
Cybersecurity & Antitrust

Recently the United States federal antitrust enforcement agencies — the Federal Trade Commission and the Justice Department’s Antitrust Division — issued a joint policy statement designed to “make it clear that they do not believe that antitrust is, or should be, a roadblock to legitimate cybersecurity information sharing.” The release made headlines globally, but the real story is that the risk of antitrust exposure for exchange of cyber risk information, even among direct competitors, was and remains almost non-existent.

That is because the U.S. antitrust laws (principally Section 1 of the Sherman Act) prohibit horizontal conspiracies and agreements among rivals, like price fixing, that harm competition. In some areas, information exchange can be competitively problematic, for instance where firms share non-public bidding or price data, or M&A transactions where the deal parties “gun jump” by acting as if they were already merged instead of continuing to compete independently. Yet as the policy statement confirmed, “cyber threat information typically is very technical in nature and very different from the sharing of competitively sensitive information such as current or future prices and output or business plans” and is thus “highly unlikely to lead to a reduction in competition.”

That’s hardly new. More than a decade ago DOJ said exactly the same thing in approving a proposal for cybersecurity information sharing in the electric industry, and Antitrust Division chief Bill Baer called the 2014 reaffirmation “an antitrust non-brainer.” But perceptions can have consequences, and some had voiced the fear that the exchange of IT security information among competitors could present a slippery slope, a forum for the kind of hard-core anticompetitive agreements the government loves to prosecute. At least that is what the White House, which called antitrust law “long a perceived barrier to effective cybersecurity,” reasoned in encouraging the FTC-DOJ clarification. So clearing away the underbrush of misinformation should help reassure business executives that companies which share technical cybersecurity information such as indicators, threat signatures and security practices, and avoid exchanging competitively sensitive information like business plans or prices, will simply not run afoul of the antitrust laws.

Cybersecurity: When Guidelines Become Rules

So much media attention was paid to the spectacular collapse of U.S. Senate deliberations on a cybersecurity bill in August — and the Obama Administration’s controversial move to fashion an Executive Order on the subject — that few if anyone focused on the biggest change affecting the data protection landscape. The Securities & Exchange Commission (SEC) guidelines on disclosure of cyber attacks by publicly traded corporations have become de facto rules for at least six companies, including Google Inc. and Amazon.com Inc., according to recent agency enforcement letters.

Last fall, the SEC completed a long process of issuing staff “guidance” on when cybersecurity risks must be disclosed in public company securities filings (annual reports, 10Qs, etc.). The sensible conclusion was that if a hack or intrusion would be “material” to an ordinary investor, corporations need to disclose the cyber risk and discuss their actions to ameliorate or prevent it. Unlike Y2K, however, these guidelines, released by the SEC’s corporate finance section, did not come with a “safe harbor” for disclosing companies. In 1999, congressional legislation created a legal safety zone for Y2K disclosures, avoiding liability under the Securities Act of 1934, that has not been replicated with respect to more general cybersecurity risks.

The recent SEC enforcement steps also have taken place at the corporate finance division level, but presumably with the informal approval at least of SEC Chair Mary Schapiro. In these cases, the agency “requested” that a number of large Internet companies clarify or modify their SEC filings to disclose cyber incidents that previously had not been reported to investors. In April, the SEC asked Amazon to disclose in its next quarterly filing that hackers had raided its Zappos.com unit, stealing addresses and some credit card digits from 24 million customers in January, which Amazon did. Google likewise agreed in May to put a previously disclosed cyber attack in its formal earnings report. AIG, Hartford Financial Services Group, Eastman Chemical and Quest Diagnostics were also asked to improve disclosures of cyber risks, according to agency staff correspondence reported by Bloomberg News.

As one example, here is the relevant excerpt from the corporate finance staff’s May 2, 2012 letter to Google CEO Larry Page:

We note your disclosure that if your security measures are breached, or if your services are subject to attacks that degrade or deny the ability of users to access your products and services, your products and services may be perceived as not being secure, users and customers may curtail or stop using your products and services, and you may incur significant legal and financial exposure. We also note your Current Report on Form 8-K filed January 13, 2010 disclosing that you were the subject of a cyber attack. In order to provide the proper context for your risk factor disclosures, please revise your disclosure in your next quarterly report on Form 10-Q to state that in the past you have experienced attacks. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 at http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm for additional information.

The difference between fall 2011 and spring 2012 is that, irrespective of the formal legal effect of staff guidance, the SEC is using its administrative processes to produce a disclosure result not specifically compelled by the agency’s rules for corporate securities filings. That in itself is not surprising, since the securities laws and implementing SEC regulations are broad enough to encompass any factor, whether financial or otherwise, that could affect stock prices. Here, the SEC staff opined in its guidance that basic SEC rules about market manipulation, insider trading and misleading shareholders (e.g., Rule 10b-5) required disclosure of cyber incidents and cybersecurity risks by any business potentially affected by hacking. And that’s obviously not confined to online retailers or Web-centric businesses.

The bigger question is how businesses can protect themselves from the embarrassment of such compelled, government-mandated cyber disclosures and the even greater potential for fines and formal enforcement actions the SEC may utilize in the IT security realm going forward. Here are a few pointers:

  • Do not assume that merely because your business is not online, cybersecurity cannot affect the company. Hundreds of “brick and mortar” retailers, for instance, have had consumer credit card records breached.
  • Treat data security just like your securities lawyers treat any other risk to the business’s future, since that is how federal regulators view cyber risks.
  • Do not assume the SEC’s focus on cybersecurity is limited to public companies, because the underlying rules cited by its corporate finance division apply just as much to private placements as they do to proxy solicitations and 10K reports.
  • When disclosing IT security risks, make sure they are balanced by something concrete and proactive to prevent, or diminish the severity of, cyber attacks. Otherwise disclosures may have the opposite effect of encouraging shareholder class action litigation.
  • Work closely with compliance counsel, IT technology experts and your insurance carriers to develop workable cybersecurity assessment and intrusion notification regimes, internally and externally. This should not only reduce legal exposure, but going forward lower the company’s costs for cyber insurance. Periodic outside reviews should provide both comfort and legal protection to CEOs or CFOs signing SEC submissions.

These SEC staff actions were balanced by the traditional caveat that “our comments or changes to disclosure in response to our comments do not foreclose the Commission from taking any action with respect to the company or the filings and the company may not assert staff comments as a defense in any proceeding initiated by the Commission or any person under the federal securities laws of the United States.” But the chances the full SEC would prosecute a public company for following staff suggestions are remote. On the other hand, for public corporations that ignore this lesson, and fail to disclose cybersecurity risks, we suspect only pain and expense — most likely in a Commission prosecution or fine — lie in their SEC futures. So rules are really rules, even when they are not.

Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.

More CFAA Uncertainty

We’ve written previously about the Computer Fraud and Abuse Act (CFAA) being limited by judicial interpretation, especially for employers as civil plaintiffs, and offered tips on alternatives to controlling unauthorized access to or use of enterprise IT systems by employees (see our earlier Information Intersection post, “Reports Of The Computer Fraud and Abuse Act’s Demise Have Been Greatly Exaggerated”). The terrain is getting even murkier.

The Court of Appeals for the Ninth Circuit last April in Nosal gave the statute a limited construction, holding that the “exceeds authorized access” offense is “limited to violations of restrictions on access to information, and not restrictions on its use.” That may make sense from the perspective of a law dating to 1984 and initially designed to criminalize physical damage to computing systems, but not from the perspective of how courts transition precedent from one technical era into another. The CFAA is not that old. Yet already we are confronted with an increasing conflict as to its basic scope when applied to civil remedies for insiders who exceed their authority and injure corporate good will or IP. Indeed, cybersecurity experts often warn that the greatest threats to business IT systems and the information they store arise not from hackers, but dishonest or disaffected employees, even “well-meaning insiders.”

Last week the Fourth Circuit added more fuel to the CFAA fire in WEC Carolina Energy Solutions LLC v. Miller, extending Nosal to civil claims and concluding that the law does not codify violations of corporate information technology policies. The employer’s IT policy (as this blog recommended) prohibited employees from using company information without authorization and from downloading information to their personal computers. So was use of information in violation of that policy, but obtained from a computer an employee is otherwise authorized to access, “without authorization” or “exceed[ing] authorized access”?

The WEC Carolina court said no. Unauthorized access applies to an employee who has “approval to access a computer, but uses his access to obtain or alter information that falls outside the bounds of his approved access…. Notably, neither of these definitions extends to the improper use of information validly accessed.” They do not cover information misuse alone, the court reasoned, because as a criminal statute the CFAA must be construed in accordance with the plain meaning of its language so defendants have fair warning about punishable conduct. The Fourth Circuit also rejected the “cessation-of-agency” theory espoused by the Seventh Circuit. Under this theory, if as an employee you use a corporate computer network in breach of your company’s policy, you have violated your fiduciary duty and therefore any right of access is terminated by operation of law, making ongoing use of the network a violation of the CFAA. The Fourth Circuit held that this approach would improperly suck in “millions of ordinary citizens” who innocently check Facebook or sporting event scores while at work.

Our conclusion here likely will disappoint employers hoping for a means to rein in rogue employees. But we are unwilling to contravene Congress’s intent by transforming a statute meant to target hackers into a vehicle for imputing liability to workers who access computers or information in bad faith, or who disregard a use policy. Providing such recourse not only is unnecessary, given that other legal remedies exist for these grievances, but also is violative of the Supreme Court’s counsel to construe criminal statutes strictly.

The ambiguities inherent in the often-amended CFAA are growing as aggressive litigants vie for competing interpretations. They expose the often-secret reality that the statute was not structured for an era when most employees have company-issued computing devices and are permitted remote BYOD access to corporate IT systems. The argument that the CFAA regulates the workplace today because everyone uses what the statute classifies as “protected computers” (used in interstate commerce, i.e., with an Internet connection) is on its last legs. We do suspect that the wide gulf among the federal appellate courts may inspire the Supreme Court to take up a CFAA case next term, which begins in October 2012, but even if review is accepted a decision would likely not be handed down until 2013 or even 2014. Employers obviously cannot wait that long and, given political paralysis on cybersecurity in the Senate, a legislative clarification seems extremely unlikely.

The lesson: employers should keep tabs on the CFAA, but put more of their IT and IP protection “eggs” into confidentiality agreements, NDAs and other “baskets” that do not raise the linguistic disputes and uncertainty plaguing civil CFAA litigation today.

Note: Originally written for and reposted with permission of my law firm’s Information Intersection blog.