Nov 162017

Jason C. Gavejian writes:

The United State Supreme Court recently denied certiorari in Nosal v. United States, 16-1344, declining to weigh in on the scope of unauthorized access under the Computer Fraud and Abuse Act (“CFAA”). The Ninth Circuit held in Nosal that David Nosal violated the CFAA by using his past assistant’s password to access his former employer’s computer system after his access credentials were expressly revoked. (For Nosal case history see our past blog posts here and here.)

Read more on Workplace Privacy, DataManagement & Security Report

Public shaming likely but GOP wary of new laws after Equifax breach

 Posted by at 8:22 am  Business Sector, Commentaries and Analyses, Federal, Hack, Legislation  Comments Off on Public shaming likely but GOP wary of new laws after Equifax breach
Sep 242017

AP reports what I’ve basically been telling everyone already.

Prospects are good for a public shaming in the Equifax data breach, but it’s unlikely Congress will institute sweeping new regulations after hackers accessed the personal information of an estimated 143 million Americans.

Since early this year, President Donald Trump and the Republican-led Congress have strived to curb government’s influence on businesses, arguing that regulations stifle economic growth. Lawmakers have repealed more than a dozen Obama-era rules and the House voted in June to roll back much of Dodd-Frank, the landmark banking law created after the 2008 economic crisis that was designed to prevent future meltdowns.

Read more on KPC News.

Senator Warren introduces Equifax bill; launches industry probe

 Posted by at 8:37 am  Business Sector, Commentaries and Analyses, Federal, U.S.  Comments Off on Senator Warren introduces Equifax bill; launches industry probe
Sep 152017

Chris Sanders reports:

U.S. Senator Elizabeth Warren said on Friday she has begun an investigation into Equifax’s (EFX.N) massive data breach and, along with 11 other Democratic senators, will introduce a bill to give consumers the ability to freeze their credit for free.

Warren, who has built a reputation as a champion of consumers and often challenges the finance industry, also wrote letters to Equifax and its rival credit monitoring agencies TransUnion (TRU.N) and Experian (EXPN.L), federal regulators, and the Government Accountability Office for information to see if new federal legislation was needed to protect consumers.

Read more on Reuters.

The fact that she has to ask is somewhat depressing. Why haven’t they been listening to us for the past dozen years or so while we’ve been getting cyber-laryngitis from screaming about these problems?

Freezing a credit report for free will save consumers some money, sure, but that still fails to deal with the bigger issues: that these companies collect and store information on us without our consent and there are no statutory consequences for poor or sloppy security. As we’ve noted many times here, the FTC does not have the authority under Section 5 to impose monetary fines for a data breach. Yes, perhaps they can get a consent decree, but what/where is the “OMG, we can’t risk THAT happening to us” penalty or consequence to motivate firms?

CHINA: first 100 days of Cybersecurity Law sees active enforcement and more guidelines, but still uncertainties

 Posted by at 9:05 am  Commentaries and Analyses, Federal, Non-U.S.  Comments Off on CHINA: first 100 days of Cybersecurity Law sees active enforcement and more guidelines, but still uncertainties
Sep 042017

Carolyn Bigg of DLA Piper writes:

Almost 100 days have passed since the new PRC Cybersecurity Law came into force. While the enforcement environment is becoming clearer – and shows data protection and cyber security in China is a real risk to be taken seriously – most of the new guidelines published to try to add meat to the bones of the new law are unfortunately still in draft; and there are still major uncertainties around who is a KIIO, and how and when network operators can transfer data overseas.

Key developments over the Summer include:

Actual enforcement action: as widely reported in the press, there has been a flurry of enforcement activity by the CAC under the new Cybersecurity Law, including very high profile investigations into some of the biggest online platforms in China, as well as enforcement notices being issued at a local level. This has been alongside the ongoing crackdown on illegal VPN use, meaning a very busy Summer for the regulators. It reinforces our predictions that the combination of an organised, proactive regulator – alongside greater regulatory engagement through assessment, certification and whistleblowing mechanisms in the new law – means the enforcement risk in China is now much higher, and the new law cannot be ignored.

Draft KIIO regulations: the CAC published for consultation its draft Regulations on Protection of Critical Information Infrastructure Security on 10 July 2017. Some of the key draft proposals include:

Read more on Privacy Matters. 

In developments elsewhere, Mark Young of Covington & Burling writes that the UK government is  proposing a cybersecurity law with serious fines. A published consultation The consultation

includes a proposal to fine firms that fail to implement “appropriate and proportionate security measures” up to EUR 20 million or 4% of global turnover (whichever is greater).

Read more on InsidePrivacy.

Wondering how our own cybersecurity is progressing? I found it outrageous that President Trump recently congratulated Finland on its cybersecurity program and suggested that we would be right up there with them soon when the reality is that more than 1/4 of President Trump’s advisors recently resigned en masse, citing, in part, the President’s lack of attention to serious national security matters involving cybersecurity. Gah…..

Is The Hutchins Indictment Over Malware Unconstitutional?

 Posted by at 3:55 am  Commentaries and Analyses, Federal, Hack, Legislation, Malware, Of Note, U.S.  Comments Off on Is The Hutchins Indictment Over Malware Unconstitutional?
Aug 212017

Alex Berengaut of Covington & Burling analyzes some of the legal issues raised by the indictment of Marcus Hutchins (@malwaretechblog) for allegedly creating and conspiring to sell malware known as the Kronos banking trojan. He writes, in part:

Since Hutchins’ indictment, commentators have questioned whether the creation and selling of malware—without actually using the malware—violates the two statutes under which Hutchins was charged: the Computer Fraud and Abuse Act and the Wiretap Act.[1] It is likely that these issues will be litigated as the case unfolds.

But there is another question raised by the indictment: whether it violates Hutchins’ constitutional rights to charge him for his alleged conduct under any statute in this country. Several circuits—including the Seventh Circuit, where Hutchins’ case will be heard—have recognized that the federal government cannot charge anyone, anywhere in the world irrespective of their connections to the United States.[2] As the Second Circuit has put it, “[i]n order to apply extraterritorially a federal criminal statute to a defendant consistently with due process, there must be a sufficient nexus between the defendant and the United States so that such application would not be arbitrary and fundamentally unfair.”[3]

Read more on Covington & Burling Inside Privacy.