Privacy and Cybersecurity - 2017 Year in Review

2017 was another year of challenges in the cybersecurity world. While far from a comprehensive list, some of the key stories are:

BREACHES

Equifax: The Equifax breach was significant for being one of the largest in history (more than 145 million individuals) and for the type of data involved (Social Security numbers, addresses, etc.). Class action lawsuits and government investigations (state and federal) followed this breach. While it will take some time for all the repercussions to unfold, Equifax's pre- and post-breach actions have drawn and will continue to draw considerable scrutiny.

Uber: Uber's 2017 disclosure of its 2016 breach affecting more than 57 million customers and drivers, and allegations of cover-up attempts, raise some of the same reporting issues as Equifax. In addition, Uber's admitted "failure to notify affected individuals or regulators" will test how different governments and government agencies (at the city, state, and federal levels of both the U.S. and foreign countries) will enforce the many breach disclosure laws around the globe.

Securities and Exchange Commission: The SEC's disclosure of its 2016 breach, which may have facilitated insider trading, raises a different concern: how do companies that are obligated to report information to a government regulator protect themselves when the regulator itself is breached?

Deloitte: One of the Big Four accounting firms also reported a breach in 2017. This one affected company email accounts, with a concern that sensitive information could have been accessed.

Bitcoin: In December, bitcoin mining marketplace NiceHash suspended operations for at least 24 hours due to a cyber attack that resulted in 4,700 stolen bitcoins (current value: $76 million). This incident, and others like it, raise concerns about the security of the increasingly popular cryptocurrencies.

Yahoo!: In October 2017, Yahoo! finally disclosed that its prior breaches, dating back to 2014, impacted all 3 billion of its user accounts.

LEGISLATION

New York: New York State's Department of Financial Services introduced cyber regulations that will impact both New York and many non-New York businesses. The New York regulations will require entities to have more robust cyber operational risk management practices in areas such as cyber risk governance, cyber risk management, and incident response and resilience.

Federal Law: Following the Uber and Yahoo! breach stories, three senators introduced the Data Security and Breach Notification Act in December, which would require companies to report data breaches within 30 days. Under the proposed law, an individual who knowingly conceals a data breach could face up to five years in prison.

China: Since becoming effective in May 2017, the China Cybersecurity Law has caused concern among companies doing business in China and companies collecting data on Chinese residents. On its face, the law appears to apply to any entity transmitting data between two or more computers. Clarifications have been promised by the Chinese government. See our post here for more information.

General Data Protection Regulation (GDPR): GDPR will become effective in May 2018, but due to its heightened privacy requirements, many companies began preparing for compliance in 2017. While an EU-focused regulation, it affects any business collecting or processing the data of EU residents. Meanwhile, the EU-US Privacy Shield program for cross-border data transfer remains in place for now, but faces continued scrutiny in Europe. We blogged about the Privacy Shield here.

Litigation: So far, large data breaches have spawned many class action lawsuits, but plaintiffs have been largely unsuccessful in showing that they have standing to sue. We anticipate that standing will continue to be a hotly contested issue in 2018. As hackers begin to use stolen information, more individuals may be able to show a concrete injury and, therefore, may have an increased ability to demonstrate standing (e.g., an injury in fact) and damages directly resulting from a breach.

NEW AND GROWING CONCERNS

IoT: In 2016, the "Mirai" botnet infected networked cameras, internet routers, and other devices via weak or default passwords. Those compromised devices were then used to create outages on many popular websites. In 2017, the "Reaper" botnet used actual software-hacking techniques to break into devices. At last count, the Reaper botnet has broken into more than a million devices.

The Connected Home: "Always on" and always-listening devices (e.g., Google Home, Amazon Alexa) in our homes, including a new Amazon camera, are creating new legal issues as companies, individuals, and law enforcement seek to obtain and use their data in various civil and criminal proceedings. This demonstrates the continued struggle between the convenience of these devices and the collection of personal and private data on many aspects of people's daily lives. Similarly, earlier this year, certain Smart TV manufacturers were forced to deal with the consequences of excessive recording. See our post here for more information.

Biometric Privacy: Concerns over the collection and privacy of biometric data accelerated in 2017 as more than 32 class action lawsuits were filed under the Illinois Biometric Information Privacy Act. Unlike other states, the Illinois act provides for a private cause of action for consumers and employees with respect to their biometric information.

Politics: Last year, we reported on the concerns regarding voting machines being hacked. This continues to be an issue both at home and abroad. We also reported here on the broad powers of U.S. Customs to search international travelers' laptops, phones, and other electronics at the border.

THREATS

Growth of Ransomware: The WannaCry and Petya attacks are unpleasant examples of the new wave of ransomware. The fact that this malware was apparently stolen from U.S. government agencies was shocking on its own. In addition, the ability of this malware to broadly shut down company systems demonstrates a threat that goes well beyond stealing or holding hostage personal information.

For more information on these or other cybersecurity concerns, please contact a member of the Thompson & Knight CyberSecurity team.