News

Aug 1, 2017

The Russian spies living next door

Former FBI operative Eric O’Neill, who helped catch FBI double agent Robert Hanssen, said in 2010 that it’s unusual for spies serving…

Apr 4, 2017

Interview: Eric O’Neill, Carbon Black

If ever there was a security professional whose experience in the industry gives him a unique, unprecedented insight into the political landscape…

Jan 17, 2017

Phishing Awareness Q&A with Eric O’Neill

As Carbon Black’s national security strategist, Eric O’Neill is a thought leader on a wide range of issues, including counterterrorism…

Oct 28, 2016

Former FBI operative Eric O’Neill gives warning about cyber espionage

You probably don’t know his name, but you likely know what he did. In 2001, Eric O’Neill arrested fellow FBI agent Robert…

Feb 18, 2016

Better Cybersecurity to Outrun the Bear

Advising clients is sometimes like the old joke about how to outrun a bear – make sure you are faster than the other guy. Cybersecurity and the law are just as cutthroat, and a new trend in litigation makes it more important than ever for companies to employ the gold standard in cybersecurity, leaving the weak to be eaten by class action plaintiffs.

Few lawsuits seeking damages from industry for the loss of Personally Identifiable Information (“PII”) to identity theft have made the news lately. You would think the multiple serious breaches of the last few years would generate a blizzard of litigation. Cybersecurity breaches occur almost daily, so often that we only hear about the major ones – the Target breach, the Sony hack, the OPM debacle, Anthem, Ashley Madison and Home Depot (to name a few).

During my keynotes I have taken to asking my audiences (sometimes in the thousands) to raise their hands if they have received a dreaded “identity monitoring letter.”  Though not tested by any true empirical rigor, the older and more professional the crowd, the more likely a forest of hands will reach upward.  Each year the question receives more hands, and if we don’t stop this trend of massive-scale identity breaches, the majority of adults in the US may find themselves subscribing to identity monitoring companies that benefit from the carrion left in the wake of a cyberattack.

In light of the number of people who have lost their PII to these breaches, one would think that an enterprising lawyer would gobble them all up after a breach and lock them into a massive class action lawsuit against the corporation that failed them.  Why don’t we hear about these billion dollar lawsuits? And while we are at it, what, exactly, is an identity worth these days?

According to a December 2014 report by Dell SecureWorks, counterfeit identities have trended favorably for thieves who need to support their fraud business – passports, fake identity kits, utility bills, driver’s licenses and Social Security numbers. $250 buys you a new identity, including an SSN, name and address. For just $100 more, they will throw in a utility bill for ID verification purposes.

Around $250 to $350.  That’s what your identity sells for on the black market.  But a savvy lawyer can sue for more.  Let’s look at the issue from another direction.  What is the potential harm (on average) for someone who has lost their identity?

According to a September 2015 US Department of Justice, Bureau of Justice Statistics bulletin (NCJ 248991), an estimated 17.6 million persons (or 7% of all US residents over 16 years old) were victims of identity theft in 2014. According to the report, the mean combined direct loss (the monetary amount the offender obtained from using the victim’s PII) and indirect loss (other costs caused by the identity theft, such as legal fees, bounced checks, and other miscellaneous expenses) for victims reporting identity theft was $1,343.

If we assume that the DOJ’s statistics are sound, and we look at just one cyber security breach – say the Anthem hack – it boggles the mind that some enterprising lawyer didn’t gather all (approximately) 80 million people informed that their identities may have been lost because of the breach, multiply by $1,343, and sue Anthem for over $107 billion.  To return to my earlier question: why don’t we hear about these billion dollar lawsuits?

Until very recently, courts have consistently dismissed class action lawsuits making claims about cybersecurity breaches for lack of “standing.”  The courts ruled that plaintiffs bringing these suits couldn’t show any future injury based on the potential unauthorized use of their private information.  Indeed, most plaintiffs in these cases could only claim that a future threat existed that their identity could be sold and used illegally sometime down the road.

However, in July 2015, in what may become a landmark case, the Seventh Circuit in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015) allowed a case to proceed under a “substantial risk of future harm” standard because the harm was found to be “certainly impending.”

In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers and, on investigating, discovered potential malware in its computer systems. On January 10, 2014, Neiman Marcus publicly disclosed the data breach and sent individual notifications to the customers who had incurred fraudulent charges. The company confirmed that 350,000 cards were potentially exposed and that 9,200 of those 350,000 cards were known to have been used fraudulently.

Various groups of plaintiffs filed class action lawsuits. All of the plaintiffs claimed that they had used a credit or debit card at a Neiman Marcus store. However, the majority of the plaintiffs alleged “only that their data may have been stolen.” Neiman Marcus moved to dismiss the complaint for lack of standing and for failure to state a claim. On September 16, 2014, the district judge granted the motion exclusively on standing grounds, and the plaintiffs appealed to the Seventh Circuit.

The Seventh Circuit (which covers federal courts in Illinois, Indiana, and Wisconsin) reversed the district court decision and found standing despite a lack of significant proven harm. To establish standing, the Seventh Circuit stated that plaintiffs must allege that “the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them.” Citing a 2013 Supreme Court case, the Seventh Circuit opinion stated that allegations of future harm can establish standing if harm is “certainly impending.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013). The court reasoned that the purpose of a data breach is to steal private information in order to use it. Therefore, the plaintiffs should not have to wait until hackers commit identity theft in order to have standing to bring the lawsuit, because there is an “objectively reasonable likelihood” that an injury will occur. In other words, for hacking cases, a substantial risk of future harm was enough to meet the Supreme Court standard set in Clapper, because the risk of future harm is less speculative and more real.

The Seventh Circuit’s decision bears watching.  If other Circuits and jurisdictions follow suit and allow class action plaintiffs to sue organizations that suffer cybersecurity breaches, the landscape of cybersecurity litigation will change.  Billion dollar cases will no longer rest on a company’s ability to dismiss a claim for lack of standing, but on a reasonableness standard where companies will be held against a harsh light of whether they took reasonable and proactive steps to protect the information of their customers.

Cybersecurity is currently an unregulated industry with a few sets of best practices that loosely guide organizations. Companies that fail to employ the best and most complete methods to protect themselves – to achieve a gold standard – will be eaten by the bear and buried in the avalanche of litigation looming just over the horizon.

Oct 19, 2015

Payments technology must keep improving to stay ahead of fraudsters

See my recent article in The Hill:

Payments technology must keep improving to stay ahead of fraudsters
By Eric O’Neill

On Wednesday, the House Small Business Committee will hold a hearing on the Europay, MasterCard, Visa (EMV) chip payment system, which offers more secure processing of credit card transactions. But while the new technology is a big improvement, it does not signal an end to credit card fraud. The FBI recently issued a bulletin warning consumers to remain vigilant despite the new technology.

If you’re unfamiliar with the technology, EMV credit cards include a small microchip that, when used at a chip-enabled payment terminal, computes a unique cryptographic code for each transaction using a key that never leaves the card. Because the code changes every time, data captured from one purchase cannot be replayed or used to manufacture a counterfeit card, as it can with a magnetic stripe. The chip does not by itself hide the card number from the terminal; keeping the number out of reach of malware on the terminal requires the terminal to be configured for separate encryption or tokenization of the card data.

However, an FBI press release includes a succinct summary of the limits of any single fraud-prevention measure: “no one technology eliminates fraud and cybercriminals will continue to look for opportunities to steal payment information.” In the case of the EMV technology, this is true for several reasons:

First, because many retailers haven’t upgraded their point-of-sale infrastructure, the cards still include a magnetic stripe that is more vulnerable to theft. Second, the technology doesn’t stop thieves from using the information printed on the face of the card for online purchases, where only the number is used. Third, as happened in Europe, thieves can turn to identity theft to work around EMV technology.
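The following Python model is an added example, not code from the article or from any card network: it shows why a chip that signs each transaction with a counter and a terminal-supplied nonce resists the replay that defeats magnetic-stripe data, and why the same captured message still serves a card-not-present purchase. It assumes HMAC-SHA256 in place of the card’s real MAC algorithm, a single per-card key shared by chip and issuer, and constructed card values; every name and number below is illustrative.

```python
import hashlib
import hmac
import os

# Constructed card values; in a real deployment the key is personalised into the
# chip at issuance and the issuer keeps its copy in an HSM.
CARD_KEY = os.urandom(16)
PAN = "4111111111111111"
EXPIRY = "1225"
TRACK2 = f"{PAN}={EXPIRY}101"  # magnetic-stripe data: identical on every swipe


def _mac(key, pan, atc, amount, nonce):
    """Stand-in for the card's MAC algorithm (HMAC-SHA256 assumed, truncated to 8 bytes)."""
    msg = f"{pan}|{atc}|{amount}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Chip:
    """Card side: signs each transaction with its counter and the terminal's nonce."""

    def __init__(self, key):
        self._key = key
        self.atc = 0  # application transaction counter, incremented on every use

    def generate_cryptogram(self, amount, terminal_nonce):
        self.atc += 1
        mac = _mac(self._key, PAN, self.atc, amount, terminal_nonce)
        # Everything returned here is visible to the terminal, and so to malware on it.
        return {"pan": PAN, "expiry": EXPIRY, "atc": self.atc,
                "amount": amount, "nonce": terminal_nonce, "mac": mac}


class Issuer:
    """Issuer side: recomputes the MAC and refuses a counter it has already accepted."""

    def __init__(self, key):
        self._key = key
        self.seen_atc = set()

    def authorize_chip(self, msg):
        expected = _mac(self._key, msg["pan"], msg["atc"], msg["amount"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return False  # data altered, or MAC forged without the key
        if msg["atc"] in self.seen_atc:
            return False  # verbatim replay of an earlier transaction
        self.seen_atc.add(msg["atc"])
        return True

    def authorize_stripe(self, track2):
        return track2 == TRACK2  # static check: a copy made once is valid forever

    def authorize_online(self, pan, expiry):
        return pan == PAN and expiry == EXPIRY  # card-not-present: the number suffices


def run_scenarios():
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    results = {}
    # 1. Genuine chip purchase; the terminal contributes a fresh unpredictable number.
    genuine = chip.generate_cryptogram(amount=4999, terminal_nonce=os.urandom(4).hex())
    results["genuine_chip"] = issuer.authorize_chip(genuine)
    # 2. POS malware recorded that exchange and replays it unchanged.
    results["replay_chip"] = issuer.authorize_chip(dict(genuine))
    # 3. Attacker edits the recording (next counter, new nonce) but cannot re-MAC it.
    forged = dict(genuine, atc=genuine["atc"] + 1, nonce="deadbeef")
    results["forged_chip"] = issuer.authorize_chip(forged)
    # 4. Same card swiped on a legacy stripe terminal; the copied track works on a clone.
    results["cloned_stripe"] = issuer.authorize_stripe(TRACK2)
    # 5. The recorded chip message still carries PAN and expiry, enough for online use.
    results["online_with_captured_pan"] = issuer.authorize_online(genuine["pan"], genuine["expiry"])
    return results


if __name__ == "__main__":
    for scenario, approved in run_scenarios().items():
        print(f"{scenario:26s} {'APPROVED' if approved else 'DECLINED'}")
```

Only the genuine chip transaction and the two attacks that never touch the cryptogram (the cloned stripe and the online purchase with the captured number) are approved. That asymmetry is the whole story of the migration: counterfeit card-present fraud collapses, and the same criminals move to stripe fallback and card-not-present channels.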

The EMV cards are a major improvement, and demonstrate the industry’s dynamic approach to combating fraud. But the FBI’s warning reminds us that a more holistic approach is required to deter thieves.

Preventing fraud isn’t like building a bridge, a one-time task that lives on for decades with minimal maintenance. It’s a never-ending battle, requiring active and constant vigilance.

Criminals, especially Chinese and Russian hackers, are executing increasingly sophisticated efforts that have confounded law enforcement and require a more proactive security approach.

If you introduce technology that makes cards more resistant to fraud for in-person purchases, criminals will increase their targeting of online purchases, where additional technology is needed to secure payments. If you secure the payments process, hackers will target insecure data, as seen in the massive Target breach and in the millions of card numbers lost at Home Depot. In both cases, malware on the computers that process in-store credit card purchases scooped up as many as 70 million names, mailing addresses, email addresses and phone numbers – everything a spy would need to steal an identity. For these reasons, researchers are actively seeking to improve the security of the technology and reduce the chinks in the payment process armor.

Though some are touting chip and PIN as a panacea, the credit card of the future likely will contain a cryptographic “token” rather than a four-digit PIN. A complex token solves a few flaws in chip and PIN technology, namely that thieves can guess a four-digit PIN, steal it by “shoulder surfing” in the checkout line, or use social engineering to trick a consumer into handing the number over to someone they think they should trust.

On the process side, financial institutions have made great strides in examining “big data,” collected over a vast number of purchases, to identify purchase patterns specific to individuals that may indicate fraud. When a consumer departs from their typical pattern – purchases in Europe by someone who does not travel, or sudden gasoline purchases by someone who doesn’t own a car – a fraud alert can respond rapidly to the theft and prevent a snowball effect of further fraudulent transactions.
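An added illustration of the pattern-based screening described above (example code, not from the article or from any bank’s fraud system): it builds a per-card baseline from constructed purchase history and flags an incoming transaction for a first-ever country, a never-seen merchant category, or an amount far above the holder’s norm. It goes one step beyond the two departures the text names by also checking “impossible travel,” two countries too close together in time. The rules, thresholds, card names and sample transactions are all assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed purchase history: (card, timestamp, amount, country, merchant category).
# card-A drives and shops locally; card-B never buys fuel (no car) and never travels.
HISTORY = [
    ("card-A", "2015-09-01T09:10", 12.50, "US", "coffee"),
    ("card-A", "2015-09-02T18:40", 86.20, "US", "grocery"),
    ("card-A", "2015-09-03T07:55", 41.00, "US", "gasoline"),
    ("card-A", "2015-09-05T12:30", 55.30, "US", "restaurant"),
    ("card-A", "2015-09-06T09:05", 9.75, "US", "coffee"),
    ("card-A", "2015-09-08T17:20", 70.00, "US", "grocery"),
    ("card-A", "2015-09-09T08:00", 33.40, "US", "gasoline"),
    ("card-B", "2015-09-01T08:30", 8.00, "US", "coffee"),
    ("card-B", "2015-09-03T19:10", 62.00, "US", "restaurant"),
    ("card-B", "2015-09-06T08:35", 8.50, "US", "coffee"),
    ("card-B", "2015-09-08T20:00", 48.75, "US", "restaurant"),
]

# Constructed incoming transactions to screen, in arrival order.
INCOMING = [
    ("card-A", "2015-09-10T08:05", 14.00, "US", "coffee"),        # routine
    ("card-A", "2015-09-10T08:40", 220.00, "FR", "electronics"),  # 35 minutes later, abroad
    ("card-B", "2015-09-10T12:00", 45.00, "US", "gasoline"),      # fuel for a non-driver
]

MIN_HOURS_BETWEEN_COUNTRIES = 6  # assumed: faster than any flight between two countries
OUTLIER_SIGMAS = 3               # assumed threshold for an out-of-pattern amount


def build_profiles(history):
    """Per-card baseline of where, what and how much the holder normally buys."""
    profiles = defaultdict(lambda: {"countries": set(), "categories": set(),
                                    "amounts": [], "last": None})
    for card, ts, amount, country, category in sorted(history, key=lambda r: r[1]):
        p = profiles[card]
        p["countries"].add(country)
        p["categories"].add(category)
        p["amounts"].append(amount)
        p["last"] = (datetime.fromisoformat(ts), country)
    return profiles


def score(profile, ts, amount, country, category):
    """Return the rule codes the transaction trips; an empty list means it looks normal."""
    codes = []
    when = datetime.fromisoformat(ts)
    if country not in profile["countries"]:
        codes.append("new_country")
    if category not in profile["categories"]:
        codes.append("new_category")
    amounts = profile["amounts"]
    if len(amounts) >= 3:  # need some history before judging an amount
        mu, sigma = mean(amounts), pstdev(amounts) or 1.0
        if amount > mu + OUTLIER_SIGMAS * sigma:
            codes.append("amount_outlier")
    last = profile["last"]
    if last and last[1] != country and when - last[0] < timedelta(hours=MIN_HOURS_BETWEEN_COUNTRIES):
        codes.append("impossible_travel")
    return codes


def review(history, incoming):
    """Screen transactions in order; only clean ones are allowed to extend the baseline."""
    profiles = build_profiles(history)
    alerts = {}
    for card, ts, amount, country, category in incoming:
        p = profiles[card]
        codes = score(p, ts, amount, country, category)
        alerts[(card, ts)] = codes
        p["last"] = (datetime.fromisoformat(ts), country)  # velocity check always sees the latest
        if not codes:  # never let a suspected fraud teach the profile that it is normal
            p["countries"].add(country)
            p["categories"].add(category)
            p["amounts"].append(amount)
    return alerts


if __name__ == "__main__":
    for key, codes in review(HISTORY, INCOMING).items():
        print(key, "ALERT: " + ", ".join(codes) if codes else "ok")
```

The morning coffee passes and is folded into card-A’s baseline; the electronics purchase in France thirty-five minutes later trips every rule at once, and card-B’s first-ever fuel purchase trips only the category rule. Keeping suspected transactions out of the baseline matters: a fraudster who can make a few small “normal-looking” purchases first would otherwise drift the profile toward their own behaviour.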

Credit card fraud costs the economy billions of dollars every year. Although banks and other institutions shoulder the lion’s share of the risk, consumers face potentially devastating legal and administrative challenges in recovering from fraudulent transactions and stolen identities.

Policymakers must realize that staying ahead of thieves is an ongoing process. EMV is great technology, but as the FBI warned: “no one technology eliminates fraud.”

O’Neill is a former FBI counterintelligence operative and a cyber security consultant at The Georgetown Group.

Apr 3, 2014

Coverage of my Auburn Keynote by local Fox Affiliate

May 24, 2013

Iranian Threat to US Power Companies

Below is an article from the Wall Street Journal reporting on recent attacks by Tehran on our oil and gas companies. The cyber attacks have probed, and apparently gained access to, control system software that could presumably be used to damage or sabotage our energy industry.

The article notes that based on a survey of 150 power companies, “more than a dozen utilities reported ‘daily,’ ‘constant’ or ‘frequent’ attempted cyberattacks,” and one said it was the target of about 10,000 attempted cyberattacks each month. The report found that many electric utilities were adopting only mandatory cybersecurity standards and not implementing voluntary added precautions.

This is concerning, and I believe that an attack similar to what Saudi oil company Aramco endured could happen here on US soil. You may recall that in August 2012, attacks destroyed 30,000 Aramco computers. The electric-power industry is not yet fully prepared to fend off cyber attacks, especially those that are funded by a foreign government.

And if an attack occurs? We can be sure that the US Government will step in quickly to regulate the cyber capabilities of our energy industry. It is therefore critical for companies engaged in infrastructure to establish themselves as forward thinkers in cyber defense and response.

The full article from the Wall Street Journal is below.  If you would like to speak about ways your company’s cyber defense capabilities can be improved, please contact me at eoneill@georgetowngroup.com

Iran Hacks Energy Firms, U.S. Says
Oil-and-Gas, Power Companies’ Control Systems Believed to Be Infiltrated; Fear of Sabotage Potential

By SIOBHAN GORMAN and DANNY YADRON

WASHINGTON—Iranian-backed hackers have escalated a campaign of cyberassaults against U.S. corporations by launching infiltration and surveillance missions against the computer networks running energy companies, according to current and former U.S. officials.

In the latest operations, the Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. They proceeded “far enough to worry people,” one former official said.

The developments show that while Chinese hackers pose widespread intellectual-property-theft and espionage concerns, the Iranian assaults have emerged as far more worrisome because of their apparent hostile intent and potential for damage or sabotage.

U.S. officials consider this set of Iranian infiltrations to be more alarming than another continuing campaign, also believed to be backed by Tehran, that disrupts bank websites by “denial of service” strikes. Unlike those, the more recent campaigns actually have broken into computer systems to gain information on the controls running company operations and, through reconnaissance, acquired the means to disrupt or destroy them in the future, the U.S. officials said.

In response, U.S. officials warn that Iran is edging closer to provoking U.S. retaliation. “This is representative of stepped-up cyber activity by the Iranian regime. The more they do this, the more our concerns grow,” a U.S. official said. “What they have done so far has certainly been noticed, and they should be cautious.”

The U.S. has previously launched its own cyberattacks against Iran. The Stuxnet worm, developed and launched by the U.S. and Israel, sabotaged an Iranian nuclear facility.

The latest campaign, which the U.S. believes has direct backing from the Iranian government, has focused on the control systems that run oil and gas companies and, more recently, power companies, current and former officials said. Control systems run the operations of critical infrastructure, regulating the flow of oil and gas or electricity, turning systems on and off, and controlling key functions.

In theory, manipulating the software could be used to delete important data or turn off key safety features such as the automatic lubrication of a generator, experts said.

Current and former U.S. officials wouldn’t name the energy companies involved in the attacks, or say how many there were. But among the targets were oil and gas companies along the Canadian border, where many firms have operations, two former officials said.

The officials also wouldn’t detail the precise nature of the evidence of Iranian involvement. But the U.S. has “technical evidence” directly linking the hacking of energy companies to Iran, one former U.S. official said.

Iranian officials deny any involvement in hacking. “Although Iran has been repeatedly the target of state-sponsored cyberattacks, attempting to target Iran’s civilian nuclear facilities, power grids, oil terminals and other industrial sectors, Iran has not ever retaliated against those illegal cyberattacks,” said Iran’s spokesman at the United Nations, Alireza Miryousefi. “In the lack of international legal instruments to address cyberwarfare, Iran has been at the forefront of calling for creating such instruments. We categorically reject these baseless allegations used only to divert attentions.”

So far, the infiltrations don’t appear to have involved theft of data or disruption of operations. But officials worry the reconnaissance undertaken to date will provide hackers the information they need to do damage in the future. Computer infiltration experts often identify so-called backdoors in computer systems that permit repeated entries.

While there is no evidence that systems have been tampered with, some U.S. officials have likened the types of infiltrations seen in the U.S. to those at oil company Saudi Aramco that eventually enabled attacks that destroyed 30,000 computers in August 2012.

It isn’t clear whether the hackers are the same individuals responsible for Saudi Aramco or those involved in the relentless set of attacks that have bombarded bank websites, temporarily knocking them offline.

The U.S. Department of Homeland Security earlier this month warned of an escalation in threats against computerized control systems, but it didn’t cite Iran as the origin of the threat.

In recent months, however, U.S. officials have grown increasingly alarmed by the growth of what defense officials describe as a continuing series of cyberattacks backed by the Iranian government, including its elite Quds Force. The threat has grown quickly; as recently as 18 months ago, top intelligence officials were largely dismissive of Iranian hacking capabilities.

Underscoring the Obama administration’s growing concern, the White House held a high-level meeting late last month on how to handle the Iranian cybersecurity threat. No decisions were made at that meeting to take action, however, and officials will reconvene in coming weeks to reassess, a U.S. official said.

“It’s reached a really critical level,” said James Lewis, a cybersecurity specialist at the Center for Strategic and International Studies, who frequently advises the White House and Capitol Hill. “We don’t have much we can do in response, short of kinetic warfare.”

The Obama administration sees the energy-company infiltrations as a signal that Iran hasn’t responded to deterrence, a former official said.

In October, then-Defense Secretary Leon Panetta issued a veiled threat to Iran, which he did not name in his speech, by warning the Saudi Aramco hack represented a dangerous escalation in cyberwarfare. Since then, the Iranian attacks have only ramped up.

Unlike Chinese hacking, the Iranian infiltrations and cyberattacks appear intended to disrupt and possibly damage computer systems. “The differentiator is the intent. Stealing versus disrupting raises different concerns,” the U.S. official said. “That’s why they’re getting a fair amount of attention.”

The recent growth of Chinese infiltrations primarily has been aimed at stealing military and trade secrets, not doing damage.

“The Chinese believe in stability, and they operate on a 50-year plan,” said Tom Kellermann, vice president of Trend Micro, a cybersecurity research firm. “Iran has been successfully ostracized from global economics. It is in their best interest to pursue destructive cyberattacks to not only empower themselves but to signal to the Western world they are capable in cyberspace.”

Cybersecurity specialists say the electric-power industry remains under-prepared to fend off attacks, particularly ones backed by a foreign government.

“If you were worried about cyberattacks against electric utilities five years ago, you’re still worried today,” said Jacob Olcott, a former cybersecurity aide on Capitol Hill now at GoodHarbor Consulting. “Some within the electric sector have become more savvy about security in recent years. Many are not.”

Lawmakers on Capitol Hill are stepping up pressure to bolster cybersecurity in the electric-power sector. Reps. Edward Markey (D., Mass.) and Henry Waxman (D., Calif.) issued a report this week citing security gaps in the computer networks running the electric grid.

Based on a survey of 150 power companies, the report found that “more than a dozen utilities reported ‘daily,’ ‘constant’ or ‘frequent’ attempted cyberattacks,” and one said it was the target of about 10,000 attempted cyberattacks each month. The report found that many electric utilities were adopting only mandatory cybersecurity standards and not implementing voluntary added precautions.

A version of this article appeared May 24, 2013, on page A4 in the U.S. edition of The Wall Street Journal, with the headline: Iran Hacks Energy Firms, U.S. Says.

May 15, 2013

Eric Discusses the Recent Detention of a US Embassy Official in Russia

May 14, 2013

Russia Plays a Rough Hand in the Spy Game

Russia’s security services have detained a U.S. diplomat who they claim is a CIA agent caught in the process of recruiting a Russian agent. The diplomat, Ryan Fogle, a third secretary at the U.S. Embassy in Moscow, was allegedly caught carrying spy equipment including disguises, written instructions and packages of 500 Euro notes.

This looks a lot like a setup to me. The significant public exposure of the detention and the pictures splashed across Russian television indicate the purpose of the arrest is political.

The alleged spy equipment is also suspect. I find it highly unlikely that a trained CIA operative would be walking the Moscow streets with a “spy bag” containing such a generically Hollywood collection of items including a compass, map of Moscow, two very bad wigs, knives and what looks like an ancient cell phone. I suspect that this kit is little more than a plant by the Russians to enhance the story of an American caught attempting to recruit Russian citizens to spy on Russia.

I also don’t see the point in carrying all these items if Fogle’s purpose was to provide a letter to his potential agent asking him or her to set up a Google account to receive further instructions.

Finally, the Russian security service typically will leave in place a known CIA officer so that they can surveil him in order to locate the Russian spy he is trying to recruit.  Just as our FBI has a pretty good idea regarding the identities of Russian diplomats who are actually undercover spies, the Russian security service knows quite a bit about who our CIA people are.  Burning Fogle’s cover is a waste of intelligence information because the FSB will now need to work to identify the replacement we inevitably send.

It is far more likely that the Russians used Fogle – whether he is CIA or not – to embarrass the United States in order to gain some political advantage with the Russian people. Putin is an excellent spymaster who is not above such maneuvering. I’m also curious to see whether our FBI makes a similar arrest of a Russian Embassy operative. The spy game can often include quite a bit of equivalent retaliation – we’ll have to wait and see how Washington decides to handle Russia’s decision to breach the gentleman’s agreement among spies.

May 13, 2013

The Cyber Threat to Private Industry

On May 9 the Department of Homeland Security warned of a heightened risk of a cyberattack that could disrupt the control systems of U.S. companies providing critical infrastructure services, including cellphone networks, water and electric utility grids. The warning comes on the heels of a new wave of attacks against US energy companies. So far the attacks appear to be probes into process control systems, and Homeland Security has not revealed where the attacks originated.

This news is of great concern. U.S. infrastructure is primarily operated by private industry, which is currently vulnerable to cyber attacks. While the government has recently taken some steps to address the issue through sharing of information and advice, no concentrated effort to keep our lights on and water flowing has yet been proposed.

In general, attacks against US companies have been rooted in espionage – the theft of trade secrets and confidential information.  These new probe attacks appear to focus on access to networks that provide energy or drive American industry.

The warning underscores the immediate need for US industry to implement robust cyber defense safeguards. The first step in protecting against cyber attacks is to understand a corporation’s vulnerabilities. Just as the attacks appear to be probing industry for intrusion pathways, a corporation can proactively assess its own network and lock down potential vulnerabilities. In light of the recent warning, a vulnerability assessment is not just part of best business practices; it is critical to protecting the future health of the company.

If you’d like some help or more information on how you can conduct a vulnerability assessment –The Georgetown Group has a robust cyber security practice. Email me if you need help.

For further reading on the issue, the New York Times and Washington Post have recently reported on the warning.

May 9, 2013

Cleveland kidnapping and rescue: Eric Opines on the police investigation

Click below to see my interview with Dan Matheson on CTV’s Morning Express regarding the Cleveland Ohio kidnappings.  During the interview, we scrutinized the police investigation and whether the police had diligently pursued tips that could have led to an earlier rescue.  I counseled that we are early in the investigation, and it is critical to understand that the police are sifting through quite a large amount of data, including interviews of the victims, to understand what happened in that house, and to build the case for the prosecution.  It is very likely that the police are conducting their own internal investigation into various allegations by neighbors that police either did not respond to 911 calls, or did so haphazardly.  There is currently no evidence that these calls were logged, and we will need to wait and see what the police investigators determine.

We are all very interested to hear what the full story will reveal.

https://www.ctvnews.ca/video?clipId=922942&playlistId=1.1273674&binId=1.810401&playlistPageNum=1