
Page 1: Cybersecurity: What Does a Breach Mean to Your Job, Identity or … · 2012. 4. 9. · Cyber Contrarians Why Cyber Contrarians are Clueless ... National Counterintelligence Executive,

Cybersecurity: What Does a Breach Mean to Your Job, Identity or Security?

American Bar Association, Public Contract Law Section
Toronto, Canada, August 7, 2011

David Z. Bodenheimer
Crowell & Moring LLP

© 2011 Crowell & Moring LLP

Page 2

Cyber Contrarians: Why Cyber Contrarians are Clueless

“pork-hungry politicians”

“no substantive basis” for cybersecurity threats

“ulterior motives and conflicts of interest”

“The $100 billion Washington will spend on cybersecurity in the next decade may be less about guarding America from a real threat, and more about enriching revolving-door lobbyists and satisfying pork-hungry politicians.”

“‘The notion that our power grid, air traffic control system, and financial networks are rigged to blow at the press of a button would be terrifying if it were true,’ Brito and Watkins write. ‘But fear should not be a basis for public policymaking.’ The public has been given no substantive basis for such fears.” [Carney, The Washington Examiner (Apr. 28, 2011)]

Page 3

Signs of the Cyber Apocalypse

© 2010 Crowell & Moring LLP

Page 4

74% Expect Foreign Attack

Cyber 9/11 on Banks

S. 773

Page 5

Foreign Cyber Threats

Foreign Penetration of Grid

“The Chinese are relentless and don’t seem to care about getting caught. And we have seen Chinese network operations inside certain of our electricity grids. Do I worry about those grids, and about air traffic control systems, water supply systems, and so on? You bet I do.” (Joel Brenner, head of U.S. Office of National Counterintelligence Executive, Apr. 21, 2009)

“Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“‘The Chinese have attempted to map our infrastructure, such as the electrical grid,’ a senior intelligence official. ‘So have the Russians.’”

Page 6

Chinese Cyber Threats

• 40,000 Hackers: “There are forty thousand Chinese hackers who are collecting intelligence off U.S. information systems and those of our partners.” (Adm. McConnell, Jan. 2008)

• Daily Attacks. “A defence force source said yesterday that attacks initiated from China occurred almost on a daily basis” (Australian Defense Force, Apr. 2009)

• Classified Data Compromised. “a China-based cyber espionage network had accessed 1200 computers in 103 countries containing classified documents.” (Munk Centre for Int’l Studies, Apr. 2009)

China Cyber Dominance

“According to its ‘Cyber Warfare Doctrine,’ China’s military strategy is designed to achieve global ‘electronic dominance’ by 2050, to include the capability to disrupt financial markets, military and civilian communications capabilities, and the electric grid prior to the initiation of traditional military operations.” *Securing the Modern Electric Grid from Physical and Cyber Attacks: House Homeland Security Subcomm. (July 21, 2009)

Page 7

Grid Attack > $700 Billion

FERC Warning: $700 Billion Threat

“greater than the August 2003 blackout”

“For a society that runs on power, the discontinuity of electricity to chemical plants, banks, refineries, hospitals, and water systems presents a terrifying scenario. Economists recently suggested that the loss of power to a third of the country for three months would result in losses of over $700 billion.”

Page 8

262 Million Breaches (2009)

Compromised Personal Records (’09)

“2008 Data Breach Total Soars: 47% Increase over 2007” Identity Theft News (Identity Theft Daily, Jan. 5, 2009)

Records with sensitive personal information involved in security breaches in the U.S. since January 2005: 262,442,156 records (Privacy Rights Clearinghouse, June 11, 2009)

“Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.” (President Obama, May 29, 2009)

Page 9

514 Million Breaches (2011)

271 Million Records Exposed Since June 2009

Records with sensitive personal information involved in security breaches in United States since January 2005:

533,686,975 records (June 4, 2011)

262,424,592 records (June 4, 2009)

[www.privacyrights.org]

“According to the Privacy Rights Clearinghouse, more than 340 million records containing sensitive personal information have been involved in data security breaches since 2005.”

Page 10

Cybersecurity: Why General Counsels & CFOs Need to Worry – Now!

Secrets Gone?

© 2011 Crowell & Moring LLP

Page 11

Cyber Risks – SEC Scrutiny

Security Problem
- Not disclosing material risks

Impact
- SEC scrutiny or actions

“Cyber risk management is a critical corporate responsibility. Federal securities law requires publicly traded companies to disclose ‘material’ risks and events, including cyber risks and network breaches. A review of past disclosures suggests that a significant number of companies are failing to meet these requirements.” [News Release, May 12, 2011]

Page 12

Cyber Risks – Shareholders

Security Problem
- Risking personal data

Impact
- Shareholder or private suits

$20 Million Suit. Countrywide’s lax “internal procedures” & security breach [Courthouse News, Apr. 5, 2010]

Stock-Price Hit. “Sony fell 2.3 percent to 2,262 yen” after security breach of 101 million records. [Bloomberg News (May 6, 2011)]

$6.75 Million/Incident. “average cost per incident of a data breach” in U.S. [Sen. Comm. Hearings, Sept. 2010]

Sony Breach – 101 Million

“In addition to losing an estimated revenue stream of $10 million a week, Sony will probably have to reimburse customers who pay for its premium service, rebuild its computer systems and beef up security measures, said Michael Pachter, an analyst with Wedbush Securities who said the incident could cost the company $50 million.” [L.A. Times, Apr. 28, 2011]

Page 13

Cyber Risks – Lost IP

2x Library of Congress

“As an example of the threat, one American company had 38 terabytes of sensitive data and intellectual property exfiltrated from its computers – equivalent to nearly double the amount of text contained in the Library of Congress.” [Sen. Sheldon Whitehouse (May 10, 2010)]

Bet-the-Company

$1 Trillion Losses. “Cyber criminals stole intellectual property from businesses worldwide worth up to $1 trillion.” [President Obama, 2009]

“Greatest Damage.” “The greatest damage to the American economy from cyber attacks is due to massive thefts of business information.” [Scott Borg (Dir., U.S. Cyber Consequences Unit)]

$400 Million Theft. “A single employee of an American company was convicted of stealing intellectual property reportedly worth $400 million.” [President Obama, 2009]

Page 14

Cyber Risks – FCA Actions

Security Problem
- Improper disposal of data

Impact
- False Claims Act suit

“PLASTILAM, INC. failed to take sufficient steps to safeguard confidential data, including the names and Social Security numbers of over 100 Medicare beneficiaries. The investigation revealed that a number of misprinted beneficiary cards were discarded, whole, in an unsecured dumpster.”

Page 15

Cyber Risks – Suspension

Security Problem
- Misuse of DoD data

Impact
- Suspension
- Loss of $5B contract

L-3 Trips as Lockheed Snatches $5 Billion Contract

“A disputed U.S. military contract worth up to $5 billion was finally awarded to Lockheed Martin Corp. (LMT) this week after the U.S. Air Force launched an investigation into possibly inappropriate email activities at rival L-3 Communications Corp. (LLL).

L-3, a New York-based provider of military and aerospace equipment, reduced its 2010 outlook as a result of the lost contract, which represented about 3% of its 2009 revenue, according to a government filing. Full-year profit is now expected to be in a range of $8.09 to $8.29 a share, compared to a prior view of $8.13 to $8.33 a share.”

“But earlier this month the deputy general counsel of the U.S. Air Force suspended the L-3 unit responsible for the work from receiving new orders because of the investigation. Employees at L-3’s special support programs division were accused of copying government emails and forwarding them without the author’s knowledge.”

Page 16

Cyber Risks – Acquisitions

Security Problem
- Security as selection factor

Impact
- Lost Government work

Major legislation & agency actions to make cybersecurity a significant factor in federal acquisitions:
- Senate & House legislation
- President’s proposals
- Agency competitions

RFP Requirements

“The proposal will be evaluated for an effective plan and timeline to meet the DoD DIACAP documentation requirements within allowed timeframes.”

Page 17

Cyber Risks – Protests

Security Problem
- Multiple security breaches

Impact
- Protests

“However, the USAJOBS screenshot, memoranda from OPM and OMB discussing the Government’s policy on safeguarding social security numbers, and the three sets of internet articles discussing Monster’s past security breaches ensure the completeness of the administrative record and shall be admitted.” Allied Tech. Group v. U.S., (Fed. Cl. 2010)

Monster Hackers Also Hit USAJobs.gov (Aug. 31, 2007)

“It now appears that Monster.com knew about a breach of its systems almost a month before Symantec told Monster of a massive phishing operation targeting Monster.com users. That long of a lag is ‘inexcusable,’ said W. David Stephenson, a homeland security and corporate crisis management consultant, ‘after the legacy of past problems.’”

Page 18

Cyber Risks – Congressional, DOJ & IG Investigations

Security Problem
- Failure to install safeguards

Impact
- IG investigation
- False statement risk
- Criminal exposure: “criminal investigation”, “fraudulent statement”

Thompson, Langevin Demand Investigation into Department Cyber Attacks (Sept. 24, 2007)

Page 19

Cyber Risks – State Actions

Florida AG vs. Certegy

• 5.9 million records stolen

• Florida Safeguards Rule

• Info Security Program
  – Designate accountable staff
  – Assess risks
  – Implement safeguards

• $850,000 Fine to AG

• $125,000 to Seniors Group

• Annual Security Report

• 5-Year Scrutiny

Page 20

Cyber Risks – State Actions

Conn. AG Action

• Stolen computer drive

• 1.5 million medical & financial records (500,000 Conn. residents)

• Added Information Security Safeguards

• $250,000 to Conn. AG

• $1 million of ID theft insurance

• 2-year credit monitoring

Another Conn. AG Action

Connecticut AG to Lead Coalition of States Investigating Google WiFi Data Collection (Privacy Law Watch, June 24, 2010)

“The Connecticut Attorney General’s Office will lead a coalition of a ‘significant number of states’ in investigating Google Inc.’s collection of data from unsecured wireless internet connections, AG Richard Blumenthal (D) said in a June 21 statement.”

Page 21

Cyber Risks – Liability

Security Problem
- IT security technology fails

Impact
- Insurance coverage?
- Contractor liability?

What Happens When You Sell IT Security that Fails?

• Gov. Contractor Defense – Commercial specifications (Boyle vs. UTC, 487 US 500 (1988))

• SAFETY Act Coverage – No terrorist attack

• 85-804 Indemnification – Limited agency authority

• Legislative Proposals – Political limitations

Page 22

Cyber Risks – Warfare Risks

Security Problem
- Supporting cyber war

Impact
- Unknown risks & liability

International Law
- Authority to attack?

US Law
- Electronic surveillance & wiretapping laws
- Covert operations (Title 10 vs. 50)
- Posse Comitatus (DoD & CONUS)
- 5th Amendment takings

$50 Billion Lawsuit

“One lawsuit alone, filed May 12 by a purported national class of Verizon customers, seeks $50 billion in damages.” [“Court Will Decide State Secrets Issues First in NSA Phone Surveillance Class Action Suit,” Privacy Law Watch, June 9, 2006]

Page 23

Cyber’s Toughest Topics

Cyber Issues

• Managing Risk

• Sharing Information

• Partnering (Pub/Private)

• Waging Cyber War

• Addressing Liability

Cyber Challenges

• SEC/shareholder scrutiny

• Authority & WikiLeaks

• Private Rights of Action

Working Models

• Public/Private Risk Allocation

Page 24

Questions?

David Z. Bodenheimer
Crowell & Moring LLP
[email protected]
(202) 624-2713

15269209