Author: Brian Roux

The Consumer Financial Protection Bureau (“CFPB”) filed an interesting consent order in re: Dwolla, Inc. concerning the company’s cyber security practices. (See “CFPB Takes Action Against Dwolla for Misrepresenting Data Security Practices”, available at http://www.consumerfinance.gov/newsroom/cfpb-takes-action-against-dwolla-for-misrepresenting-data-security-practices/.) The order begins with the CFPB identifying that it found “deceptive acts and practices relating to false representations regarding [Dwolla’s] data-security practices”. (In re: Dwolla, Inc., Rec. Doc. 1 at 1, File No. 2016-CFPB-0007 (CFPB), available at http://files.consumerfinance.gov/f/201603_cfpb_consent-order-dwolla-inc.pdf.) As I’ve covered in other blog posts regarding the FTC enforcement actions, the deceptive argument is not new, and other agencies are expanding their enforcement actions even where there is no deception or misrepresentation. (Compare FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012), R. Doc. 1 (asserting claims under both the deceptive and unfairness prongs of its authority).) The interesting part of this CFPB consent order is the continuing expansion of regulators taking companies to task for bad cyber-security practices, and that vague claims which might otherwise be considered puffery are being interpreted as misrepresentations (at least at the agency level).

The CFPB findings can be grouped into two broad categories: discrete, specific failures, and more generally vague descriptions of its services. The specific failures are obviously bad and deceptive practices. For example, Dwolla claimed a certain set of information it collected was stored encrypted, but it did not, in fact, encrypt all of that information. It also claimed to be PCI compliant, but was not in fact PCI compliant. Those are not controversial as deceptive practices.

The more generalized description of some services as “safe” or “secure”, or describing security practices as surpassing or leading industry standards, becomes more dicey. What does it mean to be secure? What constitutes “safe”? The problem with cyber-security is that “safe” and “secure” are relative terms that must be judged against an ever-changing baseline. 100% safety and security is simply not possible. In sales terms, these might be asserted as “puffery”, but regulators are not taking them that way. The CFPB also took Dwolla to task for not “implement[ing] data-security policies and procedures reasonable and appropriate for the organization”. (In re: Dwolla at 7.)

Many of the specific failures (such as not maintaining a written data-security plan) are becoming more important as regulators force companies to defend their practices after security incidents or data breaches. That defense requires documentation to be persuasive that such incidents were not the result of bad practices. As in Dwolla, criticisms for not conducting ongoing risk assessments, penetration testing, and employee training are becoming common in regulatory actions. There is one certainty – rigorous data security practices are not a luxury, and treating them as optional or an afterthought creates significant exposure.


On February 16, 2016, a magistrate judge in the Central District of California issued an order, under the All Writs Act, compelling Apple to assist the FBI in searching an iPhone 5C that belonged to Syed Rizwan Farook. Farook was one of the terrorists participating in the December 2, 2015 mass shooting at the Inland Regional Center in San Bernardino, California. (See “Memorandum of Points and Authorities” included with “Government’s Ex Parte Application for Order Compelling Apple Inc to Assist Agents in Search” at 1 [Rec. Doc. not available], Case No. ED 15-CR-0451M.)

Within less than 24 hours, many articles and blog posts materialized dissecting the order and pondering its implications. (See “EFF to Support Apple in Encryption Battle”, available at https://www.eff.org/deeplinks/2016/02/eff-support-apple-encryption-battle; “Some notes on Apple decryption San Bernardino Phone”, available at http://blog.erratasec.com/2016/02/some-notes-on-apple-decryption-san.html; “No, A Judge Did Not Just Order Apple To Break Encryption On San Bernardino Shooter’s iPhone, But To Create A New Backdoor”, available at https://www.techdirt.com/articles/20160216/17393733617/no-judge-did-not-just-order-apple-to-break-encryption-san-bernardino-shooters-iphone-to-create-new-backdoor.shtml.) The public commentary and outrage even resulted in Tim Cook, CEO of Apple, posting an open letter on Apple’s website restating the case for encryption technology and vowing to fight the order. (See “A Message to Our Customers”, available at http://www.apple.com/customer-letter/.) Commentators have described what the FBI is seeking as everything from a “master key” to a design flaw to a non-issue. I have a more concerning thought, which is the purpose of this blog post.

Observe this language from the order:

“Providing the FBI with a signed iPhone … Software Image File (“SIF”) that can be loaded onto the SUBJECT DEVICE. The SIF will load and run from Random Access Memory (“RAM”) and will not modify the iOS on the actual phone, the user data partition or system partition on the device’s flash memory. … The SIF will be loaded via Device Firmware Upgrade (“DFU”) mode, recovery mode, or other applicable mode available to the FBI.” (Order Compelling Apple, Inc. to Assist Agents In Search at 2 [Rec. Doc. not available], Case No. ED 15-CR-0451M (emphasis added).)

The language mirrors that in the Declaration of Christopher Pluhar, which was submitted in support of the government’s motion. The suggested purpose of this assistance is to (1) circumvent the phone’s wipe-after-10-failed-lock-code-entries feature, (2) remove software delays between lock code attempts, and (3) allow unlock codes to be transmitted programmatically to the device. Essentially, the FBI wants help being able to brute force the 4-digit PIN code that locks the iPhone so it can get at the data. (Brute forcing a 4-digit lock code is trivial if the erase-after-10-failures feature is disabled.) That, however, is not the danger that this order represents.

The form of assistance specified in the order, as suggested by the FBI, is that Apple should provide a modified version of iOS that can be loaded onto the device and that will deliver the three forms of assistance requested. That method, if possible, will result in a jurisprudential work-around to the legislative process and the present debate over phone security and the limits of government backdoors. The key to understanding this is the language describing the signed SIF’s characteristics. It must (1) be loaded via, inter alia, recovery mode, (2) be loaded and run from RAM, and (3) not modify any of the flash memory. The FBI just requested that the court compel Apple into creating a method of live booting iOS on an iPhone. Let’s call this fbiOS.

What is live booting? In simple terms, a live boot environment boots an entire operating system into a computer system’s memory rather than installing it to storage. (See generally “Live CD”, available at https://en.wikipedia.org/wiki/Live_CD.) These types of environments are very common in Linux distributions, letting users test or experience Linux without having to commit to installing it – and many specialized distributions dedicated to forensics, penetration testing, or recovery functionality also exist. (See e.g. https://livecdlist.com/.)

Why does the FBI seem to want this? The key element is the specification of DFU or Recovery Mode as one of the ways the hypothetical live-bootable custom fbiOS must be loadable. (See “iOS Security”, September 2015, available at https://www.apple.com/business/docs/iOS_Security_Guide.pdf.) Ordinarily, these two modes are used for restoring an iPhone (or other iOS device) that has become inoperable – and, importantly, without the lock code.

“When an iOS device is turned on, its application processor immediately executes code from read-only memory known as the Boot ROM. This immutable code, known as the hardware root of trust, is laid down during chip fabrication, and is implicitly trusted. The Boot ROM code contains the Apple Root CA public key, which is used to verify that the Low-Level Bootloader (LLB) is signed by Apple before allowing it to load. This is the first step in the chain of trust where each step ensures that the next is signed by Apple. When the LLB finishes its tasks, it verifies and runs the next-stage bootloader, iBoot, which in turn verifies and runs the iOS kernel.” (Id. at p. 5 (discussing the “Secure boot chain” of an iOS device).)

If any stage of the secure boot chain fails, it triggers Recovery Mode, which permits the iOS install to be updated or restored. If the Boot ROM fails (the first step), it enters DFU mode. Recovery Mode allows either attempting an “update”, which reinstalls iOS without loss of data, or a “restore”, which results in loss of data – think of it as the difference between reinstalling an operating system over itself to repair corruption of the operating system and having to do a clean install because the file system became corrupted. (See “If you can’t update or restore your iPhone, iPad, or iPod touch”, available at https://support.apple.com/en-us/HT201263.)
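To make the chain-of-trust logic concrete, here is an added Python model (not Apple’s code and not from the original post) of the secure boot chain quoted above: each link checks only that the next stage carries a valid Apple signature, a failure at the Boot ROM’s link is modelled as DFU mode and a failure at any later link as Recovery Mode. The signing key, the stage images and the use of HMAC as a stand-in for Apple’s asymmetric signature are constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed stand-in for Apple's signing key. A real device verifies an
# asymmetric signature against the Apple Root CA public key held in Boot ROM;
# an HMAC key is used here only so the model runs with the standard library.
SIGNING_KEY = b"constructed-demo-signing-key"

# Boot order named in the iOS Security Guide: Boot ROM verifies LLB, LLB
# verifies iBoot, iBoot verifies the kernel.
BOOT_ORDER = ["LLB", "iBoot", "kernel"]


@dataclass(frozen=True)
class Stage:
    name: str
    image: bytes
    signature: bytes


def sign(image: bytes, key: bytes = SIGNING_KEY) -> bytes:
    """Stand-in for an Apple signature over a boot-stage image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def signature_valid(stage: Stage, key: bytes = SIGNING_KEY) -> bool:
    """The only question each link of the chain asks: is this stage signed by Apple?"""
    return hmac.compare_digest(sign(stage.image, key), stage.signature)


def build_chain(images: Dict[str, bytes]) -> List[Stage]:
    """Produce a fully signed chain, as shipped firmware would be."""
    return [Stage(n, images[n], sign(images[n])) for n in BOOT_ORDER]


def secure_boot(chain: List[Stage]) -> Tuple[str, str]:
    """Walk the chain outward from the immutable Boot ROM.

    Returns ("booted", "kernel") on success. The first stage is checked by
    Boot ROM, so a failure there is modelled as DFU mode; a failure at any
    later link drops into Recovery Mode, as the post describes.
    """
    for index, stage in enumerate(chain):
        if not signature_valid(stage):
            return ("dfu" if index == 0 else "recovery"), stage.name
    return "booted", chain[-1].name


def replace_stage(chain: List[Stage], name: str, image: bytes, resign: bool) -> List[Stage]:
    """Swap one stage's image. resign=False keeps the stale signature (tampering);
    resign=True models an image that carries a valid Apple signature."""
    out = []
    for stage in chain:
        if stage.name == name:
            out.append(Stage(name, image, sign(image) if resign else stage.signature))
        else:
            out.append(stage)
    return out


# Constructed sample images; real images are large binaries.
SHIPPED = {"LLB": b"llb-v1", "iBoot": b"iboot-v1", "kernel": b"ios-kernel-9.2"}


def demo() -> Dict[str, Tuple[str, str]]:
    genuine = build_chain(SHIPPED)
    results = {"genuine": secure_boot(genuine)}
    # Unsigned modification: the signature no longer matches, so the chain halts.
    results["tampered_kernel"] = secure_boot(
        replace_stage(genuine, "kernel", b"modified-kernel", resign=False))
    results["tampered_llb"] = secure_boot(
        replace_stage(genuine, "LLB", b"modified-llb", resign=False))
    # The post's concern: a modified image that Apple itself signs passes every
    # link, because the chain checks signatures, not which image was shipped.
    results["signed_modified_kernel"] = secure_boot(
        replace_stage(genuine, "kernel", b"modified-kernel", resign=True))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The last case is the crux of the post: signature verification alone cannot tell a shipped kernel from a validly signed custom one, which is why the hardware-enforced measures discussed later matter.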

Let’s put these pieces together. Recovery Mode will let you reinstall iOS without deleting the device’s data and without entering the lock code. The FBI wants to be able to put its proposed fbiOS on the device in this mode – while leaving the data undisturbed. It wants its fbiOS to disable all software-based security measures and provide a way for it to programmatically brute force lock codes. Finally, it wants fbiOS to load and run completely in memory.

If it successfully compels Apple to do these discrete things, it will be able to argue to future courts in future cases that Apple should make any number of features available to assist in investigations, because Apple already demonstrated being able to do the hard part – creating an fbiOS that can live boot a phone from recovery mode with custom modifications – so any other changes are trivial and not burdensome.

Imagine this one step further – since this proposed fbiOS is a validly signed version of iOS, the FBI could slip fbiOS onto any investigatory target – and that installation would leave no trace once the phone was rebooted. The ability to surreptitiously install fbiOS on an iPhone or other iOS device gives the FBI exactly what it has been craving – its own bespoke backdoor. Imagine instead of allowing them to brute force your passcode, it simply waited for the next time you entered it before cheerfully texting it to the FBI – or waited until you unlocked your phone to begin streaming its contents to them as those contents became readable to the application processor. If this parade of horribles came to be, you can be sure every other government would want their own version of fbiOS – and the security progress made over the last few years would vanish in a heartbeat.

The first item of good news is that what the FBI requested may not be possible. Whether it is technologically plausible to boot an iPhone from recovery mode with a modified version of iOS is a question only someone with much more in-depth knowledge of iPhone hardware than I possess can answer – if the answer is no (or becomes no for future iPhones), then the parade of horribles is called off for bad weather. It would, though, be a murkier question if DFU mode were used to modify the Low-Level Bootloader first, and the modified LLB then used to facilitate an fbiOS-style live boot from Recovery Mode.

The second item of good news is that the FBI’s request to disable the delay between passcode attempts may only be possible, if at all, in this particular case because it is an older iPhone. The phone here is an iPhone 5C, which has the older A6 processor. “On devices with an A7 or later A-series processor, the delays are enforced by the Secure Enclave. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.” (Id. at p. 12; see also Id. at p. 7 (explaining the Secure Enclave).) The A7 chip, with the Secure Enclave feature, debuted in the iPhone 5S in 2013. Apple’s continued emphasis on building in hardware-based security mechanisms may have headed this entire problem off before it started.

The third item of good news is that we can expect rigorous briefing of the issues present in this case from Apple itself, and from a plethora of amici curiae.

The opinions expressed in this blog post are mine alone, and are not the opinions of my firm. Likewise, this post is not intended as nor conveyed for the purpose of providing legal advice. I am a lawyer, but I am not your lawyer.


The FTC brought an administrative action against LabMD, a Georgia-based medical testing lab, because of a security incident occurring within the company. A decision by the administrative law judge came out recently, essentially saying the FTC failed to carry its burden of proving actual or likely substantial harm to consumers. (See “Initial Decision Docket No. 9357” at 88, available at https://www.ftc.gov/system/files/documents/cases/151113labmd_decision.pdf.) The dismissal is, of course, now on appeal to the commission, but I think LabMD is not very important because it is based on bad facts for an enforcement action. The only thing LabMD might stand for is the severe financial consequences of having to fight an FTC action even if your company’s failure did not actually hurt anyone (LabMD is essentially out of business now, and winding up operations). Wyndham, on the other hand, is a clear warning of the terrible consequences that come when the FTC takes issue with your cybersecurity failures – consequences which may include having the FTC looking over your shoulder for decades should you lose or settle.

As I wrote previously, the Wyndham case is a much more important precedent, with implications for cybersecurity practices and data breach responses. (See “Understanding the Implications of FTC v. Wyndham on Data Security Practices”, available at http://hanrylaw.com/2015/09/11/understanding-the-implications-of-ftc-v-wyndham-on-data-security-practices/.) In fact, the FTC and Wyndham have proposed a settlement that is now awaiting court approval. (See “Wyndham Settles FTC Charges It Unfairly Placed Consumers’ Payment Card Information At Risk”, available at https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment.) The settlement terms give a glimpse into what standards the FTC will hold other companies to in the aftermath of a data breach. (See “Wyndham’s settlement with the FTC: What it means for businesses – and consumers”, available at https://www.ftc.gov/news-events/blogs/business-blog/2015/12/wyndhams-settlement-ftc-what-it-means-businesses-consumers.)


Wyndham Settlement

The settlement imposes a rigorous set of actions that Wyndham must take over the next twenty (20) years. (See “Proposed Stipulated Order For Injunction”, available at https://www.ftc.gov/system/files/documents/cases/wyndhamproposedstiporderfullyexecuted.pdf.)

Wyndham will be required to establish a “comprehensive information security program” that is “fully documented in writing” and consists of “administrative, technical, and physical safeguards” appropriate to its size, complexity, the scope of its activities, and the sensitivity of the data it holds. (Id. at 4-5.) The program must also designate employees accountable for its implementation and oversight, include ongoing risk assessments, implement safeguards to control the risks those assessments identify, impose similar requirements on the vendors Wyndham uses, and be continuously updated based on the results of mandated monitoring and testing. (Id. at 5-6.)

Wyndham must also conduct annual assessments using qualified assessors to ensure its compliance with relevant security standards “at least as thorough as Version 2.0 of the PCI DSS Risk Assessment Guidelines.” (Id. at 7.) In the event of a sufficiently large breach, it will be obligated to commission “a PCI Forensic Investigator Final Incident Report”. (Id. at 8.)

Ongoing reporting and recordkeeping requirements are imposed, including notification requirements. (Id. at 11-12.) The most problematic requirement, however, is that the order would permit the Commission “to seek discovery, without further leave of Court” under the various Federal Rules of Civil Procedure that deal with discovery, for a period of at least 23 years. (Id. at 13 (section VI, “Compliance Monitoring”, applies as long as Wyndham is subject to any obligations in parts I or II of the order plus three years thereafter, and part I has a 20-year duration).)

Conclusion

The settlement’s prescribed “comprehensive information security program” is something Wyndham should have had in place regardless. These programs and their constituent policies are reasonable and necessary efforts that all companies should have. The requirements in that portion of the proposed order are very much in line with recommendations being drafted by the data breach response brainstorming group in the Sedona Conference Working Group 11 (disclosure statement: I am part of the brainstorming group drafting those recommendations). The unfortunate part of Wyndham’s position is the loss of some control over its policies and the additional requirements imposed on it by the remainder of the proposed order.

In my opinion, Wyndham stands for the proposition that the innocent age when cybersecurity issues could be glossed over has passed. The numerous high-profile data breaches over the past two years alone have raised public awareness and concern. Regulators have clearly taken notice on both the state and federal levels, and enforcement actions are going to become more common when companies do not take reasonable steps to address cybersecurity, data breach response planning, and consumer protection. People may hate paying lawyers, but an ounce of prevention is definitely worth at least a pound of litigation later in the cybersecurity and data breach arena.


The Federal Trade Commission (FTC) is very active and interested in data breaches and other cyber security incidents. The federal government and many state governments are slowly adding legislation that specifically addresses issues of cyber security and data breach reporting, but while those efforts slowly produce narrowly focused legislation, the FTC is trail-blazing by using its existing and broad authority to regulate unfair business practices. (See 15 U.S.C. § 45(a).) Using this broad authority granted by Congress over a century ago, the FTC is actively bringing regulatory actions and filing suits against companies whose cyber security practices are inadequate and result in data breaches. These actions often result in consent decrees which have long-term consequences for the companies that settle with the commission. Occasionally, a company will dig in for an extended legal battle. One such case is the FTC v. Wyndham action, which recently produced an appellate decision from the Third Circuit with significant implications for cyber security practices. (See FTC v. Wyndham Worldwide Corp., 2015 U.S. App. LEXIS 14839 (3d Cir. N.J. Aug. 24, 2015).)

I read court opinions so you don’t have to, so this post will discuss (1) a brief summary of the Wyndham data breaches, (2) the FTC’s authority under the “unfairness” prong, and (3) the importance of the Third Circuit opinion as a contour of likely future FTC actions. I will conclude by discussing future liability concerns in the wake of data breaches, especially in the context of the FTC.

WYNDHAM DATA BREACHES

In the FTC’s complaint, it lays out what it contends are the salient facts behind three data breaches of Wyndham’s networks. (See FTC v. Wyndham Worldwide Corp., Case No. 2:13-cv-01887 (D.N.J. 2012), R. Doc. 1.) Essentially, the systems in question consist of (1) the terminals at the hotels (“Property Management System”), (2) servers in a datacenter located in Phoenix, AZ (“Central Reservation System”), and (3) connections between the local hotel network and the Wyndham corporate networks. (Id. at ¶¶ 14-9.)


I wrote briefly about the Hacking Team data breach yesterday in the context of data breaches generally. This is an interesting area of the law because of all the high-profile breaches in the last couple of years, the upsurge in interest in cyber liability insurance products, and the increasing number of regulatory regimes both domestically and abroad. The Sedona Conference Working Group 11 is in the process of drafting a number of documents related to all of this, so the Hacking Team breach comes at an interesting time. This blog post splits into three points: (1) What was/is “Hacking Team”? (2) What was breached? (3) What is the potential impact, short and long term?

Ashley Madison is a website devoted to facilitating adultery. That is literally its customer base – married individuals seeking to cheat on their spouses. Its trademark slogan is, “Life is short. Have an affair.” It further self-describes its operation as “… the most recognized name in infidelity …” A widely reported breach of its servers resulted in a still-disputed number of records being exfiltrated from Ashley Madison’s servers. (See Krebs, “Online Cheating Site AshleyMadison Hacked”, http://krebsonsecurity.com/2015/07/online-cheating-site-ashleymadison-hacked/, retrieved 2015-07-23.) The situation is still developing, but I summarize and cite pertinent information here and also examine the company’s use of copyright takedown notices as part of its containment strategy.
