Cyberattacks on businesses and developments in cybersecurity law took prominent places on the world’s front pages in 2015. As 2016 unfolds, we are not seeing an abatement in this growing trend. Cyberattacks will only continue to grow in scale and severity.
Cybercriminals successfully stole staggering amounts of financial information, large sums of money, and health records – millions of individuals’ personal and sensitive data. Even the US government was not immune, suffering an attack that exposed highly sensitive background-check and biometric information. In 2015, attackers’ techniques were more advanced than in past years, often evidencing skillful social engineering woven into sophisticated long-term technical exploits. Gone are the days of the one-hit “smash and grab,” where victim organizations could quickly triage, stop the incursion and return to business as usual. Both nation-state-funded and independent attackers exhibited sophistication and remarkable patience in operations lasting months or even years.
First reported cyberattack on a power company: In December, destructive malware infected several regional power authorities in Ukraine and led to wide-scale power outages.
The Internet of Things: A leading global information technology company reviewed ten of the most popular IoT devices, including televisions, webcams, home thermostats, remote power outlets, sprinkler controllers, door locks, home alarms, scales and garage door openers. Almost all of the devices raised privacy and security concerns, including insufficient password complexity and length, failure to encrypt communications and insecure web interfaces.
DEVELOPMENTS IN LAWS AND REGULATIONS
2015 also brought developments in case law and regulations governing liability, remedies and new preventative measures to ward off attackers.
Instructive circuit court decisions: In FTC v. Wyndham, the Third Circuit affirmed the Federal Trade Commission’s authority to regulate cybersecurity. In a data breach class action, Remijas v. The Neiman Marcus Group LLC, the Seventh Circuit confirmed that a plaintiff can demonstrate the injury-in-fact required to establish standing simply by facing an increased risk of future harm (i.e., an increased risk of possible identity or credit card theft without having actually suffered either). Whether other circuits will follow these decisions remains to be seen.
Data breach class action settlements, board of director liability: Several major data breach consumer class actions settled, including over $100 million in pledged settlement money for one retailer-defendant. Claims were increasingly filed against boards of directors for violating their fiduciary duty related to cybersecurity oversight.
Cybersecurity guidance: Federal and state regulators, organizations and industry associations chimed in with recommendations and mandates for organizations to shore up cybersecurity programs or face increased liability.
Data transfers between the EU and US: The EU Data Protection Directive prohibits the transfer of personal data outside the European Economic Area unless the destination country has sufficient data protection measures. In October, the European Court of Justice invalidated the Safe Harbor framework, which since 2000 had permitted US companies to transfer data by certifying compliance with seven privacy principles.
The EU and US also negotiated a new data sharing agreement, expected to be finalized in 2016. Instead of self-certification under the original Safe Harbor, the new agreement places greater oversight responsibility on the US Department of Commerce and Federal Trade Commission. The new agreement will also provide a means by which consumers can seek redress if their data is misused by companies.
NEW SECURITY MEASURES
Many American credit card holders are receiving new chip cards as part of a multi-year rollout of chip and PIN technology designed to reduce payment card fraud. The adoption of so-called EMV cards in the United States will reduce – but not eliminate – payment card fraud. EMV is a technical standard for smart payment cards, ATMs and payment terminals. Notably, EMV does not protect online transactions.
WHAT’S AHEAD: OUR PREDICTIONS
During 2016, we will likely see another increase in cyberattacks, and we will see cybersecurity being taken more seriously by its potential victims. Boards of directors will learn more about cybersecurity risk governance and focus more attention on cybersecurity oversight. Courts will continue to address pieces of the puzzle and evolve the current state of law on liability for cybersecurity incidents. Many companies will increase their investment in cybersecurity – one leading financial services company announced in February 2016 that it will spend $500 million on cybersecurity this year alone, for example. Many companies will succeed in fending off attacks, and others will not. And some may find themselves forced to give in to cybercriminals’ demands – for instance, also in February, a California hospital revealed that it had paid a ransom – in hard-to-trace bitcoin – to cybercriminals who had used ransomware to seize control of the hospital’s computers.
Tara Swaminatha, Of Counsel in the IPT group and based in Washington, DC, has over 15 years of experience in information security and privacy. A former federal prosecutor, she counsels clients through incident responses and investigations into data breaches and other cyberincidents. Reach her at firstname.lastname@example.org.