Tabletop for NJSBA Second Annual Cybersecurity Conference

Here is a tabletop exercise I drafted that we’ll be running at the Second Annual NJSBA Cybersecurity Conference.

Acme Corp. manufactures and sells industrial control systems (ICS).  ICS devices integrate computer chips, hardware and software and can be programmed to monitor, regulate and control various components of commercial manufacturing, assembly and packaging plants.  For example, the following video shows an Acme ICS serving as the controller for a water bottling plant:

Acme’s ICS devices are network enabled and come bundled with a software suite that allows users to monitor and control the devices through a web interface.

Acme also provides installation and maintenance services for its ICS equipment.  Each ICS device must be configured for the systems it will control, which involves the creation of custom computer code.  The computer code, and sometimes the hardware, must periodically be updated if the underlying system configuration changes or if Acme develops performance enhancements, bug fixes, or security patches.  In a larger installation, Acme’s fees for installation and maintenance can exceed the costs of the initial hardware purchase, and the total contract price can exceed ten million dollars.

Acme maintains detailed information about each of its installations, including specific configuration information, networking details, and backup copies of computer code.  This information is stored in numerous documents in a variety of formats, including, for example, Word documents, Excel spreadsheets, Powerpoints, e-mails, and plain text files, on systems used by various Acme business units.  Files may reside on individual computer hard drives, internal company file servers, portable media (such as thumb drives), company-owned and personal laptops, smartphones and tablets, and commercial cloud-based storage such as Google Drive and Dropbox.

ISSUE 1:  A number of management-level Acme employees recently received emails purporting to have been sent by Sol Fish, Vice President for Client Relations at Acme.  The emails instruct the recipients to log into a newly-established sales database through a hyperlink in the email using their existing Acme network log-in credentials.  Fish did not send these emails, however, nor has Acme created any new sales database.  Meanwhile, Fish has received an email from Carl Kent, a business reporter for the Broad Street Journal, inquiring about the fact that the full technical specifications for an ICS installation at Port Newark were posted this morning on a number of business and government blogs.  In fact, Acme won a contract to improve the automation of shipping cranes and other devices at the Port.  The contract was controversial because of unsubstantiated allegations of bid rigging, cost overruns, and other political complaints.  The full technical specifications are confidential for security concerns, among other reasons.  An obvious inference is that the spearphishing attack may have allowed someone to obtain and post the confidential specifications.

ISSUE 2:  In addition, Fish has received an angry call from Bill Brazos, the CEO of Consolidated Fulfillment Centers, Inc.  Consolidated owns and operates large warehouse and fulfillment centers for major online retail companies.  Brazos claims that an Acme ICS system installed at a Consolidated facility in Edison, NJ contained a vulnerability that allowed hackers to obtain information concerning consumers to whom products were being distributed through the Consolidated facility.   Brazos says “millions” of customer accounts may have been compromised.

WannaCry Ransomware and Legal Fault

The WannaCry Ransomware attack has spread throughout the world over the past week.  Fingers are pointing at Microsoft for the vulnerability in earlier versions of Windows, at the NSA for creating the leaked exploit, and at North Korea for allegedly perpetrating the attack.  There is blame to go around, but if we were to assess comparative fault the victim is also substantially to blame, for at least two reasons, one obvious and one less obvious:

First, the obvious reason:  the attack affected older versions of Windows, including Windows XP, which has not been supported by Microsoft since 2014.  However frustrating Microsoft’s update and support cycle might seem, and whatever transaction and opportunity costs are involved in switching an organization to a newer OS, it is negligent to continue using an outdated, unpatchable OS.

Second, the less obvious reason:  the attack exploited Port 445, a networking port used by those older versions of Windows for peer-to-peer connections with printers and the like.  A basic component of any cybersecurity compliance program — in addition to using updated, patched software — is to conduct regular port audit scans and to configure firewalls to block unnecessary ports.  Given the low cost of this kind of precaution, failure to conduct port audits is almost certainly negligence.
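One way to make the port-audit step concrete, as an added example that is not from the original post: a small Python check that compares a scan inventory against a per-host allowlist of expected listening ports and flags open SMB ports (445, 139) as the highest-severity findings. The host addresses, the policy and the scan rows are constructed sample data.

```python
"""Port-audit check: compare scan findings against an allowlist of expected
listening ports and flag hosts exposing SMB (TCP 445/139) or any other
unapproved service.  Added example, not part of the original post; the scan
results and policy below are constructed sample data."""
from collections import defaultdict

# Constructed sample inventory: (host, tcp_port, state), the shape a port
# audit or firewall review would produce.  Not real hosts.
SCAN_RESULTS = [
    ("10.0.1.10", 445, "open"),
    ("10.0.1.10", 139, "open"),
    ("10.0.1.10", 443, "open"),
    ("10.0.1.11", 443, "open"),
    ("10.0.1.12", 445, "filtered"),   # blocked by a firewall: not a finding
    ("10.0.1.12", 3389, "open"),
]

# Policy: ports each host is expected to expose.  Any other "open" port is a
# finding.  Hosts absent from the policy fall back to the "default" entry.
ALLOWED_PORTS = {
    "10.0.1.10": {443},
    "10.0.1.11": {443},
    "default": set(),
}

# Ports the post singles out: SMB/NetBIOS, which WannaCry reached over 445.
HIGH_RISK_PORTS = {445, 139}


def audit(scan_results, allowed_ports, high_risk=HIGH_RISK_PORTS):
    """Return {host: sorted [(port, severity), ...]} for open ports not in
    policy.  Severity is 'high' for ports in high_risk, 'medium' otherwise.
    Filtered or closed ports never produce a finding."""
    findings = defaultdict(list)
    for host, port, state in scan_results:
        if state != "open":
            continue
        permitted = allowed_ports.get(host, allowed_ports.get("default", set()))
        if port in permitted:
            continue
        severity = "high" if port in high_risk else "medium"
        findings[host].append((port, severity))
    return {host: sorted(items) for host, items in findings.items()}


if __name__ == "__main__":
    for host, items in audit(SCAN_RESULTS, ALLOWED_PORTS).items():
        for port, severity in items:
            print(f"{host}: tcp/{port} open but not in policy ({severity})")
```

Run against a real inventory, the same comparison turns a periodic scan into a checklist item: every open port is either in the documented policy or is a ticket to close it at the firewall.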

Presentation on Cybersecurity and the Economic Loss Doctrine

Here are the slides for my presentation on cybersecurity and the economic loss doctrine at the NJICLE 2016 Cybersecurity Conference.

LabMD Enforcement Stayed

The FTC’s enforcement action against LabMD has been stayed in an unusual grant of emergent relief by the Eleventh Circuit.  The FTC’s Opinion in LabMD essentially established a negligence balancing test for cybersecurity compliance.  A negligence balancing test requires a rough evaluation of the burden of avoiding a risk (B) compared to the probability of loss (P) and extent of loss (L):  B >< PL.  Such a test is incredibly difficult to apply in the cybersecurity context because the probability of loss is close to 1, the potential loss is enormous, and the burden of taking adequate precautions to prevent loss is also potentially enormous.

A big part of the problem in applying this calculus is the definition of “loss” or “harm.”  In LabMD, the FTC found that the mere unauthorized disclosure of a file containing personal information is a harm and that reputational or emotional harm to affected consumers, apart from any showing of financial loss, is a kind of substantial injury that must be considered.  In the tort context, recovery for emotional harm without related personal injury or property damage is difficult and controversial, and is usually handled under theories of intentional or negligent infliction of emotional distress.  Recovery for reputational damage is perhaps even more difficult and controversial, because such claims usually arise under the law of defamation, which involves first amendment concerns, or a cause of action such as “public disclosure of private facts,” which requires an act of “publication” by the defendant.

The relevant section of the FTC Act in evaluating the LabMD standard is section 45(n):

The Commission shall have no authority under this section or section 57a of this title to declare unlawful an act or practice on the grounds that such act or practice is unfair unless the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.

The Eleventh Circuit found that the FTC Act likely does not provide remedies for intangible harms and that the phrase “likely to cause” in section 45(n) means something more than a low probability of occurrence.  Opinion, at 9-10.  The Eleventh Circuit’s Opinion is a bit unclear on this point, but I think the court is getting at the heart of how a negligence balancing test is applied.  The “P” in B >< PL will be something between 0 and 1.  As long as it is above 0, there could be a duty of care depending on the values of B and L.  The Eleventh Circuit seems to think “P” has to pass a certain threshold before the FTC’s statutory authority is triggered.  Opinion, at 10 (stating “we do not read the word ‘likely’ [in section 45(n)] to include something that has a low likelihood.”).

I’m sympathetic to the Eleventh Circuit’s concerns about whether the FTC should be in the business of creating a new negligence standard for cybersecurity enforcement.  Focusing on the “P,” however, is not the best approach because the probability of some loss from cybersecurity incidents for any business today is 1 or close to 1.  As we often say in the cybersecurity business, it’s not if you’ll get hacked, it’s when.  A more important statutory question, it seems to me, is whether mere “reputational” or “emotional” privacy harms are the kind of “substantial injury to consumers” Congress originally tasked the FTC with redressing.

The FTC, Ransomware, and You

“Ransomware” is malicious software that enables attackers to hold computer data or a computer network hostage until a ransom is paid.  Ransomware often encrypts all the files on a system, making them unusable until the attacker supplies the decryption key.  An FBI Alert issued last week stated that ransomware infections are at an “all-time high.”  According to the FBI Alert, just one recent strain of ransomware infected about 100,000 computers per day.  Id.  Commenting on the Alert, security expert Brian Krebs said “[w]hat we can expect is not only more targeted and destructive attacks, but also ransom demands that vary based on the attacker’s estimation of the value of the data being held hostage and/or the ability of the victim to pay some approximation of what it might be worth.”

The ransomware threat is troubling from the perspective of business continuity, lost productivity, lost data, and possible ransom payment costs.  The threat is also troubling from a legal perspective because in public comments earlier this month, FTC Chairwoman Edith Ramirez suggested that failure to address vulnerabilities that could be exploited by ransomware can constitute an FTC Act violation.  This means companies now face two kinds of liabilities from ransomware:  business costs, and civil liability to the FTC and perhaps private litigants.

The Federal Trade Commission has no specific statutory mandate over cybersecurity compliance.  Nevertheless, the FTC has made cybersecurity enforcement central to its institutional mission.  Legal challenges to the FTC’s authority over cybersecurity so far have failed.  In FTC v. Wyndham Worldwide, 799 F.3d 236 (3rd Cir. 2015), for example, the Third Circuit held the FTC’s statutory mandate under the Federal Trade Commission Act, 16 U.S.C. § 45(a), to prevent “unfair methods of competition in commerce” encompasses cybersecurity policies and requirements relating to a company’s customer data.  And the FTC recently concluded that the FTC Act’s general balancing test for determining if an act or practice is “unfair” applies to cybersecurity issues.  See In the Matter of LabMD, Docket No. 9257, Opinion of the Commission (July 29, 2016).

These risks are particularly difficult to manage because of the FTC Act’s standard of liability and the nature of ransomware.  Under Section 5(2) of the FTC Act, an act or practice is “unfair” only if

(1) it “causes or is likely to cause substantial injury to consumers;”

(2) the injury “is not reasonably avoidable by consumers themselves”; and

(3) the injury is “not outweighed by countervailing benefits to consumers or competition.”

In the Matter of LabMD, at 9 (quoting 15 U.S.C. § 45(n)).  In LabMD, the Commission stated that “‘[t]he touchstone of the Commission’s approach to data security is reasonableness.’”  Id. at 11 (quoting Commission Statement Marking the FTC’s 50th Data Security Settlement, at 1 (Jan. 31, 2014)).  While a “reasonableness” standard sounds reasonable, the statutory test essentially encodes a kind of “negligence balancing test” in which “reasonableness” is measured by the risk and probability of harm in comparison to the burden of taking precautions.  Most of us will remember – with varying degrees of fondness – this test from Judge Learned Hand’s famous opinion in U.S. v. Carroll Towing Co., 159 F.2d 169 (2d Cir. 1947):  B >< PL.

The problem with this kind of test in relation to cybersecurity is that the probability of some loss is very high and the scope of the loss could be enormous.  This means just about any kind of precaution could be considered reasonable.  Indeed, in LabMD, the Commission found that LabMD “did not employ basic risk management techniques or safeguards such as automated intrusion detection systems, file integrity monitoring, or penetration testing.”  In the Matter of LabMD, at 11.   “Penetration testing,” which involves employing “white hat” hackers to probe a network for vulnerabilities, can be a valuable part of a cybersecurity hygiene program, but it is a stretch to suggest that penetration testing should always be employed by every entity on every kind of network.  See SANS Institute InfoSec Reading Room, Penetration Testing:  Assessing Your Overall Security Risks Before Attackers Do (June 2006).

The U.S. Department of Justice has published an interagency technical guidance document on protecting networks from ransomware that could serve as a useful rough measure of reasonable care.  According to the Justice Department guide, preventive measures against ransomware should include a number of specific technological measures together with an “awareness and training program.”  Id. at 3-4.  The guide notes that “[b]ecause end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.”  Id. at 3.  The DOJ’s guide also includes lists of instructions for business continuity and for incident response if infected with ransomware.  See id. at 4-5.

The growth in ransomware and other cybersecurity threats and the FTC’s aggressive enforcement posture suggest that companies should carefully consider their preparations for ransomware and other malware attacks in conjunction with legal counsel.  And even with what seem like reasonable preparations, companies of every size must prepare for an adverse incident.  In this regard, the following DOJ recommendation for incident response is particularly noteworthy:

Contact law enforcement immediately. We strongly encourage you to contact a local field office of the Federal Bureau of Investigation (FBI) or U.S. Secret Service immediately upon discovery to report a ransomware event and request assistance.

Id. at 5 (emphasis in original).

Contacting the FBI or Secret Service might be a good idea, because ransomware attackers often are connected to foreign criminal syndicates and might even help finance terrorism.  However, companies should keep in mind the FTC’s commitment to enforcing its broad unfairness standard against companies suffering from ransomware attacks.  In addition, companies sometimes decide to pay the ransom quietly in order to regain access to their data.  Brian Krebs, for example, describes an incident in which a company’s finance department “didn’t bat an eyelash when asked to authorize several payments of $600 to satisfy the Bitcoin ransom demanded by the intruders: After all, . . . the data on one of the infected systems was worth millions — possibly tens of millions — of dollars, but for whatever reason the company didn’t have backups of it.” Once the government is involved, a quiet ransom payment might not be possible – if it is even considered lawful under the circumstances.  Any investigation of the incident, and particularly any coordination with the FBI, should involve legal counsel to protect privilege and limit liability as much as possible.