Cyber Alert: Security Vulnerabilities: You Don’t Need a Breach to Face Regulatory Scrutiny

by Alston & Bird
Contact

Those who track newsworthy data breaches and other cybersecurity incidents know what type of fallout to expect from these events. Class action lawsuits from consumers, shareholders and financial institutions are now not an exception, but are increasingly becoming expected. Similarly, since the Federal Trade Commission (FTC) began focusing on data security nearly 15 years ago, it has engaged in enforcement actions against numerous companies that were subject to a data breach or other security compromise. State attorneys general have also joined the fray. Notably, these consequences are post hoc, in that they stem from the actual occurrence of a security incident that results in data compromise, loss or exposure. Recently, however, there has been an increase in regulatory and litigation actions based not on breaches or security incidents but on identified security vulnerabilities alone that, if exploited, could result in data compromise, leakage or exposure and so pose a potential risk of harm, whether economic or otherwise, to customers and consumers.

One possible explanation for this gradual change is that vulnerabilities are increasingly being brought to light through various means such as bug bounty programs, which are not only being adopted by more and more companies, but by a wider range of industries. Bug bounty programs (also referred to as vulnerability disclosure programs) provide incentives such as cash, airline miles or just recognition to security researchers who report vulnerabilities to companies. These programs are gaining increased legitimacy and publicity, underscored by Apple recently announcing that it would pay up to $200,000 for information on serious security vulnerabilities. According to a recent report, the number of companies with such programs has more than tripled year over year since 2013, with significant gains seen in the financial services, automotive, health care and retail sectors. U.S. government agencies are also increasingly encouraging their regulated entities to adopt vulnerability disclosure programs, with announcements in the first half of 2016 by the FDADepartment of Transportation and Commerce Department on this front.

In addition to identifying vulnerabilities through corporate-sponsored bug bounty programs, security researchers and hackers (with a wide range of motivations) frequently identify vulnerabilities and bring them to the attention of companies without such programs, sometimes with an expectation (or in some cases even a demand) that they receive a fee. After alerting known-impacted companies, they often publicly post information regarding vulnerabilities to spread awareness.

Regulator Scrutiny

One side effect of the rise in bug bounty programs, and disclosures by security researchers and others, is a commensurate increase in publicly known security vulnerabilities that can, in turn, lead to increased scrutiny from regulators (and the plaintiffs’ bar) who become aware of the previously undisclosed vulnerabilities through these methods. For example, the FTC and FCC recently initiated parallel investigations into mobile device makers and carriers, prompted in part by an Android vulnerability known as “Stagefright” that became public after being reported to Google’s bug bounty program last year. The vulnerability affected almost 1 billion Android devices and would have allowed attackers to remotely execute code merely by sending a text message to a device. Google paid the reporting security research firm $50,000 for their efforts, which allowed Google to develop and push out a patch.

In May, the FTC and FCC announced they had sent letters to several mobile device manufacturers (including Google) and mobile carriers seeking detailed information regarding, among other things, their “processes for reviewing and releasing security updates for mobile devices” and the “vulnerabilities that have affected those devices.” The FCC specifically highlighted Stagefright in its press release announcing the inquiry. The FTC appears poised to continue considering enforcement actions related to security vulnerabilities—in response to the spate of ransomware attacks, FTC Chairwoman Edith Ramirez recently stated that a “company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”

Several regulators have also been granted authority that would allow them to sanction companies before a vulnerability is ever exploited in the wild. The SEC’s Office of Compliance Inspections and Examinations (OCIE), for instance, has initiated enforcement actions against a number of investment advisers, companies and broker-dealers for failing to have adequate written policies and procedures reasonably designed to protect customer records and information, as required under the Safeguards Rule of the Gramm–Leach–Bliley Act. For example, it recently penalized Craig Scott Capital for its employees’ use of personal email addresses to conduct business involving sensitive customer data in contravention of the Safeguards Rule. While OCIE’s enforcements have in some cases arisen from actual security incidents—as was the case in their most recent action against a major financial institution—in cases such as the one against Craig Scott Capital, OCIE has sanctioned companies merely based on the risk posed by certain conduct.

The Financial Industry Regulatory Authority (FINRA) operates under the same data security regulation as OCIE and has also engaged in enforcement actions against broker-dealers based solely on the risk posed by a particular practice. For instance, in one case in late 2015, FINRA sanctioned a member for, among other things, failing to have written supervisory procedures in place to ensure that customer information is “kept confidential, safeguarded, and encrypted prior to sending.” The SEC’s and FINRA’s willingness to initiate actions where there is only a risk of harm due to inadequate policies is just a short logical step from bringing enforcement actions related to security vulnerabilities alone.

Other regulators have explicit legal authority to engage in enforcement actions based solely on a risk of harm. For example, the FTC is empowered to declare acts or practices in or affecting commerce to be unfair or deceptive. For the FTC to use its unfairness authority, the act or practice must cause or be likely to cause substantial injury to consumers (the Consumer Financial Protection Bureau (CFPB) operates with similar authority). In a recent enforcement action, the FTC used this authority to allege that HTC America “engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security in the design and customization of the software on its mobile devices.” These practices, in turn, allegedly “introduced numerous security vulnerabilities … which, if exploited, provide third-party applications with unauthorized access to sensitive information and sensitive device functionality.” Notably, the FTC alleged that the vulnerabilities put consumers at risk of financial and physical injury and other harm.

The FTC has also used the deception prong of its authority to settle with companies that break promises (whether explicit or implicit) to engage in reasonable security practices based on unmitigated vulnerabilities. In one case, the FTC alleged that a company’s iOS application failed to validate SSL certificates, giving rise to a vulnerability in the manner the application transmitted sensitive data. When a security researcher contacted the company about the issue, the report on the vulnerability was miscategorized and was not addressed until the FTC staff contacted the company. Accordingly, among other things, the FTC alleged that the company failed to provide reasonable and appropriate security by failing to appropriately test the application and maintain an adequate process for receiving and addressing vulnerability reports from third parties. The FTC further alleged that because an attacker could have intercepted sensitive data such as payment card information or login credentials transmitted from the application, that information could have, in turn, been misused and led to identity theft or other harms. Because the company had represented that they had reasonable and appropriate security in place, the FTC alleged it had made false and misleading representations in violation of Section 5 of the FTC Act.

Litigation from Identified Vulnerabilities

Regulators aren’t the only entities leveraging security vulnerabilities to take legal action—the plaintiffs’ bar has also sought to bring lawsuits based on vulnerabilities alone. Because of the Stagefright Android vulnerability, Samsung is now facing litigation in the Netherlands, where the half-million member Dutch Consumers’ Association is alleging that the device maker engaged in unfair trade practices by failing to push out critical updates to its devices and providing inadequate information about vulnerabilities.

In the U.S., a plaintiffs’ firm identified vulnerabilities at several law firms during a year-long investigation into law firm data security. Using the findings from its investigation, the firm filed a class action against an unnamed Chicago law firm seeking injunctive relief (that the firm fix the identified vulnerabilities) as well as damages under the theory that the firm’s clients had been overpaying for services because part of their payments were allocated to keep the clients’ data secure. The action was filed under seal, ensuring not only that the vulnerabilities were not made public (and so could not be exploited by hackers) but also that the identity of the defendant law firm remained confidential. Once the law firm patched the security vulnerabilities, though, the plaintiffs moved to unseal the complaint and publicly unveil the firm’s identity, creating a potentially strong incentive for settlement.

This type of security vulnerability action is translatable beyond law firms to a broad range of entities, including SaaS/PaaS providers and any manufacturer whose products could be at risk due to a cyber attack, including Internet of Things and medical device manufacturers and automakers. This type of litigation, if successful, could create a monetary incentive for security researchers to partner with a plaintiffs’ firm to bring similar actions and could create a tension between whether researchers identify vulnerabilities through bug bounty programs or the courts.

Another new avenue for security researchers to profit from identified vulnerabilities recently opened up: partnering with an investment firm to “short” the stock of the company with the vulnerability before publicly disclosing the issues. In late August, the security firm MedSec partnered with Muddy Waters Capital to release a report regarding vulnerabilities in cardiac care devices manufactured by St. Jude Medical. According to reports, Muddy Waters agreed to pay MedSec based on the degree to which the report caused the price of St. Jude’s shares to fall—the deeper the decline, the more MedSec was paid. St. Jude’s stock fell almost 5 percent shortly after the report was released. And soon after that, a patient filed a class action complaint against St. Jude using the information from the MedSec report. For security researchers, this approach carries potential added risks—in response to the report, St. Jude filed a lawsuit against Muddy Waters and MedSec alleging, among other things, defamation, market manipulation and violations of a state deceptive trade practices act.

Practical Steps

In light of the growing trend of regulatory action and litigation resulting from the mere existence of cybersecurity vulnerabilities in products and services, and even from inadequate policies in corporate cybersecurity programs, companies may want to focus their efforts beyond just preventing actual data breaches and become more proactive in identifying and remediating vulnerabilities. Numerous regulators have emphasized the importance of conducting vulnerability assessments, including for software and other products being released to consumers. It is similarly important to have a formal system for addressing identified vulnerabilities.

Internal testing may also be supplemented by a bug bounty program or, at a minimum, a process for receiving, reviewing and, as necessary, remediating vulnerabilities reported by third parties. This can enable the company to remediate security vulnerabilities in a discreet manner and resolve issues before any potential litigation. Entities can also monitor and track vulnerabilities identified by security researchers in white papers or reported in the news, since not addressing those publicly known issues could lead to scrutiny from regulators. Lastly, companies should actively follow enforcement actions by the FTC and other pertinent regulators. By identifying any security vulnerabilities at similar companies leading to regulatory penalties, entities can assess their own organization for similar issues.

It is important to recognize that not looking for or ignoring vulnerabilities may make your company more vulnerable from a liability perspective. While in the past, personnel who caught wind of a potential vulnerability and were slow to address it (or chose to actively ignore it) may have escaped scrutiny, the current legal liability landscape increasingly demands active, and even proactive, engagement with vulnerability management.


View Alert as PDF

[View soure.]

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising

Written by:

Alston & Bird
Contact
more
less

Alston & Bird on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.