The Green Sheet Online Edition
April 25, 2016 • Issue 16:04:02
Facilitating collaboration to safeguard sensitive data
The first half of this decade ushered in a new era of banditry, piracy and even all-out military action within the cyberspace realm. Criminal gangs left the streets for the avenues of DSL lines to the detriment of consumers and vendors. Even as Target finally settles claims involving the 2013 theft of customer credit card information, security vulnerabilities continue to be identified and exploited by hackers.
2015 saw cyberattacks resulting in the compromise of consumer personal information for 12 million customers of electronic toy maker VTech, 37 million users of the infamous dating website Ashley Madison, and 80 million patient records of the nation's second largest health insurer, Anthem. Even more disconcerting, credit reporting agency Experian fell victim to hacking in September 2015 when the names, addresses, Social Security numbers, dates of birth and passport ID numbers of 15 million people were compromised. Cybersecurity can no longer be brushed aside: all industries are at risk.
The fact that the electronic payments industry is a prime target for cyberattacks should be obvious to all stakeholders: anyone seeking to intercept consumer credit card and bank account data must attack this industry. However, merchant service providers (MSPs), ISOs and POS equipment vendors may forget that the personal and financial data of merchants is also at risk.
When opening accounts for new merchants, ISOs regularly digitize and transmit a trove of sensitive personal information – canceled checks with bank account numbers, driver's licenses of business owners, pay stubs and income statements – to online databases to arrange for equipment leases and payment processing. All of this data is transmitted through the Internet and can be accessed remotely with a login and password. As such, all stakeholders in the electronic payments industry are at risk, not just the ones who deal directly with consumer information.
Laws addressing cybercrime
Recognizing the new threats on the horizon, the Electronic Transactions Association pushed early on for new laws to aid private industry in combating cybercrime, including the recently enacted Cybersecurity Information Sharing Act of 2015. Originally introduced by Senator Dianne Feinstein, D-Calif., on July 10, 2014, the bill ultimately failed to reach a full Senate vote before the end of session. It was later reintroduced as S.754 for the 114th Congress. The ETA supported the measure and on Oct. 19, 2015, signed a letter authored by the Protecting America's Cyber Networks Coalition urging its passage.
The act was not without its share of controversy. The Electronic Frontier Foundation opposed the act, fearing it would give companies free rein to disclose the private communications of their users to the government without a warrant, and "broad immunity to spy on – and potentially even launch countermeasures against – innocent users." The Computer & Communications Industry Association also raised concerns that the act did not adequately protect the privacy of users or sufficiently limit the permissible use of information received by the government.
Nonetheless, the bill was incorporated into H.R. 2029, the Consolidated Appropriations Act, 2016, in the House of Representatives on Dec. 15, 2015. The President signed the bill into law two days later.
The final version of CISA can be found in Division N, Title N of H.R. 2029. The act mandates that the Director of National Intelligence, Homeland Security, Department of Defense and the Attorney General jointly develop procedures for the "timely sharing of classified cyber threat indicators and defensive measures" between private businesses and the federal government, as well as state and local governments. The Attorney General and the Secretary of Homeland Security must submit interim policies and procedures to Congress within 60 days of the law's enactment, and final policies and procedures are due 180 days after enactment.
The act authorizes private entities to monitor, for cybersecurity purposes, any information that is stored on, processed by or transiting an information system owned by that entity or any system that the private entity is authorized to monitor. Private entities are also authorized to employ defensive measures to protect their rights and property, and to share related information with other entities, the federal government, and state or local governments.
Guidance for responsible disclosure
Also mandated within the act, the Secretary of Homeland Security must ensure that the public has access to the processes developed by which private entities may share cyber threat and defensive procedure information with the federal government. While the exact details of this mandate have not been spelled out yet, one can anticipate the cyberattack equivalent of a WeTip crime-reporting hotline for private businesses to report and share information on cyberattacks.
To encourage openness with government agencies, the act allows businesses providing information to the federal government to do so without waiving any privileges or protections for that information, including trade secret protection. Additionally, information provided by nonfederal entities, including private businesses, to the federal government will automatically be treated as "the commercial, financial, and proprietary information" of the provider and exempt from disclosure to the public.
Further, the act requires the government to develop guidelines to protect the confidentiality of information provided and to establish time limits for the retention of such information. To facilitate cooperation between private businesses, the act specifically exempts the sharing of information between private entities from antitrust laws to the extent that it is related to the prevention, mitigation or investigation of a cybersecurity threat.
Perhaps of greatest interest to private businesses, the new law grants private entities immunity from liability from any cause of action for monitoring and sharing information pursuant to CISA so long as such monitoring and sharing is conducted in accordance with the rules set forth. The purpose of this immunity is to encourage private entities to quickly report cyberthreats so that the government can take decisive action without fear of lawsuits from persons whose personal information might be revealed in such disclosures.
It is important to note that CISA does not give private businesses free license to disclose all sensitive information about their customers. To the contrary, the act imposes a duty on private businesses to review such information first and remove personal or identifying information of specific individuals where that information is not directly related to a cybersecurity threat.
Safe collaboration options
Although the initial rulemaking for the new law has not yet been completed, businesses can expect the act to create a safe harbor for them to cooperate with government entities and disclose information necessary to address cybersecurity threats without the threat of litigation over privacy issues. Companies can also expect guidelines for sharing information among themselves to improve cybersecurity without running afoul of antitrust laws.
The result is that companies may now collaborate to improve cybersecurity and provide information necessary to respond to an active data breach or cyberattack. To take advantage of this immunity, however, companies must stay apprised of the regulations ultimately adopted by the federal government and follow them to the letter.
This could be accomplished by assigning a program manager to adapt existing cybersecurity policy to permit information sharing for both prevention of and response to cyberthreats. Such a policy should spell out under exactly what circumstances information may be disclosed, to whom it may be disclosed, the specific purpose of such disclosure and the steps for redacting information that falls outside the scope of that purpose.
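The redaction step such a policy has to spell out can be made mechanical. The following is an added example written for this article, not code from the article or from Global Legal: a pre-share scrubber that keeps only the fields describing the threat, drops fields that identify a specific individual, and masks personal data that analysts have pasted into free text. The report schema, field names and sample values are constructed here; the act itself prescribes no report format, and the field allowlist is an assumption a real policy would replace with its own.

```python
import re

# Constructed schema (assumption): fields that describe the threat itself and may be shared.
INDICATOR_FIELDS = {
    "report_id", "observed_at", "attacker_ip", "attacker_sender",
    "malware_sha256", "phishing_subject", "notes",
}
# Free-text fields are shared but scrubbed, since victim details often end up in them.
FREE_TEXT_FIELDS = {"phishing_subject", "notes"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Candidate card numbers: 13-19 digits with optional space/dash separators; confirmed by Luhn.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(candidate):
    """True if the digits in `candidate` pass the Luhn check used by payment card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scrub_text(text, allowed_values=(), personal_values=()):
    """Mask personal data in free text.

    allowed_values: exact strings that are indicators (e.g. the attacker's sender
    address) and must survive pattern masking.
    personal_values: exact strings taken from the report's own personal fields,
    masked wherever they appear (longest first, so a full name wins over a first name).
    """
    for value in sorted((v for v in personal_values if len(v) >= 4), key=len, reverse=True):
        text = text.replace(value, "[REDACTED]")
    text = SSN_RE.sub("[SSN REDACTED]", text)
    text = PAN_RE.sub(lambda m: "[PAN REDACTED]" if luhn_ok(m.group()) else m.group(), text)
    text = EMAIL_RE.sub(lambda m: m.group() if m.group() in allowed_values else "[EMAIL REDACTED]", text)
    return text


def prepare_for_sharing(report):
    """Return (shareable copy, log of dropped or masked fields) for a threat report."""
    allowed = {str(v) for k, v in report.items()
               if k in INDICATOR_FIELDS and k not in FREE_TEXT_FIELDS}
    personal = {str(v) for k, v in report.items() if k not in INDICATOR_FIELDS}
    shared, log = {}, []
    for key, value in report.items():
        if key not in INDICATOR_FIELDS:
            log.append(key)                      # dropped outright, never masked in place
            continue
        if key in FREE_TEXT_FIELDS:
            scrubbed = scrub_text(str(value), allowed, personal)
            if scrubbed != value:
                log.append(key + " (masked)")
            shared[key] = scrubbed
        else:
            shared[key] = value
    return shared, log


# Constructed sample report: the attacker IP is from the 203.0.113.0/24 documentation
# range and the hash is SHA-256 of the empty string; all victim data is invented.
SAMPLE_REPORT = {
    "report_id": "R-0001",
    "observed_at": "2016-03-01T14:22:00Z",
    "attacker_ip": "203.0.113.45",
    "attacker_sender": "billing@examp1e-pay.invalid",
    "malware_sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "phishing_subject": "Re: lease for Jane Merchant",
    "victim_name": "Jane Merchant",
    "victim_email": "jane@merchant-shop.example",
    "victim_ssn": "123-45-6789",
    "notes": ("Owner jane@merchant-shop.example replied to billing@examp1e-pay.invalid "
              "with SSN 123-45-6789 and card 4111 1111 1111 1111."),
}

if __name__ == "__main__":
    shared, log = prepare_for_sharing(SAMPLE_REPORT)
    for k, v in shared.items():
        print(f"{k}: {v}")
    print("dropped/masked:", log)
```

Two design points carry over to a real policy: fields are shared by allowlist, so a new field an analyst adds is withheld until someone decides it is a threat indicator, and the returned log is the record of what was removed, which is what a reviewer needs to show the redaction duty was actually performed before disclosure.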
Internal policy development for CISA-compliant communication must also run in tandem with industry-wide cybersecurity collaboration. Within the payments industry, security managers will need to establish CISA-compliant lines of communication both up- and downstream so that cybersecurity information provided by a merchant is transmitted seamlessly, securely and in compliance with CISA regulations as it travels all the way from the merchant to the sponsor bank.
Likewise, banks will need to establish lines of communication allowing them to collaborate with merchants where a cybersecurity threat endangers everyone downstream of that bank. Ultimately, as the regulations for enforcement of CISA are finalized, the electronic payments industry should consider developing an industry-wide standard for communication and collaboration to ensure that the liability shield for CISA remains in effect, while at the same time allowing members of the industry to quickly anticipate and respond to cybersecurity threats.
Consequences for security deficits
Ultimately, while CISA does not mandate cooperation, the electronic payments industry still faces stiff consequences for security lapses and data breaches. The Federal Trade Commission now actively pursues administrative actions for "unfair or deceptive acts" under 15 U.S.C. § 45(a) against companies with allegedly deficient cybersecurity measures. This practice was recently upheld by the 3rd Circuit Court of Appeals in F.T.C. v. Wyndham Worldwide Corp.
That case stemmed from three successful data breaches of Wyndham Worldwide's computer systems in 2008 and 2009, resulting in the theft of personal and financial data for hundreds of thousands of consumers and leading to over $10.6 million in fraudulent charges. The FTC alleged that Wyndham failed to take reasonable measures to protect consumer data, by, among other things:
- Storing credit card data in plain readable text
- Failing to use readily available security measures
- Failing to employ "reasonable measures to detect and prevent unauthorized access" to its computer network or to "conduct security investigations"
- Failing to follow "proper incident response procedures when the attacks were discovered."
The court ultimately held that a company's failure to maintain reasonable and appropriate data security, if proven, could constitute an unfair method of competition in commerce, making FTC sanctions appropriate. This ruling effectively creates an affirmative duty for commercial entities to protect sensitive electronic data in their possession.
While the court did not specify exactly what constitutes reasonable and appropriate data security measures, it did note that the FTC issued a guidebook in 2007, titled Protecting Personal Information: A Guide for Business, which provides a checklist of practices that form a "sound data security plan." The guidebook does not state that any particular practice is required, but it does caution against many practices Wyndham allegedly engaged in.
In light of the Wyndham ruling, one can assume that all major banks are adapting their cybersecurity policies to comply with the FTC's suggested practices and are taking full advantage of CISA to collaborate on cybersecurity. It's possible that the banks may even flow down their new policies to MSPs and ISOs in the form of new contractual requirements. Nonetheless, ISOs cannot depend on the larger players for guidance on cybersecurity compliance. If Wyndham made anything clear, it's that complacency is not an option.
What ISOs can do
Additionally, ISOs face unique risks regarding the sensitive merchant data they acquire and forward to MSPs to process new applications for payment services. Unfortunately, ISOs do not have the same resources for the all-out offensive that banks have. Instead, they must turn to the tired old cliché of "work smarter, not harder." On an individual level, ISOs must:
- Identify exactly what sensitive information they collect and store about merchants that could be misused by a criminal enterprise (such as scanned images of canceled checks, driver's licenses, and merchant sales information)
- Determine whether existing safeguards for handling information are sufficient to protect against cyberattacks.
At an absolute minimum, ISOs should consult the 2007 FTC guidebook to gain a basic overview of how to protect sensitive information. ISOs with sufficient resources may consider turning to in-house or outside cybersecurity consultants for plans to further improve their defensive measures against cyberattack, and the immunities provided by CISA would allow ISOs to freely share information with these consultants.
ISOs without the resources for a full-time cyber-bodyguard should consider collaborating to develop policies and procedures to protect merchant information. These would include:
- Standards for encrypting transmitted data
- Storing data on protected servers
- Secure deletion and destruction of such data once it is no longer needed
- Establishing rules for the conduct of their employees and agents to prevent the accidental introduction of malware into computer systems
- Perhaps most importantly, establishing a response to possible data breaches or cyberattacks that spells out exactly what information to disclose and to what authority.
ISOs need not reinvent the wheel when it comes to cybersecurity collaboration; industries that handle classified information, such as defense contractors and aerospace manufacturers, have been under greater threats of cyberattack for decades, and have learned much about cybersecurity through trial and catastrophic error. Through the National Industrial Security Program (NISP), the federal government has worked with these entities to develop written policies to address cyberthreats.
Perhaps the most robust information security program available for private industry, NISP was established in 1993 by Executive Order 12829 and charged with managing the distribution and handling of classified information among private industry. NISP maintains and publishes the NISP Operating Manual, or NISPOM, which contains the standard procedures and requirements for private entities handling classified information. Chapter 8 of NISPOM addresses information security and safeguarding against data breaches.
While many of the protocols NISPOM requires are specific to military programs and would be overkill for an ISO, the manual nonetheless represents a good starting point for any standardized program for the safeguarding of sensitive information.
Ultimately, a number of resources are available to ISOs to develop collaborative cybersecurity efforts. Exactly what approach is sufficient depends largely on the as yet unpublished regulations to be promulgated by the government over the next few months. However, one thing is clear – businesses in possession of sensitive electronically stored information have a duty to safeguard it.
ISOs that lack policies for safeguarding information or fear that their efforts are inadequate should consult both information technology and legal consultants to establish policies and procedures that are sufficient to avoid liability, but do not exceed the mandate for collaboration afforded by CISA. Doubtless, the path will become clear in the coming months as proposed CISA regulations are published.
James Daube, attorney at Global Legal. Global Legal has advised electronic payment companies and their affiliates on every aspect of their businesses. Global Legal attorneys are payments litigators who defend regulatory investigations, civil enforcement actions and class actions. They are experts at instituting regulatory compliance procedures to avoid liability, as well as negotiating payments agreements, mergers and acquisitions. Please contact firstname.lastname@example.org