By Neil Bloomfield and Lindsey Frye. The legal and regulatory landscape continues to evolve in an effort to meet the pervasive and destructive effects of cyber attacks. 2017 brought a substantial increase in the number of attacks and the severity of the breaches. Hacking victims disclosed former breaches to be more serious than originally reported, while others delayed disclosure of the hacks entirely. Cyber attacks affected both the private and public sectors with equal force. Attacks were launched by private and state-sponsored groups, making cyber defense a popular talking point for government leadership.
In fact, the new administration appears to be more focused on defense than enforcement. Most of the new cyber-related measures were directed toward strengthening government agencies’ cyber networks, but they also acknowledge the seriousness of the cyber threat to all sectors, both public and private. The Federal Trade Commission (FTC) continued to be the primary federal data breach regulator, but its 2017 enforcement activity in response to data breaches was limited as and it is unclear whether other authorities—state authorities in particular—will fill the enforcement gap.
There Appears to Be No End in Sight for Cyber Attacks
According to the 2017 Ponemon Institute Cost of Cyber Crime Study, there was an increase of 27.4% in cyber attacks in 2017. In terms of types of attacks, in ransomware attacks more than doubled as a percentage of the cyber attacks observed by the Institute. Another study found that “ransomware attacks in 2017 through October have surpassed total figures for 2016 by 62%.”
State Sponsored Cyber Attacks
State sponsored cyber attacks continue to present the most dangerous forms of cyber attacks. In May, North Korea sponsored a worldwide cyber attack using a ransomware known as WannaCry to encrypt victim’s data and demand ransom payments in Bitcoin. The attack affected victims around the world including the UK’s National Health Service and FedEx. In December, the United States publicly blamed North Korea for the attack.
In June, ransomware known as NotPetya affected companies around the world. It was largely used to target Ukraine, but other victims of this attack included DLA Piper, one of the world’s largest law firms, and Danish shipping giant Maersk. Maersk reported it will have to spend $200 to $300 million to recover from the attack. The CIA recently attributed the attack to Russian military hackers intending to disrupt Ukraine’s financial system.
While not exactly state sponsored, at least some of the cyber attacks perpetrated this year were the result of the National Security Agency’s hacking tools being stolen by the Shadow Brokers, an anonymous hacking group. The NSA’s tools were then released and led to a number of cyber attacks.
Private Party Cyber Attacks
Outside of the known state sponsored attacks, 2017 saw several additional large-scale cyber attacks.
Credit reporting agency Equifax announced that hackers gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers. Over 240 class action lawsuits have been filed against Equifax, including one by the Independent Community Bankers Association (ICBA) for damage to the banks caused by the breach. The company reported $87.5 million in expenses related to the hack, but stated it was impossible to estimate how much the attack would ultimately cost the company. In November 2017, a 50-state class action was filed alleging 83 causes of action against Equifax, claiming the company failed to employ a security patch that led to the breach, and that plaintiffs suffered harm because of missteps Equifax took after the breach.
Service providers continue to be a focus for attacks. In essentially a repeat of the Panama Papers hack that resulted in the theft of offshore financial data for some of the most wealthy and influential individuals in the world, the Appleby law firm announced it was hacked in October 2017. The breach resulted in a leak of more than 13 million documents, dubbed “The Paradise Papers,” which are similarly focused on offshore accounts and structures of wealthy individuals. Accounting firm Deloitte disclosed in September that a hack compromised a server containing client emails. At least six of Deloitte’s clients were informed that their information was “impacted” by the hack.
In October, Yahoo announced that every single one of its 3 billion accounts was affected by the data breach that occurred in 2013. After this announcement, former and present Yahoo, Verizon and Equifax executives were required to testify before the Senate Commerce Committee.
In November, Uber disclosed its attempt to cover up a 2016 data breach in which hackers obtained names, email addresses and phone numbers from 57 million customers. The driver’s license numbers of 600,000 drivers were also obtained. Uber paid a 20-year old hacker in Florida $100,000 to keep the breach a secret. Government authorities in multiple jurisdictions are investigating Uber’s conduct in regards to the breach. Three senior security managers resigned from Uber, and the former Chief Security Officer Joe Sullivan was fired.
As evidenced by the Uber attack, one of the worst responses to a hack is a cover-up or delayed disclosure. In addition to the reputational damage a cover-up will cause, companies can incur additional liability by not immediately revealing an attack. Many states have laws requiring companies to notify the state attorney general within 45 days if a breach affects a certain number of residents of that state. The state of Washington has already sued Uber for violation of this law, and at least four other state Attorneys General have opened investigations into Uber’s failure to disclose the breach.
Federal Regulatory Trends
The Trump administration’s response to cyber attacks it its first year has focused more on prevention that enforcement.
President Trump directed significant funding toward the nation’s cybersecurity infrastructure through the National Defense Authorization Act (NDAA), which includes the Modernizing Government Technology (MGT) Act, which funds IT system and infrastructure upgrades across the government. The White House also issued a report enumerating general steps government agencies should take to ramp up the modernization effort. In addition, in his remarks on his administration’s first published national security strategy, which includes a plan to defend federal networks from cyberattacks, President Trump stated, “we will develop new ways to counter those who use domains, such as cyber and social media, to attack our nation or threaten our society.”
In response to the significant cyber threat facing the country, President Trump nominated and the Senate confirmed Kirstjen Nielsen to lead the Department of Homeland Security (DHS). Nielsen has significant cybersecurity experience; she served on the Homeland Security Council during the George W. Bush administration and was a member of the Resilience Task Force of the Center for Cyber & Homeland Security committee at George Washington University. In December, the House passed a bill to reorganize a directorate within DHS to the “Cybersecurity and Infrastructure Security Agency.” If the bill passes, the agency would be a standalone unit handling cyber and critical infrastructure protection.
The SEC was involved in a number of headlines related to cyber attacks as both victim and regulator. In August, the SEC issued a risk alert, highlighting cybersecurity observations from examinations of 75 firms. Then in September, the agency announced that its EDGAR system was attacked in 2016, giving hackers potential access to non-public trading information. The SEC pushed forward on cybersecurity, announcing the creation of a new Cyber Unit within its Enforcement Division in late September. The Cyber Unit brought its first enforcement action in December, alleging a Canadian company violated securities law in raising $15 million through an initial coin offering (ICO).
The Trump administration also took two notable steps which reduced potential enforcement and oversight for cyber attacks. First, President Trump took steps to limit the power of the CFPB, which was set to be a primary cyber-regulator in the U.S. The President cut CFPB funding in his 2018 proposed budget, and in November, Trump named a CFPB critic – Mick Mulvaney – as acting director of the CFPB, who has since asked for no additional funding for the agency. Additionally, under the leadership of Secretary Tillerson, the State Department closed the office responsible for coordinating on cyber issues with other countries. The Office of the Coordinator for Cyber Issues was established under President Obama, and will be folded into the State Department’s Bureau of Economic and Business Affairs.
The Federal government has also sought to assist at the state level. Congress passed the Strengthening State and Local Cyber Crime Fighting Act of 2017, which authorizes the National Computer Forensics Institute, which will provide state and local officials with resources to handle cybercrime threats. In addition, there has been significant activity on Capitol Hill centered on the protecting local election and local voting databases from interference or a cyberattack.
State Regulatory Trends
The state regulator most active in the cyberspace this year was the New York Department of Financial Services (NYDFS). In March, NYDFS’s cybersecurity requirements for financial services companies became effective, requiring banks and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers. Covered entities were required to be in compliance by August 2017. Additionally, in response to the Equifax breach, NYDFS proposed new regulations requiring credit reporting agencies to comply with the cybersecurity requirements for financial service institutions.
While strides were made in how cyber attacks in the U.S. will be addressed by government authorities, the pace of the attacks and their impact continue to have devastating consequences. We expect both of these trends to continue in 2018.
Neil Bloomfield has more than a decade of experience advising major financial institutions, and other highly regulated entities in responding to government investigations, including responding to global investigations into LIBOR and other reference rates, foreign exchange trading, and the allegations raised by the Panama Papers. He also frequently advises clients as they implement programs to comply with regulatory requirements, including requirements created by Recovery and Resolution Planning and CCAR.