FTC Data Breach Response Guide

The FTC has issued a new data breach response guide for businesses.  There is a good amount of useful information in the guide, particularly in the steps to take immediately upon learning of a data breach.  In particular, the steps to secure affected operations are important, including assembling a forensic and legal team, securing physical spaces, and taking equipment offline without destroying data that might provide clues about the origin of the breach.  I’m a bit less certain about the guide’s “Model Letter” for breach notification to customers.  A model might be helpful, but as the guide notes, there are varying state breach reporting requirements, so the model form will need tailoring for specific jurisdictions.

Perhaps the most interesting aspect of the guide, however, is what it suggests about the FTC’s enforcement intentions and how the FTC views the standard of care for responding to a breach.  A guide such as this one provides an indication of what kind of response the FTC might deem inadequate and therefore potentially subject to an enforcement action, not only for the circumstances leading up to the breach, but also for a poorly executed response.

The FTC, Ransomware, and You

“Ransomware” is malicious software that enables attackers to hold computer data or a computer network hostage until a ransom is paid.  Ransomware often encrypts all the files on a system, making them unusable until the attacker supplies the decryption key.  An FBI Alert issued last week stated that ransomware infections are at an “all-time high.”  According to the FBI Alert, just one recent strain of ransomware infected about 100,000 computers per day.  Id.  Commenting on the Alert, security expert Brian Krebs said “[w]hat we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.”

The ransomware threat is troubling from the perspective of business continuity, lost productivity, lost data, and possible ransom payment costs.  The threat is also troubling from a legal perspective because in public comments earlier this month, FTC Chairwoman Edith Ramirez suggested that failure to address vulnerabilities that could be exploited by ransomware can constitute an FTC Act violation.  This means companies now face two kinds of liabilities from ransomware:  business costs, and civil liability to the FTC and perhaps private litigants.

The Federal Trade Commission has no specific statutory mandate over cybersecurity compliance.  Nevertheless, the FTC has made cybersecurity enforcement central to its institutional mission.  Legal challenges to the FTC’s authority over cybersecurity so far have failed.  In FTC v. Wyndham Worldwide, 799 F.3d 236 (3d Cir. 2015), for example, the Third Circuit held that the FTC’s mandate under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a), to prevent “unfair or deceptive acts or practices in or affecting commerce” encompasses a company’s cybersecurity policies and practices relating to its customer data.  And the FTC recently concluded that the FTC Act’s general balancing test for determining if an act or practice is “unfair” applies to cybersecurity issues.  See In the Matter of LabMD, Docket No. 9357, Opinion of the Commission (July 29, 2016).

These risks are particularly difficult to manage because of the FTC Act’s standard of liability and the nature of ransomware.  Under Section 5(n) of the FTC Act, an act or practice is “unfair” only if

(1) it “causes or is likely to cause substantial injury to consumers;”

(2) the injury “is not reasonably avoidable by consumers themselves”; and

(3) the injury is “not outweighed by countervailing benefits to consumers or competition.”

In the Matter of LabMD, at 9 (quoting 15 U.S.C. § 45(n)).  In LabMD, the Commission stated that “‘[t]he touchstone of the Commission’s approach to data security is reasonableness.’”  Id. at 11 (quoting Commission Statement Marking the FTC’s 50th Data Security Settlement, at 1 (Jan. 31, 2014)).  While a “reasonableness” standard sounds reasonable, the statutory test essentially encodes a kind of “negligence balancing test” in which “reasonableness” is measured by the risk and probability of harm in comparison to the burden of taking precautions.  Most of us will remember – with varying degrees of fondness – this test from Judge Learned Hand’s famous opinion in U.S. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947):  a party is negligent when B < PL, that is, when the burden of taking precautions is less than the probability of harm multiplied by the magnitude of the resulting loss.

The problem with this kind of test in relation to cybersecurity is that the probability of some loss is very high and the scope of the loss could be enormous.  This means just about any kind of precaution could be considered reasonable.  Indeed, in LabMD, the Commission found that LabMD “did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring, or penetration testing.”  In the Matter of LabMD, at 11.   “Penetration testing,” which involves employing “white hat” hackers to probe a network for vulnerabilities, can be a valuable part of a cybersecurity hygiene program, but it is a stretch to suggest that penetration testing should always be employed by every entity on every kind of network.  See SANS Institute InfoSec Reading Room, Penetration Testing:  Assessing Your Overall Security Risks Before Attackers Do (June 2006).

The U.S. Department of Justice has published an interagency technical guidance document on protecting networks from ransomware that could serve as a useful rough measure of reasonable care.  According to the Justice Department guide, preventive measures against ransomware should include a number of specific technological measures together with an “awareness and training program.”  Id. at 3-4.  The guide notes that “[b]ecause end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.”  Id. at 3.  The DOJ’s guide also includes lists of instructions for business continuity and for incident response if infected with ransomware.  See id. at 4-5.

The growth in ransomware and other cybersecurity threats and the FTC’s aggressive enforcement posture suggest that companies should carefully consider their preparations for ransomware and other malware attacks in conjunction with legal counsel.  And even with what seem like reasonable preparations, companies of every size must prepare for an adverse incident.  In this regard, the following DOJ recommendation for incident response is particularly noteworthy:

Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance

Id. at 5 (emphasis in original).

Contacting the FBI or Secret Service might be a good idea, because ransomware attackers often are connected to foreign criminal syndicates and might even help finance terrorism.  However, companies should keep in mind the FTC’s commitment to enforcing its broad unfairness standard against companies suffering from ransomware attacks.  In addition, companies sometimes decide to pay the ransom quietly in order to regain access to their data.  Brian Krebs, for example, describes an incident in which a company’s finance department “didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, . . . the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.” Once the government is involved, a quiet ransom payment might not be possible – if it is even considered lawful under the circumstances.  Any investigation of the incident, and particularly any coordination with the FBI, should involve legal counsel to protect privilege and limit liability as much as possible.

Microsoft and the Law of the Cloud

Microsoft is waging a multi-front legal war over control of the “cloud.”  The Second Circuit recently handed Microsoft a battlefield victory in a case captioned In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation, — F.3d —, 2016 WL 3770056 (2d Cir. 2016).

The case concerns the Stored Communications Act (SCA), which is part of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510 et seq., 18 U.S.C. §§ 2701 et seq., and 18 U.S.C. §§ 3121 et seq.  The SCA was enacted in 1986.  Microsoft Corp., 2016 WL 3770056 at *6.  The SCA limits the circumstances under which a service provider can disclose to third parties, including the government, information about an electronic communication or the contents of an electronic communication.  See id. at *7.  The government can obtain non-content information about a communication, such as subscriber and transactional information, through an administrative subpoena or court order on a showing lower than probable cause.  See id. at *7 (citing 18 U.S.C. §§ 2703(c)(2), (d)).  For content information, the government must obtain a warrant on probable cause or, under some circumstances, a court order with notice to the subscriber.  See id. (citing 18 U.S.C. §§ 2703(a), (b)(1)(A)).  When a warrant is required, the SCA states that the warrant must be issued “using the procedures described in the Federal Rules of Criminal Procedure (or, in the case of a State court, issued using State warrant procedures) by a court of competent jurisdiction.”  See id. (citing 18 U.S.C. § 2703(a)).

The dispute in this case arose when Microsoft moved to quash an SCA warrant served on Microsoft in Washington for the contents of customer emails stored on a Microsoft Outlook server located in Ireland.  Outlook is part of Microsoft’s “’enterprise cloud service offerings.’”  See id. at *2.  Emails sent and received through Outlook are stored on servers located in one or more of over 100 data centers owned or leased by Microsoft in over 40 countries.  See id.  The “cloud” is simply a network of dispersed data centers such as Microsoft’s Outlook server network.  Microsoft explained to the court that a customer’s emails usually are stored in a data center located in the country of residence given by the customer.  Id. 

In its motion to quash, Microsoft argued that a search warrant cannot have extraterritorial effect.  Microsoft admitted, however, that it can access and collect email content from any of its data centers using a database management program in the U.S.  See id. at *3.  The Magistrate denied the motion to quash, and the District Court affirmed.  Id. at *4.  The Second Circuit reversed.

As the Second Circuit noted, the “Internet” barely existed in 1986, and the World Wide Web was not created until 1990.  Id.  The SCA therefore was adopted in a very different technological context than today’s networked world.  In particular, there was no universally accessible email, and what we today call the “cloud” was only a gleam in the eyes of some science fiction writers thirty years ago.  The court noted that there is a presumption against extraterritorial application of statutes.  Id. at *9.  Since the SCA specifically referred to search warrants under the Federal Rules of Criminal Procedure, the court held, the territorial limits on such search warrants should apply to warrants under the SCA.  Id. at *11-12.  Although a “subpoena” can have greater extraterritorial reach than a “warrant,” the Second Circuit rejected the government’s argument that a “warrant” under the SCA is more like an administrative subpoena than a search warrant.  Id. at *12-14.

Judge Gerard Lynch wrote a separate opinion concurring in the judgment.  Judge Lynch believed “the government’s arguments are stronger than the Court’s opinion acknowledges” and further wished “to emphasize the need for congressional action to revise a badly outdated statute.”  Id. at *19.  Judge Lynch noted that there was no dispute about the government’s showing of probable cause or about Microsoft’s ability to access the records in the U.S.  Id. at *20.  He also was concerned that the choice of data center location was based on the customer’s self-reported location, which could be inaccurate or even intentionally misleading to evade law enforcement.  Id.  Contrary to some of Microsoft’s arguments, Judge Lynch did not believe the case presented any substantive privacy issue because the “‘records’ are electronic zeros and ones that can be moved around the world in seconds, and will be so moved whenever it suits the convenience or commercial purposes of the company.”  Id. at *21.  Nevertheless, Judge Lynch felt bound to agree with the Court’s statutory interpretation in light of the presumption against extraterritoriality.  Id.  He concluded by suggesting that Congress can and should amend the SCA to extend the reach of SCA warrants to data accessible to U.S. companies in the U.S. even if stored in cloud servers located outside the U.S.  Id. at *26.

Microsoft is presently litigating a separate case in the District of Washington, joined by the American Civil Liberties Union, challenging the constitutionality of parts of the SCA that allow the government to obtain subscriber and content information from Microsoft without notice to Microsoft’s customer.  See Microsoft v. U.S. Dep’t of Justice, No. 2:16-cv-00538-JLR (D. Wash.), filed April 14, 2016.  In its Complaint in that case, Microsoft states that “Cloud computing has spurred [a] profound change in the storage of private information” and that the government, using the SCA, “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”  Id., Complaint for Declaratory Judgment, ¶ ¶  2-3.  For Microsoft, and some other Silicon Valley companies, the cloud should become a domain in which service providers have a kind of jurisdiction to safeguard consumer privacy against governments.  But governments, including the U.S., argue that individuals who store their data with commercial cloud providers have already given up their privacy and that a handful of large information service providers cannot dictate national policy about criminal investigations and terrorism prevention.  This dispute will undoubtedly continue to work its way through the courts and Congress in coming years.

 

Internet Law and Governance: Some Materials

I’m teaching a module on Internet Law and Governance at Seton Hall Law School again this semester.  Here is some of the introductory material for this week, including a video lecture I created:

For our first class, we will discuss some basic principles of Internet “governance.”  I put “governance” in quotes here because, as you will see, there is no single source of legal norms for the Internet.  Much of the “law” of the Internet is what we call “soft law” — that is, a relatively loose collection of principles and standards held together mostly by contractual relationships.

My experience teaching this material to law students over the past few years has shown that it can be a bit frustrating for you to get a handle on what you are supposed to be learning.  By now, you are used to areas of law governed by a somewhat coherent set of Constitutional, common law, and/or statutory and regulatory principles, from which you can derive legal tests for liability or compliance that can be applied by courts.  That is not, usually, how Internet governance works.  Internet governance is fuzzy.  If you continue on and take any of the other modules in our “Cybersecurity” or “New Media” sequence, however, you’ll see that having a sense of the contours of this fuzziness is important to the more specific legal issues arising from things like copyright in YouTube videos or government e-mail surveillance.  So, for now, enjoy the ride.

xDedic Marketplace

Kaspersky Lab released a report on June 15 on the “xDedic” marketplace.  According to the report,

“xDedic” is a trading platform where cybercriminals can purchase any of over 70,000 hacked servers from all around the internet. It appears to be run by a Russian-speaking group of hackers.

The report includes screenshots of the xDedic user dashboard, which includes information about the price to obtain access to a server, the server’s location and speed, and other details.


Kaspersky’s investigation suggests that the servers are first accessed through password brute-force attacks, after which a malware (Trojan) client is installed that makes the server available on the xDedic network.  Another program is also installed that uses the compromised server to mine bitcoins.  Access to some of the servers available on this marketplace can be gained for as little as $8.
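To make the first link in that chain concrete, here is an added example (my own illustration for this post, not code from Kaspersky’s report) of what a password brute-force leaves behind in a server’s authentication log, and a simple check an administrator can run to catch it: a burst of failed logins from one address followed, shortly after, by a success from the same address.  The log lines are constructed for the example and follow the format of the OpenSSH daemon’s syslog messages; the report does not say which login service the attackers targeted, so that choice, the five-failure threshold, the ten-minute window and the year 2016 (syslog timestamps carry no year) are all assumptions.

```python
# Added example: detecting a "many failures, then a success" password
# brute-force in an authentication log.  Not code from Kaspersky's report
# or the original post.  Log format (OpenSSH-style syslog), thresholds
# and year are assumptions; the sample log is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one attacker (203.0.113.45) guesses until it gets
# in as "admin"; one legitimate user (alice) mistypes once; one attacker
# (192.0.2.9) gives up after two tries and never succeeds.
SAMPLE_LOG = """\
Jun 15 03:12:01 srv01 sshd[2211]: Failed password for root from 203.0.113.45 port 51022 ssh2
Jun 15 03:12:03 srv01 sshd[2213]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jun 15 03:12:04 srv01 sshd[2215]: Failed password for admin from 203.0.113.45 port 51027 ssh2
Jun 15 03:12:06 srv01 sshd[2217]: Failed password for invalid user oracle from 203.0.113.45 port 51030 ssh2
Jun 15 03:12:09 srv01 sshd[2219]: Failed password for invalid user test from 203.0.113.45 port 51033 ssh2
Jun 15 03:12:11 srv01 sshd[2221]: Failed password for admin from 203.0.113.45 port 51036 ssh2
Jun 15 03:12:14 srv01 sshd[2223]: Accepted password for admin from 203.0.113.45 port 51040 ssh2
Jun 15 03:15:30 srv01 sshd[2240]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Jun 15 03:15:41 srv01 sshd[2242]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Jun 15 03:20:02 srv01 sshd[2260]: Failed password for root from 192.0.2.9 port 33001 ssh2
Jun 15 03:20:05 srv01 sshd[2262]: Failed password for root from 192.0.2.9 port 33004 ssh2
Jun 15 03:20:07 srv01 sshd[2264]: Connection closed by 192.0.2.9 port 33004 [preauth]
"""

# Matches only password-authentication outcomes; other sshd lines are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

LOG_YEAR = 2016  # assumption: syslog timestamps do not include the year


def parse_line(line):
    """Return (timestamp, result, user, source_ip) for an auth line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag each successful login preceded, within `window`, by at least
    `threshold` failed attempts from the same source address."""
    failures = defaultdict(list)  # source ip -> timestamps of failed attempts
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip].append(ts)
            continue
        # A success: count this address's failures inside the look-back window.
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(recent),
                           "success_at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the check flags only the 203.0.113.45 login as admin (six failures in the preceding minute), and stays quiet about alice’s single typo and about the address that never got in.  Two caveats a practitioner should keep in mind: an attacker who spreads guesses across many addresses, or across days, slips under a per-address window like this one, and a success that follows a brute-force is a signal to investigate the host for the follow-on installs the report describes, not proof by itself.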

This report underscores both the technological and commercial sophistication of the cybercrime underworld.

 

Data Breach Litigation and the Economic Loss Doctrine

Here are my Powerpoints from the NJICLE Cybersecurity Conference this week on Data Breach Litigation and the Economic Loss Doctrine.

ICANN’s Transition Proposal

You may have heard of “ICANN” in connection with procedures for resolving domain name disputes.  What you may not realize is that ICANN is at the heart of “Internet governance,” and that even today there is a heated dispute about whether the United States government should retain any ongoing oversight of ICANN’s functions.

“ICANN” stands for the Internet Corporation for Assigned Names and Numbers.  Every device connected to the Internet is assigned a unique Internet Protocol (“IP”) address.  Under a standard first developed in 1983 (called the Internet Protocol Version 4, or IPv4), long before the Internet was commercially available and long before there was a World Wide Web, an IP address consists of a 32-bit (4-byte) number comprised of four blocks (1 byte per block).   Because the available number space was becoming exhausted, a newer standard, IPv6, was adopted, which lengthens the address to 128 bits (16 bytes, conventionally written as eight groups of hexadecimal digits), but IPv4 is still the most widely used protocol.

The following graphic shows a typical IPv4 address, with both binary and dotted-decimal notation:

(Graphic source:  Wikimedia Commons).  An IPv4 address is divided into a network identifier (the leading bits, shared by every device on the same network) and a host identifier (the remaining bits, which single out one device on that network).  Where the dividing line falls is set by the network’s prefix length, or subnet mask, not by a fixed number of blocks; the two-blocks-and-two-blocks split shown here is the common 16-bit case.  In the example above (172.16.254.1 on a network with a 16-bit prefix), the network identifier 172.16 indicates a private network such as an intranet, because 172.16.0.0 through 172.31.255.255 is one of the address ranges reserved for private use and never routed on the public Internet, and the host identifier 254.1 identifies a computer or device connected to that local network.  If you have ever had to fiddle with your home or office computer network, you have probably seen IP addresses in the dotted-decimal notation representing the addresses of your printers and other devices.
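As an added example (not part of the original post), the following Python code does the arithmetic the graphic illustrates: it converts dotted-decimal notation to the underlying 32-bit number and back, prints the binary form, splits an address into network and host identifiers for a given prefix length, and checks whether an address falls in one of the private ranges reserved by RFC 1918, which is what makes 172.16.254.1 an intranet address.  The sample address is the one from the graphic; the parser also rejects malformed input, including octets with leading zeros, which some C libraries read as octal and which has been used to slip addresses past filters.

```python
# Added example: IPv4 address arithmetic.  Not code from the original post;
# the sample address 172.16.254.1 is the one from the graphic.


def parse_ipv4(text):
    """Dotted-decimal string -> 32-bit integer.

    Accepts exactly four decimal octets in 0..255.  Leading zeros are
    rejected because some C libraries read "010" as octal, and that
    ambiguity has been used to evade address-based filters.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {text!r}")
    value = 0
    for part in parts:
        if not part.isdigit() or (len(part) > 1 and part[0] == "0"):
            raise ValueError(f"bad octet {part!r} in {text!r}")
        octet = int(part)
        if octet > 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | octet
    return value


def is_valid_ipv4(text):
    """True if parse_ipv4 accepts the string, False otherwise."""
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def to_dotted(value):
    """32-bit integer -> dotted-decimal string (one byte per block)."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value):
    """32-bit integer -> the binary form in the graphic, one byte per block."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def split_address(text, prefix_len):
    """Split an address into network and host identifiers.

    prefix_len is the number of leading bits that belong to the network
    (the "/16" in "172.16.0.0/16"); the remaining bits identify the host.
    """
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    addr = parse_ipv4(text)
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(addr & mask),
        "host": to_dotted(addr & ~mask & 0xFFFFFFFF),
        "binary": to_binary(addr),
    }


# Private-use blocks defined by RFC 1918, as (network, prefix length).
PRIVATE_BLOCKS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))


def is_private(text):
    """True if the address lies inside one of the RFC 1918 private blocks."""
    addr = parse_ipv4(text)
    for base, prefix_len in PRIVATE_BLOCKS:
        mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
        if addr & mask == parse_ipv4(base):
            return True
    return False


if __name__ == "__main__":
    for prefix_len in (16, 24):
        print(f"/{prefix_len}:", split_address("172.16.254.1", prefix_len))
    print("172.16.254.1 private?", is_private("172.16.254.1"))
    print("172.32.0.1 private?", is_private("172.32.0.1"))
```

Note that the same address splits differently under a 16-bit and a 24-bit prefix (network 172.16.0.0 with host 0.0.254.1, versus network 172.16.254.0 with host 0.0.0.1), and that 172.32.0.1, which looks like a neighbor of 172.16.254.1, is a public address: the private block 172.16.0.0/12 ends at 172.31.255.255.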

Numeric addresses are difficult for most humans to remember.  This is not a problem for things like the printer on your home network; you simply configure the network to remember such things for you.  It is a problem on the World Wide Web, if we want to remember, or conduct searches for, the content that interests us.  This is where “domain names” come into play.  The Domain Name System, or DNS, establishes the hierarchy of words and symbols that map to numeric IP addresses.  For example, the domain name “Google.com” brings you to Google’s home page.  It is much easier to remember “Google.com” than an IP address such as 172.217.1.206 (the address a DNS lookup returned when this was written; Google serves its site from many addresses, so the answer varies by time and location).  Obviously, if domain names did not reliably resolve to the addresses their owners intend, the web would cease to function, and anyone who can tamper with DNS answers can send users to a server of his own choosing.  The DNS is a vital part of how people and organizations identify their “space” in cyberspace.

With over one billion websites today (according to http://www.internetlivestats.com/total-number-of-websites/), the administration and security of the system for registering, recording, transferring and protecting domain names obviously is complex.  The question of whether to approve new “Top Level Domains (TLDs)” – that is, the part of a domain name to the right of the last dot, such as .com or .gov – can be contentious because such domains can be used to stake out a new “location” in cyberspace.  Until 2012, ICANN strictly restricted the issuance of new “generic” top level domains (gTLDs), but under ICANN’s present rules new gTLDs are much easier to obtain, with about 1,300 new gTLDs now approved and more to come.  Here is an amusing ICANN video describing this process:

These administrative and oversight functions are ICANN’s role.  It is fair to say, then, that ICANN oversees a core system of protocols that makes the Internet possible.  The global information and communication system that underpins every aspect of our global society depends on the governance functions ICANN performs.

But ICANN is not an agency of any national government or international treaty body.  ICANN is not an arm of the United Nations, the World Trade Organization, the World Intellectual Property Organization, or any other transnational organization established by agreement of various nation-states.  Instead, ICANN is a California non-profit corporation first established in 1998.  It operates under a “multi-stakeholder” model that includes input from volunteers serving on numerous working groups, overseen by a Board of Directors comprised of 16 individual voting members.  See A Quick Look at ICANN.

Why is this vital Internet governance function run by a California non-profit corporation?  The name and number functions we have been discussing (referred to as the Internet Assigned Numbers Authority, or IANA, functions) originally were managed by a single individual, Jon Postel, who was a computer science researcher at UCLA and USC.  Postel helped create an early packet switching network, the Advanced Research Projects Agency Network, or ARPANET, funded by the U.S. Defense Department, which was a forerunner to today’s Internet.  ARPANET may have been funded by the DOD in part over concerns about maintaining military communications in the event of nuclear war.  Although the connection to fears of nuclear war is debated, there is no doubt that the ARPANET was a cold-war era defense project.  The U.S. federal government therefore had a vital role in the early development of the Internet.

When Postel decided he could no longer handle the domain name functions himself, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) instituted a rulemaking for this function that led to the creation of ICANN.  From its inception, ICANN operated under a contractual arrangement with the U.S. Department of Commerce.  ICANN therefore derives its legal authority from California corporate law and its contract with the U.S. Department of Commerce.

To many participants, particularly outside the U.S., this historical arrangement suggests that ultimately the U.S. government holds too much power over the DNS without adequate checks and balances.  In response to these concerns, the Obama administration announced in March, 2014 that it would relinquish control of the DNS to the global multi-stakeholder Internet community.  A plan for this transition was developed by ICANN and was submitted to the NTIA on March 10, 2016.

The planning process was coordinated by a group “comprised of 30 individuals representing 13 communities.”  Id., ¶ X002.  That should be an astonishing statement:  30 people were in charge of planning this core function of Internet governance!  This group included executives from companies such as Oracle, Cisco, Verisign and GoDaddy, academics, entrepreneurs, and representatives of country domain registries.  Id., n. 2 and http://www.ianacg.org/coordination-group/icg-members/.

The ICANN plan runs to 210 pages of single-spaced type and 3,115 numbered paragraphs, with an Executive Summary that loosely ties together separately drafted proposals from the “Domain Names Community,”  the “Internet Number Community,” and the “Protocol Parameters Registry Community.”   It contains many paragraphs that read like this:  “Following exhaustion of the foregoing escalation mechanisms, the ccNSO and GNSO will be responsible for determining whether or not a Special IFR is necessary.”  See ICANN Plan, ¶ 1303.   If all of this sounds like a proposal put together by engineers rather than lawyers – it is.  Perhaps that is a good thing, but many questions about representation and accountability remain.

The ICANN Plan did include some new accountability mechanisms to address concerns about the openness of ICANN’s processes.  For example, paragraph 1106 of the Domain Names Community’s part of the proposal states that the multistakeholder community would have the ability to appoint and remove ICANN Board members, to oversee key Board decisions, and to approve amendments to ICANN’s fundamental bylaws.  This part of the proposal was consistent with an Accountability Report released by a different ICANN working group in February, 2016.  But, of course, none of this is analogous to a citizen’s rights in a constitutional government.  It is more analogous to how shareholders might have some say in the governance of a private membership organization.  The ICANN proposal does not contemplate that any governmental or inter-governmental organization will take on the role previously played by the U.S. Commerce Department.  See ICANN Plan, ¶ X028.

On June 9, 2016, the NTIA released an Assessment Report finding that the ICANN plan met the NTIA’s criteria for a working transition plan.  In particular, the NTIA Assessment found that the transition plan would satisfy the following requirements:

  1. Support and enhance the multi-stakeholder model;
  2. Maintain the security, stability, and resiliency of the Internet DNS;
  3. Meet the needs and expectations of the global customers and partners of the IANA services; and
  4. Maintain the openness of the Internet.

Most technology industry players also support ICANN’s plan.  At the same time, some commentators and U.S. lawmakers are not as willing as President Obama or the NTIA to cede U.S. control over the DNS. On June 8, 2016, Representative Sean Duffy (R-WI) and Senator Ted Cruz (R-TX) introduced the “Protecting Internet Freedom Act,” which would prohibit the NTIA from allowing its contract with ICANN to expire.  See S. 3034 and H.R. 5418, 114th Cong., 2d Sess., June 8, 2016.  This bill would also require the Commerce Department to secure permanent U.S. ownership of the .gov and .mil top-level domains.  Id., sec. 4.  This Bill echoes concerns raised by commentators such as Kristian Stout, Associate Director for Innovation Policy with the International Center for Law and Economics, who stated that under the ICANN plan, “several fundamental governance issues remain outstanding, including ICANN’s ability to thwart threats of foreign government intrusion, its willingness and ability to ensure a basic level of contractual compliance and respect for property rights among registrars and registries, and its avoidance of antitrust risk.”

Unless some legislative or Executive action is taken, which seems unlikely, the NTIA contract with ICANN will expire according to its own terms on September 30, 2016.  This will mark another milestone, for better or worse, along the path towards the creation of a global critical infrastructure resource that is managed primarily by consensus (social norms) and contracts (private law) rather than by national and international public law.

Cybersurveillance Developments

Over the past few months there has been a flurry of sometimes contradictory activity concerning the government’s ability to access electronic information in the course of a criminal investigation.  This article highlights three recent proposals that show how the broader policy debate is playing out at the level of specific legal rules.

Changes to the Federal Rules of Criminal Procedure Concerning Search Warrants

On April 28, 2016, the Supreme Court adopted changes to Fed. R. Crim. P. 41, adding a new subsection (b)(6), to authorize a magistrate judge in any district “where activities related to a crime may have occurred” to issue a warrant “to use remote access to search electronic storage media and to seize or copy electronically stored information located within or outside that district. . . .”  See Rule changes transmitted by Chief Justice John G. Roberts to Congress, April 28, 2016.  Under the amendment, such warrants can issue if “the district where the media or information is located has been concealed through technological means” or in cases involving investigations of hacking or malware transmission under the Computer Fraud and Abuse Act where the “media” are damaged computers in five or more districts.  Id., amended Fed. R. Crim. P. 41(b)(6)(A), (B).

Previously, the general principle was that a warrant could only be issued to search and seize a person or property located outside the district “if the person or property is located within the district when the warrant is issued but might move or be moved outside the district before the warrant is executed.”  Fed. R. Crim. P. 41(b)(1)-(2).   This principle previously was expanded to include authority to issue a warrant for a person or property outside the district if the investigation involved domestic or international terrorism and to include warrants for installation of a tracking device to track the movement of a person inside or outside the district. See Fed. R. Crim. P. 41(b)(1)-(4).  Finally, historically a warrant could be issued for property outside the district but within a U.S. territory, possession or commonwealth, on the premises of a U.S. diplomatic or consular mission in a foreign state, or in a residence leased by the U.S. and used by U.S. personnel assigned to a U.S. diplomatic or consular mission in a foreign state.  Fed. R. Crim. P. 41(b)(5).

Critics of the recent addition of subsection (b)(6), including some tech industry giants such as Google Inc., argued that “remote access” warrants would authorize nationwide or even worldwide electronic surveillance.  See Google Public Policy Blog, “A Small Rule Change that Could Give the U.S. Government Sweeping New Warrant Power.”  Google’s comments in this regard were typical of tech industry concerns:

The proposed change does not define what a “remote search” is or under what circumstances and conditions a remote search can be undertaken; it merely assumes such searches, whatever they may be, are constitutional and otherwise legal.  It carries with it the specter of government hacking without any Congressional debate or democratic policymaking process.

Id.  Notwithstanding such objections, the Rule change was approved by the Supreme Court, and will become effective unless disavowed by Congress before December 1, 2016 under the Rules Enabling Act.  See 28 U.S.C. § 2074.

Burr-Feinstein Bill

On April 13, 2016, Senators Richard Burr (R-N.C.) and Dianne Feinstein (D-Calif.), Chair and Vice-Chair, respectively, of the Senate Intelligence Committee, released a draft Bill titled the “Compliance With Court Orders Act of 2016.”  See April 13, 2016 Press Release; Discussion Draft.  This Bill responds to the recent showdowns between Apple Inc. and the FBI concerning the ability to compel technology companies under the All Writs Act to assist with access to locked and encrypted devices such as iPhones.  See David W. Opderbeck, “The Apple iPhone Showdown:  What is at Stake,” New Jersey Law Journal, March 7, 2016.  The Bill would require any covered entities that receive court orders “for information or data” to provide the information or data “in an intelligible format” and to “provide such technical assistance as is necessary to obtain such information or data in an intelligible format or to achieve the purpose of the court order.”  Discussion Draft, Sec. 3(a)(1).  The Bill states that a covered entity is only responsible for providing data in an intelligible format “if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided, by the covered entity or by a third party on behalf of the covered entity.”  Id., Sec. 3(a)(2).  The Bill further states that it would not authorize any government officer to require or prohibit “any specific design or operating system to be adopted.”  Id., Sec. 3(b).  However, the very next subsections of the Bill require providers of “remote computing service” or “electronic communication service” to ensure that their products or services are capable of complying with the requirement to provide data in an intelligible format.  Id., Sec. 3(d), (e).  The terms “remote computing service” and “electronic communication service” are defined to have the meanings provided in the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510, 2711.

The draft Bill was immediately pilloried by technology industry and civil liberties advocates.  For example, Kevin Bankston, Director of the New America Foundation’s Open Technology Institute, called it “easily the most ludicrous, dangerous, technically illiterate proposal I’ve ever seen.”  Andy Greenberg, “The Senate’s Draft Encryption Bill is Ludicrous, Dangerous, Technically Illiterate,” Wired Security, April 8, 2016.  Critics noted that the Bill’s performance standard necessarily would constrain design choices, that it would effectively outlaw user-directed end-to-end encryption, and that it would require a greater level of technological assistance than the government ever sought in the All Writs Act cases.  See “The Burr-Feinstein Proposal is Simply Anti-Security,” Electronic Frontier Foundation Deeplinks Blog, April 8, 2016.

Proposed Amendments to ECPA

The changes to F. R. Crim. P. 41 and the Burr-Feinstein Bill are pro-law-enforcement and anti-encryption.  Not all recent legislative proposals, however, fall on that side of the line.  On April 27, 2016, the “Email Privacy Act” passed the House of Representatives.  See H.R. 699, 114th Cong. 2d Sess. (2015-2016).  The Email Privacy Act would amend the ECPA to require the government to obtain a search warrant to access stored electronic communications.  

The law makes a distinction between electronic communications in transit and in storage.  For communications in transit, the Wiretap Act requires a showing of probable cause plus a showing that “normal investigative procedures have been tried and have failed or reasonably appear to be unlikely to succeed if tried or to be too dangerous.”  18 U.S.C. § 2518(3).  Wiretap orders must expire after thirty days, although extensions are possible upon a showing of necessity.  Id. § 2518(5).  For communications in storage, presently, the ECPA distinguishes between contents stored by an “electronic communication service (ECS)” and a “remote computing service (RCS),” and as to an ECS, further distinguishes whether the communications have been in storage for 180 days or more.  See 18 U.S.C. § 2703.  Finally, the ECPA allows a judge in any district, not only the district where the information is stored, to issue the order.  Id. § 2703(d).

Under the ECPA, the government may obtain the contents of stored electronic communications (such as emails and voicemails) that have been in storage by an ECS for 180 days or less only by obtaining a warrant.  18 U.S.C. § 2703(a).  However, the government may obtain the contents of information held by an RCS “solely for the purpose of providing storage or computer processing services,” or held in storage by an ECS for 180 days or more, through a court order based on “specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.”  18 U.S.C. § 2703(a)-(d).  In other words, the law currently recognizes a lower expectation of privacy (a) for the contents of communications held in storage by an RCS; and (b) for the contents of emails and other communications held in storage for more than 180 days by an ECS.  These distinctions date back to the early days of the Internet, when users were able to download and store only a small amount of data from email servers run by their service providers.  See H. Rept. 114-528, 114th Congress (2015-2016), April 26, 2016, as reported by the Judiciary Committee.

The Email Privacy Act would instead recognize the same expectation of privacy in all communications stored by third party providers by requiring a warrant on probable cause before the government could obtain the contents of such communications, regardless of how long they have been in storage, and regardless of whether the provider is classified as an RCS or ECS.  See Email Privacy Act, Sec. 3.  This would make the statute consistent with practice in the Sixth Circuit, which has held the distinctions under the present ECPA unconstitutional under the Fourth Amendment.  See United States v. Warshak, 631 F.3d 266 (6th Cir. 2010).  The Bill would not affect the government’s ability to obtain non-content information, such as subscriber records, through an administrative subpoena, nor would it change the ability of the owner of a communication system, such as an employer-owned email system, to disclose stored information voluntarily.

Most recently, law enforcement groups sought amendments to the proposed Email Privacy Act, which has stalled the bill’s progress in the Senate.  It is unlikely that any further action will be taken before the Presidential election.

Conclusion

These three recent proposals get “into the weeds” of the larger national policy debate about encryption and Internet surveillance.  They demonstrate that the larger debate implicates a host of more granular authorities involving the scope and requirements of judicially approved process for the government to obtain electronic information and for technology companies to assist with such process.  The critics may be right to worry about the jurisdictional and technological breadth of the changes to the search warrant rule and in the Burr-Feinstein Bill.  However, even if these rules are not adopted and the pro-privacy changes of the Email Privacy Act are enacted into law, significant issues will remain concerning how law enforcement can execute its mission to provide security for everyone while respecting Constitutional privacy concerns in the Internet age.

Managing Cyber Risk: Insurance and Coverage Cases

The scope of the risk and uncertainty involved in data breaches and other cybersecurity incidents suggests that insurance should play a key role in any organization’s risk management strategy. The specialty cyber risk insurance market is rapidly developing, although not yet mature. Among other ambiguities, there is relatively little case law interpreting either traditional or specialty liability policies in connection with cyber liability claims.

The question of how courts will decide cyber insurance litigation became front page business news when a case stemming from the massive Sony Playstation data breach was decided by a New York trial court. Zurich American Insurance v. Sony Corp. of America, No. 651982/2011 (N.Y. Sup. Ct. 2014). The court held that Sony had no coverage for its data breach-related losses under a standard form of Comprehensive General Liability (CGL) policy. In a bench ruling, the court found that there was no “publication” of the data because Sony had tried to keep it secure and it was disclosed only because of the criminal activity of hackers. Sony filed an appeal, but the case settled after appellate arguments.

In another example under a traditional policy, Recall Total Information Management, Inc. v. Federal Insurance Co., 83 A.3d 664, 147 Conn. App. 450 (2014), aff’d, 115 A.3d 458, 317 Conn. 46 (2015), a cart full of computer backup tapes containing employee information fell out of a van used by a subcontractor of a records storage company. Some of the tapes were taken by an unknown person and were never recovered. The subcontractor’s insurance policy defined covered “personal injury” to include “injury, other than bodily injury, property damage, or advertising injury, caused by an offense of . . . electronic, oral, written or other publication . . . of material that . . . violates a person’s right to privacy.” Id. at 672, 147 Conn. App. at 462. As in the Sony case, the court held that the information on the tapes had not been subject to “publication” because there was no evidence that any third party had actually accessed the information. In addition, the court held that losses relating to notification costs under state data breach notification statutes did not comprise the sort of “injury” covered by the policy. The court therefore granted summary judgment in favor of the insurer. Id. at 671-73, 147 Conn. App. at 461-65.

Not every case, however, has been decided in favor of the insurer. A good example of a case involving a traditional liability policy in which the insured prevailed is Travelers Indemnity Co. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). The policy in this case obligated Travelers to cover losses from damages arising from “electronic publication” of material that “gives unreasonable publicity to” or “discloses information about” a person’s “private life.” Id. at 767. Portal Healthcare provided electronic medical records services to Glens Falls Hospital. Due to an unspecified error, which did not seem to involve hacking, two patients of Glens Falls who searched their own names on Google discovered that their medical records came up as the first search result. Id. at 768. The court held that the records were subject to “publication” because they were made available over the Internet, even though their availability was unintentional and even though there was no evidence they had been accessed by any member of the general public. The court also found that this constituted unreasonable publicity and disclosure as those terms were used in the policies. Therefore, the court granted summary judgment in favor of the insured. Id. at 771-72.

There will undoubtedly continue to be claims and litigation over traditional policies for some time. However, the Insurance Services Office’s (“ISO”) standard commercial general liability (“CGL”) policy forms were changed by ISO in 2013 and 2014 to limit and exclude coverage for privacy and data breach claims. See CG 24 13 04 13 (2012) (limiting personal and advertising injury liability); CG 21 06 05 14 – Exclusion for Access or Disclosure of Confidential or Personal Information and Data-Related Liability – With Bodily Injury Exception; CG 21 07 05 14 – Exclusion for Access or Disclosure of Confidential or Personal Information and Data-Related Liability – Limited Bodily Injury Exception Not Included; CG 21 08 05 14 – Exclusion for Access or Disclosure of Confidential or Personal Information (Coverage B Only).

The specialty cyber risk market will therefore become increasingly important. Cases are just beginning to arise under these specialty policies. A recent case in federal district court in Utah has been described as the first coverage case involving a cyber risk coverage form. See Travelers v. Federal Recovery Services, Inc., 103 F. Supp. 3d 1297 (D. Utah 2015). The relevant form was a Travelers “Cyberfirst Policy” with a “Technology Errors and Omissions Liability Form” which provided coverage for an “errors and omissions wrongful act.” Id. at 1298. “Errors and omissions wrongful act” was defined in the policy as “any error, omission, or negligent act.” Id. at 1298-99.

Federal Recovery Acceptance (“FRA”), a data storage, processing, and backup company, had a services contract to handle a client’s customer account data. The client was being acquired by another company and requested return of its client data. FRA allegedly withheld the data and demanded a ransom payment beyond that allowed under its contract. The client sued FRA and related defendants for tortious interference, promissory estoppel, conversion, breach of contract, and breach of the implied covenant of good faith and fair dealing. FRA and the related defendants tendered the defense to Travelers, which filed an action for declaratory relief and accepted the tender under a full reservation of rights. Id. at 1299-1300.

The court held that Travelers did not have a duty to defend because “none of Global’s allegations involve errors, omissions, or negligence.” Id. at 1302. Instead, FRA was allegedly intentionally withholding the data.

Another case involving a specialty cyber risk policy was recently filed in federal court in California. Columbia Casualty Co. v. Cottage Health System, No. 2:15-cv-03432 (C.D. Cal.). Columbia had issued a “NetProtect 360” policy to Cottage Health. See Complaint for Declaratory Judgement and Reimbursement of Defense and Settlement Payments (“Complaint”), Columbia Casualty Co. v. Cottage Health System, Case No. 2:15-cv-03432 (C.D. Cal. May 7, 2015), 2015 WL 2201797. The policy covered losses for “privacy injury” and “privacy regulation proceedings.” However, the policy contained an exclusion for “failure to follow minimum required practices.” The exclusion stated that Columbia is not liable for any loss “based upon, directly or indirectly arising out of, or in any way involving . . . any failure of an Insured to continuously implement the procedures and risk controls identified in the Insured’s application for this insurance and all related information submitted to the Insurer in conjunction with such application . . . .” Complaint, ¶ 26. As part of its application for the policy, Cottage Health had submitted a “Risk Control Assessment,” which required it to respond to questions about security patches, threat assessment, audits of third party vendors, and other cybersecurity practices. Id., ¶ 29.

Cottage Health System’s electronic medical records provider allegedly failed to secure a server with encryption, resulting in the exposure of approximately 32,500 patient records. Cottage Health was named in a class action under California’s Confidentiality of Medical Information Act, Cal. Civil Code § 56 et seq., and ultimately agreed to a $4.124 million class settlement. Cottage Health also faced an investigation by the California Department of Justice. Columbia agreed to fund the settlement under a reservation of rights. Complaint, ¶¶ 15-22. The Complaint alleged, on information and belief, that Cottage Health provided false responses to the security-related questions in the application, and that as a result, Columbia had no liability under the Policy. Complaint, ¶¶ 30, 39-58.

Columbia’s Complaint was dismissed without prejudice pending the completion of an alternative dispute resolution procedure agreed to by the parties. See Order Granting Motion to Dismiss, Columbia Cas. Co. v. Cottage Health Sys., 2015 WL 4497730 (C.D. Cal. July 17, 2015). Nevertheless, the initiation of this proceeding by Columbia signaled that issuers of cyber risk policies may be willing to test insureds’ compliance with required security programs in court.

If there is a pattern in these cases, it may be that – not surprisingly – insurers will contest coverage for a variety of reasons under both traditional CGL and specialty cyber policies. Indeed, a number of very recently filed coverage cases confirm this intuition. See, e.g., New Hotel Monteleone, LLC v. Certain Underwriters at Lloyd’s of London, No. 15-11711, 2015 WL 9608250 (Orleans Parish, La., December 10, 2015) (coverage claim arising from hacking incident resulting in stolen payment card information); Certain Underwriters at Lloyd’s of London v. Wunderland Group, LLC, No. 2015-CH-18139, 2015 WL 9608250 (Cook County, Ill., December 15, 2015) (coverage claims relating to insider attack / trade secret misappropriation); Ameriforge Group, Inc. v. Federal Ins. Co., No. 2016-00197, 2016 WL 1366311 (Harris County, Tex., January 4, 2016) (coverage claims relating to phishing attack). Even specialty policies may not cover risks such as cyber-extortion by a vendor, or they may require the insured to implement a rigorous cyber hygiene program. The precise language of the coverage and exclusions, as well as the precise nature of the incident, will be at issue in any coverage challenge. An insurance program should be carefully evaluated, and cyber hygiene should be continuously monitored, as part of a comprehensive cyber risk mitigation strategy.