Third Circuit Reviews FTC’s Authority To Enforce An “Unreasonable Failure” To Protect Against A Cyber Attack

Today, the Third Circuit heard oral argument in a case that may have a profound impact on the Federal Trade Commission’s enforcement authority over corporate cybersecurity. The question presented to the Court of Appeals is whether the FTC can pursue an enforcement action against a company under Section 5 of the FTC Act if the FTC believes that a cyber-hack occurred due to the company’s “unreasonable failure” to protect consumer data. The FTC alleges that Wyndham Worldwide did not “employ reasonable and appropriate measures to protect personal information against unauthorized access.” As a result, the FTC claims, Russian data hackers were able to breach the hospitality company’s information system on three occasions between 2008 and 2010, stealing more than 619,000 credit card numbers, and causing more than $10 million in ...

Cyber Breaches Prompt Government Action

Several government entities are taking action to address the rise of cyber-attacks, as more fully explained in Goldberg Segalla’s Insurance & Reinsurance Report. As reported in a post by Frederick J. Pomerantz and Aaron J. Aisen, in response to a cyber breach at a major insurer, Connecticut lawmakers are considering legislation requiring insurance companies to encrypt sensitive information. Furthermore, the Federal Government is considering several proposals, including a Consumer Privacy Bill of Rights and standardized consumer notification procedures. Similarly, as discussed in a post by Frederick J. Pomerantz and Alex J. Yastrow, the New York State Department of Financial Services has announced its intention to take measures to ensure that insurers have strong cyber hacking defenses in place to protect customer data. As legislators and regulators attempt to deal ...

Cyber-Attack Class Actions Are On The Rise

After a barrage of media coverage over the release of The Interview, Sony Pictures now finds itself in federal court defending against seven class action lawsuits filed less than a month after the North Korean government hacked its computer system. Sony became aware of this “unprecedented” attack, in which it reportedly lost over 100 terabytes of data, on the morning of November 24th. The first class action complaint, Corona v. Sony Pictures Entm’t, Inc., was filed on December 15, 2014 — two days later, the U.S. Government announced that North Korea perpetrated the cyber assault. The lead plaintiffs in Corona, both former employees of Sony, claim that the company ignored concerns about weaknesses in its data security that left the company vulnerable to attack. The plaintiffs in all seven class actions allege, ...

Cyber Attack Immobilizes Dutch Government Websites

As reported by the BBC, most of the Dutch government’s websites were rendered virtually inoperable after a successful distributed denial of service (DDoS) cyber-attack on Tuesday, in which servers were flooded with traffic. A number of private sites were also breached, and the attack also affected communications provider Telford. As the BBC noted, these attacks “highlighted the vulnerability of public infrastructure.” An official from the Dutch Government Information Service, Rimbert Kloosterman, remarked that the complexity and size of the government’s websites had rendered back-up systems useless. The host of the Dutch government’s website, Prolocation, lost the use of its telephone lines as a result of the attack, which initially presented itself as an internal technical problem, and not an outside attack. Industry experts believe that the DDoS attacks are ...

ACE Group and The Institutes Launch Dedicated Cyber Risk Programs

This week, two major industry players announced the launch of dedicated cyber risk programs. ACE Group, one of the world’s largest multiline property and casualty insurers, announced the launch of its new dedicated cyber risk business unit in response to internal research showing that cyber risk is a “top three” emerging issue among European risk managers. ACE first established its global cyber practice in 2014, and is seeking to strengthen its leadership in this new risk area with the addition of full-time dedicated cyber underwriting experts in Paris, Frankfurt, Rotterdam, Milan and Madrid, with support from cyber specialists in the Nordics, Poland, Switzerland and Czech Republic. The Institutes also announced a Managing Cyber Risk certification program for insurance professionals focusing on mitigation of risk exposures and proper responses to cyber threats. A ...

Department of Homeland Security Must Assess Cyber Risks to Building Access and Control Systems

The U.S. Government Accounting Office (GAO) issued a report this month calling on the Department of Homeland Security (DHS) and General Services Administration (GSA) to develop and implement a strategy to address cyber risks to building and access control systems, including the computers that monitor and control building operations such as elevators, electrical power, and heating, ventilation, and air conditioning. As these systems are increasingly connected to other information systems and the Internet, they are more exposed to cyber attacks, which, the report explains, “could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or their occupants.” The Interagency Security Committee (ISC), a unit within the Department of Homeland Security that develops mandatory security standards for all nonmilitary federal facilities, has been ...

Digital Cloning: Hacking Your Fingerprints

While your biometrics may be as unique as a snowflake, they can still be digitally captured, copied and used to gain access to your “secure” computer network and data storage facilities. Using standard photos taken during a press event in October and commercially available software, a 31-year-old member of Europe’s largest association of hackers successfully re-created a digital fingerprint of German defense minister Ursula von der Leyen. The digital print could then be used not only to fool security software, but, with the increasing sophistication of 3D printers, to produce a physical replica. Fingerprints, which are widely used on Samsung and Apple devices, as well as human voices and faces, are being dismissed by a growing number of experts as “insecure” static information, as opposed to ...

Hacker Gains Control of German Steel Mill Operations

The German Federal Office for Information Security (BSI) has issued a report revealing that a sophisticated hacker was able to take control of a steel mill’s computerized production system, forcing an unscheduled shutdown that caused “massive damage” to the physical plant. Using targeted emails, known as “spear phishing,” the attacker tricked employees into opening messages that extracted login names and passwords and transmitted that information to the hacker without detection. The hacker, in turn, used the data to gain limited control of the automated system, causing plant failures and an unscheduled shutdown. While most cyber-attacks target data, there is an increasing number of attacks on physical equipment and machinery in the industrial setting. In Iran, hundreds of uranium enrichment centrifuges were decommissioned in 2010 after they were infected by the Stuxnet ...

Mandatory Reporting and “Cyber Mission Forces” Created in 2015 National Defense Authorization Act (NDAA)

Beyond appropriating $560,000,000,000 for military spending for 2015, the Defense Authorization Act passed this month expands the role of the military in a wide range of areas, including strategic programs in outer space, budgeting and accounting for a new “cyber mission” major force program category, and new mandatory reporting of “cyber incidents” by government contractors and agencies. Title XVI, Subtitle C of the Senate Amendment to H.R. 3979, “Cyber-Related Matters,” first directs the Secretary of Defense to submit with the 2017 budget a new program for the training, manning and equipping of the cyber mission forces, together with program elements, as well as to create executive agents for new “cyber and information technology training ranges” who oversee all test facilities, test beds, and software and personnel development, all under the supervision of the ...

Cybersecurity Starts at the Top

This summer, the Federal Financial Institutions Examination Council (FFIEC), made up of the FED Board of Governors and FDIC, among others, conducted a Cybersecurity Assessment at over 500 community financial institutions to evaluate their ability to handle cyber risks. While the data is still being analyzed in order to assist with future guidance and regulations, last month the FFIEC Cybersecurity Assessment’s “General Observations” were released. What is striking about the General Observations, which are not to be construed as guidance, is that they call out “the board of directors and senior management” of financial institutions, telling them to become actively engaged, to understand the risks, and to discuss issues “routinely.” So, while companies are waiting for new guidance, the FFIEC went out of its way to say that the new ...