April 29, 2016
What’s trending on NP Privacy Partner

Hacktivism poses business risks, vehicle cybersecurity faces challenges, privacy cases continue to raise diverse claims, HHS develops a task force, a high profile breach targets “beautiful people,” and privacy questions linger as the government accesses iPhones. Here’s what’s trending in data privacy and security.

Cybersecurity

Are privacy and security-minded hacktivists another risk of doing business? Businesses are likely familiar with some of the “usual suspects” when it comes to hacking: cybercriminals, foreign state-supported individuals and the default “bad actor.” But some of the shadowy figures behind more recent leaks involving commercial entities have expressed motives more along the lines of “hacktivists.” They may simply want to reveal information for the sake of revelation.

Hacktivism (“hacking” plus “activism”) is where political/social agendas and bad acts meet in the exploitation and infiltration of computers and networks. Government agencies are largely the traditional targets of hacktivism, and, to be clear, there is a constant debate about whether hacktivism is a force for “good” or a force for “evil.”

As we have seen more recently, the goal of a leak may not necessarily be individual monetary gain (unlike the deployment of ), but instead to put the spotlight on a company’s security or privacy practices. Given consumers’ interest in the security and privacy of their information, it is not unreasonable to expect hacktivism to take on a more socially-minded flavor in the coming years. And the impact of a socially-motivated breach is not necessarily different from a commercially-motivated breach.

Some of the more recent socially-motivated leaks appear to have happened after someone simply discovered a vulnerability and decided to exploit it to demonstrate weak security. In one recent example, at the end of last year, the actor behind the VTech breach explained that he had no plans to use or sell the information he obtained from the toy maker’s customer database. The individual apparently used a SQL injection, a well-known technique for extracting information from database-backed servers, to obtain the personal information of 12 million users, including 6.4 million minors. VTech was promptly investigated by several states’ attorneys general and was the subject of class actions in federal court. Regardless of the motive behind the breach (and whether it was truly altruistic from the start), the costs to VTech were still the same.

This newsletter is intended as an information source for the clients and friends of Nixon Peabody LLP. The content should not be construed as legal advice, and readers should not act upon information in the publication without professional counsel. This material may be considered advertising under certain rules of professional conduct. Copyright © 2015 Nixon Peabody LLP. All rights reserved.

This does not mean that commercial entities are necessarily being targeted by hacktivists (and there is no indication that anything but financial gain will ever be the number one motivation for hacks), but certainly if someone “trips” upon a system vulnerability there could be real consequences. So, companies should continue to focus on their own networks and vulnerabilities, and understand that it’s not just the information that is being targeted, but a company’s security and processes, as well.—Kate A.F. Martinez

GAO report addresses vehicle cybersecurity

The Governmental Accounting Office (“GAO”) has released a report noting that the Department of Transportation (“DOT”) and the automobile industry have undertaken important cybersecurity initiatives, but the GAO warns that the DOT needs to define its role in responding to a real-world attack on vehicles’ software. The GAO undertook its study because the amount of software code in vehicles has grown exponentially to support growing automotive safety and other features. The report stresses that “[m]odern vehicles contain multiple interfaces—connections between the vehicle and external networks—that leave vehicle systems, including safety-critical systems, such as brakes and steering, vulnerable to cyberattacks. Researchers have shown that these interfaces—if not properly secured—can be exploited through direct access to a vehicle, as well as short-range and long-range wireless channels.”

The GAO reviewed existing regulations and literature and interviewed officials from the DOT and the Departments of Commerce, Defense and Homeland Security; industry officials; and 32 selected stakeholders, including automakers, suppliers, vehicle cybersecurity firms and subject matter experts. A majority of the industry stakeholders (23 out of 32) agreed that wireless attacks, such as those exploiting vulnerabilities in vehicles’ built-in cellular-calling capabilities, which could access and target vehicles from anywhere in the world, would pose the largest risk to passenger safety. Some stakeholders, however, emphasized that such attacks remain difficult to implement because of the required time and expertise and that, to date, they have not been reported outside of the research environment.

Several industry-led initiatives will help automakers and parts suppliers identify and mitigate vehicle cybersecurity vulnerabilities and address the challenges faced by industry stakeholders. For example, two U.S. industry associations have promoted the establishment of an American Information Sharing and Analysis Center to collect and analyze intelligence information and provide a forum for members to share threat and vulnerability information.

The GAO notes that, while the DOT’s National Highway Traffic Safety Administration (“NHTSA”) has undertaken steps to address vehicle cybersecurity issues, the NHTSA should enhance those steps to define more fully its role in responding to a real-world vehicle cyberattack. The NHTSA has added research capabilities in the cybersecurity area and is developing guidelines to assist the industry in determining when cybersecurity vulnerabilities should be considered a safety threat meriting a recall. The NHTSA is also examining the need for governmental standards or regulations, but may not make any final determinations before 2018. While acknowledging the importance of these initiatives, the GAO warns that the NHTSA’s response to a vehicle cyberattack could be slowed unless its staff has a plan of action to quickly identify the required responsive actions. The GAO’s report sends an important message that cyber threats will only increase as vehicles become smarter. Collaborative efforts and continuing initiatives involving both the public and private sectors will be vital to ensure proactive and preventative measures to protect our vehicles and passenger safety.—Steven M. Richard

Privacy Litigation and Class Action

Credit union files suit against Wendy’s in wake of

First Choice Federal Credit Union (“First Choice”) filed suit against The Wendy’s Company (“Wendy’s”) in the Western District of Pennsylvania asserting claims of negligence after Wendy’s customers’ data and payment cards were exposed in a data breach. First Choice Federal Credit Union v. The Wendy’s Company, et al. (No. 2:16-cv-506)

In the suit, the credit union argues that it and other financial institutions have borne the costs of the fast food chain’s “inadequate approach to data security,” which it claims resulted in a massive data breach and fraudulent charges on payment cards issued by financial institutions across the country. First Choice alleges that the costs incurred include canceling and reissuing compromised cards and reimbursing customers for fraudulent charges.

Citing industry standards (such as PCI DSS and the movement away from magnetic stripe to chip technology) and state and federal statutes (including Section 5 of the FTC Act), First Choice argues that Wendy’s point of sale systems were largely outdated and that the restaurant company failed to use reasonable data security measures to properly handle and protect payment card information. First Choice also alleges that was installed on Wendy’s systems for months before detection and that Wendy’s failed to promptly notify the public and financial institutions. Because of this, according to First Choice, were able to collect large amounts of sensitive information before anyone was made aware of the issue.

This case is just getting off the ground; none of the defendants have appeared as of yet, but Wendy’s has previously been sued by consumers for the same event, and that litigation is still in its early stages with a pending motion to dismiss.

This is not the first instance of card issuers filing suit in the wake of a breach. Payment card issuers settled their claims against Target after 2013’s major data breach in a deal that is pending approval in the District of Minnesota.

Though financial institutions are well-equipped to deal with fraud, it is clear that they are focusing their sights on companies that are on the front lines of consumer sales and using industry standards as a basis for liability post-breach. Companies that seek to comply with the PCI DSS standards and industry best practices, in particular, should review those standards and work with security and technology experts to ensure that all systems are in compliance.—Kate A.F. Martinez

Privacy group backs hacked employees, argues breach is an injury-in-fact for purposes of standing

Last week, the Electronic Privacy Information Center (“EPIC”), a public interest research group based in Washington, D.C., filed an amicus brief in support of a proposed class of workers who claimed that the payroll firm Paytime, Inc. was negligent in failing to secure their information before an April 2014 hack. The case is currently on appeal in the Third Circuit after it was dismissed by a lower court last year.

In April 2014, approximately 233,000 workers had their personal information, including Social Security numbers and bank account information, stolen by hackers who breached the payroll company Paytime, Inc. In June 2014, individuals who were victims of the hack brought a lawsuit against Paytime. However, last year a district court judge dismissed the case, finding that the workers failed to show that they had actually been harmed by the breach because they could not prove the information had been misused or that misuse was imminent, and thus lacked standing under Article III. The workers appealed to the Third Circuit.

In support of the workers, EPIC filed an amicus brief last week stating that the hack itself should be considered sufficient harm for the purposes of standing. Specifically, EPIC argued that at the pleading stage the workers did not need to show downstream consequences of the breach. In addition, EPIC warned that not permitting cases like this to go forward would shield companies from liability, particularly when such hacks are preventable.—Rachel L. Conn

Health Care and HIPAA

HHS gathers veteran health care professionals to lead Cybersecurity Task Force

Earlier this month, the Department of Health and Human Services (“HHS”) announced the members of the Health Care Industry Cybersecurity Task Force. The task force was created as a result of the Cybersecurity Information Sharing Act of 2015. The Act requires HHS, in cooperation with the Department of Homeland Security (“DHS”) and the National Institute of Standards and Technology (“NIST”), to build a task force capable of improving the safety of data and the security of life-saving medical devices. In order to do so, HHS gathered representatives from hospitals, pharmaceutical companies, medical device manufacturers, health information technology developers and vendors, as well as insurers and patient advocates, among others.

As the size and scope of attacks on health care information systems continue to accelerate, Secretary Burwell and HHS believe formation of the task force is a significant step toward safety and security. Task force members were selected based on recommendations from a panel of HHS, DHS and NIST experts, and include private and public sector risk management, , and health information technology professionals.

Over the next year, the task force will identify the best ways organizations across all industries are keeping data secure. The task force will discuss these practices over that period and eventually share its findings with Congress and the public early in 2017. As technological advances continue to create new and innovative ways of improving care and care-coordination, the task force will work to ensure the safety and security of these innovations.

Thanks to Dominic O’Keefe for his significant contributions to the research and drafting of this piece.—Gretchen E. Harper

Data Breach

BeautifulPeople.com hacked: sensitive personal data of 1.1 million users leaked

The information of 1.1 million users of the dating site BeautifulPeople.com, which claims to cater only to attractive people, has been identified as being for sale on the dark web. Among the user information allegedly disclosed: sexual preference, relationship status, income, address, geolocation data, education and personal characteristic information, such as eye color, height and weight. The information is not reported to include financial account information or passwords, but the breach may have also exposed 15 million private user messages. The impact is reportedly limited to members who joined prior to mid-July 2015.

This event is a lot less dramatic than last year’s hack of the Ashley Madison site, where hackers obtained account details and e-mail addresses of 32 million users of the extramarital affairs site. And though the information disclosed in the Beautiful People hack is not the type of highly sensitive information that tends to get attention, such as Social Security numbers, the effects can still be very real for those impacted.

According to reports, the vulnerability in the site’s servers may be attributable to a user-controlled software setting (which may have included default, blank credentials, a setting that was allegedly remedied in a recent software update). The company detected and locked down the issue, but not before someone was able to get their hands on this sensitive data.

This most recent leak is a good reminder to companies to stay on top of software updates, pay close attention to software configuration and settings, check for vulnerabilities and remedy as necessary.—Kate A.F. Martinez

Mobile Technology

New York Apple warrant case is over: the government (once again) got access to iPhone data without Apple’s help

Last fall, a federal judge in New York refused to grant the government’s application for help from Apple to gain access to the data on an iPhone obtained pursuant to a warrant. Magistrate Judge James Orenstein expressed skepticism from the outset that the colonial-era All Writs Act, and the cases interpreting it, authorized the government to compel Apple’s help.

Before Judge Orenstein definitively ruled, the issue received national attention when the government sought to compel Apple’s help to access data from the iPhone of one of the San Bernardino shooters. The federal judge in the San Bernardino case approved the government’s request. But the case went away when the government got access to the iPhone data with help from an unidentified third-party, presumably a . Recent statements by FBI Director James Comey suggest that this hacker received in excess of $1 million for his or her efforts.

In late February, Judge Orenstein finally denied the government’s application and, in early March, the government appealed his order to the district court. Presumably in light of the outcome in San Bernardino, the New York district court asked the government if it intended to proceed with its appeal. The government in early April said that it did and that it “continues to require Apple’s assistance in accessing the [iPhone] data.” Apple unsurprisingly questioned the necessity of its help to the government, a requirement under the All Writs Act—particularly since the iPhone in the New York case was running an older (and more easily accessible) operating system than the iPhone in the San Bernardino case. On April 22, the New York case came to an end. The government in a letter to the district judge said: “Yesterday evening, an individual provided the passcode to the iPhone at issue in this case. Late last night, the government used that passcode by hand and gained access to the iPhone. Accordingly, the government no longer needs Apple’s assistance to unlock the iPhone, and withdraws its application.”

According to a Wall Street Journal article, the defendant in the New York case (who pled guilty and is awaiting sentencing), only recently learned that his iPhone was the subject of a legal battle and gave the passcode to investigators.

The resolution in the New York case, as well as in the San Bernardino case, seems to belie the government’s claim that Apple’s help is necessary, as the All Writs Act requires, to unlock password-protected iPhone data. Also, since there will be no appeal, Judge Orenstein’s order in the New York case denying the government’s application under the All Writs Act will stand. While this order lacks precedential value in other jurisdictions, Judge Orenstein’s analysis may influence other judges. Based on recent events, it seems fair to say that this issue is not going away.—Susan G. Feibus

Private third-party hack of iPhone could have far-reaching effects for Apple and FBI

The Federal Bureau of Investigation may decide not to inform Apple, Inc. how it cracked the San Bernardino terrorist’s iPhone last month. As many are aware, the FBI suddenly dropped its widely publicized court battle demanding Apple assist the FBI’s efforts to gain access to the terrorist’s device after a private party approached the FBI with a solution. It has been reported that the FBI paid over $1 million to purchase the hacking tool from a private party, but now does not intend to inform Apple how it worked. This raises the question of whether the FBI can even legally disclose the security flaw to Apple.

Privacy advocates contend that the FBI’s decision to stay quiet decreases the likelihood that Apple will identify the vulnerability and develop a way to prevent the issue in future devices. However, in a recent NPR interview, Robert Knake, former director of cybersecurity policy for the Obama administration’s National Security Council, intimated that it may not be the FBI’s decision to disclose the vulnerability even if it wanted to. As he stated, “We may be in a situation where, if the government does decide it wants to disclose this vulnerability, it may have to figure out how it can legally do that,” adding, “Does it have the right to disclose that or are those rights held by the company that discovered the vulnerability in the first place?” The Wall Street Journal quoted Christopher Soghoian, chief technologist at the American Civil Liberties Union, regarding the FBI’s decision as stating, “If the government can circumvent the process merely by buying vulnerabilities, then the process becomes a farce,” and that “[t]he FBI is not interested in cybersecurity.”

Concern stems from the fact that not only the FBI, but also third-party hackers, could identify the vulnerability before Apple, which would create a widespread cybersecurity and privacy issue for millions of iPhones subject to attack. This concern is heightened by the possibility that the private third party that sold the software to the FBI could turn around and sell that same software to the next highest bidder, placing the privacy of millions of iPhone users up for auction. The developing issue places another wrinkle in the ongoing debate between privacy and law enforcement, as the FBI’s engagement of a private company to access one iPhone could open millions of iPhone users to possible attack and create an open market for this type of software—a development that makes both the FBI’s and Apple’s jobs more difficult in the future.—William H. Wynne

For more information, please contact:

— Rachel L. Conn at [email protected] or 415-984-8216
— Susan G. Feibus at [email protected] or 312-977-4877
— Gretchen E. Harper at [email protected] or 312-977-4143
— Kate A.F. Martinez at [email protected] or 585-263-1332
— Steven M. Richard at [email protected] or 401-454-1020
— William H. Wynne at [email protected] or 401-454-1127

NP Privacy Partner Blog
Staying ahead in a data-driven world: insights from our Data Privacy & Security team.