GAO REPORT CALLS FOR A FEDERAL DATA PRIVACY LAW

The GAO report deserves praise on three counts. First, it presents an excellent outline of the basics of data protection and of the tension between those seeking new and revolutionary innovation based on data collection and those concerned with individual privacy. Second, it notes that the FTC needs increased funding so the agency can enforce more vigorously. Finally, it concludes that a federal data breach privacy law is needed. Despite these good points, the report falls short in two respects.

The first is that the report does not address the issue of pre-emption. Black’s Law Dictionary[ii] defines pre-emption as the “Doctrine adopted by the U.S. Supreme Court holding that certain matters are of such a national, as opposed to local, character that federal laws…take precedence over state laws. As such a state may not pass legislation inconsistent with the federal laws.”

Pre-emption is a major obstacle to the passage of a federal data breach law.[iii] Republican data breach legislation generally favors pre-emption because a single federal law provides uniformity. Currently, state data privacy laws set different standards for what counts as personal information, when the appropriate authorities must be contacted, and so forth, and those state standards conflict with one another. A company such as Target, suffering a nationwide breach of its systems, would need to comply with 50 different standards.

Democratic data breach legislation typically rejects pre-emption; it would rather have federal and state jurisdictions work together, or concurrently, in the interest of consumer protection. The problem with this approach is that the federal statute then does nothing to simplify a company’s response to a breach: the company must deal with one additional layer of regulation on top of the state layer it already faces.

The GAO needed to address pre-emption. Doing so would have given Congress an understanding of the costs companies incur in complying with a patchwork of different state laws as opposed to a uniform federal law.

The second shortcoming of the GAO report is its failure to discuss the work done by Health and Human Services (HHS). HHS oversees the Health Insurance Portability and Accountability Act (HIPAA), the law and regulations governing patients’ information. The Gramm-Leach-Bliley Act (GLBA), which covers banks and other financial institutions, is the other federal data privacy law with a provision addressing data breaches. The FTC is one of the primary enforcers of the GLBA, alongside the federal banking regulators.

A GAO assessment of HHS’ HIPAA enforcement would have given Congress a point of reference when reviewing and developing the FTC’s role in data breach enforcement. The GAO needed to compare how HHS and the FTC handle data breach enforcement; that comparison would have given Congress a better understanding of how a federal data breach law would actually be enforced. There is a consensus that the FTC should be the primary agency enforcing a federal data breach law, and reviewing HHS’ experience enforcing data privacy under HIPAA would help Congress decide how to fund and equip the FTC once federal data breach legislation passes.

In closing, a federal data privacy law is something that both consumers and businesses want and need. Recently, Intel issued its own proposed version of a data breach law.[iv] Discussing pre-emption and providing a case study of HHS’ handling of data breaches in the medical field could have made a good report a better one. Hopefully, the GAO will revisit this topic to address these two matters. If it does, it may provide the clarity needed to break the logjam on the passage of much needed legislation.

Cyber Laws To Keep An Eye On


The Small Business Cyber Training Act of 2017

Senator James Risch (R-ID) introduced “The Small Business Cyber Training Act of 2017” at the end of June, and the bill was referred to the Senate Committee on Small Business and Entrepreneurship.[i] The bill would amend a section of the Small Business Act to “require cyber certification for small business development center counselors.” If passed, it would require the Small Business Administration to establish a cyber counseling program to assist small businesses. Small businesses tend to be easy targets for hackers because they often serve as vendors to larger companies, and a compromised vendor can provide a way into the larger company’s systems. For example, the Target breach of a few years ago began with hackers compromising an HVAC vendor that serviced Target stores. Once inside the vendor’s network, the attackers used that foothold to reach Target’s network, and the rest is history.[ii]

The challenge facing legislation tailored to small businesses is the common perception that cybersecurity is very expensive. Because of this perception, many small businesses see a choice between investing in a potentially costly proactive plan and waiting for a data breach to occur and cleaning up the mess afterward. In most cases, small businesses appear to prefer doing nothing: why invest against something that may or may not happen? Unfortunately, the businesses that believe proactive cybersecurity planning is too expensive are the ones typically targeted, and they ultimately lose not only data but also customers and their reputation.


The International Communications Privacy Act

“The International Communications Privacy Act,”[iii] originally introduced by Senator Orrin Hatch (R-UT) in 2016 and reintroduced in July 2017, would amend the Electronic Communications Privacy Act (18 U.S.C. 2510-22)[iv] to add safeguards for data stored abroad. The proposal requires the U.S. Department of Justice to obtain a warrant to access information stored on servers outside the United States. It also requires the Department of Justice to notify the foreign government of its intent to execute the warrant; the warrant proceeds if the foreign government does not object. If the foreign government objects, the matter goes before a judge, who decides whether the U.S. interest in the data that is the subject of the warrant outweighs the foreign government’s objection.

This legislation is relevant because of a pending matter between the US Department of Justice and Microsoft over the use of a warrant to retrieve data stored in Ireland.[v] As the legislation begins its review in the designated committees, we will be watching for changes to the text, since the international policy implications of such a bill could very well shift. Additionally, there is a growing trend in international trade to treat customers’ information as a commodity: several nations have begun passing laws requiring that their nationals’ data be stored within their own borders rather than abroad, unless the foreign company or country meets their data privacy standards.


The Internet of Things (IoT) Cybersecurity Improvement Act of 2017

The third and final bill concerns the inter-networking of electronic devices and products that connect to the Internet and can collect and exchange data (such as “wearables” like Apple Watches or Fitbits, “smart home” products like Nest or Amazon’s Echo, and even connected cars),[vi] otherwise known as the Internet of Things (“IoT”).[vii] Introduced by Senator Mark Warner (D-VA) on August 1 and referred to the Committee on Homeland Security and Governmental Affairs, “The Internet of Things (IoT) Cybersecurity Improvement Act of 2017” calls for the Federal government to develop cybersecurity standards that vendors must agree to comply with if they wish to sell their products to the Federal government.[viii] (The official text of the proposed bill should be updated by the Government Publishing Office after the August recess.)[ix] As more products become dependent on the Internet and collect and exchange more personal data, they create more opportunities for hackers to gain access to private information. Requiring vendors to comply with either the Government’s cybersecurity standard or the industry’s standard will benefit everyone, because the same standard will apply when these products reach the commercial market. Cybersecurity compliance requirements for vendors are especially important after the massive data breach at the Office of Personnel Management disclosed in June 2015. OPM lost the personnel files of millions of active and retired government employees. The breach was an embarrassment to the agency because the stolen files included those of intelligence personnel, and it exposed how poorly protected the agency’s network was.[x]


In closing, these three bills are examples of Congress’s attempts to become proactive in addressing cybersecurity issues. Constantly evolving technology brings new and improved ways to use these tools. The three bills address three different aspects of cybersecurity and its impact on the global community: the importance of enabling small businesses to assess their data privacy needs; the global dimension of cybersecurity; and the potential uses and abuses of new technology.

As these bills progress through the Senate, it is important to assess the state of current technology diligently while ensuring that regulation does not hinder innovation. The Senate will begin reviewing these bills after the August recess, and we will continue to provide updates and insight into the changes to come.



[i] The Small Business Cyber Training Act of 2017, S. 1428, 115th Cong. (2017).

[ii] For more information on the Target data breach, see “Learning from the Target Data Breach.”

[iii] The International Communications Privacy Act, S. 1671, 115th Cong. (2017).

[iv] 18 U.S.C. §§ 2510-2522, full text.

[v] For more information on the case between the DOJ and Microsoft, see “Microsoft vs. DOJ – Round 2.”

[vi] For examples of products capable of connecting to the IoT, see “Internet of Things Devices, Applications & Examples.”

[vii] For more information on the Internet of Things, see “Simple Explanation of the Internet of Things That Anyone Can Understand.”

[viii] The Internet of Things (IoT) Cybersecurity Improvement Act of 2017, S. 1691, 115th Cong. (2017).

[ix] The text of S. 1691, as introduced by Sen. Warner, can be viewed here.

[x] To learn more about the OPM breach, see “Congressional Report Slams OPM on Data Breach.”

Microsoft vs. DOJ – Round 2

The DOJ’s warrant sought information stored on a server in Ireland. Microsoft refused to hand over the requested data on the ground that the warrant reached only material in the United States, not material outside the country. The dispute over the warrant’s validity went to the Second Circuit Court of Appeals, which ruled that the DOJ could not use a warrant issued under the Stored Communications Act to reach the data. The court reasoned that Congress did not intend the Act’s warrant provision to be executed outside US territory. The court also recognized that the Stored Communications Act needs revising, because it was passed before the Internet became prevalent.

Recently, the DOJ announced that it would draft a “legislative fix” in response to the Second Circuit’s ruling. However, the DOJ already has a tool at its disposal to address this issue: the Mutual Legal Assistance Treaty.[ii] Mutual Legal Assistance Treaties (MLATs) are agreements between the United States and foreign governments on matters involving criminal investigations,[iii] and their focus is cooperation between the countries’ respective law enforcement agencies. However, the US does not have such a treaty with every foreign government. A major criticism of using MLATs for emails or other communications stored on servers is the time it takes to obtain and review the requested information. Given the urgency of reviewing emails and other electronic communications, the DOJ fears that such information will be permanently lost.

Based on the DOJ’s comments, it appears that the department intends to bypass the MLATs. Although the DOJ’s proposal is still at an early stage, Congress should be wary of granting such powers. The major problem with bypassing MLATs is reciprocity. Under reciprocity in international law, if country A applies its laws to data held in country B, country B will expect to apply its laws to data held in country A. Applied here, that principle could be damaging: imagine China or Russia executing search warrants under their criminal laws against individuals who criticize their governments on Twitter or by email, and demanding that information from American servers.

Congress needs to be very judicious in granting extraterritorial reach to US search warrants as it revises the Stored Communications Act. The Department of Justice must also recognize that the rules governing data and data flows are still evolving, and foreign policymakers remain attentive to the ability of the NSA and its counterparts in other countries to intercept conversations anywhere in the world. Instead of bypassing MLATs, the DOJ should make every effort to work with its counterparts in the EU and other international bodies to implement a special type of MLAT for email and other electronic communications. A dedicated treaty on legal assistance for electronic communications and data storage, backed by congressional action, would give the DOJ a more appropriate way to address these problems.

Cybersecurity Awareness Month

October was Cybersecurity Awareness Month. It seemed that every day brought news of cyber attacks or the release of hacked emails. While we tend to think of these events as happening far from home, they are not. How many suspicious-looking emails have you received in the past week? Did you open them?

Business owners, do you have a cybersecurity plan in place in the event that your company is hit with a cyber attack? Having a plan is only the first step; the next is training your employees. A recent article in Infosecurity Magazine states that 80% of US employees lack cybersecurity awareness.

According to the survey it cites, the overwhelming majority of US employees could not recognize malware, dispose of information safely, or identify other methods hackers use to get into a network. The major cause of this failure is a lack of consistent training. A breach most often starts when someone opens an email or clicks a link that should have looked suspicious.

Having a cybersecurity plan and training your employees is vital to your company’s health. Relying on your cyber-insurance policy is not sufficient. Without a plan, your costs skyrocket because containing the breach becomes an emergency. Not having a cybersecurity plan is like returning to a home severely damaged by a hurricane and discovering you have no homeowner’s insurance.

As October ends and we head into November, this is a great opportunity to review, or even develop, a cybersecurity plan. Unlike hurricanes, cyber attacks arrive suddenly and without warning. The most effective way to limit the damage is preparation.

Please do not hesitate to contact us to help you review your cybersecurity plan or develop one that is tailored for your company.

Data Security and Presidential Campaigns (PART II)

The resulting damage has finally caused campaign leaders to address directly the devastating effects of data breaches and the importance of being proactive. Ms. Donna Brazile, the interim DNC Chair, has announced the formation of a Cybersecurity Advisory Board. The board’s goal is to review cybersecurity policies and ensure that data leaks do not happen again.

The announcement of the new board, however, has met criticism as a seemingly weak attempt at real prevention. Experts in the field were quick to point out a major flaw: none of the four members of the DNC board has a technical background in cybersecurity. One critic of the panel, the Senior Legislative Manager at the DC-based internet policy group Access Now, voiced his concern in an article by Vocativ: “Washington D.C. has a history of omitting technologists from conversations about cybersecurity. The threats to cybersecurity continue to grow. It is imperative to have technology experts who understand the reach and ramifications of tools and decisions in the room when policies are being decided upon.”

Although the policies and actions the DNC Advisory Board may implement are unknown, the lack of software and technology experts or experienced cybersecurity professionals is a concerning indication of its potential. Cybersecurity is a fluid situation that requires the ability to fully comprehend the evolution of technology and new developments, whether a new virus or a different breach attempt by bad actors. A lack of experience and background in implementing technology, and of dedication to proactively securing personal data, creates unrealistic expectations about how successfully a company’s information will be protected.

At PobleteTamargo we recognize the importance of creating policies that complement the products you use to protect your clients’ information. For more information on prevention and preparation for potential breaches, see our Privacy, Data Protection & Security page.

Read more from Part I of Data Security and Presidential Campaigns Here.