Circuit litigation turns out, the FTC’s emphasis on cybersecurity training will continue to inform standards of legal liability, both before the FTC and other authorities.

The emphasis on training is also evident in the recently proposed New York State Department of Financial Services Cybersecurity Regulations.  See New York State Department of Financial Services Proposed 23 NYCRR 500 (Dec. 28, 2016).  The NYDFS regulations created national headlines because they will cover a wide array of entities, including most of the U.S. and multinational banking sector, with any connection to financial service business in New York.  The regulations state that every covered organization must “provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks” and “verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.”  Id., § 500.10.  The proposed NYDFS Regulation further states that all covered entities must “provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.”  Id., § 500.14.

The NIST, FTC, and NYDFS sources cited above are only a few recent prominent examples of why cybersecurity training is important.  The importance of adequate cybersecurity training will continue to resonate through statutory, regulatory and case law developments concerning cybersecurity liability for many years to come.

Training About What, For Whom, By Whom?

This discussion of “training” raises the obvious question of what kind of content the training should include, who should receive training, and who should perform the training.  There is no one-size-fits-all answer to these questions.  Obviously, Information Technology and Security professionals will need highly specialized technical training, which may come in the form of advanced degrees or industry certifications in the details of network configuration, digital forensics and the like.  But perhaps less obviously, all members of the organization, from the C-Suite to operations to sales, should receive cybersecurity training appropriate to their functions.

General cybersecurity training should cover concepts such as organizational risks from cyber threats, basic principles of cyber risk measurement, common types of cyber attacks, good cyber hygiene, procedures for reporting cybersecurity incidents, and awareness of the organization’s legal and regulatory environment relating to cybersecurity risks.  The LabMD case supplies one cautionary tale about how training could have helped:  the breach in that case resulted from LabMD’s billing manager using Peer-to-Peer software to download music while at work, and the resulting costs of the FTC action helped bankrupt the company.  See LabMD v. Federal Trade Commission, No. 16-16270-D, Slip Op. (11th Cir. Nov. 11, 2016) (noting that “[t]he costs of complying with the FTC’s Order would cause LabMD irreparable harm in light of its current financial situation.”).  Perhaps if that billing manager had known about the enormous vulnerabilities presented by P2P software she would not have used it at work and the company would still be in business.  Another good example relates to a common kind of “social engineering” attack.  Cyber criminals sometimes leave USB memory sticks containing malware in open areas such as parking lots and reception areas.  Employees who find these “lost” memory sticks are often compelled by curiosity to plug them in – after all, perhaps they contain racy photos from the boss’s party last weekend, or secret documents worth millions! – but once plugged in they unleash havoc on the company network.  A good training program will highlight this kind of risk and will connect the risk to a compliance program that provides clear procedures for the handling and disposal of orphaned USB sticks.

The final question is who should perform the training.  The first requirement, of course, is that the trainers are thoroughly knowledgeable about cybersecurity risks, compliance procedures, and the organization’s legal and regulatory environment.  Technical professionals need technical training, but for most people in an organization, the training required is more policy oriented.  This means that not only IT, but also the organization’s risk management, human resources, and legal functions should become involved in crafting and delivering the training.  Since cybersecurity training should be connected to an organization’s comprehensive cybersecurity policy, and since a proper cybersecurity policy should flow from the Board of Directors, inside and/or outside counsel should play a key role in this process.  Legal counsel can ensure that the organization’s cybersecurity program is consistent with the organization’s legal and regulatory environment, and can also, if appropriate, seek to protect elements of the program within the attorney-client and work product privileges in the event of an investigation or dispute.

Conclusion

Cybersecurity risks cannot be ignored.  This is true not only as a practical matter, but also as a legal and compliance issue.  The need for cybersecurity training at all levels of an organization is embedded in the emerging regulatory consensus about what is required to satisfy an organization’s basic legal obligations.  Legal counsel can play an important role in helping shape and deliver an organization’s cybersecurity training program.

Presentation on Cybersecurity and the Economic Loss Doctrine

Here are the slides for my presentation on cybersecurity and the economic loss doctrine at the NJICLE 2016 Cybersecurity Conference.

LabMD Enforcement Stayed

The FTC’s enforcement action against LabMD has been stayed in an unusual grant of emergent relief by the Eleventh Circuit.  The FTC’s Opinion in LabMD essentially established a negligence balancing test for cybersecurity compliance.  A negligence balancing test requires a rough evaluation of the burden of avoiding a risk (B) compared to the product of the probability of loss (P) and the extent of loss (L):  B >< PL.  Such a test is incredibly difficult to apply in the cybersecurity context because the probability of loss is close to 1, the potential loss is enormous, and the burden of taking adequate precautions to prevent loss is also potentially enormous.

A big part of the problem in applying this calculus is the definition of “loss” or “harm.”  In LabMD, the FTC found that the mere unauthorized disclosure of a file containing personal information is a harm and that reputational or emotional harm to affected consumers, apart from any showing of financial loss, is a kind of substantial injury that must be considered.  In the tort context, recovery for emotional harm without related personal injury or property damage is difficult and controversial, and is usually handled under theories of intentional or negligent infliction of emotional distress.  Recovery for reputational damage is perhaps even more difficult and controversial, because such claims usually arise under the law of defamation, which involves First Amendment concerns, or a cause of action such as “public disclosure of private facts,” which requires an act of “publication” by the defendant.

The relevant section of the FTC Act in evaluating the LabMD standard is section 45(n):

The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.

The Eleventh Circuit found that the FTC Act likely does not provide remedies for intangible harms and that the phrase “likely to cause” in section 45(n) means something more than a low probability of occurrence.  Opinion, at 9-10.  The Eleventh Circuit’s Opinion is a bit unclear on this point, but I think the court is getting at the heart of how a negligence balancing test is applied.  The “P” in B >< PL will be something between 0 and 1.  As long as it is above 0, there could be a duty of care depending on the values of B and L.  The Eleventh Circuit seems to think “P” has to pass a certain threshold before the FTC’s statutory authority is triggered.  Opinion, at 10 (stating “we do not read the word ‘likely’ [in section 45(n)] to include something that has a low likelihood.”).

I’m sympathetic to the Eleventh Circuit’s concerns about whether the FTC should be in the business of creating a new negligence standard for cybersecurity enforcement.  Focusing on the “P,” however, is not the best approach because the probability of some loss from cybersecurity incidents for any business today is 1 or close to 1.  As we often say in the cybersecurity business, it’s not if you’ll get hacked, it’s when.  A more important statutory question, it seems to me, is whether mere “reputational” or “emotional” privacy harms are the kind of “substantial injury to consumers” Congress originally tasked the FTC with redressing.