Here are my slides from the University of South Carolina Law School symposium on civil liability in data breach cases.
Here are some key sources discussing the recent cyber attack on Ukraine’s power grid:
On November 9, 2015, Judge Richard Leon issued a preliminary injunction against the NSA bulk data collection program. On November 10, in a per curiam Order, the D.C. Circuit stayed the preliminary injunction pending the government’s appeal. Last Friday, November 20, the Circuit denied the plaintiffs’ emergency request for rehearing of the stay order en banc. In a somewhat unusual move, Circuit Judge Brett Kavanaugh wrote a concurrence to the Order denying the request for hearing en banc. Judge Kavanaugh states in the concurrence that “the Government’s metadata collection program is entirely consistent with the Fourth Amendment.” Concurrence at 1. Judge Kavanaugh states that the bulk data collection program satisfies the “special needs” exception under the Fourth Amendment because it “serves a critically important special need — preventing terrorist attacks on the United States.” Id. at 2. According to Judge Kavanaugh, “that critical national security need outweighs the impact on privacy occasioned by the program.” Id.
In my view, Judge Kavanaugh’s concurrence is troubling. An emergency petition for en banc review is an extraordinary request that can be denied for many reasons without opining on the merits. It is difficult to see how Judge Kavanaugh could reach such an easy conclusion about the NSA program in the context of an emergency en banc petition, without full briefing and argument on the merits. Unfortunately, it seems that the threat of terrorist attacks will remain with us in the foreseeable future. While the threat is deadly serious, the ordinary rule of law cannot remain suspended in a perpetual state of exception, or else it is a rule of power and not of law.
The ability of an ISP or social media site to block access to controversial or inflammatory content is a difficult issue at the intersection of cybersecurity and Internet governance. In a case just decided by Judge Lucy Koh in the Northern District of California, Facebook won dismissal on the pleadings of Sikhs for Justice’s (“SFJ”) claim that Facebook blocked access to SFJ’s page in India.
SJF’s claim was based on Title II of the Civil Rights Act of 1964, 42 U.S.C. § 2000a, which provides that “[a]ll persons shall be entitled to the full and equal enjoyment of the goods, services, facilities, privileges, advantages, and accommodations of any place of public accommodation . . . without discrimination or segregation on the ground of race, color, religion, or national origin.”
The court held that SJF’s Title II claim is barred by the Communications Decency Act (“CDA”), 47 U.S.C. § 230. This holding was consistent with other cases holding that ISPs are publishers entitled to CDA immunity.
Cases like this are important for Internet governance because of the gate keeping role played by large ISPs, search providers, and social media sites such as Facebook. If these gate keepers can arbitrarily block access to sites a government finds objectionable, traditional political sovereigns can exercise significant control over the Internet. On the other hand, if these gate keepers cannot accede to the wishes of governments in territories where they have users without threat of liability elsewhere, users in one country (such as the U.S.) could use local law to thwart the policies of another country (such as India).
Yesterday the New York State Department of Financial Services sent a letter to members of the Financial and Banking Information Infrastructure Committee announcing a plan to enact new cybersecurity regulations for financial institutions. The regulations would require covered entities to
- Maintain written internal cybersecurity policies and procedures;
- Maintain policies and procedures to ensure the security of data held by third party providers;
- Adopt multi-factor authentication for some resources;
- Designate a CISO responsible for the institution’s cybersecurity program;
- Adopt procedures and guidelines to ensure the security of applications used by the entity;
- Employ personnel adequate to manage the entity’s cyber risks;
- Conduct annual penetration testing and quarterly vulnerability assessments;
- Maintain an audit trail system; and
- Notify the Department of cyber incidents.
While most sophisticated financial institutions already engage many of these functions, the regulations would add a new dimension to compliance. The requirement to employ certain kinds of personnel, in particular, will be controversial.
Federal prosecutors unsealed indictments against three men who allegedly engaged in a sprawling cybercriminal enterprise that hacked into J.P. Morgan Chase & Co. and several U.S. financial institutions.
Judge Richard Leon in the District of Columbia federal court has again issued a preliminary injunction against the continuation of the NSA bulk telephony metadata collection program. The bulk collection program is set to expire on November 29, 2015 under the USA FREEDOM Act, so the injunction in this case will not have long-term impact. Judge Leon’s reasoning, however, could be important to the evaluation of future government data collection programs. As Judge Leon stated in his November 9, 2015 Memorandum Opinion, this
will not . . . be the last chapter in the ongoing struggle to balance privacy rights and national security interests under our Constitution in an age of evolving technological wizardry. Although this Court appreciates the zealousness with which the Government seeks to protect the citizens of our Nation, that same Government bears just as great a responsibility to protect the individual liberties of those very citizens.
Mem. Op. at 42. The first portion of Judge Leon’s Opinion addresses the plaintiffs’ standing to challenge the NSA program. I will address the standing issue in another post.
On the likelihood of success on the merits, Judge Leon found that the plaintiffs likely will be able to prove that the NSA bulk collection program violates the Fourth Amendment. According to Judge Leon, plaintiffs “have a very significant expectation of privacy in an aggregated collection of their telephony metadata,” the government’s intrusion on that interest is very broad, and the government has not shown the program has successfully fulfilled the goal of protecting the nation from terrorism. Mem. Op. at 28-37. Judge Leon also found that the plaintiffs likely would suffer irreparable harm absent a preliminary injunction and that the public interest favors injunctive relief. Id. at 37-42.
One notable aspect of Judge Leon’s Opinion is his discussion of expectations of privacy in relation to mobile technology. He suggests that “Americans’ constant use of cellphones for increasingly diverse and private purposes illustrates the attitude with which people approach this technology as a whole” and that “a person’s expectation of privacy is not radically different when using his or her cellphone to make a call versus to check his or her bank account balance.” Id. at 29. Moreover, Judge Leon notes, mobile devices are a necessary part of modern life and therefore entail stronger expectations of privacy than high-security environments that most people enter only occasionally, such as airports.
Another notable aspect of the Opinion is Judge Leon’s often colorful descriptions of the NSA program and the government’s arguments in its favor. Here is a sampling: the bulk data collection program “is a sweeping, and truly astounding program that targets millions of Americans arbitrarily and indiscriminately” (Id. at 31); it is “absurd to suggest that the Constitution favors, or even tolerates, such extreme measures!” (Id. at 32 (exclamation point in original)); the government’s evidence in support of the program’s efficacy is “[n]ot exactly confidence inspiring!” (Id. at 35 (exclamation point in original)); “the Government . . . suggests that this Court should defer to [its] judgment . . . Please!” (exclamation point in original)); “the Government incredibly argues that the [newly added] plaintiffs’ claim of irreparable harm is necessarily undercut by their more than two-year delay in joining this suit . . . . Come on!” (Id. at 38, n. 22 (exclamation point in original)); the government argues that the Court must “defer to Congress’ ‘determination’ that continuing the Program during the 180-day transition period is the best way to protect the public interest. . . . Not quite!” (Id. at 39 (exclamation point in original)); “Congress, of course, is not permitted to prioritize any policy goal over the Constitution . . . . Nor am I!” (Id. at 40 (exclamation point in original)); “[t]his Court simply cannot, and will not, allow the Government to trump the Constitution merely because it suits the exigencies of the moment”) (Id.).
Earlier today, Judge Leon denied the government’s emergency application for a stay of the preliminary injunction pending appeal, and the government filed an appeal with the D.C. Circuit.
I presented this morning at PLI’s annual “Think Like a Lawyer, Talk Like a Geek” seminar. Here is my presentation, which focuses on cyber risk insurance issues.
An interesting cyber insurance coverage case was filed recently in the the Northern District of Atlanta involving bitcoin payment processor Bitpay. Bitpay’s CFO was spear phished, leading to an improper transfer of bitcoins valued at $1.8 Million. Bitpay had been issued a Commercial Crime Policy by Hanover Insurance Group, which included coverage for “Computer Fraud,” as follows:
We will pay for loss of or damage to ‘money’, ‘securities’ and ‘other property’ resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the ‘premises’ or ‘banking premises’:
a. To a person (other than a ‘messenger’) outside those ‘premises’; or
b. To a place outside those ‘premises.’
Hanover denied the claim because, according to Hanover, the transfer of bitcoins as a result of spear phishing did not “directly” result from the use of a computer. This kind of spear phishing attack, Hanover stated in its denial letter, does not entail “a hacking or unauthorized entry into Bitpay’s computer system fraudulently causing a transfer of Money.” Hanover further argued that “there is an important distinction between fraudulently causing a transfer, as the Policy language requires, and causing a fraudulent transfer, which is what occurred upon the CEO’s approval of the bitcoin transactions after receiving the fictitious emails.” Finally, Hanover argued that “the term ‘premises’ is defined in the policy as, ‘the interior of that portion of any building you occupy in conducting your business'” and does not over bitcoins “held online, and transferred online.” After further attempts to obtain coverage were unsuccessful, Bitpay filed the coverage action.
If the case does not settle, it will be interesting to see how the court construes the disputed terms in the context of this bitcoin spear phishing scam.