On May 7, I appeared on the PBS Newshour to discuss an appeals court ruling on the National Security Agency’s (NSA) program that collects the phone data of millions of Americans.  The US Court of Appeals for the Second Circuit found that the program is illegal and not sanction by the Patriot Act.

The full interview can be viewed at PBS Newshour.

Most people who’ve heard of “Bitcoin” know it only as a virtual currency sometimes used by criminals.  But there are entrepreneurs, engineers, venture capitalists, and bankers who are betting big on the untapped economic potential of the “blockchain” – the underlying technology that makes Bitcoin run.  In a sense, Bitcoin is just the first “app” to use the blockchain technology.  There will be many other apps in the years to come that could transform the way we do business, the way we move assets, and, through the Internet of Things, even the way we live.  But for the blockchain’s potential to be realized, Bitcoin cannot be perceived as the “currency of criminals” – and that means law enforcement has to be able to go after those who would use Bitcoin and the blockchain to commit crimes.

One of my responsibilities at the Justice Department was overseeing the Criminal Division’s cybercrime and transnational organized crime programs.  Based on that perspective, I recently did a backgrounder for Coin Center – “How Can Law Enforcement Leverage the Blockchain in Investigations?” – which discusses how, contrary to popular belief, Bitcoin and the blockchain technology actually provide significant advantages for law enforcement in conducting investigations of those who would seek to exploit this technology for criminal purposes.

I recently did a guest a blog for ID Experts regarding the cyber risks facing health insurers in the wake of the Anthem and Premera breaches.  The post, “More Health Insurer Data Breaches Are Coming – What Can You Do to Prepare?,” provides an overview of what other health insurers can do to mitigate their risk of a breach and to respond effectively if and when one occurs.

I hope you will join us on Thursday, May 7 from 6:00 pm – 9:00 pm for the “Triple Entente Beer Summit” at The Washington Firehouse (1626 North Capitol Street Northwest, Washington, DC).  This live recording of the three podcasts – Steptoe Cyberlaw Podcast, Lawfare Podcast, and Rational Security – will be your chance to meet the voices behind the podcasts, ask all of your burning cyberlaw questions, and support Lawfare.

Tickets to the event can be purchased at Lawfare.

The executive order allowing the President to impose OFAC sanctions on hackers is good news.  I’ve been calling on the government for several years to go beyond attribution to retribution.  See, for example this post from 2012, this Foreign Policy article, and this recent podcast with Juan Zarate.  Similar sentiments were expressed in a 2013 report by the American Bar Association.

The good news from the Sony case is how much better and faster we’ve gotten at attributing network espionage and network attacks.  But that won’t do much good until we can also punish those we identify.

This order offers a real possibility that we can.  Even the hackers don’t want to work for government forever; they hope to run startups just like everybody else, but that will be hard with an OFAC sanction hanging over their heads.

And the companies that benefit from stolen trade secrets could also find themselves sanctioned, since the order extends to them as well. Sanctions can be applied to any company that is:

responsible for or complicit in, or to have engaged in, the receipt or use for commercial or competitive advantage or private financial gain, or by a commercial entity, outside the United States of trade secrets misappropriated through cyber-enabled means knowing they have been misappropriated, where the misappropriation of such trade secrets is reasonably likely to result in, or has materially contributed to, a significant threat to the national security, foreign policy, or economic health or financial stability of the United States.

The program is a bit of an empty shell right now:  it authorizes but doesn’t apply sanctions to any hackers.  But if it’s used wisely it could be a game changer — the first real deterrent to cyberspying and cyberattacks.

The House Intelligence Committee has now adopted a manager’s amendment to what it’s now calling the “Protecting Cyber Networks Act.”  Predictably, privacy groups are already inveighing against it.

I fear that the House bill is indeed seriously flawed, but not because it invades privacy.  Instead, it appears to pile unworkable new privacy regulations on the private sector information-sharing that’s already going on.

The key point to remember is that plenty of private sector sharing about cybersecurity is already going on.  There aren’t a lot of legal limits on such sharing, unless the government is getting access to the information.  If it is, providers of internet and telecom services can’t join the sharing because an old privacy law bars them from providing subscriber information to the government in the absence of a subpoena.

The House bill solves that problem by allowing sharing to occur, “notwithstanding any other law.”  But overriding even a dysfunctional and aging privacy law quickens the antibodies of the privacy lobby.  So they’ve been pressing for kind of “privacy tax” on information sharing – specifically, they want assurances that  personal data will be removed from any threat information that companies share.

Everyone recognizes, at least in theory, that this can’t be a blanket exclusion; some threat data shouldn’t be separated from personal data.  If an IP address or email account is being used to distribute malware, those things are threat information.  And they are also personal data, since some human being is probably tied to the address or account.  If personally identifying information about attackers can’t be shared under the bill, then the bill won’t do much good.

The bill tries to square the circle by allowing companies to share data about attackers; a company sharing information is only required to screen out personal data that is “not directly related to a cybersecurity threat.”

So far, so good.  But how does a company know that the information it’s sharing really identifies only persons “directly related to a cybersecurity threat”?  Unfortunately, the kind of intelligence that is routinely shared today does not come with that kind of guarantee.  Critical Stack is a start up which aggregates publicly available threat intelligence.  A quick look at its sources reveals that much of the threat information is collected with tools that are automated and therefore imperfect.  Your IP address can get on the list if you are innocent but happen to act like an attacker – perhaps by pinging certain ports or having your IP address temporarily misused.

So, if I share such imperfect information under the House bill, do I get the benefit of liability protection or not?  My guess is not.  Under the bill, companies must “take reasonable efforts to …  remove any information  [that the company] reasonably believes at the time of sharing to be personal information of, or information identifying, a specific person not directly related to a cybersecurity threat.”  In the real world, companies will know that the information they’re sharing is not perfect, that it flags as suspicious accounts and addresses that turn out not to be a threat.

Knowing that, how can the company say that it “reasonably believes” it has removed all information identifying a specific person except for information about persons “directly related to a cybersecurity threat”?  It can’t.  (I note that this was not a problem under the earlier version of the bill, which required deletion of data about persons a company “knows” not to be a threat; the question is who bears the burden of uncertainty, and the new bill puts it squarely in the sharing company.)

All this means, I think, that lawyers will end up scrubbing any methodologies that generate threat information before their company decides to share.  That’s expensive, and the lawyers won’t give a lot of clean opinions.

End result: under the House bill, the privacy tax is so high that fewer companies will share threat data, and the ones who do will share less.

It’s not clear that this bill will do anything to encourage information sharing.

Cyberspies can’t count on anonymity any more.

The United States (and the private security firm Mandiant) stripped a PLA espionage unit of its cover two years ago with a detailed description of the unit’s individual hackers; that report was followed by federal indictments of members of the unit that described them and their activities is great detail. More recently, the President outed North Korea for the attack on Sony. And as if to underscore the growing confidence of the intelligence community in its attribution capabilities, the Director of National Intelligence almost casually tagged Iran for a destructive cyberattack on Sheldon Adelson’s Las Vegas Sands gambling empire.

That’s good news, but it’s only a first step. To make a real difference, attribution has to yield more than talk.

Unfortunately, neither the companies victimized by network intrusions nor their governments have yet found ways to turn attribution into deterrence. No one expects to see members of the PLA in federal court any time soon. The administration’s public sanctions on North Korea were barely pinpricks. And Iran could be forgiven for concluding that its cyberattacks were rewarded by concessions in the nuclear enrichment negotiations.

But that’s not the last word. I attended a recent international conference where a surprising number of European officials signaled their eagerness to confront countries engaged in cyberespionage against their industries. They assumed that they could identify the countries that were stealing corporate secrets.

What they wanted were legal remedies — and remedies of a particular kind. They didn’t want to punish the hackers, who all too often are well protected by government. What they wanted was a way to punish the hackers’ customers — the state-owned companies who were benefiting from the theft of competitors’ intellectual property. Unlike the hackers, those companies can’t hide at home forever. To get the full benefit of their shiny new stolen technology, they have to sell their products globally. Which means they have to submit to the law and the jurisdiction of western nations.

But what law? Does a company victimized by cyberespionage have any legal remedies against the company that received the stolen data? That’s the question European (and American) trade officials were beginning to ask.

Faced with that question, I found three plausible legal remedies for companies that are victimized by hacking aimed at their corporate intellectual property. Here they are.

First, victims of cyberespionage could sue the foreign company benefiting from the theft of trade secrets. A company can be sued under the Uniform Trade Secrets Act (UTSA) if it uses “a trade secret of another without express or implied consent” and it “knew or had reason to know that [its] knowledge of the trade secret was derived from or through a person who had utilized improper means to acquire it.” UTSA § 1(2)(ii)(B)(II). So if the foreign company had reason to believe that it was receiving data stolen from a competitor’s network, it is at grave risk of liability under the UTSA.

The UTSA has been adopted in one form or another in forty-eight states, and plaintiffs can sue for damages, including “actual loss,” “unjust enrichment . . . that is not taken into account in computing actual loss,” and “exemplary damages” for “willful and malicious” violations. UTSA § 3(a), (b). All of those damages would seem to apply where the defendant was complicit in an attack on the plaintiff’s corporate network.

Second, the federal Computer Fraud and Abuse Act (CFAA) allows private suits against anyone who “intentionally accesses a computer without authorization,” obtains information, and causes at least $5,000 of loss. 18 U.S.C. § 1030(a)(2)(C). That certainly applies to the hackers themselves; but what about the recipients of the stolen data? They’re liable too, at least if they can be shown to have “conspired” with the intruders. 18 U.S.C. § 1030 (b). Proving conspiracy poses a higher hurdle than meeting the UTSA’s “reason to know” standard; some courts say that a charge of conspiracy requires “specific allegations of an agreement and common activities.” See, e.g., NetApp, Inc. v. Nimble Storage, Inc., No. 5:13-cv-05058, 2014 WL 1903639, at *13 (N.D. Cal. May 12, 2014). But there will be many times when the evidence strongly suggests both. For example, if the theft of data was more than just a one-off event, there is every reason to believe that the beneficiary of the thefts was actively telling the thieves what to steal.

A third remedy is section 337 of the Tariff Act of 1930. It allows the International Trade Commission (ITC) to bar the importation of goods produced using stolen trade secrets. The ITC may exclude such goods from the United States if they are the result of “unfair methods of competition . . . the threat or effect of which is to destroy or substantially injure an industry in the United States.” 19 U.S.C. § 1337(a), (d). “Unfair methods of competition” includes a federal common law cause of action for the theft of trade secrets, which closely mirrors the provisions of the UTSA. See TianRui Grp. Co. v. Int’l Trade Comm’n, 661 F.3d 1322, 1327–28 (Fed. Cir. 2011). A complaint can be filed in the ITC even if the theft of trade secrets occurred abroad, so long as the theft violated the laws of the place where the secret was stolen. Id. at 1328. Although Section 337 does not allow for the recovery of money damages, a victim of commercial cyberespionage can at least make sure he’s not competing in the United States against products that are produced using his trade secrets and intellectual property.

In short, there are surprisingly robust legal remedies not just against cyberspies but against the companies who benefit from the spies’ intrusions. But that is not the end of the matter. Just having a good legal case does not mean that a victim will bring suit. There are plenty of practical reasons why a lawsuit might not be prudent even with the law on your side. But that’s a topic for another day, and another post.

Recently, I was the keynote speaker for CityNationalBank’s “Cyberespionage: Who Wants Your Data? And What Can You Do About It?,” where I discussed the increased cyberattacks on law firms involved in international mergers and acquisitions.

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.

Those who see tort law as a cybersecurity savior are now getting their day in court. Literally. Mandatory data breach notices have led, inevitably, to data breach class actions. And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.

So, how much incentive for better security comes from the threat of data breach liability? Some, but not much. As I’ve been saying for a while, the actual damages from data breaches are pretty modest in dollar terms, and the pattern of losses makes it very hard to sustain a single class, something that forces up the cost of litigation for the plaintiffs.

You can see this pattern in recent data breach settlements. I put this chart together for a talk on the subject at the Center for Strategic and International Studies. While the settlements below all have complications (Sony’s settlement was mostly in free game play, for example), they all cap the defendants’ total liability. And what’s striking about the caps is how low a price these agreements set, especially on an individual basis, where $2.50 per victim looks to set the high end and 50 cents the low. Of course, to determine how much you spend annually to avoid that liability, a company would have to discount the settlement price by the probability of a breach in any given year. Even Sony doesn’t have a breach every year, so a probability adjustment cuts the value of avoiding liability to something between a half and a tenth. At those prices, I wouldn’t expect much change in corporate cybersecurity budgets.

(I know that these charts don’t account for the biggest claims in cases like Target and Home Depot — banks suing for the cost of reissuing credit cards. That’s a very different theory of liability mainly applicable to a limited number of big retailers. In the end I doubt that liabilities to issuing banks will drive much cybersecurity either, not because the claims are low — they’re more likely to be in the $50 per card range — but because establishing liability will not be all that easy and because things like tokenization will likely prove much cheaper than improving security.)

It was a busy week for companies and government agencies struggling to combat the growing threat of cyber-attacks, with some bad news and some good news.  Here’s what you need to know, and how we can help.

What you Need to know

First, the bad news:

  • Lawsuits against Target move forward and lawsuits against Home Depot pile up:  Target faces over 90 lawsuits arising from its data breach last holiday season, including suits filed by consumers, banks, credit card companies, and shareholders.  Last week a federal judge in Minnesota rejected Target’s efforts to dismiss the lawsuits by the banks, clearing the way for banks to go after merchants for alleged negligence in cybersecurity.  Meanwhile, Home Depot revealed in its most recent quarterly SEC filing that it already faces at least 44 lawsuits, as well as investigations by multiple state and federal regulators, arising from the breach it announced just three months ago.  The price tag from the breach so far is reportedly $28 million, but that number will likely grow exponentially in the months ahead.  It has also been reported that Home Depot, like Target, suffered the breach in part because hackers were able to get into its system through a third-party vendor.
  • Destructive malware used in Sony Pictures attack and Iran-based hacking group attacks targets worldwide:  Sony Pictures has been victimized by an attack that resulted in the leak of several completed films as well as information about executive compensation and other personal information about employees.  The malware used in the attack reportedly wipes data from computers in a way that makes it nearly impossible, if not impossible, to recover it.  The FBI is warning other US businesses that they face a similar threat.  Meanwhile, the FBI also released an alert to US businesses in multiple sectors about coordinated cyber-attacks originating from Iran.  A private security firm released a report about the same hacking group, indicating that victims included a defense contractor as well as companies in the energy, transportation, automotive, and medical services sectors.

Now, the good – or at least encouraging – news:

  • FTC declines to pursue case against Verizon:  The FTC recently ended an investigation into allegations regarding Verizon’s security practices for customer routers.  But unlike FTC investigations into more than 50 other companies, this inquiry ended without a consent decree requiring fines or burdensome compliance audits.  On the contrary, the FTC closed its inquiry without taking any action based on Verizon’s strong, proactive remedial measures and the quality of its overall data security practices relating to routers.
  • DOJ Criminal Division announces new Cybersecurity Unit:  Leslie Caldwell, the Assistant Attorney General for DOJ’s Criminal Division, announced the formation of a new Cybersecurity Unit within the Criminal Division’s Computer Crime and Intellectual Property Section.  The new unit will act as a central hub to provide legal guidance and expertise for US and foreign law enforcement agencies and to support cybersecurity activities by public and private sector partners.  Those functions are not now – indeed, CCIPS does all of them right now.  But CCIPS has historically lacked the resources to tackle the increasingly global cybercrime problem on the scale it requires, so if the creation of the new Unit means more high-level attention and resources to the effort, then it’s a great step.  But the critical test will be whether new resources are devoted to the section to support the new Unit, so it is more than just a new line on an organizational chart.

What you need to do now

The key takeaways from these developments are:

  • Test your privacy and security program:   If you get breached, you will be sued and investigated.  Just ask Target and Home Depot.  That means it’s important to have a vetted cybersecurity program in place before a breach occurs, and to test and adapt that program as risks and threats evolve.  The best way to defend yourself later when courts and regulators are looking at your conduct is to take proactive measures now, before an incident occurs.  Steptoe can help you review and revise your security program, under the protection of the attorney-client privilege, to mitigate your risk of an incident now and to reduce your litigation exposure later.  We’ve released a free data breach toolkit to help companies better understand how to address these risks.
  • Test your incident response plan and team:  Poor breach response can make a bad situation much, much worse.  A breach is a crisis, and Steptoe can help you test your company’s ability to respond to all aspects of the crisis – including technical, legal, and public relations — through a breach simulation.  That way you can be confident that when the real thing occurs, your people will be able to handle it effectively.
  • Your vendors’ cybersecurity practices could pose a risk to your network:  Target and Home Depot both demonstrate that a hacker can get into your system though one of your vendors or suppliers.  How much do you know about your vendors’ cybersecurity practices?  Do you have contracts with your vendors that obligate them to maintain certain levels of security, and to indemnify you for a breach on your system?  Steptoe can review your vendor management program to help protect you from this third-party risk.
  • Law enforcement engagement and information-sharing are critical:  Sharing of cyber-threat information between the government and private sector has never been more important.  And one of the most challenging parts of breach response is the question of whether and how to engage with law enforcement.  Steptoe has unparalleled government cyber experience and relationships, including former DOJ, FBI, DOD, and DHS officials with responsibility for cybercrime and cybersecurity.

If you have questions about these recent developments or would like to discuss steps to address your cybersecurity and litigation risks, please contact our cybersecurity team: Stewart Baker at 202.429.6402; Michael Vatis at 212.506.3927; or Jason Weinstein at 202.429.8061.