“But the emails” – companies’ SEC filings reflect ransomware risks

Data Protection Report - Norton Rose Fulbright

The Equifax breach will likely devour the entire breach news cycle in the near term, given the size of the incident and that it gets to the essence of the company’s business of maintaining some of the most sensitive consumer information. Still, in what for the moment might seem like a more pedestrian risk, companies continue to be affected by ransomware. One of the unique aspects of ransomware is that it does not involve just stealing information, but makes the information unavailable to the business. If critical information is unavailable, there is operational impact and often a material effect that companies must disclose publicly.

Most recently, WannaCry and Petya demonstrated the ability of ransomware to exploit security vulnerabilities, spread quickly and, in some cases, cripple company operations. Here is how some companies have addressed it.

General ransomware risk disclosures

In the energy sector, at least two companies — Concho Resources and Repsol — have disclosed ransomware risks. Concho’s 8-Ks from Q1 and Q2 2017 reference ransomware in the “Forward Looking and Cautionary Statements” section, where the company lists events and developments “regarding the Company’s future financial position, operations, performance, business strategy…” There, Concho lists cybersecurity risks, specifically ransomware, phishing, and data breaches as potential threats that could adversely affect the company.

Similarly, Repsol addresses ransomware in its 40-F filings as one of the cyber risk factors for the company. The company discloses that cyber risk factors, including ransomware, result in increased industry-wide concern about cyber threats intended to disrupt business that “could have a negative financial effect on the Company’s operational performance and earnings, as well as the Company’s reputation.”

IBM’s most recent 10-K identifies ransomware as a cyber risk that could impact the company’s business by causing “the loss of access to critical data or systems.”

Ransomware incident disclosures

Companies have also made specific disclosures about ransomware after experiencing an attack.

In one example of a post-attack disclosure, FedEx’s most recent 10-K (May 2017) discusses the impact of the WannaCry and Petya attacks on FedEx systems and subsidiaries. Specifically, the disclosure states that a FedEx subsidiary “TNT Express experienced a significant cyber-attack” but that the company was at the time still unable “to determine the full extent of its impact, including the impact on …  results of operations and financial condition,” concluding that likely “the financial impact will be material.”  The 10-K also warns that FedEx is unable to “estimate when TNT Express services will be fully restored” and that it may be “unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted.”

Our take

It has been about 10 years since the TJX breach opened companies’ eyes to potential risks of not being vigilant in protecting their data and systems. As attackers have become more discerning and sophisticated, the impact of breaches on companies has moved from the realm of plaintiffs’ counsel imagination to real operational impact. Ransomware locks up important data that can stop a company in its tracks, and massive breaches like the one impacting Equifax create existential threats for companies that live and die by data. Companies that have avoided experiencing serious harm from breaches should use every publicized incident as an opportunity to remind management that more can and should be done to protect critical data and systems. And, in the aftermath of such an attack, companies must consider whether they have a duty to report the potential harm from the attack to the public and shareholders.

Norton Rose Fulbright nominated for Cyber Law Firm of the Year

Norton Rose Fulbright has been shortlisted for ‘Cyber law firm of the year’ at the Insurance Insider Cyber Ranking Awards 2017. Voting is now open, and you can show your support for Norton Rose Fulbright by casting your vote ahead of the award ceremony on 29 September 2017.

The category of “Cyber law firm of the year” is a new addition to the Cyber Ranking Awards and provides brokers and underwriters with a chance to vote for the law firm that they believe has contributed the most to bringing innovative solutions to market over the past 12 months. We are honored to be included as a nominee, and believe that it reflects our leading experience within the cyber insurance sector.

Norton Rose Fulbright provides data protection, privacy and incident response services around the globe, and works closely with the insurance industry to address cyber and technology-related risks.

Delaware amends data breach notification law

Earlier this month, Delaware revamped its data breach notification law, with changes to go into effect April 14, 2018. Most notably, the new law requires any entity that has suffered a data breach that includes social security numbers to provide free credit monitoring services to affected residents for one year. The entity must provide all information necessary for the resident to enroll in such services as well as instructions for how to implement a credit freeze. This makes Delaware the second state to require credit monitoring services be provided to residents at no cost following a breach. (Connecticut has a similar provision.)

UK data protection after Brexit – UK government Statement of Intent contains few surprises

On the 7th August 2017, the UK’s Government Department for Digital, Culture, Media and Sport issued a Statement of Intent (the Statement) outlining its planned reforms of the UK’s data protection laws which are to be implemented by the Data Protection Bill (the Bill). The Statement anticipates the UK’s departure from the EU and makes it clear that following this, the Bill will transpose the General Data Protection Regulation (the GDPR) into domestic law, stressing the importance of continued efficiency of data flow between the UK and the EU in a post-Brexit world.

German court: monitoring of employees by key logger is not allowed

The German federal labor court held in a recent decision (Bundesarbeitsgericht, 27 July 2017 – case no. 2 AZR 681/16) that the use of evidence obtained through the use of key logger software is not permitted under current German privacy law if there is no suspicion of a criminal offense. Such monitoring is only allowed when an employer has a concrete suspicion of a criminal offense by an employee or any other serious breach of duty in a specific case. This decision is understood as general guidance from the highest labor court on secret employee monitoring.

US Senators introduce IoT cybersecurity bill

On August 1, 2017, US Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.

The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.

US Coast Guard Releases Draft Cybersecurity Guidelines

On July 11, 2017, the US Coast Guard (USCG) and the Department of Homeland Security (DHS) proposed new cybersecurity draft guidelines for Maritime Transportation Security Act (MTSA) regulated facilities. The guidelines follow the White House’s May 2017 Executive Order to strengthen the cybersecurity of critical infrastructure. The draft guidelines are open for public comment until September 11, 2017. The guidelines outline a position on addressing cybersecurity that is consistent with the National Institute for Standards and Technology (NIST) Cybersecurity Framework and other cybersecurity guidance. Similar to the Executive Order, the draft reflects a growing emphasis on mitigating cyber threats to critical infrastructure.

The guidelines are divided into two sections. One provides draft guidance on existing regulatory requirements and how they relate to cybersecurity. The second advises regulated facilities on how to implement a cyber risk management governance program.

Hong Kong Company Director Convicted Under Personal Data (Privacy) Ordinance

A director of a Hong Kong company has been convicted of an offence under the Personal Data (Privacy) Ordinance (“PDPO”). This is the first conviction of its type under the PDPO since the law came into effect in 1996, confirming the potential for directors’ liability under the law.

China Seeks Comment on Draft Regulation on Critical Information Infrastructure

On 10 July 2017 the Cyberspace Administration of China (CAC) issued a draft Regulation on the Protection of Critical Information Infrastructure (CII Regulation) for public comment. The comment period ends on 10 August 2017. This long-anticipated regulation, formulated pursuant to Article 31 of the Cyber Security Law of China (Cyber Security Law), is a key implementing measure for the Cyber Security Law. In this client update we outline the key features of the draft CII Regulation and highlight its implications for businesses.

The Privacy Implications of Autonomous Vehicles

This is the first of a two-part series discussing the privacy and security issues associated with the widespread use of automated vehicle technology. This first post focuses on potential privacy issues, while the second post – coming soon – will address security issues.

As the development and testing of self-driving car technology has progressed, the prospect of privately-owned autonomous vehicles operating on public roads is nearing. Several states have passed laws related to autonomous vehicles, including Nevada, California, Florida, Michigan, and Tennessee. Other states have ordered that government agencies support testing and operations of these vehicles. Industry experts predict that autonomous vehicles will be commercially available within the next five to ten years. A 2016 federal budget proposal, slated to provide nearly $4 billion in funding for testing connected vehicle systems, could accelerate this time frame. In addition, the National Highway Traffic Safety Administration (NHTSA) set a goal to work with stakeholders to “accelerate the deployment” of autonomous technologies.

This post will explore some of the privacy issues that should be addressed before these vehicles are fully commercialized.

Singapore – Comprehensive Cyber Bill Published For Consultation

Overview: On 10 July 2017, the Singapore Government unveiled its draft Cybersecurity Bill (the Bill) and announced a public consultation to seek views and comments from the industry and members of the public. The public consultation runs from 10 July to 3 August 2017. This Bill comes on the back of various moves by the Singapore Government to strengthen its approach to cybersecurity, starting with the setting up of the Cyber Security Agency (CSA) in April 2015, the launch of Singapore’s Cybersecurity Strategy in October 2016, and more recently, the amendments to the Computer Misuse and Cybersecurity Act earlier this year (see our publication on the amendments).

Comment: Singapore’s strategy of being a smart nation and financial centre has at its core a resilient and strong foundation in cybersecurity. This Bill helps ensure that this objective is achieved by focusing on the continuity of essential services in Singapore. It also comes at a time when the business world is reeling from the impact of the WannaCry and NotPetya attacks.

The Bill takes a holistic approach to the regulation of cybersecurity by: giving the CSA oversight of the regime and enforcement powers to police the regime; providing a framework for regulation of critical information infrastructure systems, including mandatory breach notification; and establishing a licensing framework for cybersecurity service providers.

The consultation paper notes that the regulatory framework will be flexible to take account of the unique circumstances of each sector. It will also require a proactive approach to enhance cybersecurity before threats and incidents happen – based on the risk profile of the sector. Offences and penalties are to ensure compliance with the Bill rather than punish those that suffer from cyberattacks.

Who is covered – Critical Information Infrastructure

A key thrust of the Bill is the identification of 11 critical sectors as providing “essential services” and the ability of the CSA to designate as CII any computer or computer system necessary for the continuous delivery of essential services. It applies to both the public and the private sector.

The 11 critical sectors identified are:

  • Energy
  • Info-communications
  • Water
  • Healthcare
  • Banking and finance
  • Security and emergency services
  • Aviation
  • Land transport
  • Maritime
  • Government
  • Media

Computers and computer systems that are necessary during times of national emergency may also be designated as CIIs – and so it could potentially cover any sector.

The CSA may also designate a person as the owner of a CII (a CIIO). The Bill proposes to define an “owner of a CII” as a person who has effective control over the operations of the CII and has the ability and right to carry out changes to, or is responsible for, the continuous functioning of the CII. The CSA may require certain information in advance from the owner to determine if a system is a CII. The designation of systems as CII will be treated as an “official secret” under the Official Secrets Act, and will not be divulged to the public.

Duties of CII owners

CII owners are subject to the following statutory duties to:

  • provide information
  • comply with codes and directions
  • report incidents – i.e. breach notification to the CSA
  • conduct audits by an auditor approved by the Commissioner of Cybersecurity (the Commissioner)
  • conduct risk assessments
  • participate in exercises

In addition, CII owners are required to comply with any code of practice or relevant standard issued under the Bill.

Failure to comply with these duties is a criminal offence – due to the national security implications of non-compliance.

CSA is the central cybersecurity authority

The Bill proposes to vest the extensive supervisory and regulatory powers on a Commissioner of Cybersecurity (the Commissioner), which is a position that will be held by the Chief Executive of the CSA.

CSA – Extensive Enforcement Powers

Apart from its supervisory powers over CIIs, the Bill also confers on the Commissioner significant powers to respond to, and prevent, cybersecurity incidents. These powers include the power to examine persons, produce evidence, and where satisfied that the cybersecurity threat meets a certain specified severity threshold, impose measures requiring a person to carry out remedial measures or to cease certain activities, take steps to assist in the investigation and perform a scan of a computer or computer system to detect cybersecurity vulnerabilities. Property may also be seized. This applies to all computer or computer systems in Singapore, and is not limited to CIIs.

The Minister has the power to impose extraordinary emergency cybersecurity measures and requirements if the Minister is satisfied that it is necessary for the purposes of preventing, detecting or countering any threat to the essential services or national security, defence, foreign relation, economy, public health, public safety or public order of Singapore. This includes the power to authorize a specified person to direct another person to provide information “relating to the design, configuration or operation of any computer, computer program or computer [service][system]” if it is necessary to identify, detect or counter any such threat.

Companies and institutions should therefore be prepared for such actions, and have the necessary protocols in place to facilitate and respond to these investigations and regulatory actions.

Assistant Commissioners – from other Regulators

The Bill grants the Minister the power to appoint as Assistant Commissioner public officers from other Ministries or from other regulators. This is an unusual feature as certain public officials would be double-hatting as an Assistant Commissioner of Cybersecurity and as an official from another Ministry or statutory body performing a similar regulatory/supervisory function.

Assistant Commissioners are, in most cases, “Sector Leads” in the respective sectors, i.e., the lead government agency in charge of each sector. Therefore, CIIOs will know the Assistant Commissioners from existing regulatory relationships. For example, the Assistant Commissioner for financial institutions would likely be an officer from the Monetary Authority of Singapore (MAS). Hopefully, this will help cut down the bureaucratic burden on CIIOs of dealing with a new regulator for cybersecurity issues by allowing continuity and consistency of established relationships with existing regulators.

Regulating Cybersecurity Service Providers

There is a proposal to license and regulate cybersecurity service providers. It is recognized that since cybersecurity service providers are given access to customer systems and networks, they gain a deep understanding of system vulnerabilities, and that there should be some assurance concerning ethics and standards these providers should meet. The Bill proposes a licensing framework for cybersecurity service providers for two types of licences – investigative cybersecurity services (penetration testing) and non-investigative cybersecurity services (managed security operations). The list of licensable services is set out in the Second Schedule, which may be amended by the Minister.

Licensed providers will need to meet certain basic requirements concerning: key executive officers to be fit and proper; retention of service records for 5 years; compliance with a code of ethics; and ensuring that employees performing the services are fit and proper. These requirements will also apply to overseas providers.

At this stage, it is not clear how the CSA would evaluate applicants for licensing, and the CSA will have a further consultation with industry on detailed requirements before it is implemented.

What this Bill may mean for you

  • Organizations operating in a critical sector and potentially owning CIIs should put in place an overarching cybersecurity policy tailored to the organization’s needs and the requirements of the regime. This policy should set out the organization’s approach to meeting its legal and regulatory obligations, and specify who is accountable for the CII within the organization. Ideally, this person should be at C-suite level.
  • As a result of the Commissioner’s powers to respond to, and prevent, cybersecurity incidents, we recommend that all organizations should have in place a comprehensive cyber-response plan that includes protocols for responding to, and cooperating with, requests from the Commissioner on cybersecurity. This will minimize disruption to operations and ensure compliance with regulatory obligations.
  • Cost of compliance will increase, in particular in respect of the new licensing regime for cybersecurity service providers, the cost of which will likely be passed on to customers. Given the impact of recent cyberattacks on business, such as WannaCry and the NotPetya ransomware, this is likely the new reality and cost of doing business in a technology-enabled world.

We are happy to discuss if you have any queries on the Bill or the public consultation.
