Inside Counsel Magazine Revisits SEC's Cybersecurity Guidance

As we noted back in October, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

The most recent issue of Inside Counsel follows up on the latest views on this Guidance, including a quote from me.

Is Public-Private Information Sharing Needed to Respond to the Massive Increase in Cyber Attacks?

Interesting article in Friday's Wall Street Journal on potential cybersecurity legislation to improve information sharing between industry and government.  Perhaps the best part of the article is the citation of statistics from Symantec's annual Internet Security Threat Report:  Trends for 2009 and 2010 on how many updates Symantec sent out to customers to address new attacks those customers were facing:

  • 2002:  20,254 updates
  • 2003:  19,159 updates
  • 2004:  74,981 updates
  • 2005:  113,081 updates
  • 2006:  167,069 updates
  • 2007:  708,742 updates
  • 2008:  1,691,323 updates
  • 2009:  2,895,802 updates
  • 2010:  10,000,000 updates

Sen. McCain Inserts Cybersecurity Amendment into DoD Authorization Act

My colleague Dayle Cristinzio, former Legislative Director for Senator Harry Reid, has provided me with the amendments to Senate Bill 1867, the Department of Defense Authorization Act.  Among these amendments is one from Sen. McCain, amendment #1229, which could provide greater cybersecurity collaboration between the Department of Defense and the Department of Homeland Security.

"SEC's Corp Fin Staff Attacks Cyber-Security Disclosure"

I was interviewed and quoted as part of a Compliance Week article on the new SEC guidance on disclosures of cyber security incidents:

Colin Zick, a partner at law firm Foley Hoag, says the guidance is too general and that companies will have to think hard when assessing what information to disclose. “There are a lot of cyber-incidents, and there are lots of ways how these will affect your business,” he says. When companies are contemplating the definition of cyber-incidents, they should think expansively, he adds. “Think of data breach, data loss, and denial of service on your Websites when an attack occurs. The [SEC staff] wants you to do this risk assessment so you will understand what this is about,” he said.

SEC Publishes Guidance on Cyber Incidents

On October 13, the SEC issued CF Disclosure Guidance: Topic No. 2:  Cybersecurity.
This guidance provides the Division of Corporation Finance's views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.  It follows Chairman Schapiro's June 2011 letter to Senator Rockefeller on the subject.

Is Teamwork the Answer to Data Security?

Increasingly, alliances are viewed as an important way to improve data security.  The Washington Post reports that the National Security Agency is now working with Internet service providers to thwart cyberattacks against defense firms by foreign adversaries.  We have previously noted two other initiatives:  the Advanced Cyber Security Center (to which Foley Hoag serves as legal counsel) and InfraGard, a Federal Bureau of Investigation program.  One of the oldest and best examples of successful collaboration is PCI, the credit card industry's security program.

Incident(s) of the Week: Double Feature

Incident 1: UNC Data Breach Exposes Information On Over 100,000 Women Listed In Mammogram Registry

The University of North Carolina at Chapel Hill recently disclosed a data breach that exposed information on 160,000 women, including the Social Security Numbers of 114,000.  Original reports estimated that more than 200,000 women were affected.  The source of the breach was a computer intrusion into a server housing the Carolina Mammography Registry, which is "a 14-year-old project that compiles and analyzes mammography data submitted by radiologists across North Carolina."

Evidently, the breach was discovered in July, but it may have occurred over two years ago.  According to Matt Mauro, chairman of the UNC Department of Radiology, traces of computer viruses dating back to 2007 were found on the UNC server.  The school delayed notifying those affected while it conducted a forensic investigation to determine exactly who was affected.  To this point, however, the school still does not know who committed the breach, where the attack originated, how the server (which had all required security measures) was breached, or whether any data was actually downloaded.

Incident 2: Massachusetts Inmate Pleads Guilty to Charges that He Hacked Prison Computer While Incarcerated, Accessed Personal Information On 1,100 Correctional Officers

On September 14, 2009, Francis G. Janosko pled guilty to charges that he hacked a legal research computer provided to inmates in the Plymouth County Correctional Facility.  A highly restricted computer terminal was provided to inmates for the sole purpose of allowing them access to legal research resources.  Janosko apparently circumvented the security measures restricting the computer to legal research tools and obtained the administrator's username and password, access to the prison's internal network, and a report listing the names, birthdays, Social Security Numbers and contact information for 1,100 current and former prison personnel.  He also used the computer to send email and download publicly-available photographs and videos.

A grand jury in Boston indicted Janosko for these activities about a year ago in a sealed indictment (.pdf).  In the plea agreement (.pdf) recently reached with the U.S. Attorney's Office in Boston, federal prosecutors have agreed to dismiss the original charge of aggravated identity theft in exchange for Janosko's guilty plea to charges under the Computer Fraud and Abuse Act.  Janosko has agreed to accept an additional incarceration of 18 months for the hack.  Sentencing in the case is scheduled for December 15th.

Secret Service and Europe Plan a Cybercrime Task Force

According to recent reports from the Wall Street Journal and Computerworld, on June 30 the United States Secret Service, the Italian police and Italian postal service reached an agreement for the establishment of an international task force to fight cybercrime, including identity theft and computer hacking.  Mark Sullivan, the director of the Secret Service, stated that cybercrime "is not a borderless crime and we believe there needs to be a reaction at an international level."  While it may seem odd at first for the Secret Service, whose most obvious mission is to protect members of the U.S. government and visiting heads of state, to be involved in a fight against cybercrime, the agency actually has a dual mission: both to protect heads of state and "to safeguard the nation's financial infrastructure and payment systems to preserve the integrity of the economy."  Moreover, Congress has given the agency authority to investigate offenses under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. sec. 1030(d).

The task force will be named the European Electronic Crime Task Force, will be based in Rome and, according to Italian police, will be open to other European countries.  Its main focus will be to combine the resources and efforts of the United States and European Union nations in order to fortify cyber-defenses for government sites hosting sensitive data.  The Italian Postal Service (and, presumably, other entities that decide to contribute) will exchange alerts with the Secret Service, monitor computer networks across Europe for threats using Italian Postal Service software, and coordinate to respond quickly to attacks.  According to the articles, the Italian Postal Service now makes more money from banking and insurance services than from the traditional sending of letters and packages.  Given this shift in focus, it has developed software that can review electronic monetary transfers for suspicious signs.

Ironically, and as discussed in more detail elsewhere, the announcement of this new task force came just a few days before the Secret Service's website, along with the websites of the Treasury Department and Federal Trade Commission, was paralyzed by cyberattacks, which government officials speculate originated from North Korea.  Perhaps the Secret Service should have first established a task force with Asia?

U.S. and South Korea Targeted in Ongoing Denial of Service Attacks

On the 4th of July an organized series of Denial of Service (DOS) attacks was launched against a number of U.S. government websites (including the White House, Treasury Department and Federal Trade Commission websites), as well as several websites associated with the South Korean government and a handful of corporate targets (the Washington Post and the Nasdaq stock exchange).  [If you are wondering what a DOS/DDOS attack is, brief explanations are available from the U.S. Computer Emergency Response Team (CERT) and CNET.]

The U.S. government routinely faces threats like these (note coverage of prior events in 2001 and 2000), but the recent attacks have been especially long lasting, apparently very well coordinated and sophisticated, and “remarkably successful”. In fact, a number of government websites were brought down over the weekend and some are still experiencing service problems as a result of this attack. [As of this posting, the FTC website is still showing signs of overload.] Of particular note is that the website of at least one agency charged with investigating cybercrime violations in the United States, the Secret Service website, was successfully brought down by this attack.

At the moment, the source of the attack is unknown, but some are reporting that North Korea is behind the attack.  In particular, there is some suggestion that North Korea may be running a "cyber warfare unit" which is tasked with hacking into military websites and disrupting traffic to those sites.  If such reports are accurate, then we have seen a demonstration that a hostile government has the capability to disrupt traffic to government websites, even the websites of government agencies involved in cyber security.  Of course, the apparent impact of these attacks has been minimal: they have effectively disrupted the use of public websites, but there appears to be little lasting impact.

U.S. officials have not issued any public comment on the attacks.