Channel: Air Force General Counsel Blog » cybercrime

Hackers Steal $45 Million from Banks in 26 Countries

On May 9, 2013, federal prosecutors unsealed charges against eight defendants for allegedly stealing $2.8 million from New York banks in two separate cyber-attacks, each executed within hours. Simultaneously, additional co-conspirators stole more than $42 million from other banks across the world (see CNN article). While cybercrimes may involve identity theft by stealing personal information, high-dollar cybercrimes, such as these, demonstrate the growing need for robust cybersecurity at private institutions. In responding to this need, it may be wise to stay informed of developments at the federal level.

For example, along with various enforcement actions, the federal government is being proactive in preventing cybercrime. After cybersecurity legislation failed to pass in 2012, on February 12, 2013, the President signed an executive order calling for “Cybersecurity Information Sharing” between the federal government and private industry by “increas[ing] the volume, timeliness, and quality of cyber threat information shared with U.S. private sector companies.” In doing so, these private companies “may better protect and defend themselves against cyber threats.” Interestingly, the Order also directs the Director of the National Institute of Standards and Technology (NIST) (through the Secretary of Commerce) to lead the development of a “Cybersecurity framework” including the development of standards and processes to address cyber risks.

Just prior to the executive order, Rep. Hank Johnson (D-Ga.) introduced the Application Privacy, Protection, and Security (APPS) Act on January 16, 2013 to address data security risks associated with mobile applications. The bill requires mobile application developers to “provide transparency through consented terms and conditions, reasonable data security of collected data, and [the elimination of] data collection by opting out of the services or deleting the user’s personal data to the greatest extent possible.” The bill delegates enforcement of its provisions to the Federal Trade Commission (FTC), a key player in cybersecurity. As of 2011, numerous data breaches and the compromise of customers’ personal information have led the FTC to file 31 legal actions against companies for failing to implement a reasonable data security program (and thus violating § 5(a) of the FTC Act, 15 U.S.C. § 45(a)).

In addition to staying informed of these developments, private companies desiring to be proactive and to prevent data security breaches can look to the data security guidance already being used and promulgated by the federal government, such as NIST Special Publication (SP) 800-37, Rev. 1, and NIST SP 800-53, Rev. 4. The guidance is already followed by most federal agencies (including DOD), and can assist with implementing effective data security controls (e.g., applying the appropriate encryption to an information system containing personally identifiable information (PII)).

Leslie Barnes
Law Clerk (Contractor Responsibility)
United States Air Force
