© 2018 The Texas Lawbook.
By Justin S. Cohen and Michael C. Titens of Thompson & Knight
(Jan. 8) – 2017 was another year of challenges in the cybersecurity world. Here is a look back at some of the top stories from this past year.
Breaches
Equifax: The Equifax breach was significant for being one of the largest in history (more than 145 million individuals were affected) and for the type of data involved (personal information, such as Social Security numbers and addresses). Class action lawsuits and state and federal investigations followed this breach. While it will take some time for all the repercussions to unfold, Equifax’s pre- and post-breach actions have drawn and will continue to draw considerable scrutiny.
Uber: Uber’s 2017 disclosure of its 2016 breach affecting more than 57 million customers and drivers, and allegations of cover-up attempts, raised some of the same reporting issues as Equifax. In addition, Uber’s admitted “failure to notify affected individuals or regulators” will test how different governments and government agencies (at the city, state, and federal levels of both the U.S. and foreign countries) will enforce the many breach disclosure laws around the globe.
Securities and Exchange Commission: The SEC’s disclosure of its 2016 breach, which may have facilitated insider trading, raised a different concern – how do companies who are obligated to report information to a government regulator protect themselves when the regulator is breached?
Deloitte: One of the Big Four accounting firms also reported a breach in 2017. This one affected the company’s email accounts. There were fears that sensitive information could have been accessed.
Bitcoin: In December, bitcoin mining marketplace NiceHash suspended operations for at least 24 hours due to a cyberattack that resulted in 4,700 stolen bitcoins (current value: $76 million). This incident, and others like it, raise concerns about the security of the increasingly popular cryptocurrencies.
Yahoo!: In October, Yahoo! finally disclosed that its prior breaches, dating back to 2014, impacted all 3 billion of its user accounts.
Legislation
New York: New York State’s Department of Financial Services introduced cyber regulations that will impact New York businesses and many companies outside the state. The New York regulations will require entities to have more robust cyber operational risk management practices in areas such as cyber risk governance, cyber risk management, and incident response and resilience.
Federal law: Following the Uber and Yahoo! breach stories, three senators introduced the Data Security and Breach Notification Act in December, which would require companies to report data breaches within 30 days. Under the proposed law, an individual who knowingly conceals a data breach could face up to five years in prison.
China: Since becoming effective in May, the China Cybersecurity Law has caused concern among companies doing business in China and companies collecting data on Chinese residents. On its face, the law appears to apply to any entity transmitting data between two or more computers. Clarifications have been promised by the Chinese government. See our post here for more information.
General Data Protection Regulation (GDPR): GDPR will become effective in May 2018, but due to its heightened privacy requirements, many companies began preparing for compliance in 2017. While the regulation is EU-focused, it affects any business collecting or processing the data of EU residents. Meanwhile, the EU-US Privacy Shield program for cross-border data transfer remains in place for now, but faces continued scrutiny in Europe. We blogged about the Privacy Shield here.
Litigation: So far, large data breaches have spawned many class action lawsuits, but plaintiffs have been largely unsuccessful in showing that they have standing to sue. We anticipate that standing will continue to be a hotly contested issue in 2018. As hackers begin to use stolen information, more individuals may be able to show a concrete injury and, therefore, may have an increased ability to demonstrate standing and damages directly resulting from a breach.
New and growing concerns
Internet of things: In 2016, the “Mirai” botnet infected networked cameras, internet routers and other devices via weak or default passwords. Those compromised devices were then used to create outages on many popular websites. In 2017, the “Reaper” botnet used actual software-hacking techniques to break into devices. At last count, the Reaper botnet has broken into more than a million devices.
The connected home: “Always on” and always-listening devices (such as Google Home and Amazon Alexa) in our homes, including a new Amazon camera, are creating new legal issues as companies, individuals and law enforcement seek to obtain and use their data in various civil and criminal proceedings. This demonstrates the continued struggle between the convenience of these devices and the collection of personal and private data on many aspects of peoples’ daily lives. Similarly, earlier this year, certain Smart TV manufacturers were forced to deal with the consequences of excessive recording. See our post here for more information.
Biometric privacy: Concerns over the collection and privacy of biometric data accelerated in 2017 as more than 32 class action lawsuits were filed under the Illinois Biometric Information Privacy Act. Unlike other states, the Illinois act provides for a private cause of action for consumers and employees with respect to their biometric information.
Politics: Last year, we reported on concerns regarding voting machines being hacked. This continues to be an issue both at home and abroad. We also reported here on the broad powers of U.S. Customs to search international travelers’ laptops, phones and other electronics at the border.
Threats
Growth of ransomware: The WannaCry and Petya attacks are unpleasant examples of the new wave of ransomware. The fact that this malware was apparently stolen from U.S. government agencies was shocking on its own. In addition, the ability of this malware to broadly shut down company systems demonstrates a threat that goes well beyond stealing or holding hostage personal information.
Stephen E. Stein also contributed to this article.
© 2018 The Texas Lawbook. Content of The Texas Lawbook is controlled and protected by specific licensing agreements with our subscribers and under federal copyright laws. Any distribution of this content without the consent of The Texas Lawbook is prohibited.
If you see any inaccuracy in any article in The Texas Lawbook, please contact us. Our goal is content that is 100% true and accurate. Thank you.