Data breaches are as common as the common cold—unfortunately, just as incurable. Run a news search on “data breaches” and you’ll find that all kinds of institutions—major retailers, tech companies, universities, even government agencies—have been vulnerable at some point. Now run a search on “data breaches,” but include the word “lawsuit.” You’ll find that many of these cases are going to court, but ultimately getting dismissed. What’s going on?
First, you should look at some of these lawsuits more closely: are they filed against the alleged perpetrators of the data breach? Many of them aren’t; those perpetrators are usually hackers who live outside the country or are unable to pay a money judgment. (In legal parlance, that’s known as being judgment proof.) Faced by those limitations, individual victims of data breaches frequently settle for the next best thing: going after the institutions that endured the breach.
Often, this isn’t fair—the institutions are victims too. The point here is that although going after the institutions looks like an easy win from “deep pockets,” that seldom turns out to be the case.
It’s with the third and final point—demonstrating injury—that plaintiffs have the most trouble. Why? Because courts view injury in fiscal terms; you need to show that you actually lost something, not simply that you might. So even if you were the victim of a data breach, as long as your data hasn’t yet been compromised, it doesn’t really count as injury.
There have been exceptions, when the court greenlit cases based mainly on speculative injury, but these usually ended in a settlement before a legal precedent could be set. (See cases against Home Depot, Target, Adobe, and Sony.) For the most part, the fiscal view of injury has prevailed—reinforced in 2013, when the Supreme Court, weighing in on Clapper vs Amnesty Int’l, determined that a plaintiff cannot proceed with a data breach lawsuit unless he or she can demonstrate actual injury or at least imminent threat of injury, each one measurable in economic loss. Otherwise, mere perception of injury is too tenuous to establish legal standing, which a case requires to go forward, and the lawsuit will probably get tossed.
The challenge of establishing legal standing recently made its way to the Supreme Court in Spokeo v. Robins. In that case, a plaintiff filed suit against the “people search engine” Spokeo for publishing false information about him. The issue before the Court was this central question of how much injury must be shown for a case to go forward. Prospective plaintiffs were optimistic that the high court would affirm a lower court’s decision that speculative injury was indeed enough. Alas, the Supreme Court sidestepped the issue and punted it back to the lower court for further review. The Court nonetheless reinforced the general tenets that, for a plaintiff to have standing to bring a case, he must allege an “injury in fact” that is both “concrete and particularized.” There is still room for the lower court to broaden the approach to what constitutes an injury, but the Supreme Court’s ruling keeps the status quo in place.
For now, individuals whose data has been compromised generally must be satisfied with what the institutions offer them after a breach occurs: free credit checks and/or access to credit monitors. Do checks and monitoring seem inadequate? Not if you think about what type of harm people face after a data breach. Individuals can detect and report problems in the event someone actually misuses their data. If they keep on top of it, their credit scores will not be impacted. Moreover, credit card companies and other financial institutions will bear the cost of any unapproved charges. In the event of further problems, plaintiffs can then take their injury to the legal system and have their day in court. But at this point, the courts are right to keep this type of class action litigation at bay.
The IRS has unveiled a secure web application, the International Data Exchange Service (IDES), for cross-border data sharing. IDES will allow Foreign Financial Institutions (FFIs) and tax authorities from other countries to transmit financial data on U.S. taxpayers’ accounts, via an encrypted pathway, to the IRS.
The tool is part of the IRS’s effort to track U.S. taxpayer income globally. It is intended to assist FFIs and foreign tax authorities in their compliance with the U.S. Foreign Account Tax Compliance Act (FATCA). The act requires that financial institutions send to the IRS financial information of American account holders or face a hefty 30 percent withholding penalty on all transfers that pass through the U.S. With such steep fines, FFIs and their respective countries across the globe have agreed to comply with FATCA and submit account holder information, regardless of conflicts with their local laws. According to the IRS website, some 112 countries have signed intergovernmental agreements with the U.S., or otherwise reached agreements to comply, and more than 145,000 financial institutions have registered through the FATCA registration system.
IRS Commissioner John Koskinen called the portal “the start of a secure system of automated, standardized information exchanges.” According to the IRS, IDES will allow senders to encrypt data and it will also encrypt the data pathway. IDES reportedly works through most major web browsers.
It may sound efficient and it may even be secure; but IDES also serves as a reminder of the contradiction between FATCA and data privacy laws of many of the FATCA signatory countries. The conflict is part of why FATCA has earned the billing by many as an extra-ordinary extra-territorial law and an example of American overreach.
Countries like the United Kingdom, France, Italy, and Germany have data protection laws that restrict disclosure or transfer of individuals’ personal information. To accommodate their own laws, these countries have entered agreements with the U.S. whereby FFIs report to their national tax authorities and the tax authorities then share data with the IRS. (The agreements highlight the questionable value to countries of their data protection laws—at least insofar as U.S. account holders are concerned—as they willingly sidestep their policies to avoid U.S. withholding penalties.)
Meanwhile, as FATCA-compliant countries prepare to push data overseas to the U.S., the E.U. is publishing factsheets directed to its citizens indicating that data protection standards will not be part of agreements to improve trade relations with the U.S. The E.U. is also working on more stringent data protection rules for member countries to strengthen online privacy rights. Are the E.U. member countries speaking out of both sides of their mouths? Or are they trying an impossible juggling act? Between the implementation of FATCA reporting and the growing concern of data privacy among FATCA signatory countries, these countries are bound either for intractable conflict or the continued subrogation of the rights of those citizens also designated U.S. taxpayers (an unfortunate result for dual citizens with minimal U.S. ties).
Regardless of the ultimate upshot of this conflict, U.S. taxpayers—including those living abroad—should take heed that FATCA reporting is underway. You should consider how to disclose any unreported global income before your bank does it for you.
Several news publications have been making much ado about a tactic the FBI used in 2007 to locate an individual suspected in a series of bomb threats to Washington state high schools. The FBI created a fake news article, falsely representing it as an Associated Press publication, and sent a link to the suspect’s MySpace account. The article headline, which was directed at the suspect, was meant to entice him to go to the link. It worked. The suspect clicked on the link, which enabled the FBI to download malware on his computer and identify his location and Internet Protocol address. The suspect was subsequently arrested, charged and prosecuted in state court.
Newspapers and other media outlets have recently decried the FBI’s use of the AP’s name and brand recognition to further its purposes. The AP’s director of media relations noted in an October 2014 statement: “This ploy violated AP’s name and undermined AP’s credibility.” The Seattle Times complained that such action not only crosses the line, but erases it (the statement was made when the paper believed its publication was involved). The controversy is somewhat understandable: journalists want to ensure their perceived independence; they don’t want to be seen as a tool of the powers that be.
But media concern over the FBI’s use of the AP name may be slightly overstated. The FBI did not publish the fake news article for broad dissemination. It directed the article to one suspect only. Nor is it exactly unprecedented for investigators to hold themselves out as something they are not in order to gain the trust of and nab wrongdoers. Should all cool teens (however they self-describe these days) complain that Narcs are undermining their reputation and street cred? Without these undercover operations, a major tool to FBI investigations would be lost, not to mention fodder for the popular television series that made Johnny Depp famous. FBI and other enforcement agencies regularly use deception to catch criminals. Everyone knows this, including the wrongdoers at whom deceptive practices are targeted.
Some argue that there is a colorable difference between impersonating a fake individual or persona and impersonating the press. If the impersonation were on a large scale and were relatively public, the deception would be problematic. People wouldn’t know what journalism was credible and what journalism wasn’t (not that this isn’t already a subject of some debate…). But narrowly focused operations directed exclusively at suspects who are the subject of a search warrant are a different scenario, and that’s the scenario that appears to be in play here. Where the FBI employs such tactics well enough into an investigation to support a search warrant, including having probable cause that the suspect is involved in criminal activity, using deception, which is an efficient way to locate the individual, doesn’t seem too alarming.
Of course, it is important to emphasize that legal process is everything. If the FBI were to disseminate fake news articles to gain computer access at the launch of an investigation, before it had a target, before it had probable cause, and before it had its actions approved judicially by a search warrant, such tactics would risk impacting innocent individuals and undermining news sources.
Court: Police Need Warrant to Search Phone. But Guess What? They Get to Keep Your Phone While They Get One.
Will cops still get access to cell phone data post arrest? You bet. Today’s Supreme Court decision just means they need to get permission from a judge before they start searching who you have been texting. And odds are very good that permission will be granted.
In a unanimous decision authored by Chief Justice Roberts, the United States Supreme Court held that law enforcement officers may not conduct warrantless searches of cell phones that are seized incident to an arrest. But just because police cannot immediately search mobile phones doesn’t mean they cannot immediately seize them in connection with an arrest. Indeed, the benefit of today’s decision by our country’s highest court may be limited to the two defendants who brought the case (and of course any similarly situated defendants).
The named defendant in Riley v California is David Riley. After Riley was stopped for a traffic violation, he was arrested and the police officer seized his cell phone incident to that arrest. When the officer accessed the data on the phone (without a search warrant), he noticed the repeated use of an identifier associated with the Bloods street gang. Later, a detective reviewed the cell phone records and noticed gang-related content, including a photo of Riley standing in front of a car that was used in a shooting weeks earlier. Riley was convicted of multiple crimes related to that shooting and received a sentence of 15 years to life.
The second case resolved today involved Brima Wurie, who had been arrested in connection with a drug sale. After Wurie’s arrest, police took him to the police station where officers confiscated his flip phone. A few minutes later, Wurie’s phone showed an incoming call from “my house.” The officers opened the phone, accessed the call log to determine the number of the incoming call, and then traced the number back to Wurie’s apartment, which they secured. After obtaining a search warrant, the officers searched the apartment and seized drugs, a gun, ammunition, and cash. At trial, Wurie was convicted on three drug-related counts and sentenced to more than twenty years in prison.
The key point to note here is that in neither case did law enforcement obtain prior permission to search the cell phones belonging to Riley and Wurie. The narrow question presented to the Court therefore was whether it is permissible for law enforcement to search cell phone data incident to an arrest where no court has authorized such a search. In holding that such a search violates the Fourth Amendment of the US Constitution, the Court considered but rejected as not relevant prior cases where so-called “warrantless” searches passed constitutional muster. For example,
- In Chimel v. California, the Court recognized that the Fourth Amendment permits warrantless searches of the arrestee and areas within his immediate control if necessary to protect officer safety or to preserve evidence.
- In Arizona v. Gant, the Court held that officers may search a car incident to arrest if the arrestee is unsecured and within reaching distance of the passenger compartment or if the officer reasonably believes evidence of the crime of arrest may be found.
Because there were no such exigent circumstances present in Riley’s or Wurie’s arrest, the Court concluded that the need for cell phone data searches does not outweigh the corresponding intrusion on individual privacy, and thus a warrant was required. This of course is the right result. Digital cell phone data does not, by itself, threaten officer safety. And a warrantless search of cell phone data is not necessary to preserve evidence. The Court recognized that an individual’s privacy interest in digital cell phone data is considerable: cell phones have immense storage capacity, collect many types of records in one place, and often contain years’ worth of data.
In this regard, today’s decision is a victory for privacy rights. Law enforcement officers will not be permitted to conduct warrantless searches of cell phones for digital evidence. But if you are arrested, don’t assume law enforcement will let you keep your phone. Today’s decision may not allow for a warrantless search of your phone, but there is nothing prohibiting law enforcement from securing a phone post-arrest and seeking permission from a court to search it. And the chances that a court will grant such a request are close to 100%.
Last month, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) formally announced its cybersecurity initiative in a Risk Alert. The initiative followed up on OCIE’s announced prioritization of cybersecurity preparedness as part of its 2014 Examination Priorities. The initiative is also timely because the general public is becoming more conscious of cybersecurity risks and its dangers as they learn of major breaches at Target Corp., Neiman Marcus, Michaels Stores Inc., and other companies. The security of personal information is even more important at financial services companies, which often have a large amount of sensitive personal information about their customers.
The OCIE’s approach is refreshingly proactive: “OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.” Further, the areas of cybersecurity assessment are quite broad and they cover “the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Importantly, the OCIE examination is detailed and specific about ensuring the adequacy and efficacy of cybersecurity measures. For example, the list of questions regarding identification of cybersecurity risks requires exact dates and times and is prefaced with “please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice…”.
Further, the OCIE examination questions require naming the person(s) conducting the cybersecurity measures and when those measures were last checked or implemented. For example, the questions on identification of risks/cybersecurity governance include:
- Who (business group/title) conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences, and in what month and year was the most recent assessment completed?
- Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
Similarly, the questions regarding a written cybersecurity incident response policy seek a copy of the policy, the year it was most recently updated, whether there are tests to assess the policy, who conducts the tests, and when and by whom the last test was conducted. Likewise, the questions on event detection processes seek the month and year of the most recent test.
The examination questions also seek a summary of any actual cybersecurity incidents, the services affected, the nature of the breach, the availability of services during the breach, and a number of other questions about each cybersecurity incident. Notably, although the examination requires companies to provide a large amount of information, the SEC explicitly issued a disclaimer that the “factors are not exhaustive, nor will they constitute a safe harbor.”
Nonetheless, it is good to see the SEC take a proactive approach to the cybersecurity risks posed to financial institutions. Hopefully, this will flow down to other companies because cybersecurity is a hot-button topic that is very concerning to customers and unlikely to be fully resolved soon. With cooperation between government agencies and the private industry, we can be hopeful that cybersecurity risks can be mitigated. As SEC Chair White has noted, there is a “compelling need for stronger partnerships between the government and private sector” to address cybersecurity threats.
LinkedIn has filed a suit against John Does in response to a spate of “data scraping” perpetrated by unknown individuals, in violation of the website’s terms and conditions. This is the latest federal case in the Northern District of California in which a tech company seeks to enforce its contractual provisions through the Computer Fraud and Abuse Act (CFAA), a criminal statute.
Starting in May 2013, unidentified individuals unleashed automated software programs which bypassed LinkedIn’s security measures in order to create thousands of new member accounts. Once established, these new accounts could be used to view millions of LinkedIn member profiles. The software bots copied personal information off of those viewable pages, which contain extensive personal information. Although we can’t know exactly what the information was used for until the perpetrators are identified, these individuals could potentially use this personal information to steal members’ identities or conduct phishing or other scams.
LinkedIn has since disabled the bot-created accounts and implemented additional security measures to prevent a similar incident. The company instituted the “John Does” lawsuit in order to use the legal discovery process to serve subpoenas which may help identify the attackers. LinkedIn based its legal complaint, in part, on violations of the CFAA. But is the CFAA a sound legal basis on which LinkedIn can bring its claims?
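The incident described above has a recognizable shape in server logs: a burst of account sign-ups from one client address, followed by individual accounts fetching member profiles far faster than a person browses. The following is an added example of how a site operator might flag both patterns after the fact; it is not LinkedIn’s code, and the log format, the `/signup` and `/in/` paths, the thresholds and the sample entries are all constructed for illustration.

```python
"""Flag bot-like behaviour in a site's access logs: one account viewing many
member profiles in a short window, and many sign-ups from one client address.
Added example, not LinkedIn's code; the log format, paths, thresholds and
sample lines below are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client_ip> <account> <method> <path>".
# 203.0.113.7 creates six accounts in nine seconds, then acct-1001 fetches six
# profiles in six seconds; 198.51.100.20 / acct-0042 behaves like a person.
SAMPLE_LOG = """\
2013-05-01T10:00:00 203.0.113.7 acct-1001 POST /signup
2013-05-01T10:00:02 203.0.113.7 acct-1002 POST /signup
2013-05-01T10:00:04 203.0.113.7 acct-1003 POST /signup
2013-05-01T10:00:06 203.0.113.7 acct-1004 POST /signup
2013-05-01T10:00:08 203.0.113.7 acct-1005 POST /signup
2013-05-01T10:00:09 203.0.113.7 acct-1006 POST /signup
2013-05-01T10:01:00 203.0.113.7 acct-1001 GET /in/alice
2013-05-01T10:01:01 203.0.113.7 acct-1001 GET /in/bob
2013-05-01T10:01:02 203.0.113.7 acct-1001 GET /in/carol
2013-05-01T10:01:03 203.0.113.7 acct-1001 GET /in/dave
2013-05-01T10:01:04 203.0.113.7 acct-1001 GET /in/erin
2013-05-01T10:01:05 203.0.113.7 acct-1001 GET /in/frank
2013-05-01T10:30:00 198.51.100.20 acct-0042 POST /signup
2013-05-01T10:35:00 198.51.100.20 acct-0042 GET /in/alice
2013-05-01T10:40:00 198.51.100.20 acct-0042 GET /in/carol
"""


def parse_log(text):
    """Parse the constructed format into dicts, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, method, path = line.split()
        records.append({"time": datetime.fromisoformat(ts), "ip": ip,
                        "account": account, "method": method, "path": path})
    return records


def exceeds_rate(times, limit, window):
    """True if more than `limit` events fall within any span of length `window`.
    Sliding window over the sorted timestamps, linear in the number of events."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # drop events that fell out of the window
            start += 1
        if end - start + 1 > limit:
            return True
    return False


def flag_profile_scrapers(records, limit=5, window=timedelta(minutes=1)):
    """Accounts that fetch more than `limit` member profiles within `window`."""
    views = defaultdict(list)
    for r in records:
        if r["method"] == "GET" and r["path"].startswith("/in/"):
            views[r["account"]].append(r["time"])
    return sorted(a for a, ts in views.items() if exceeds_rate(ts, limit, window))


def flag_signup_bursts(records, limit=3, window=timedelta(minutes=1)):
    """Client addresses that create more than `limit` accounts within `window`."""
    signups = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] == "/signup":
            signups[r["ip"]].append(r["time"])
    return sorted(ip for ip, ts in signups.items() if exceeds_rate(ts, limit, window))


def analyze(log_text):
    """Run both checks over a log and return the flagged accounts and addresses."""
    records = parse_log(log_text)
    return {"scraping_accounts": flag_profile_scrapers(records),
            "signup_burst_ips": flag_signup_bursts(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The thresholds here are deliberately low so the constructed sample trips them; a real deployment would tune them against observed human browsing rates. The per-address sign-up check is also the weaker of the two, since an operator who spreads account creation across many addresses will not exceed it, which is why the per-account view-rate check matters regardless of where the traffic originates.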
The CFAA states that whoever “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains…information from any protected computer” violates the CFAA and commits a crime. In this case, the bots created LinkedIn member accounts in order to view other LinkedIn member accounts and gather information. According to LinkedIn, the use of bots violates the terms and conditions that each user must agree to when opening an account. Did the drafters of the CFAA intend to reach this type of conduct? If LinkedIn is right, what appears to be conduct supporting a traditional breach of contract may become fodder for a potential criminal violation.
The Ninth Circuit addressed a somewhat similar issue in United States v. Nosal, a case in which a former employee, David Nosal, convinced some of his former colleagues to help him start a business by downloading customer lists from the former employer’s computer network. Although the employees had unrestricted access to the lists, their use of the lists violated the employer’s policy prohibiting the use of work computers for non-business purposes. The Department of Justice indicted Nosal under the CFAA for aiding and abetting this action. Nosal filed a motion to dismiss, which the district court granted. On appeal to the Ninth Circuit, the government argued that the CFAA applied to the employees’ use of the customer lists even though their access to the lists was permitted.
The Ninth Circuit rejected the government’s argument, stating that “[t]he government’s interpretation would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute. If Congress meant to expand the scope of criminal liability to everyone who uses a computer in violation of computer use restrictions—which may well include everyone who uses a computer—we would expect it to use language better suited to that purpose.”
By: Karl Smith and Casselle Smith
The value of Bitcoin, the hottest and most widely traded virtual currency, plunged a little over a week ago, after China’s central bank issued a statement that the government is banning financial institutions from trading in the virtual currency. The price of a single Bitcoin fell from roughly $1200 on December 5th to less than $600 early morning December 8th. Thereafter it recovered somewhat, selling for around $700 as of December 16. At the time of this posting (12/18), the price had fallen once again to $571.
This time last year, Bitcoin was selling for roughly $13 apiece. Economists and financial experts have struggled to explain the meteoric rise in price to investors and to a public increasingly interested in the virtual currency. In many ways, the soaring price for Bitcoin looks like a classic bubble: speculators pay through the nose for Bitcoin, hoping to unload them to an “even greater fool” who will come along later with the same plan. At first blush, this type of bubble appears to resemble a pyramid scheme that must inevitably collapse once all potential speculators have bought in.
Bitcoin, however, has important features that differentiate it from other bubble-prone assets. The fact that the crash coincided with a change in policy from the Chinese government makes it even more likely that these special features have played an important role in its use.
The design of Bitcoin allows for almost completely secure and anonymous transactions. Users don’t have to trust that a bank or other financial intermediary will keep their information secret. For the most part, the very nature of a Bitcoin transaction does this. Consequently, the currency has attracted substantial interest from users engaged in illicit transactions. Some of these are of the kind familiar to American readers. The website Silk Road, for example, specialized in selling narcotics and accepting Bitcoin as payment; it has been shuttered by U.S. law enforcement.
The Chinese government’s ban on Bitcoin arose from a different sort of illicit transaction that is less familiar to Americans because it is designed to get around regulations that the United States does not impose. Here’s the rub: the Chinese government limits its citizens’ ability to invest outside of the country because it wishes to provide a large pool of capital available to Chinese industries. Since Chinese investors have limited choice, Chinese banks can offer them paltry rates of return that guarantee that the value of their investments will fail to keep up with inflation. Naturally, Chinese investors wanted a way out, and many of them turned to Bitcoin.
Chinese investors would buy Bitcoin using the local currency, the Yuan. They would then transfer the Bitcoin to a bank or other financial institution outside of China and have that institution sell the Bitcoin and invest the proceeds outside of China. When the investor was ready to cash in, she would simply instruct the financial institution to sell the foreign investments, use the proceeds to buy Bitcoin, and then transfer the Bitcoin back to her.
This loophole allowed Chinese investors to earn higher rates of return without being caught by the authorities. For a time, the Chinese government allowed the loophole to remain open. On Wednesday, however, the Chinese government banned financial institutions and, importantly, online platforms like Baidu.com, from doing any business in Bitcoin. Baidu is a Chinese search engine that, like Google, forms the backbone of how users connect online. Without Baidu’s help, finding someone to buy or sell Bitcoin in the first place becomes exponentially more difficult.
Fear that the Chinese market for Bitcoin would dry up seemed to lead speculators to dump the currency following the announcement. It also exposes the fundamental weakness of Bitcoin: while it allows enormous anonymity for users, connecting with a broad base of other users requires a platform that almost necessarily does not seek anonymity. If it did, potential users would not know of its existence.
Regulators don’t have to crack down on users themselves, but simply on the websites and platforms that connect them.
There is no readily apparent US or European analogue to the Chinese monetary policy that motivated the country’s crackdown. Hence, China’s stance does not necessarily indicate that an international sea change is afoot with respect to the legal nature of Bitcoin and other emerging virtual currencies. Nonetheless, to the extent that Bitcoin’s surge in value was precipitated by Chinese investors’ thirst for international investment capabilities, the recent crash highlights the currency’s deep vulnerability to changes in financial regulation around the world.
Karl Smith is the Creator and Chief Curator of Modeled Behavior, a leading international finance and economics blog currently hosted on Forbes. He blogs mostly on macroeconomics, rationality, philosophy, and futurism.
Last month, federal prosecutors in Nevada filed a motion to dismiss an indictment that shined a bright light on overly broad federal criminal statutes and the abuse of prosecutorial discretion in using them.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer.
The indictment alleged that Kane and Nestor used an exploit on video poker machines to defraud casinos and win money that they were not entitled to, which “exceeded their authorized access” on the machines in violation of the CFAA. Kane, who reportedly spent an extremely significant amount of time playing video poker, discovered a bug in the software of the video poker machine that allowed for him, and later his co-defendant Nestor, to achieve large payouts on certain slot machines through a series of moves where he switched games and made bets at different levels. There is absolutely nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch games you are playing, but the prosecution alleged that doing this exceeded lawful access. The court agreed with the defendants and ruled in favor of their motion to dismiss the CFAA count in the indictment.
The CFAA was enacted in 1986 to protect computers that there was a compelling federal interest in protecting, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer-related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or using it in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service.
In November, after filing nine stipulations to continue the trial date, the government filed a motion to dismiss the remaining conspiracy to commit wire fraud charges against both Kane and Nestor because “the government has evaluated the evidence and circumstances surrounding count one [wire fraud conspiracy] and determined that in the interest of justice it should not go forward with the case under the present circumstances.”
Although the charges were ultimately dismissed, the issue remains that these charges never should have been brought in the first place. Kane and Nestor had to deal with open criminal charges against them for nearly three years. There are proper uses for statutes such as the CFAA, but the people and the courts should demand that the government only use them for their intended purposes. Prosecutions built on broad and unjustified interpretations of these statutes should not be brought.
Earlier this week, attorneys for convicted computer hacker Andrew “Weev” Auernheimer filed their opening brief in their appeal to the U.S. Court of Appeals for the Third Circuit to have his conviction overturned.
In 2010, Auernheimer’s co-defendant Daniel Spitler, who agreed to plead guilty in 2011, discovered a flaw in AT&T’s iPad user database that he used to collect 114,000 email addresses. Auernheimer then disclosed those email addresses to Gawker, which published a redacted form of some of the account information. The disclosure of the email addresses attracted significant media attention and ultimately forced AT&T to change its security protocols.
Last November, Auernheimer was found guilty by a jury after a five-day trial of violating the Computer Fraud and Abuse Act (CFAA) and conspiracy to gain unauthorized access to a computer without authorization. He was sentenced in March to 41 months imprisonment to be followed by three years of supervised release.
The CFAA prohibits accessing a computer without proper authorization; it is the same statute that Internet activist Aaron Swartz was convicted of violating. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion by allowing them to charge individuals who have violated a website’s terms of service. Last month “Aaron’s Law” was introduced in Congress, which would amend the CFAA to prevent prosecutors from charging an individual with violating a company’s terms of service and from bringing multiple charges against an individual for the same act.
The government’s brief is due on July 22 and Auernheimer will then have the opportunity to file a reply brief by August 5.
We will know in a matter of months how the Third Circuit will rule on Auernheimer’s appeal and whether his conviction and sentence will be upheld. This case raises some very interesting issues on the scope of computer crime laws and prosecutorial discretion. Is the conduct of Auernheimer the type that we need to devote government resources to send a person with no criminal record to prison for a significant period of time?
President Obama’s February 12 State of the Union address included the announcement of an executive order intended to permit greater sharing of information about possible threats to the nation’s cyber security among private companies and between private companies and the government.
“We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets,” Obama said in the speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”
The executive order permits businesses to enter voluntary information-sharing agreements in which they provide the government with information about possible cyber threats to the grid. In return, the government is permitted to provide private companies with classified technical information.
This is an admirable goal, and we support the president’s efforts to keep the nation safe in this way. However, it’s not the end of the story.
Last year, legislation was introduced in Congress to provide protection from liability to companies that share information about possible cyber attacks with each other and with the government. That legislation, however, did not pass, and some form of it will be introduced again this year. Sen. Tom Carper (D-Del.), the new chairman of the Senate Homeland Security and Governmental Affairs Committee, has pledged to make a cyber security bill a high priority.
One important aspect of possible legislation of this type is whether it contains adequate safeguards to protect privacy. Last year, privacy advocates pointed out that in the name of protecting the nation against cyber threats, many versions of the bill contained provisions that allowed for “nearly unlimited monitoring of user data.”
If a final bill contains adequate privacy safeguards, we would support it, along with the executive order, as a means of keeping the nation safe.