
By Lucy Kelly

Ransomware attacks have made headlines across the globe in recent months.[1] While many of the biggest cyber-attacks make the news, the majority of attacks do not, or are broadcast to only a small subset of Americans.[2] Currently, a patchwork of state and federal laws and regulatory guidance requires companies to disclose cyber-attacks or vulnerabilities.[3] It is widely debated whether adding more legal direction and regulation, at either the state or federal level, would do more harm than good overall.[4] For example, announcing cyber-attacks too early can alert the attackers to additional vulnerabilities and could further erode societal trust in new technologies.[5]

The most frequently cited federal guidance on this issue is vague, doing little to define the “material information” that should be disclosed.[6] The SEC guidance, promulgated in December 2011, was released in an effort to be “consistent with the relevant disclosure considerations that arise in connection with any business risk,” and aimed to provide a “roadmap” for companies facing cyber incidents or attacks.[7] The guidance was an attempt to include information regarding cyber incidents, attacks, and vulnerabilities among the types of information that are essential to investors before investing in a company.[8]

However, much of the discussion in this area of law (and guidance) focuses on personal data.[9] For example, Washington D.C.’s data breach notification law requires D.C. businesses to provide written or electronic notice to their clients in the event of a breach in which the attacker obtains personal data.[10] “Personal information” within the meaning of the D.C. statute includes only names, phone numbers, addresses, and/or social security numbers, passwords, or financial information.[11] So what happens when more personal, sinister attacks are made on consumers for non-financial purposes?

Consider the recently discovered FruitFly malware, which has been infecting Mac computers since 2001.[12] Malware like FruitFly discovers personal information incidentally, by spying on users, but may spy for a long time before gaining any information that fits the codified definitions.[13] For example, the cybersecurity expert who discovered FruitFly in January 2017 said that “the malware was created by a single hacker who wants to ‘spy on people for perverse reasons.’”[14] While companies in this position may not be required by the SEC to disclose anything to the public, malware like FruitFly poses a health and safety issue, and Apple should be required to do more to alert its millions of users than create a patch that may or may not have worked.[15]

The answer should not be to run to policy makers on Capitol Hill to create regulations that force companies to disclose every type of attack as soon as it occurs.[16] Instead, encouraging big private sector players (i.e. Apple) to begin alerting their users to the dangers of malware like FruitFly might actually make the public believe that they do have some control over their personal information. Many companies are behind on current cybersecurity strategies, so the private sector must be more intentional about cybersecurity to withstand cyber-attacks.[17] While it may be valuable to require disclosure at the federal level, regulators and state legislators should focus their attention on attacks like FruitFly, where the data potentially obtained does not necessarily fall within the definitions already in place.[18]

In an age where governments and private corporations are routinely attacked — entities with billions more in resources than the average consumer — it is advantageous to stop worrying about whether the consumer will ‘lose all faith in technology’ if she is alerted to a malware attack, and to start incentivizing corporations to give her access to information that enables her to protect herself, even when the corporation cannot.[19] Furthermore, consumers do not react to data breaches as strongly as companies argue, so encouraging more vocal and timely announcements will likely not harm reputations[20] but will instead create more educated consumers[21] and push other companies to better secure their systems.

[1] See Alanna Petroff & Selena Larson, Another big malware attack ripples across the world, CNN Money (June 28, 2017); Risk Based Security, Data Breach QuickView Report: 2016 Data Breach Trends – Year in Review (Jan. 2016) (“In 2016, 4,149 cybersecurity breaches were publicly reported, involving unauthorized access to or disclosure of over 4.2 billion records.”).

[2] See Risk Based Security, supra note 1 (indicating that data breaches are so numerous that they cannot all possibly be newsworthy).

[3] See Roland L. Trope, Sarah Jane Hughes, The SEC Staff’s “Cybersecurity Disclosure” Guidance: Will It Help Investors or Cyber-thieves More?, ABA Bus. L. Today (Dec. 2011) (“[T]he SEC’s Division of Corporate Finance quietly issued new guidance (Guidance) describing disclosures of cybersecurity incidents and attacks and the prevention and remediation measures that public companies (Registrants) have suffered or may suffer, and of the prevention and remediation expenses they have expended or may expend (CF Disclosure Guidance: Topic No. 2—Cybersecurity).”). See also Catherine Bragg, Data Breach Notifications: State Law Requirements, ABA Under Construction Vol. 18, No. 2 (Winter 2017) (overviewing state laws, with examples).

[4] See Andrea Castillo & Denise Zheng, Should Companies Be Required to Share Information About Cyberattacks?, The Wall Street Journal (May 22, 2016) (“How do we limit the damage and, more important, restore confidence in online security? That is a question that bedevils policy makers as much as it does network analysts and computer scientists.”); Jason P. Gonzalez, Tiana M. Butcher, Carolyn Lowry, Trending Cybersecurity Disclosures, Nixon Peabody LLP Cybersecurity Alert (Jan. 19, 2017).

[5] Gonzalez et al., supra note 4 (“Requiring companies to report when they’ve been attacked and to share details about how it was done might help strengthen cyberdefenses for everyone . . . Conversely, allowing breached companies to work on solutions in secret may fix problems quickly and prevent reputational harm.”).

[6] CF Disclosure Guidance: Topic No. 2, SEC, note 3 (Dec. 2011) (merely noting that “information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”).

[7] Id.

[8] Id.

[9] See Catherine Bragg, supra note 3.

[10] D.C. Code § 28-3851 (2007).

[11] Id. at § 28-3851(3)(A).

[12] See Chris Smith, Nasty Mac malware can control your webcam and record everything you type, BGR Media (Jul. 25, 2017).

[13] Id.

[14] See Don Reisinger, New Details Emerge About Scary Apple Mac Threat Fruitfly, Fortune (Jul. 24, 2017).

[15] Id. (“In January, Apple responded to the threat by patching the hole that allowed Fruitfly to attack users. However, Fruitfly variants have cropped up that could still target unprotected Macs.”).

[16] See Nick Ismail, Cyber security industry believes GDPR is ‘stifling innovation’, Information Age (Jul. 12, 2017) (explaining that the European General Data Protection Regulation (GDPR) is doing just this and is stifling innovation). See generally James Gattuso, Ensuring Cybersecurity: More Red Tape Is Not the Answer, The Heritage Foundation (Jun. 5, 2012) (exploring proposed federal legislation in 2012 which would have potentially imposed massive requirements through vague writing).

[17] Liam Lambert, Cyber Security – Attacks, Effects And The Role Of The Law, The Market Mogul (Jan. 5, 2017) (“Contemporary business practice in regards to cyber security appears to be lacking, with companies relying on simple employee education and ‘one size fits all’ security technologies.”).

[18] See D.C. Code § 28-3851(3)(A) (2007).

[19] David Gilbert, How to Secure Your Webcam, CompariTech (Aug. 17, 2016).

[20] Branden R. Williams, Consumer Attitudes Toward Breaches, Branden Williams 1, 9 (2016):

Consumers are quick to return to breached merchants: In every single case, the majority of consumers returned to that location nearly three months after the breach. Consumers returning to shop at these locations may not have been aware of the breach, which taken alone is a finding for discussion. They appear to either be unfazed or unaware of breaches in a way that materially changes their shopping behavior. Less than 2% (on average) have not returned since a breach went public.

[21] Kenneth Olmstead & Aaron Smith, Report: Americans and Cybersecurity, Pew Research Center (Jan. 26, 2017) (reporting that “just over half of internet users utilize public Wi-Fi networks, including for tasks like online banking or e-commerce,” proving that the American public needs some serious education on personal cybersecurity).
