
Liability Protection for Firms That Share Cybersecurity Information?


In November 2015, I wrote about a symposium conducted by the FBI and Secret Service to partner with the private sector on shared cybersecurity concerns.  One of the open issues from that symposium concerned potential liability for firms that shared cybersecurity information with law enforcement.  Those issues were supposed to be addressed in the Cybersecurity Act of 2015, which the President signed into law December 18, 2015.

Were they?  The Act includes provisions that deal with some of the concerns from firms that share information with law enforcement and with one another. The statute provides the following:

  • For private entities that share information with the federal government in accordance with the Act, the law provides that there is no legal cause of action against those entities.[1]
  • Cyber threat indicators and defensive measures that private entities share with federal government or with a state, tribal or local government under the Act may not be used to regulate those entities, including enforcement actions.[2]
  • Private entities do not waive privilege when they share information with the federal government.[3]
  • Private entities can declare shared information to be proprietary and confidential.[4]
  • Sharing of cyber threat information among private entities will not violate antitrust laws.[5]

The government can only use business-supplied information for a “cybersecurity purpose.”  That is, the information can only be used to protect “an information system or information that is stored on, processed by, or transiting an information system from a cybersecurity threat or security threat or security vulnerability.”[6] Nor can the government release that shared information to the public, including through freedom of information requests made to federal, state, and local government.[7]

Is the Act significant?  Some commentators have yawned.  One called the law’s focus “fairly modest,”[8] and stated that “companies are not especially concerned about potential liability arising from such sharing.”[9]  Forbes wrote that the bill “will likely be ineffective in the prevention of cybercrime[, and has been]…criticized for the litany of privacy issues it could potentially introduce.  At its best, the bill…[is] a step in the right direction in the fight against cybercriminals.”[10] And while some contend that many companies are already sharing cybersecurity information,[11] other tech companies (such as Apple and Twitter) have stated they would not participate in the sharing program.[12]

But others have pointed to the Act’s protections to businesses that choose voluntarily to share information.  Those include:

  • An expansive safe harbor from liability, with protections for private entities from civil, regulatory, and antitrust liability.[13]
  • No requirement that firms act after they receive shared cybersecurity information.  Though not acting creates its own problems: the law does not shield those firms from liability. “An entity that receives information about a cybersecurity threat to its networks may remain subject to claims premised on common law causes of action such as negligence if it fails to respond diligently.”[14]
  • Authorizing private entities to use defensive cybersecurity measures on a firm’s information systems and those of other consenting entities. Note, though, that the Act doesn’t green-light measures that go on the attack against hackers, in order to “destroy, render unusable, provide unauthorized access to, or substantially harm third-party information systems.”[15]

To benefit from the Act, firms are required to take certain steps, including removing personally identifiable information not directly related to a cybersecurity threat from information provided either to the government or to another firm.[16] And “[e]ntities that share information should keep clear records evidencing their compliance with [the Act] to ensure they can benefit from its liability protections.”[17]

Expectations for the new law may ultimately need to be modest.  That understood, the Act could result in a little more certainty for firms that share cybersecurity information with one another and with the federal government.

Bohdan S. Ozaruk
Of Counsel, Jones Morrison, LLP

________________________________________

The information in this article is for general use, and may not be applicable in all situations.  You should not act on it without specific legal advice based on your particular circumstances. The views expressed in this article should not be attributed to Jones Morrison LLP, its attorneys, or its clients.


[1] Cybersecurity Act of 2015 §106(a)-(b) (“[n]o cause of action shall lie…against any private entity, and such action shall be promptly dismissed, for the monitoring of an information system….[and] for the sharing or receipt of a cyber threat indicator or defensive measure….”) (Act)

[2] Sullivan & Cromwell discusses The Cybersecurity Act of 2015, CLS Blue Sky Blog, (Jan. 6, 2016) 4/7, http://clsbluesky.law.columbia.edu/2016/01/06/sullivan-cromwell-discusses-the-cybersecurity-act-of-2015/ (Blue Sky Blog)

[3] Act, §105(d)(1) (“shall not constitute a waiver of any applicable privilege or protection provided by law, including trade secret protection.”)

[4] Act, §105(d)(2) (“cyber threat or defensive measure…shall be considered the commercial, financial, and proprietary information of such…entity when so designated by the…entity….”)

[5] Act, §104(e)(1) (“it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes….”)

[6] Act, §102(4).  An “information system” is “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.”  Id., §102(9)(A) (incorporating by reference 44 U.S.C. §3502(8)).

[7] Act, §105(d)(3)(B) (“cyber threat or defensive measure…shall be…withheld, without discretion, from the public under section 552(b)(3)(B)…and any State, tribal, or local provision…requiring disclosure of information or records….”)

[8] Cadwalader, President Obama Signs Cybersecurity Act of 2015 to Encourage Cybersecurity Information Sharing, (Dec. 24, 2015), http://www.cadwalader.com/resources/clients-friends-memos/president-obama-signs-cybersecurity-act-of-2015-to-encourage-cybersecurity-information-sharing (Cadwalader).

[9] Id.

[10] Forbes, The Problems Experts And Privacy Advocates Have With The Senate’s Cybersecurity Bill, 1/6, http://www.forbes.com/sites/abigailtracy/2015/10/29/the-problems-experts-and-privacy-advocates-have-with-the-senates-cybersecurity-bill/print/

[11] Forbes, 3/6

[12] Corey Bennett, Major Tech Group Comes Out Against Cyber Bill, The Hill (Oct. 15, 2015, 12:34 PM), http://thehill.com/policy/cybersecurity/257029-major-tech-group-opposes-cyber-bill (cited in Cadwalader)

[13] Blue Sky Blog, 2/7 (“Once triggered, CISA’s safe harbors from liability are broad. Private entities sharing information are generally shielded from civil, regulatory, and antitrust liability based on their sharing.”)

[14] Blue Sky Blog, 2/7.

[15] Blue Sky Blog, 2/7.

[16] Act, §104(d)(2) (“A non-Federal entity sharing a cyber threat indicator… shall, prior to such sharing…review such cyber threat indicator to assess whether such cyber threat indicator contains any information not directly related to a cybersecurity threat that …identifies a specific individual and remove such information; or…implement and utilize a technical capability configured to remove any [such personally identifiable] information….”)

[17] Blue Sky Blog, 2/7.

FBI and U.S. Secret Service Host Cybersecurity Outreach Effort


On October 22, 2015, the FBI and U.S. Secret Service hosted a meeting of representatives from both agencies, along with representatives from the financial services sector.  The meeting was in connection with law enforcement’s stated desire for a “partnership” with the private sector on common concerns about cybersecurity.  The FBI has stated that “after more than a decade of combating cybercrime through a nationwide network of interagency task forces, the FBI has evolved its Cyber Task Forces (CTFs) in all 56 field offices to focus exclusively on cybersecurity threats.”[i]  Both agencies also discussed coordination among and within their agencies, so that law enforcement’s cyber efforts are not patchwork.

Law enforcement benefits from private sector reporting, particularly as it affects crime solving and trends.  But law enforcement also offers businesses resources for detection and prevention.

Some statistics:

  • Average annualized cost of cybercrime from a benchmark sample of U.S. organizations was $15 million, representing a nearly 20 percent increase year over year.[ii]
  • The average time it takes to resolve a cyber-attack (46 days) has increased by nearly 30 percent during the most recent six-year period.[iii]
  • The average cost incurred to resolve a single attack totals more than $1.9 million.[iv]
  • Small organizations incur a “significantly” higher per capita cost for cybercrime than larger organizations.[v]
  • The most costly cybercrimes are caused by denial of service, malicious insiders and malicious code. Those crimes accounted for more than 50 percent of all cybercrime costs per organization on an annual basis.[vi]

Some of the takeaways from the meeting:

  • Businesses should report cyber breaches to the FBI or Secret Service immediately, or as soon as practical.  More information about doing so is located at http://www.ic3.gov/default.aspx and http://www.secretservice.gov/investigation/#cyber.  Both agencies emphasized that businesses can contact either agency, since both share information about cyberattacks and investigations.
  • The FBI and Secret Service both regard businesses compromised by cyber-attacks as “victims,” not as prospective referrals to regulators.  They make no promises, however, that law enforcement won’t refer a matter to a regulator in an appropriate circumstance.  Recent legislation, passed in the U.S. Senate, may provide some protections to businesses for cyber information sharing with law enforcement.  That legislation “would extend protections to organizations [that] decide to share information with the Department of Homeland Security and the FBI, pooling it in a database designed to aid U.S. authorities in their ongoing war with cybercriminals.”[vii]  But whether these “protections” extend to regulatory referral is unclear.[viii]  And the legislation as of this writing has not been enacted into law.
  • The FBI and Secret Service will not provide post-incident remediation to a cyber-attacked business.  But the agencies provide pre-attack generalized assistance, including outreach to public and private sector partners, by providing strategic reports and sector-specific threat briefings.  And the FBI provides the public with a post-attack online reporting mechanism for suspected Internet-facilitated crime, including intellectual property theft and online fraud.

The FBI’s resources:

  • The FBI’s website provides information about InfraGard, a non-profit organization and public-private partnership between the FBI and business members.  The program “brings together representatives from the private and public sectors to help protect our nation’s critical infrastructure and key resources from attacks….”[ix]
    • InfraGard members get access to an FBI secure communications network featuring an encrypted website, web mail, listservs, and message boards. The website plays an integral part in information-sharing efforts, and can disseminate threat alerts and advisories. It also provides information about intelligence products from the FBI and other agencies, and last year posted more than 1,000 of them, along with giving InfraGard members the ability to offer feedback.
    • You can get more information from InfraGard’s public website (https://www.infragard.org/) or contact your local FBI field office.  Membership in InfraGard includes:
      • a secure information portal, iGuardian, which allows industry-based partners to share cyber intrusion incidents in real time and receive training and cyber threat reports. All iGuardian incident submissions are processed through the FBI’s CyWatch website (cywatch@ic.fbi.gov) for immediate action.
      • Malware Investigator, a secure online venue that provides file identifiers, virus scanning, and malware mitigation.
      • The FBI provides prevention and mitigation techniques for computer intrusion.  That information is located at http://pdxccc.org/wp-content/uploads/Prevention_v4.pdf.

These resources will be particularly valuable for businesses whose management has not been appropriately focused on cybersecurity.  The data on cybercrime and the headlines about breaches speak for themselves.  Businesses should assume they will be targeted; the question is not “if,” but “when.”

Bohdan S. Ozaruk

Attorney, Jones Morrison, LLP


[ii] Marketwatch, Annual Study Reveals Average Cost of Cyber Crime per Organization Escalates to $15 Million, (Oct. 16, 2015), available at http://www.marketwatch.com/story/annual-study-reveals-average-cost-of-cyber-crime-per-organization-escalates-to-15-million-2015-10-06

[iii] Id.

[iv] Id.

[v] Id.

[vi] Id.

[vii] Legaltech News, What CISA Means for Organizations and Their Data (Nov. 3, 2015), available at http://www.legaltechnews.com/id=1202741474408/What-CISA-Means-for-Organizations-and-Their-Data#ixzz3qjKmSQuM

[viii] A recent law blog stated that “[a]s a general proposition, companies sharing information about “’cyber threats’” through the reporting mechanisms outlined in CISA would be awarded liability protection from lawsuits relating to data sharing.”  Data Security Law Blog of Patterson Belknap Webb & Tyler LLP, Truth or Consequences: Does the Senate’s Information Sharing Bill Really Help Business? (Oct. 30, 2015) (emphasis added), available at http://datasecuritylaw.com/blog/truth-or-consequences-does-the-senates-information-sharing-bill-really-help-business/

Cybersecurity and the Financial Firm


You may have become associated with a broker-dealer or investment adviser because your background was finance. Or marketing.  Or even political science, law, or psychology. Not technology. So why is cybersecurity your problem?

Because the regulators have said it is.

Starting in 2014, the SEC “launched an initiative to examine broker-dealers and investment advisers’ cybersecurity compliance and controls” and would “continue th[o]se efforts [in 2015] and…expand them….”[a]  Specific to investment advisers, the SEC provided guidance this year that funds and advisers “may wish to consider,” and which includes:

  1. periodic assessments of a firm’s unique information gathering and storage, unique or general cyber threats to the firm and its clients, and technology to mitigate those threats;
  2. “a strategy…designed to prevent, detect and respond to cybersecurity threats”; and
  3. implementation of that strategy “through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.”[b]

Likewise, FINRA has made it clear that broker-dealers “should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.”[c]

The regulators have backed up their admonitions with bite.  As of May 2014, “[t]he SEC and FINRA…brought more than 10 enforcement cases against firms based, at least in part, on cybersecurity-related failures.”[d]  Those failures included “(1) cybersecurity governance; (2) protection of firm networks and customer information; (3) vendors and outsourcing; and (4) responding to cybersecurity breaches.”[e]  And those violations were costly. The sanctions for those breaches ranged “from … $100,000 to $450,000. The only exception [was] a $27,500 fine imposed against a small firm…for a procedural violation without any customer harm.”[f]

What does a financial firm need to do? For starters, create a protocol to identify cyber risk unique to that firm and then create a process to manage that risk. Recently, a federal agency (the Federal Financial Institutions Examination Council (FFIEC))[g] facilitated that process by publishing its Cybersecurity Assessment Tool.[h]  According to the FFIEC, the Tool helps “institutions identify their risks and determine their cybersecurity preparedness[, and]…provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”[i]   As such, it provides some reassurance for firms, since the structure of the Tool “confirms regulatory focus on risk mitigation and adequate management of cybersecurity preparedness, not wholesale elimination of all risk of cyber breaches.”[j]

Financial firms may mitigate some future pain by using this tool. “This [FFIEC] guidance may…impact how regulators, or in the event of a problem, courts hearing civil lawsuits, assess both the institution’s level of preparedness and how the company’s directors and officers discharged their responsibilities in creating and maintaining cybersecurity measures.”[k]  And the risk mitigation isn’t just for the financial firms. It is also for their officers and directors:  “FFIEC set forth specific expectations for the boards of financial institutions (as well as their CEOs), signaling not only the importance of governance in enterprise-wide cybersecurity risk management, but clarifying that future regulatory examinations will focus specifically on whether the Board fulfilled its cybersecurity-related responsibilities.”[l]

Cybersecurity is now practically old news. Firms should not only have in place written protocols for cybersecurity, but should be tweaking and testing their existing systems and documenting all cyber breaches. Doing so is not only good business; it shows the kind of firm-wide diligence that might reassure the regulators that your firm is “on it.” Cyber threats will only become more sophisticated, and cybersecurity will continue to be a priority with the regulators, as data breaches and their consequences continue to headline the news. Do what’s necessary. Use the Cybersecurity Assessment Tool, or whatever other tool does the job, to assess the effectiveness of your protocols. Don’t become the subject of a regulatory enforcement referral because you or your firm fell short.

Bohdan S. Ozaruk

Attorney, Jones Morrison, LLP


[a] SEC National Exam Program, Examination Priorities for 2015, at 3, located at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf

[b] IM Guidance Update, No. 2015-02 (Apr. 2015), at 1-2, located at http://www.sec.gov/investment/im-guidance-2015-02.pdf

[c] FINRA Report on Cybersecurity Practices (Feb. 2015) (“FINRA Report”), at 2, located at https://www.finra.org/file/report-cybersecurity-practices

[d] B. Rubin, What To Expect From SEC, FINRA Cybersecurity Enforcement (May 5, 2014) (“B. Rubin, What To Expect”), located at http://www.law360.com/articles/534388/what-to-expect-from-sec-finra-cybersecurity-enforcement

[e] B. Rubin, What To Expect

[f] B. Rubin, What To Expect

[g] The FFIEC “is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions.”  https://www.ffiec.gov/about.htm

[h] Located at https://www.ffiec.gov/cyberassessmenttool.htm

[i] https://www.ffiec.gov/cyberassessmenttool.htm

[j] A. Swaminathan, J. Halper, A. Kim, H. Ullman, N. Nahabet, New Guidance for Financial Institution Directors and Officers In Cybersecurity Preparedness (Aug. 26, 2015) (“New Guidance-Cyber”), at 1, located at https://www.orrick.com/Events-and-Publications/Pages/New-Guidance-for-Financial-Institution-Directors-and-Officers-In-Cybersecurity-Preparedness.aspx

[k] New Guidance-Cyber, at 1.

[l] New Guidance-Cyber, at 1.
