Cybersecurity

Legal Developments and Trends in Cybersecurity for 2012

Published on: April 24, 2012 | by Law Offices of Salar Atrizadeh

Computers and computing activities play an increasingly integral role in daily life in America, affecting our financial activity, social interactions, and more. With an increased level of dependence on networked devices comes the risk of theft, or even attacks, on and through our computer networks. While the business community has already recognized the importance of cybersecurity, the government and legal system are finally responding in five key areas.

National security. The federal government has made cybersecurity a central feature of its national security strategy. Recognizing the risk of an attack on the nation’s computer networks by a foreign power or sub-national group, the Department of Defense created a comprehensive strategy for cybersecurity (PDF file) in 2011. The strategy treats “cyberspace” as its own “operational domain,” requiring specialized training and organization. The government has also taken steps to combat online theft, which can include not only monetary theft but theft of intellectual property and identity theft. The latter has become more and more sophisticated as thieves find ways to exploit personally identifiable information (PII) stored online.

Federal legislation. The Obama administration proposed legislation outlining ten points for cybersecurity protection. These generally included protection of the American people, the nation’s infrastructure, and the federal government’s networks and computer systems. Several bills pending in Congress address aspects of cybersecurity. The controversial Cyber Intelligence Sharing and Protection Act (CISPA), for example, allows sharing of data between companies and the National Security Agency in order to investigate and combat cybersecurity threats.

State legislation. Protection of government data, PII, and personal privacy have informed numerous state statutes enacted in the past ten years. California passed a law requiring notification of cybersecurity breaches in 2003, and forty-six other states and the District of Columbia followed suit. Laws requiring “reasonable” levels of security for protected information exist in at least ten states, and numerous states are enacting statutes protecting people from wiretapping and other monitoring of electronic activity.

Regulatory initiatives. Multiple regulatory agencies have addressed cybersecurity concerns through additional regulations, guidelines, and enforcement actions. The U.S. Security and Exchange Commission (SEC), for example, recently issued a new set of guidelines for publicly-traded companies. The guidelines address disclosure of cybersecurity breaches as a means of making information available to investors. The FBI, meanwhile, established a joint task force to investigate cyber threats.

New Laws and Guidelines on Cybersecurity Disclosures Both Protect and Endanger Personal Information

Published on: April 17, 2012 | by Law Offices of Salar Atrizadeh

When hackers breached the e-commerce firm Zappos in January, they may have compromised the personal information of as many as 24 million users. Legislatures in several states, including California, have responded to attacks such as this one by passing laws enhancing cybersecurity investigation and enforcement, and increasing requirements for disclosure of cyberattacks. The U.S. Securities and Exchange Commission (SEC) has also issued new guidelines for businesses and individuals under attack. The key issue to consider, in light of these new laws and regulations, is how much disclosure is not enough, and how much is too much.

The SEC is recommending disclosure of cyberattacks to an unprecedented degree. A new set of guidelines issued in October 2011 advises publicly-traded companies to disclose details of cybersecurity breaches as part of the quarterly 10-K report. Companies should disclose any and all cyberattacks, regardless of whether they caused a loss. The SEC even encourages companies to disclose “cyberrisks,” even in the absence of a breach. This potentially benefits investors, the SEC says, by providing comprehensive information about both actual and potential losses due to hacking and other cyberattacks. At the same time, extensive disclosure could put companies at greater risk by exposing weaknesses to hackers. Companies must carefully consider how much, or how little, to disclose. Too much disclosure could make them vulnerable to attack. Too little disclosure could make them vulnerable to lawsuits by investors.

State laws regarding cybersecurity disclosures are typically not as stringent as the SEC’s guidelines. California passed the first such law a decade ago. That law applies to any person or business that owns or licenses computer data containing a California resident’s “personal information,” such as social security number, home address, driver’s license number, and so forth. In the event of a breach that would reasonably lead to an unauthorized person obtaining the personal information, an owner or licensor of personal data must notify the person whose personal information may have been breached.

Forty-six states have followed California’s lead and passed similar laws. California has actually fallen behind some states that have passed laws with stricter disclosure requirements. A new law that took effect on January 1, 2012, requires an individual or business to notify the state attorney general of a cybersecurity breach if the breach affects more than five hundred California residents. The notice must include specific details of the type and size of the breach, and a toll-free number to allow users to contact credit agencies.

California Cyber Stalking and Harassment Laws

Published on: December 18, 2011 | by Law Offices of Salar Atrizadeh

In California, the stalking laws are included under Section 646.9 of the Penal Code, which states that any person who willfully and maliciously, and repeatedly follows or harasses another person and who makes a credible threat with the intent to place that person in reasonable fear for his or her safety or that of an immediate family member is guilty of stalking. Stalking cases may include additional related charges such as: (1) Trespassing; (2) Vandalism; (3) Burglary; (4) Criminal Threats; and (5) Obscene, Threatening, or Annoying Phone Calls.

Please keep in mind that willfulness is a standard related to the culprit’s state of mind. For example, when the person is acting purposefully, then he/she has the “conscious object” of engaging in conduct and believes or hopes that the attendant circumstances exist. If the person is acting knowingly, then he/she is practically certain that his conduct will lead to the result. If the person is acting recklessly, then he/she is aware that the attendant circumstances exist, but nevertheless engages in the conduct that a “law-abiding person” would have refrained from. If the person acts negligently, then he/she is unaware of the attendant circumstances and the consequences of his conduct, but a “reasonable person” would have been aware. Finally, if the person acts with strict liability, then mental state is irrelevant and he/she is strictly liable.

In the last few years and with the emerging of the world wide web, a new kind of stalking has developed which is also called “cyber stalking.” This type of misconduct occurs when the violator utilizes the Internet, electronic mail (e-mail) or other communication devices to harass and stalk others. For example, it can occur by sending e-mails to the victim, impersonating another person in online chat rooms and e-mail messages, and disseminating lies in cyberspace. It is also important to note that the Internet is a cheap and efficient method for “cyber stalkers” to anonymously cause harm to their victims.

SEC States Companies Should Disclose Cyber Attacks in Filings

Published on: July 15, 2011 | by Law Offices of Salar Atrizadeh

The Securities and Exchange Commission stated that publicly-traded companies should disclose the threat and potential impact of cyber attacks that pose a risk to their investors.

The commission made its comments in a letter to Senator Jay Rockefeller, chairman of the Senate Commerce Committee, that was released on June 8, 2011. Last month, Senator Rockefeller and four other Democratic senators wrote a letter to SEC Chairman Mary Schapiro, urging the agency to issue guidance on disclosure of data- security risk, including “material network breaches,” attacks that may result in the theft of intellectual property or trade secrets.

Should the United States Plan for a Smarter Defense Against Cyber-Villains

Published on: July 15, 2011 | by Law Offices of Salar Atrizadeh

The threats from cyberspace grow more powerful and pernicious. Companies like Sony Corporation, Google Inc., and Lockheed Martin have admitted startling security lapses. The International Monetary Fund, last month suffered a breach leading to the loss of highly sensitive data. The United States Congress and executive branch agencies face approximately 2 billion attacks in cyberspace per month in 2010.

The Data Security and Breach Notification Act of 2010

Published on: September 4, 2010 | by Law Offices of Salar Atrizadeh

The Data Security and Breach Notification Act of 2010

To help protect personal information on the Internet and elsewhere, California enacted seminal legislation in 2000, which was significantly strengthened with the passage of SB 1386 in 2002. Since then, other states have enacted similar legislation.

State activity, however, may be preempted by proposed federal legislation. On August 5, 2010, S. 3742, the Data Security and Breach Notification Act of 2010 (the “Act”), the most recent federal effort to preempt state laws on the subject, was introduced by Sen. Mark Pryor (D,AeeArk), chairman of the Subcommittee on Consumer Protection, Product Safety, and Insurance, and co-sponsored by Sen. John D. Rockefeller IV (D,AeeW.Va.), Chairman of the Senate Commerce Committee. Less protective of consumers than California law, among other things, the Act:

Cybersecurity Emergency and Presidential Powers

Published on: August 16, 2010 | by Law Offices of Salar Atrizadeh

Our nation can be threatened not only by physical attacks on terra firma, but also in Cyberspace. Indeed, Cyber attacks could threaten all sorts of mission critical systems.

For this reason, aides to Senator Jay Rockefeller reportedly have been working recently on a revised draft Senate bill that would give the President broad powers in the event of a Cybersecurity emergency, and that apparently would go so far as allowing the President to temporarily seize control over computer networks in the private sector.

This power is akin to the power President Bush exerted when he grounded commercial aircraft in the wake of the September 11, 2001 World Trade Center and Pentagon attacks, according to a reported Senate source.

India eyes Google and Skype in security crackdown

Published on: August 16, 2010 | by Law Offices of Salar Atrizadeh

Associated Press: India may ask Google and Skype for greater access to encrypted information once it resolves security concerns with BlackBerrys, which are now under threat of a ban, according to a government document and two people familiar with the discussions.

The 2008 terror attacks in Mumbai, which were coordinated with satellite and cell phones, helped prompt a sweeping security review of telecommunications ahead of the Commonwealth Games, to be held in New Delhi in October.

On July 12, officials from India’s Department of Telecommunications met with representatives of three telecom service provider groups to discuss interception and monitoring of encrypted communications by security agencies.

FBI’s access to e-mail and Web data raises privacy fears

Published on: July 30, 2010 | by Law Offices of Salar Atrizadeh

WASHINGTON ,— Invasion of privacy in the Internet age. Expanding the reach of law enforcement to snoop on e-mail traffic or on Web surfing. Those are among the criticisms being aimed at the FBI as it tries to update a key surveillance law.

With its proposed amendment, is the Obama administration merely clarifying a statute or expanding it? Only time and a suddenly on guard Congress will tell.

Federal law requires communications providers to produce records in counterintelligence investigations to the FBI, which doesn’t need a judge’s approval and court order to get them.

WikiLeaks Does Not Know The Source of Leaked Data

Published on: July 29, 2010 | by Law Offices of Salar Atrizadeh

WikiLeaks’ chief claims his organization doesn’t know who sent it some 91,000 secret U.S. military documents, telling journalists that the website is set up to hide the source of its data from those who receive it.

Editor-in-chief Julian Assange says the added layer of secrecy helps protect the site’s sources from spy agencies and hostile corporations. He acknowledged that the site’s anonymous submissions raised concerns about the authenticity of the material, but said the site has not yet been fooled by a bogus document.

Assange made the claim in a lengthy hour talk before London’s Frontline Club late Tuesday, in which he outlined the workings of WikiLeaks and defended its mission.