#MLWashingtonCyberWatch

Amid the flurry following former FBI Director James Comey’s firing last week, President Trump marked his 111th day in office on Thursday, May 11th by signing an executive order targeting national cybersecurity.

The long-awaited order is the first step in fulfilling Trump’s promise to address national cybersecurity concerns and it arrives as threats of international hacking and cyberattacks reach an all-time high. It establishes three overarching cybersecurity priorities for the United States: (1) protecting federal networks, (2) reinforcing critical IT infrastructure, and (3) protecting the American public in the online space. The full text of the executive order can be found here.

While the order includes few actionable items, it sets strict deadlines for government agencies to produce risk reports and recommendations for improving their data security practices, signifying an important call to action from the executive branch that places risk management at the forefront.

Modernizing & consolidating federal networks

Consolidating to the cloud will likely be the first major step toward overhauling the government’s administration-wide cybersecurity protocol. In a press briefing last Thursday, White House Homeland Security Advisor Tom Bossert addressed what he views as fractured, agency-specific IT security practices across the government, noting that “[if] we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.”

The move to modernize is an extension of similar efforts from the Obama administration to bolster cybersecurity, an area in which Bossert says the administration made “a lot of progress … [but] not enough.” In line with advancing these efforts, the executive order requires federal agencies to use the Framework for Improving Critical Infrastructure Cybersecurity developed in 2014 by the National Institute of Standards and Technology (“NIST”) to manage cybersecurity risk. Coincidentally, the Framework may be revised soon as the NIST recently closed a comment period on an updated draft that it circulated in January 2017, and per the executive order any successor document to the Framework will become the operative version to be used by government agencies. Separately, Rep. Will Hurd (R-TX), Chairman of the House Information Technology Subcommittee, recently reintroduced H.R. 2227, the “Modernizing Government Technology Act,” which secures more efficient funding for the modernization of federal IT infrastructure and is expected to hit the floor of the House of Representatives within the next couple of weeks.

Reinforcing critical infrastructure

The second prong of the executive order requires the Secretary of Homeland Security to prepare an audit of potential vulnerabilities across the country’s infrastructure systems – from financial and telecommunications systems to utilities including water and electricity. Improving transparency about the security gaps in these systems is crucial, especially as traditional data breaches are losing ground to more devastating Distributed Denial of Service (DDoS) botnet attacks made possible by the growing Internet of Things, or “IoT” (see our blog post here for a discussion of the House’s efforts to address growing security concerns around the IoT).

Protecting the public online

Finally, President Trump’s executive order urges policies aimed at protecting U.S. citizens from domestic and foreign online threats. In addition to increasing the number of cybersecurity experts working with the White House, Bossert suggested that following through on such policies will require greater partnerships between the federal government and the private sector. Indeed, the government currently relies on technology from large, long-time vendors, many of which may not be prepared to grapple with the significant and evolving risks becoming apparent across the data security landscape. Independent technology startups are proving to be the heart of progress in new cybersecurity measures, and the government will need to cultivate solid relationships with these players if it wants to stay ahead in the cybersecurity arena.

President Trump’s executive order has received some criticism for its breadth, but overall has been commended by cybersecurity experts as a balanced step in the right direction. Time will tell whether the resulting policies will make a meaningful difference in the country’s ability to fend off attackers in the ever-evolving online battleground.

In another example of increased restriction on the rights of non-U.S. Citizens, last week the Department of Homeland Security (“DHS”) published a policy memorandum limiting the privacy rights of immigrants and foreign nationals under the Federal Privacy Act of 1974.  This new guidance was issued to bring DHS policy in line with President Trump’s January 25 executive order.

The Privacy Act was established to govern the collection, maintenance, use and dissemination of personally-identifiable information maintained by federal agencies.  The Privacy Act, with specific exceptions, prohibits disclosure of such records without the consent of the individual.  It also provides individuals a means to access and amend their records.

Previous DHS guidance stated that such personally-identifiable information would be treated the same, regardless of citizenship.  However, consistent with the January 25 executive order, the new guidance provides that immigrants and nonimmigrant foreign nationals may not utilize these provisions and may only access their information through a request made pursuant to the Freedom of Information Act (FOIA).  Additionally, they may not request amendments of their records.  Furthermore, in connection with the new guidance, DHS stated that it permits the sharing of such information about immigrants and nonimmigrant foreign nationals from agency records with federal, state and local law enforcement.

In response to the current Administration’s “citizen-centric” policies, we are seeing an increased interest in applications for naturalization by U.S. Lawful Permanent Residents.

Originally posted in Mintz Levin’s Immigration Law Blog on May 2, 2017

We are anxiously waiting to learn the fate of the data breach notification statute recently passed by state lawmakers in New Mexico. The bill remains on the desk of the governor who has until the end of the week to sign the legislation into law. If she does, New Mexico will join 47 other states (along with the District of Columbia, Puerto Rico, and the Virgin Islands) to impose at least some obligations on persons or entities holding personal information in the wake of a security incident.  We may need to update the Mintz Matrix soon. Continue Reading Better Late Than Never: New Mexico on the Cusp of Enacting Data Breach Notification Statute

With Inauguration Day upon us, it’s time for a #MLWashingtonCyberWatch update.   President-elect Donald Trump has vocalized his support for the future of “cyber” throughout his campaign – but how will members of his cabinet act, or refuse to act, on his vision for that future?

During the past two weeks, the United States Senate has been holding confirmation hearings for Mr. Trump’s cabinet selections. Pointed questioning from senators has surfaced many issues of critical importance to the American people, among them the future of privacy and cybersecurity. The incoming administration will confront significant issues in these areas such as the use of back-door encryption, mass data collection and surveillance, and international cybersecurity threats. The nominees for Attorney General, Secretary of the Department of Homeland Security (“DHS”), and Director of the Central Intelligence Agency (“CIA”) were each questioned about how they will navigate these concerns as part of the Trump Administration. In this installment of #MLWashingtonCyberWatch we are discussing highlights from these hearings. Continue Reading #MLWashingtonCyberWatch: Nominees Discuss Future of Cybersecurity

It’s a new year, and time for the Financial Industry Regulatory Authority (FINRA)’s annual Regulatory and Examination Priorities Letter (the “2017 Letter”)    We remind regulated entities of this list of examination priorities every year, because cybersecurity appears high on the list every year.  2017 is no exception.

The 2017 Letter

FINRA has been increasing its on-site examinations and enhanced risk-based surveillance “to apply a nationally consistent approach to identify and focus on material conduct at firms…”   Among the operational risks listed in the 2017 Letter, Cybersecurity is listed first, and according to FINRA, “remain[s] one of the most significant risks many firms face, and in 2017, FINRA will continue to assess firms’ programs to mitigate those risks.”

Firms should be prepared for FINRA reviews of methods for preventing data loss, including understanding of data (e.g., its degree of sensitivity and the locations where it is stored), and its flow through the firm, and possibly to vendors.  FINRA may assess controls firms use to monitor and protect this data, for example, through data loss prevention tools. In some instances, FINRA has been known to review how firms manage their vendor relationships, including the controls to manage those relationships, and this line of examination is expected to continue.  Importantly, the 2017 Letter recognizes the nature of the “insider threat” and expresses FINRA’s intent to inquire into what controls firms have in place to acknowledge and manage that “insider threat”.    According to the 2007 Letter:  “The nature of the insider threat itself is rapidly changing as the workforce evolves to include more employees who are mobile, trusted external partnerships and vendors, internal and external contractors, as well as offshore resources.”

The WORM Actions

As if to emphasize the seriousness of the inquiries, FINRA issued a series of Letters of Consent at the end of December, levying fines totaling $14 million against 12 firms, and discussed the record-keeping requirements at the core of the December regulatory actions in its 2017 Letter.

Specifically, Securities & Exchange Commission and FINRA rules require member firms to maintain certain electronic records in a non-erasable, non-rewritable format, known by the acronym WORM, for  “Write Once, Read Many”.  This format prevents the alteration or destruction of records stored electronically.

in its press release, FINRA explained that WORM format requirements were essential to FINRA’s investigative duties. FINRA noted how the volume of sensitive financial data stored electronically by members had risen exponentially in the past decade. This increase in the amount of sensitive information stored by FINRA members coincides with increasingly aggressive attempts to hack into electronic data repositories. “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records. Ensuring the integrity of these records is critical to the investor protection function because they are a primary means by which regulators examine for misconduct in the securities industry.

FINRA found that the each of the 12 fined firms failed to follow required document retention regulations in various ways outlined in the Letters of Consent.

Brad Bennett, FINRA’s current chief of enforcement, will be stepping down shortly.  #MLWashingtonCyberWatch will be keeping an eye on what, if any, changes may come with the new administration in 2017. Only time will tell whether FINRA will continue its aggressive enforcement actions or if we will see a softening of FINRA’s actions.   Regardless of the regulatory inquiries, firms should continue to take actions to improve cybersecurity resilience and investor protection.   For a quick review of the FINRA Report on Cybersecurity Practices, check out our webinar recording.

Google’s recent changes to its privacy policy are coming under fire from a complaint filed late last year with the Federal Trade Commission (“FTC”) that accuses the company of downplaying “transformational change” in its handling of user data.  #MLWashingtonCyberWatch will be keeping track of how the 2017 FTC addresses this complaint.

On June 28, 2016, Google notified its users of changes to its privacy policy that would “give you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.” However, a complaint submitted by advocacy groups Consumer Watchdog and Privacy Rights Clearinghouse on December 5th (the “Complaint”) alleges that not only are the changes themselves in violation of previous agreements between Google and the FTC as well as Section 5 of the Federal Trade Commission Act which prohibits unfair or deceptive acts or practices in or affecting commerce, but also that the announcement of these changes intentionally misled users who, in the words of the Complaint, “had no way to discern from the wording that Google was breaking from a nearly decade-old practice.” Continue Reading #MLWashingtonCyberWatch: 2017 FTC and Google Complaint

 

The Obama White House has grappled with cybersecurity more than any administration in history: China’s 2009 hack of Google, the 2015 Office of Personnel Management breach, and the recent investigation of Russian cyberattacks during the 2016 election, to name just a few examples. In the midst of the president-elect’s transition efforts, President Obama’s administration has published what it considers to be a blueprint for enhancing the cybersecurity capabilities of government institutions and our digital consumer society today and for years beyond Inauguration Day.   Continue Reading #MLWashingtonCyberWatch: White House Releases Cybersecurity Report Aimed at New Administration