Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Joanne McNabb

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is Joanne McNabb, Director of Privacy Education and Policy for the California Attorney General’s Office.  Joanne discusses the findings and recommendations in the recently released 2014 California Data Breach Report.  She also offers insight into some of the key factors the Attorney General’s Office considers in deciding whether or not to investigate a breach.  She then discusses changes in California privacy law that will go into effect on January 1 – including SB568, the so-called “online eraser” for minors seeking to delete unwanted posts, and AB1710, which extends data security requirements to companies that “maintain” personal information, not just those that own or license it.  Finally, she settles a dispute only privacy lawyers could find interesting regarding the scope of AB1710’s provision requiring identity theft prevention/mitigation services.

We almost got through the week without any NSA news, but the FISA court made the news for doing exactly what you’d expect – renewing the section 215 orders for metadata.  More interesting was the news from Turkey, which effectively rewrites the history of cyberwar: it no longer begins with Stuxnet.  It looks as though Russia launched a distinctly kinetic and sophisticated cyberattack in 2008 on the Turkish-Azeri pipeline that threatened to break its chokehold on Caspian oil.  Michael Vatis takes the day off to file an amicus brief in support of Microsoft in the fight over overseas warrants.

The Sony breach fallout continues to be severe.  Things are bad enough that the Hollywood Reporter is asking me to write op-eds.  We question whether Sony is really resorting to “active measures” to block distribution of the stolen files.  And Aaron Sorkin calls the media “dishonorable” for publishing all these leaked documents.  Funny, but I don’t remember him saying the same thing when it was Manning and Snowden putting stolen docs on the front page.

Chris Conte explains the SEC’s new cybersecurity rules for exchanges and other trading platforms.

And the lame duck allows cybersecurity legislation to pass in a convoy:  Five cybersecurity bills, all modest in impact, were adopted by Congress in the last few days:

  • S. 1691 – allowing pay flexibility to attract cybersecurity professionals;
  • H.R. 2952 – requiring DHS to adopt a workforce strategy and assessment plan;
  • S. 2519 – authorizing DHS to run an integration center providing threat information to civilian agencies and modifying federal government data breach rules;
  • S. 1353 – a very NIST-centered set of authorizations for cybersecurity awareness, research and workforce measures that may or may not be funded;
  • S. 2521 – confirming DHS’s role in providing FISMA oversight under OMB guidance.

And Sony has company.  It turns out that an Iranian hack on the Sands Las Vegas may be the first cyberattack on US soil.  Both Sony and Sands join the DDOS attacks on our banks as cyberattacks on the US that have gone unanswered.  Instead of a digital Pearl Harbor, it looks as though we’re getting a lot of digital Sudetenlands.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the forty-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Shane Harris

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our interview focuses on Shane Harris and his new book, @War:  The Rise of the Military-Internet Complex.   It’s a good read and a good book, marred by the occasional deployment of easy lefty tropes – government contractors are mercenaries, the military sees war as an opportunity to expand turf, cybersecurity is a threat to privacy, anonymity is all about rights, etc.  But Harris is first and foremost a storyteller, and his zeal for the story is far more important to him than ideology.  When he tells the story of the guys who used cybertactics to break al Qaeda in Iraq during the surge, or of the banks’ cyberbattle with Iran, he lets the reader decide who to root for.

We talk about some of the more surprising stories that Harris tells, including:

  • The (contested) claim that Chinese hackers caused a large Florida blackout by mistake
  • The mismatch between an estimated 300-1000 US government hackers and China’s estimated 20 thousand (a land war in Asia could be coming to a network near you)
  • Harris’s controversial suggestion that the banks may be assembling their own zero-day exploits in preparation for a hackback campaign against Iran
  • The possibility that foreign governments systematically compromised the networks of American natural gas pipeline companies in preparation for an attack – and whether we’d even know when cyberweapons had been used

In our news roundup, we start with This Week in NSA, but the latest Intercept story on NSA and cell phone interception is so boring and opaque it’s practically encrypted.  So we switch to This Week in GCHQ.  At the suggestion of a listener, we mine the UK parliamentary report on the killing of a soldier on the streets of London for lessons about the need for MLAT reform in the United States.

Verizon escapes an FTC investigation without an eternal oversight regime.  Why?  Because of its aggressive effort to cure a security flaw or because the FTC realized it had overreached?  You be the judge.

We unpack the judicial decision refusing to dismiss bank claims against Target for its credit card breach, and raise questions about a Boston hospital’s surprisingly cheap settlement of a privacy case arising from a stolen laptop.  Then we dive into the biggest breach case of the year, maybe the decade:  Sony.  We think North Korea did the hack, and the lack of a US response could have bad consequences for the country.  Among other things, the only bad guys we’ll ever see in future movies are Serbs.  And US government officials, of course.

Download the forty-sixth episode (mp3).

A Week of Bad News and Good News in Cybersecurity – Here’s What You Need to Know

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

It was a busy week for companies and government agencies struggling to combat the growing threat of cyber-attacks, with some bad news and some good news.  Here’s what you need to know, and how we can help.

What you need to know

First, the bad news:

  • Lawsuits against Target move forward and lawsuits against Home Depot pile up:  Target faces over 90 lawsuits arising from its data breach last holiday season, including suits filed by consumers, banks, credit card companies, and shareholders.  Last week a federal judge in Minnesota rejected Target’s efforts to dismiss the lawsuits by the banks, clearing the way for banks to go after merchants for alleged negligence in cybersecurity.  Meanwhile, Home Depot revealed in its most recent quarterly SEC filing that it already faces at least 44 lawsuits, as well as investigations by multiple state and federal regulators, arising from the breach it announced just three months ago.  The price tag from the breach so far is reportedly $28 million, but that number will likely grow exponentially in the months ahead.  It has also been reported that Home Depot, like Target, suffered the breach in part because hackers were able to get into its system through a third-party vendor.
  • Destructive malware used in Sony Pictures attack and Iran-based hacking group attacks targets worldwide:  Sony Pictures has been victimized by an attack that resulted in the leak of several completed films as well as information about executive compensation and other personal information about employees.  The malware used in the attack reportedly wipes data from computers in a way that makes it nearly impossible, if not impossible, to recover it.  The FBI is warning other US businesses that they face a similar threat.  Meanwhile, the FBI also released an alert to US businesses in multiple sectors about coordinated cyber-attacks originating from Iran.  A private security firm released a report about the same hacking group, indicating that victims included a defense contractor as well as companies in the energy, transportation, automotive, and medical services sectors.

Now, the good – or at least encouraging – news:

  • FTC declines to pursue case against Verizon:  The FTC recently ended an investigation into allegations regarding Verizon’s security practices for customer routers.  But unlike FTC investigations into more than 50 other companies, this inquiry ended without a consent decree requiring fines or burdensome compliance audits.  On the contrary, the FTC closed its inquiry without taking any action based on Verizon’s strong, proactive remedial measures and the quality of its overall data security practices relating to routers.
  • DOJ Criminal Division announces new Cybersecurity Unit:  Leslie Caldwell, the Assistant Attorney General for DOJ’s Criminal Division, announced the formation of a new Cybersecurity Unit within the Criminal Division’s Computer Crime and Intellectual Property Section.  The new unit will act as a central hub to provide legal guidance and expertise for US and foreign law enforcement agencies and to support cybersecurity activities by public and private sector partners.  Those functions are not new – indeed, CCIPS does all of them right now.  But CCIPS has historically lacked the resources to tackle the increasingly global cybercrime problem on the scale it requires, so if the creation of the new Unit means more high-level attention and resources to the effort, then it’s a great step.  But the critical test will be whether new resources are devoted to the section to support the new Unit, so it is more than just a new line on an organizational chart.

What you need to do now

The key takeaways from these developments are:

  • Test your privacy and security program:  If you get breached, you will be sued and investigated.  Just ask Target and Home Depot.  That means it’s important to have a vetted cybersecurity program in place before a breach occurs, and to test and adapt that program as risks and threats evolve.  The best way to defend yourself later when courts and regulators are looking at your conduct is to take proactive measures now, before an incident occurs.  Steptoe can help you review and revise your security program, under the protection of the attorney-client privilege, to mitigate your risk of an incident now and to reduce your litigation exposure later.  We’ve released a free data breach toolkit to help companies better understand how to address these risks.
  • Test your incident response plan and team:  Poor breach response can make a bad situation much, much worse.  A breach is a crisis, and Steptoe can help you test your company’s ability to respond to all aspects of the crisis – including technical, legal, and public relations – through a breach simulation.  That way you can be confident that when the real thing occurs, your people will be able to handle it effectively.
  • Your vendors’ cybersecurity practices could pose a risk to your network:  Target and Home Depot both demonstrate that a hacker can get into your system through one of your vendors or suppliers.  How much do you know about your vendors’ cybersecurity practices?  Do you have contracts with your vendors that obligate them to maintain certain levels of security, and to indemnify you for a breach on your system?  Steptoe can review your vendor management program to help protect you from this third-party risk.
  • Law enforcement engagement and information-sharing are critical:  Sharing of cyber-threat information between the government and private sector has never been more important.  And one of the most challenging parts of breach response is the question of whether and how to engage with law enforcement.  Steptoe has unparalleled government cyber experience and relationships, including former DOJ, FBI, DOD, and DHS officials with responsibility for cybercrime and cybersecurity.

If you have questions about these recent developments or would like to discuss steps to address your cybersecurity and litigation risks, please contact our cybersecurity team: Stewart Baker at 202.429.6402; Michael Vatis at 212.506.3927; or Jason Weinstein at 202.429.8061.

Steptoe Cyberlaw Podcast – Interview with Troels Oerting

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for the week is Troels Oerting, the head of EC3, Europe’s new cybercrime coordination center.  He talks about EC3’s role in the recent takedown of over 400 darknet sites, arrests of travelers using fake credit cards and of users of the Blackshades Remote Access Tool.  He repeats his view that there are probably only a hundred talented criminal writers of malware, whose work is then used by a host of dimmer bulbs.  So striking at the hundred could make a big difference.  Troels Oerting thinks we’re in a position to hurt a number of them.

The interview compares US and European willingness to name and shame Chinese PLA hackers.  I ask Troels if he’d order the arrest of any of the five indicted PLA hackers if they vacationed in Europe.  And we compare US and EU legal constraints on private sector “direct action” against hackers.

This week in the NSA:  NSA’s privacy officer speaks; and she has a sense of humor.  Regin schools hackers around the world, and German hypocrisy about NSA spying is on full display.  It turns out that Angela Merkel’s phone was being tapped by the Brits, the Chinese, the Russians and even the North Koreans.  But Merkel has yet to say that Russian, Chinese, or North Korean spying reminds her of the Stasi; only NSA seems to remind her of Communist espionage.  Meanwhile, the BND reveals that it too spies on everyone but Germans, and that it has a remarkably narrow definition of who qualifies as “German.”

Michael Vatis previews a Supreme Court argument about when online abuse passes from colorful imitations of rap lyrics to prosecutable threats.  Jason Weinstein counts the growing library of lawsuits against Home Depot and evaluates the risk.

Doug Kantor, a Steptoe government affairs partner specializing in cybersecurity issues, gives a rundown on the new, Republican-dominated Congress, including the many chair changes in both House and Senate.  Firedoglake makes an appearance.

Meanwhile, US tech companies have become all-purpose European whipping boys.  They don’t volunteer enough information about terrorists to satisfy the Brits.  They don’t hide enough “right to be forgotten” information to satisfy the European privacy regulators.  And they make too much money for the European Parliament, which wants to break up Google.

The Justice Department has claimed a scalp in its campaign against spyware.  Jason has the back story.  And it’s a good thing the All Writs Act didn’t come with a sunset clause, or it too would be attracting the wrath of EFF and Silicon Valley.  Michael explains why the act is now part of Apple’s future, and Google’s too.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the forty-fifth episode (mp3).

Steptoe Cyberlaw Podcast – Interview with Sal Stolfo

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for episode 44 of the Steptoe Cyberlaw Podcast is Sal Stolfo, Professor at Columbia University’s Computer Science Department and CEO of Allure Software.  Stolfo brings an attacker’s sensibility to network security approaches usually dominated by defensive thinking.  His approach to computer security includes flooding the network with plausible fake documents wired to alarm when touched by a user.  The alarm, in turn, shuts down a user’s access and prompts for a second form of authentication.  Documents that are successfully exfiltrated persistently attempt to beacon back to the home network, betraying the attacker and his customers long after the hack.  He’s already deploying some of these concepts commercially.  It’s the kind of active defense even the Justice Department should love.

In our news roundup, This Week in NSA is dominated by speculation that the 215 program will never die.  Conventional wisdom says that the metadata program will ride into the sunset on June 1, 2015.  But a “transition” note could allow the program to last for years.  Meanwhile, the NSA director, Admiral Mike Rogers, is warning that China and one or two other countries have the ability to bring down the electric grid in the United States.

The FTC has gone to mediation with Wyndham, but no one is betting that the mediation will succeed.  And the FTC’s settlement with TRUSTe puts the privacy certification company under the FTC’s thumb for years.

Telephone companies have long been the most government-friendly of technology firms, but that may be changing.  Now even the heir of Ma Bell’s name, AT&T, has filed an amicus brief demanding clearer standards before the government could get access to location information.

One solution is for the government to cut out the middleman and get the location information directly from the consumer – by offering fake cell towers to connect to.  But that tactic, and the secrecy surrounding “stingray” collection, has its costs.  Baltimore has abandoned a criminal case to keep from describing the technology and how it’s used.  And a North Carolina judge has unsealed hundreds of stingray orders.

In the words of the old country song, how can I forget you if you won’t go away?  Much as we wish the right to be forgotten would go away, that’s looking less and less likely.  Google’s Global Privacy Counsel, Peter Fleischer, has disclosed new details about how the search giant administers the right.  And Norway has (unsurprisingly) followed the rest of Europe in adopting the doctrine.  But most troubling is the news from France, where Google is facing fines of €1000 a day for refusing to apply a French defamation takedown order to its Google.com domain – or, more accurately, for not letting a French judge censor what Americans can read.

Finally, in our first item derived from a listener request (h/t Lee Baumgardner), we look at the regulatorily challenged transport company, Uber, and its potential liability for a steady stream of privacy flaps, including its unwisely but appropriately named “God Mode.”

Tune in next week when our guest will be Troels Oerting, the Assistant Director, Head of the European Cybercrime Centre (EC3).

Download the forty-fourth episode (mp3).

Steptoe Cyberlaw Podcast – Interview with Ambassador Sepulveda

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is Ambassador Daniel Sepulveda, the man charged with managing the US relationship with the International Telecommunications Union.  The ambassador helps us make sense of the recent ITU meeting in Busan, South Korea, where efforts to validate a greater government role in internet affairs seem to have been turned back for another four years.  Markham Erickson, a Steptoe partner specializing in internet law, also joins regulars Jason Weinstein, Michael Vatis, and me.

This week in NSA:  The USA Freedom Act is showing signs of life, as Senator Reid promises Senator Leahy floor time in the lame duck session.  But with Senator Feinstein opposed to the Judiciary-written bill, and the House having passed a different one, it’s still a long haul to get a bill to the President before the lame duck limps into history.  After a year-and-a-half-long Snowden-induced cringe, the US is again raising Chinese espionage more aggressively.  But that’s the only thing that has changed in the US-China dialogue on cyberespionage.  Just ask the Postal Service and the NOAA weather network.

We try out a new feature:  The Law Behind the Headlines, where we provide the legal background behind tech stories in the news:

  • Remember that Insecam website that streams video from thousands of video surveillance cameras that are still using the manufacturers’ default login credentials?  To Jason, it looks like the world’s most public confession to thousands of criminal violations.
  • And according to the press, law enforcement uses flying DRT Boxes (not to mention ground-based stingrays) to imitate cell towers and thus locate particular phones very accurately.  But to do so, the machines have to accept and then drop thousands of connections from the phones of ordinary Americans who aren’t suspects.  Is that legal?  How is it different from the NSA’s program of collecting data but not looking at it?  And can we get the US Marshals Service to actually connect some of the calls they get from dead spots out in Great Falls?  Answers to all these questions in the podcast!

This week in bad law:  the Ninth Circuit will be revisiting the too-creative Kozinski opinion that based a takedown order on the dubious copyright claim of an actress who appeared in “The Innocence of Muslims.”

This week in data breaches:  Anthem Blue Cross puts a bunch of medical advice and data in the subject line of its emails to patients.  That doesn’t inspire confidence in its data security, but is HIPAA violated?  Maybe not, Jason explains.

Argentina’s Supreme Court joins the great debate over search engine liability, spurring Michael and Markham to a debate of their own.  A Justice Department advocate admits to a mistake in oral argument on how forthcoming companies can be in NSL disclosures.  We debunk left/lib claims that the mistake is a government “misrepresentation.”

Google has weighed in on another privacy issue, essentially taking Europe’s side in a long-running debate over whether and how non-Americans should be covered by the Privacy Act.  I argue that changing the Act would simply enable European unilateralism in the long privacy debate with the United States.  Amb. Sepulveda and I tangle over whether the demand is a legitimate part of negotiations over the data protection US-EU Safe Harbor Agreement.

Download the forty-third episode (mp3).

Steptoe Cyberlaw Podcast – Interview with Orin Kerr

Posted in Cloud Computing, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

We share the program this week with Orin Kerr, a regular guest who knows at least as much as we do about most of these topics and who jumps in on many of them.  Orin, of course, is a professor of law at George Washington University and well-known scholar in computer crime law and Internet surveillance.

This week in NSA:  With the NSA Director playing good cop in Silicon Valley, new GCHQ director Robert Hannigan seemed happy to play bad cop, releasing an op-ed saying that US tech companies were providing the “command-and-control networks of choice for terrorists and criminals” and would need to do a better job of cooperating with governments to combat terror and crime.  If nothing else, the speech is a hint to Silicon Valley that its clout in the Obama administration does not foretell success in fighting other governments’ surveillance goals.

And with the election over, it looks more likely than not that the GOP will end up with a 54-46 majority next year.  We surmise that this means no action on the USA Freedom Act (or Sen. Grassley’s substitute) until Spring 2015.

Finally, the DC Circuit heard argument in the appeal of Judge Leon’s famously exclamatory invalidation of NSA’s 215 metadata program.  As expected, Larry Klayman did nothing to help his case, and the panel was considerably more skeptical about the challenge than the Second Circuit panel that heard many of the same issues.  Our best guess from the arguments:  The Second Circuit decides that the program is inconsistent with section 215, the DC Circuit finds that the program is constitutional and that the statutory issue has been waived, so there’s no split in the circuits until the Ninth Circuit rules, at which point the whole issue is cert-proof anyway because the statute has expired or been revised.

Talk about opening a can of worms.  The Supreme Court’s decision in Riley that cell phones can’t be searched without a warrant has now spawned fights about what the warrant should say, and how many limits it should set on what the police can look at.  The Nebraska Supreme Court has weighed in – but leaves the police more or less in limbo.

Whether the contents of a webmail account are protected from government search depends on the webmail provider’s terms of use.  Or so says the Southern District of New York, in a decision none of us can understand or really get behind.

Speaking of the Southern District of New York, prosecutors there may singlehandedly make more tech surveillance law than the rest of the country.  They’re fighting with a phone manufacturer to get help unlocking a suspect’s phone.

And a Virginia court has ruled – to our utter lack of surprise – that suspects may be forced to apply their fingers to cellphones protected by fingerprint readers.  More interesting is whether they can be forced to enter “patterns” or tell the police which finger unlocks their phone (our view: no and no).

Google has finished its “right to be forgotten” road trip, and Americans’ freedom to read accurate information is on the block in Europe.  An official of the European Commission made clear that the Commission would not rest until it had imposed its link censorship regime on google.com and Google’s American users.  The administration’s response?  Crickets.

Data retention is making a comeback in Europe, as Sweden joins the UK in demanding continued retention despite a European Court of Justice ruling against the directive that originally led to retention requirements.

Is the financial industry worried enough about cybersecurity that it’s actually calling for more activist government action?  SIFMA’s latest call comes close.

Download the forty-second episode (mp3).

Steptoe Cyberlaw Podcast – Interview with John Lynch

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies, Uncategorized

Our guest is one of the most highly regarded cybercrime prosecutors in the country – John Lynch, the Chief of the Computer Crime and Intellectual Property Section (CCIPS) in DOJ’s Criminal Division.  Among other things, John talks about how DOJ is organized to investigate and prosecute cybercrime and about its efforts to strengthen partnerships with and build capacity among foreign law enforcement partners in what is increasingly a global fight.  John also reflects on the impact of the Snowden leaks on domestic law enforcement and on the challenges the courts and prosecutors are facing dealing with electronic evidence issues in a time of rapidly changing technology.  And we talk about the role of the private sector in cyber defense.

This Week in NSA:  “Second leaker” identified by the FBI – does Snowden have a spare bedroom?  GCHQ says it can access data provided by the NSA without a warrant.  That bothers privacy groups, who apparently are unfazed by the fact that GCHQ can also access data on its own citizens without a warrant, and can get a warrant without seeing a judge.  On a related front, former FBI Director Bob Mueller calls the Snowden leaks “devastating” to efforts to investigate and disrupt national security threats, in the process noting that the US is unique in terms of the level of judicial review required for electronic surveillance.

The ITU continues to try to take control of the Internet.  Law firms become a focus of hacking concern, as an NYDFS letter puts the spotlight on vendor management.  A private-sector coalition engages in what you might call active defense against the “Axiom” group of Chinese hackers.  The FCC becomes America’s latest de facto data protection authority.

Move over China, as FireEye identifies a Russian cyberweapon.  Meanwhile, a DARPA official basically says that since we use the same popular software, we’re making it too easy for hackers.

And we bring you another candidate for Dumbest Privacy Case of the Year, involving both privacy and cleavage.

Download the forty-first episode (mp3).

Steptoe Cyberlaw Podcast – Interview with Robert Litt

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is Robert (Bob) Litt, the General Counsel of the Office of the Director of National Intelligence.  Bob has had a distinguished career in government, from his clerkship with Justice Stewart, his time as a prosecutor in the Southern District of New York and at Main Justice, and more than five years in the ODNI job.

This week in NSA:  The latest fad in news coverage of the agency is a hunt for possible conflicts of interest in its leadership.  And it’s having an effect.  Two high-ranking NSA seniors, the CTO and the head of signals intelligence, have recently left positions that drew scrutiny for getting too close to private industry.

I ask him whether we should be pleased or worried about the trend toward individual converts to Islam carrying out random attacks with whatever weapon comes to hand.  Prudently, he refuses to be drawn into my comparison of Islamists to the Manson Family.  We debate whether the USA Freedom Act has a chance of passage in the lame duck Congress – and whether it should, focusing among other things on how the act’s FISA civil liberties advocates would function and what ethical rules would govern their day jobs.  And we explore another ODNI project – implementing the President’s directive on protecting the privacy of foreign nationals while gathering intelligence.  Are the nation’s spies really required to wait until a foreign target’s speech goes beyond what the First Amendment protects before they collect and analyze the remarks?  Will the requirement for advance justification for collection projects institutionalize risk aversion at NSA?  And can government officials look forward to intelligence reports that read like this: “[SYRIAN NATIONAL 1] asked [IRAQI NATIONAL 1] to kill [US PERSON 1]”?

Our news roundup begins with the sudden press interest in possible conflicts of interest in NSA’s leadership.  The Supreme Court takes another privacy case – one with no obvious federal connection.  Lots of city ordinances require hotels to keep guest registries – and to let the police inspect those registries on demand.  But the Ninth Circuit recently held en banc that these laws touch the privacy interests of the hotel owner, not just the guests, and that the laws are unconstitutional if they offer no opportunity for prior judicial review of the police demand.  Just what we need:  another opportunity for the Roberts Court to pad a narrow ruling with a lot of ill-considered dicta about Smith v. Maryland.

Harking back to last week’s interview with Tom Finan about insurance coverage for cyber incidents, we discover that where there’s insurance coverage there are also insurance coverage disputes.  The head of Steptoe’s insurance coverage practice explains the P.F. Chang dispute with Travelers Insurance and hints that it’s in the first wave of what could be thirty years of litigation.  Not that there’s anything wrong with that.

FBI Director Comey isn’t alone in complaining about Silicon Valley’s reluctance to help law enforcement.  Leslie Caldwell, the new head of the Justice Department’s criminal division, has joined the chorus.

According to the Stored Communications Act, companies like Google may not provide the contents of emails in response to subpoenas.  So what do civil litigants do when they need access to Gmail accounts in, say, divorce cases?  The usual solution is for the court with jurisdiction over the civil suit to order the litigants to “consent” to the disclosure of their email messages.  But is court-ordered consent really consent?  According to a California appeals court, it is.  Michael explains.

Whoa!  The FCC really is taking cybersecurity seriously.  It’s proposing $10 million in fines for two carriers who stored hundreds of thousands of “Obamaphone” beneficiaries’ personal data on a server accessible by anyone on the internet.

Confusion over when you need a warrant to get third party information continues to roil the courts.  The Florida Supreme Court raises the bar for cell-site location data.  And the NJ AG plots a counter-attack on a billing record warrant requirement in the Garden State.  Michael suggests a new feature to keep all the litigation straight:  This Week in Smith v. Maryland.

Lawyers with banks for clients have a new reason to upgrade their cybersecurity.  As the banks struggle with increasingly sophisticated intrusions, they’re sharing the pain, demanding that their contractors and suppliers adopt stronger cybersecurity.  Law firms are expressly included, since they’ve been targeted frequently for what inevitably will be called “bank shot” intrusions.

We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the fortieth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!


Steptoe Cyberlaw Podcast – Interview with Tom Finan

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

Our guest today is Tom Finan, Senior Cybersecurity Strategist and Counsel at DHS’s National Protection and Programs Directorate (NPPD), where he is currently working on policy issues related to cybersecurity insurance and cybersecurity legislation.  Marc Frey asks him why DHS, specifically NPPD, is interested in cybersecurity insurance, what trends they are seeing in this space for carriers and other stakeholders, and what is next for their role in this space.  He is incredibly forthcoming in his responses and even asks listeners to email him with their feedback.

This week in NSA:  The House and Senate Judiciary chairs call for action on the USA Freedom Act.  And nobody cares.  We conclude that the likelihood of action before the election is zero, and the likelihood of action in a lame duck is close to zero.  But next week we’ll be interviewing Bob Litt, one of the prime negotiators for the intelligence community on this issue, and he may have a different view.

The Great Cable Unbundling seems finally upon us, as several content providers announce that they’re willing to sell content direct to consumers over the Internet.  Does that mean more support for net neutrality?  Not necessarily.  Stephanie Roy explains.

Are parents responsible for what their adolescent kids do and say on Facebook?  That makes sense, if you’ve never had adolescent kids.  Maybe that explains why Michael Vatis sees merit in the Georgia appellate court decision finding potential liability.  It reversed the trial court, which had granted summary judgment in favor of the parents of a kid who set up a fake and defamatory Facebook page in the name of a classmate he hated.  The facts are a little odd.  The kid who set up the page never took it down, even after he’d been caught and punished by school and parents.  The appeals court thought that the parents had a “supervisory” obligation to make their child delete the fake account, and that they could be held liable for negligently failing to do so.  It’s quite possible, though, that everyone in this case is a Privacy Victim; the issue could have been hashed out with a phone call from the parents of the victim to the parents of the perpetrator, but according to the press, “the child’s parents didn’t immediately confront the boy’s parents because their school refused to identify the culprit.”  Because privacy.

FBI Director Comey comes out swinging for CALEA reform, saying in a speech at Brookings that the law needs to be updated to require cooperation from makers of new communications systems when the FBI has a court order granting access to those systems.

When it comes to regulating on other topics, though, the Justice Department is a little less restrained; it has opened the door to a round of new disability claims against websites, offering a roadmap to what it thinks the law requires.

The right to be forgotten is attracting more flak in Europe, as the BBC announces a competing “right to remember” website devoted to publicizing stories that Google has delinked.  It’s Auntie BBC v. Nanny Europe.  Cue popcorn.  Unhappily, a “progressive” group most famous for relentlessly sliming Google on privacy issues has urged the search engine to bring the right to be forgotten to the United States.  Sigh.

In breach news, TD Bank pays $850,000 to the state AGs over a “breach” that may never have happened.  TD lost a backup tape in transit, and the data wasn’t encrypted.  Was anyone’s data actually compromised by the loss of the tape?  The AGs don’t say.  They just want their money.  And they get it.

The Russians are getting sloppy, or maybe they’re taking a leaf from China’s book – figuring it doesn’t matter if they get caught.  And caught they have been, by iSight Partners, which reports that Russian hackers used a Microsoft zero-day to target Western governments and Ukraine.  Meanwhile, the FBI is warning about another and even more sophisticated set of Chinese government hackers.  And hackers are now adding a new form of targeted attack to their arsenal: a tactic that combines spearphishing with watering hole attacks.  They’re targeting ads at users that take them to a compromised website that serves malware.

And, in good news for privacy skeptics, the Video Privacy Protection Act gets a narrow reading.

We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the thirty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!
