Cybersecurity 2016 Year in Review

PoliticsUS v. Apple: In February, the FBI sought Apple’s assistance in decrypting an iPhone used by one of the San Bernardino terrorists, a request denied by Apple. Ultimately the FBI’s decrypted the iPhone without Apple’s help. The debate over the creation of “back doors” into encrypted devices, and user privacy vs. law enforcement, can be expected to continue.Voter registries and voting machines: In the run-up to the election, there were substantial concerns that both voting machines and registries may be attacked as a means to disrupt or influence the Presidential election. For a number of reasons, including the different machines and processes used across the country, this was possibly the only “non-story” of this election year. See our post from October.Hacking of political databases: Documents and e-mails of the Democratic National Committee and certain of its high profile members were hacked and distributed publicly.  Some government agencies have stated that the hacking was attributable to agents of the Russian government. Congressional hearings are scheduled to begin this month. See our post from October.LegislationCybersecurity Act of 2015: Signed by President Obama on December 18, 2015, the Cybersecurity Act of 2015 began to be implemented in 2016.  The Act focuses on an array of issues including information sharing with respect to cyber threats and defenses, improvement of cyber defenses within government agencies and greater criminal penalties for certain actions. See our posts from April ( I and II) and June.Privacy Shield: For years US companies developed privacy policies dealing with non-public information of EU residents under the “safe harbor” rules between the EU and the Federal Trade Commission. When the EU ruled that the “safe harbor” arrangement was inadequate in October of 2015, US companies lost the protections of the safe harbor. In July of 2016 a new “Privacy Shield” was approved by the EU. As noted in our July blogpost, Privacy Shield has several important differences from the former safe harbor rules and companies seeking certification need to carefully review the new arrangement. See our posts from February, March, April, and July.GDPR: In April 2016, the European Parliament, European Commission and the Council of Ministers adopted the General Data Protection Regulation (GDPR) in an effort to strengthen data protection for individuals in the EU. The GDPR will take effect in May 2018 and will replace the existing EU data protection directive. The GDPR extends the scope of EU data protection law to foreign companies processing data of EU residents and harmonizes regulations among EU member states. GDPR Principles include: fair, lawful and transparent processing; purpose limitation; data minimization; accuracy; retention periods; data security; and accountability.BusinessWhen devices attack: the Internet of Things promises internet accessibility to virtually any device – from a refrigerator to a thermostat. As we found out in October, IoT devices can also be hacked and used for nefarious purposes – such as supporting a Distributed Denial of Service attack on certain websites. As noted in our October blogpost, calls for enhanced digital security immediately followed this attack.  IoT spending is estimated to reach $20 billion by 2020.  See our post from November.Yahoo & Yahoo: In September Yahoo announced that data associated with 500 million accounts was stolen in 2014. In December Yahoo reported that a separate attack in 2013 compromised more than 1 billion accounts.Ransomware attacks on healthcare organizations: Healthcare organizations continued to be targets for hackers in 2016 with dozens of reported incidents. Many of these involved ransomware, with some organizations opting to pay and others refusing to do so. Healthcare organizations remain popular targets for hackers and seekers of ransomware.Point of Sale breaches at Wendy’s and other restaurants: In July, the Wendy’s food chain reported that in a two pronged attack over a 5 month period, over 1,000 restaurant point of sale systems were infected with malware to steal cardholder names, addresses, card number and other data.Artificial Intelligence in our homes: 2016 marked the rise of Amazon’s Alexa and Google Home’s voice activated, artificial intelligence home assistants. While not an issue of hacking (to date), the wealth of information processed by these devices about the activities of its human housemates has already been the subject of discovery disputes in civil and criminal litigation and a focus of concern to privacy experts.FTC Regulation: The Federal Trade Commission continues to be the leading federal enforcement agency in the cybersecurity and privacy space – emboldened by a favorable ruling in the Wyndham Hotels case at the end of 2015 (discussed here). However, challenges to the FTC’s broad interpretation of its privacy and cybersecurity authority continued to play out in 2016, including a notable challenge by LabMD. In November of 2016, an appellate court agreed to stay the FTC enforcement order against LabMD pending appeal of the prior FTC ruling directing the company to take corrective data security measures. The company’s appeal, arguing that the FTC overstepped its enforcement authority, is pending.