Portfolio Media. Inc. | 860 Broadway, 6th Floor | New York, NY 10003 | www.law360.com Phone: +1 646 783 7100 | Fax: +1 646 783 7161 | [email protected] Calif. Report Signals More Data Breach Crackdowns To Come By Erin Coe Law360, San Diego (July 02, 2013, 10:46 PM ET) -- The California attorney general’s recent report finding that companies could have prevented 1.4 million Californians from being victimized by data breaches last year if stricter encryption measures had been in place is another sign that her office plans to boost enforcement against businesses experiencing breaches and to spur consumer protection legislation, experts said Tuesday. Attorney General Kamala Harris’ report, issued Monday, revealed that 131 data breaches were reported to her office in 2012, the first year in which companies and state agencies had to notify the office of any breach potentially affecting more than 500 Californians. The report showed that of the more than 2.5 million Californians who fell prey to data breaches last year, 1.4 million would have been protected had companies used adequate encryption measures when transmitting personal information out of their secure networks. “This report is another signal from the office that it is going to be conducting investigations and bringing enforcement actions against companies that experience breaches,” said Tanya Forsheit, a founding partner of InfoLawGroup LLP. Harris has already made clear that her office plans to ramp up enforcement in the privacy and cybersecurity spaces, according to Forsheit. After setting up an e-crime unit to prosecute identity theft and data intrusions in 2011, Harris rolled out a privacy enforcement unit to prosecute violations of California and federal privacy laws in July 2012. In October, her office put dozens of companies on notice that they needed privacy policies for their mobile applications to comply with state law, and it later sued Delta Air Lines Inc. over its “Fly Delta” app. “[The California attorney general] intends to increase enforcement efforts, particularly where data is not encrypted,” Forsheit said. The report's message is that no company can rest on its laurels, believing yesterday’s data security protections are adequate, according to Joseph Lynyak III, a Pillsbury Winthrop Shaw Pittman LLP partner. “An increasing amount of personnel and financial resources will be required to avoid governmental agencies ... taking steps to protect the integrity of citizens’ confidential information,” he said. But the report also serves to warn companies that if they don't step up their efforts to protect consumer data, Harris is prepared to call on the state legislature, according to Jon Fox, a consumer advocate at the California Public Interest Research Group. “Businesses seek to minimize costs by doing the bare minimum for what is required either legally or based on pressure from consumers,” he said. “I think actions like this ... set fire under the feet of industry. If industry doesn’t catch up and provide more robust security for consumers’ data, legislators will move in.” The report recommends that lawmakers approve a measure sponsored by Harris that would require individuals and companies that maintain computerized data about their clients or customers to notify them if a security breach is detected. S.B. 46, carried by California Senate Majority Leader Ellen M. Corbett, D-East Bay, seeks to amend the existing breach notice law to require notification for breaches of online credentials, including customers’ usernames and passwords. “That would significantly expand the breach notice requirement,” Forsheit said. “If California made a change like this, other states would likely follow.” The report also indicates that Harris is interested in boosting companies' transparency about breaches so that affected consumers can keep a sharper eye on their finances, according to Fox. “[Harris] is doing an important job in making sure that as industry and technology progress forward, consumers aren’t thrown under the bus because of [company] cost savings,” he said. “If a company designs an app that provides a service to customers and collects information on them, the app has to be up front with how data is collected and being used, and the company ultimately has to protect the information it has.” Forsheit expects Harris' report will motivate companies to put encryption measures in place or upgrade their security systems, much like the attorney general’s October notices spurred companies to implement privacy policies for their mobile apps. “These reports by regulators ... do create action,” she said. “They do help companies, and because they are very user-friendly and meant to educate, companies can use that guidance as a way to help support their internal programs and provide incentives for internal programs to proceed and grow.” But Fox said that recent breaches at big corporations like Citigroup Inc. — which revealed in June 2011 that account information such as names, account numbers and email addresses for about 360,000 North American customers had been accessed in a breach — haven't been enough to incentivize companies to adequately update their security measures, and that this report wouldn't be either. “Unfortunately, I don’t think self-regulation is happening quick enough to protect consumers,” he said. “Businesses know all the risks and problems, but they aren’t doing anything and they think [a breach] won’t happen to them.” If the report doesn’t goad companies to get their act together, the legislature will probably have to step in, he said. “If this report doesn’t get their attention, the next thing that will is when an employee walks off with a flash drive of their customer data or someone hacks into their system or a virus attacks their system and they lose a significant amount of customer data,” he said. “Unfortunately, we probably need legislation to force businesses to do the right thing.” But legislation that seeks to put more obligations on companies is likely in store for a fight. In May, Google Inc. and Facebook Inc. were able to stall A.B. 1291, which would have forced companies to respond to consumer requests for their data by providing a copy of all the personal information they hold on the consumer, as well as the names and addresses of all data brokers, advertisers and others who have been granted access to the information. The author of the measure, Assemblywoman Bonnie Lowenthal, D-Long Beach, delayed action on the bill until at least January, after struggling to garner support in the face of opposition from the tech firms. Still, privacy measures are not going away in the state. In the past year, at least 16 privacy bills were introduced, and such measures will likely continue the upward trend, Fox said. Instead of fighting these measures tooth and nail, companies should try to engage in the legislative process, Fox said. “Businesses should work with legislators and make sure laws are not too broad or specific to help them serve their customers better,” he said. Federal legislation also continues to be proposed. In June, U.S. Sen. Pat Toomey, R-Pa., and two other U.S. senators unveiled a bill that would replace a patchwork of state data breach notification laws with a uniform national standard for securing personal information and alerting consumers in the event of a security lapse. But despite its potential benefits for companies, the bill, like similar federal bills before it, was not expected to gain much traction, Forsheit said. “If a federal law passed with a single standard with respect to certain data and it preempted state laws, it would provide more certainty for companies that are looking to comply,” she said. --Additional reporting by Gavin Broady. Editing by Kat Laskowski. All Content © 2003-2013, Portfolio Media, Inc. U.S. energy companies seen at risk from cyber attacks: CFR report WASHINGTON | Wed Jun 26, 2013 12:11am EDT (Reuters) - U.S. oil and natural gas operations are increasingly vulnerable to cyber attacks that can harm the competitiveness of energy companies or lead to costly outages at pipelines, refineries or drilling platforms, a report said on Wednesday. The energy business, including oil and gas producers, was hit by more targeted malware attacks from April to September last year than any other industry, said the Council on Foreign Relations (CFR) report, citing data from a Houston-based security company, Alert Logic. Cyber attacks on energy companies, which are increasing in frequency and sophistication, take two main forms, the CFR report said. The first kind, cyber espionage, is carried out by foreign intelligence and defense agencies, organized crime, or freelance hackers. These parties covertly capture sensitive corporate data or communications with the goal of gathering commercial or national security intelligence. U.S. energy companies are subject to frequent and often successful attempts by competitors and foreign governments to access long-term strategic plans, bids tendered for new drilling acreage, talks with foreign officials and other trade secrets, the report said. A campaign against U.S. energy companies by hackers based in China, called Night Dragon by McAfee, a leading security company that is part of Intel Corp, began in 2008 and lasted into 2011. The campaign stole gigabytes of material, including bidding data in advance of a lease auction. One unidentified energy company official believes his company lost a bid in a lease auction because of the attack, the CFR report said. Many companies are either unaware of similar attacks or are afraid to disclose them for fear of upsetting investors, it said. "That's too bad because it makes it harder for Washington to help them and it also makes it harder for the public to be aware of what threats are out there," said Blake Clayton, a fellow in energy and national security at CFR and a co-author of the report.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages189 Page
-
File Size-