Blog

CISA Proposes Five-Step Process to Become 5G Operational

2022/06/14

Takeaway: Federal agencies will need to consider the five-step assessment process to get authorization from CISA before operating with 5G technology.

As the adoption of 5G technology by many private and public organizations approaches, assessments are being put in place to evaluate whether federal agencies can operate with 5G technology. Regulatory agencies in cybersecurity teamed up to create a security assessment that grants authorization to agencies in order to use 5G technology. Specifically, CISA, with the Department of Homeland Security’s Science and Technology Directorate and the Department of Defense’s Office of the Under Secretary of Defense for Research and Engineering (OUSD R&E), proposed a five-step assessment process. This process was derived from scientific research and security analyses. So, what are the five steps of assessment an agency must meet to acquire authorization?

Step 1: Define the Federal 5G Use Case. This step involves describing the intended use for the 5G technology, whether there is a federal use component, and the details of the proposed 5G model.

Step 2: Identify the Assessment Boundary. This step involves defining the boundary in order to identify the security requirements that will be implemented to protect networks.

Step 3: Identify Security Requirements. This is a multi-part step that includes conducting a high-level threat analysis of each 5G subsystem and identifying cybersecurity requirements.

Step 4: Map Security Requirements to Federal Guidance. This step involves creating a catalog of federal security guidance that corresponds to the technologies included in the assessment boundary and to the security capabilities implied by Step 3.

Step 5: Assess Security Guidance Gaps & Alternatives. This is an evaluation step that tests the effectiveness of implementation.

The purpose of this five-step assessment is to provide federal agencies with a standardized and comprehensive process to evaluate and address security assessment gaps.

ERISA: A Journey from a Promise of Protection to a Retirement Crisis

2022/06/08

The closure of the Studebaker-Packard Corporation car manufacturing plant in 1963 was a major catalyst leading into the enactment of the Employee Retirement Income Savings Act of 1974 (“ERISA”). This pension plan had promised generous benefits for the participants, but the plan was severely underfunded and was not able to cover the benefits for many of the employees vested in the plan. The failure of the Studebaker pension plan, along with the high-profile conviction of infamous Teamsters boss James Hoffa on pension fraud, drew attention to pension plan corruption and mismanagement and spurred talk of reform and regulation in Washington, DC.[1] Just over a decade later, ERISA was codified in the United States Code.

This article is not intended to suggest that ERISA has been a complete failure. Like other laws, ERISA has limitations and lacks flexibility in achieving its intended goals. The decline in the number of American workers covered by defined benefit plans illustrates how this legislation, which was intended to protect participants of defined benefit plans, has instead reduced the continued availability and utilization of those plans in the industrial and manufacturing sector. Specifically, airline, steel, and trade & craft workers, among others, have faced significant challenges in the funding and perpetuation of benefits provided by these plans. Defined benefit plans have become associated with being expensive and inflexible. The funding requirements on an annual basis are not predictable due to volatility in market returns and changes in the employee census of the plan sponsor. The funding requirements have increased in many employment sectors due to declining employment levels. That is, more participants have been transitioning to pay status than there are new entrants being hired.

[1] Ryles, Eric (December 3, 2018). “The History of the Employee Retirement Income Savings Act (ERISA)”. Judy Diamond Associates, Inc. Retrieved May 3, 2022.

Key Consumer Rights and Business Obligations Under State Privacy Laws

2022/06/01

Takeaway: While the current patchwork of state consumer privacy laws is complex, there are consumer rights and business obligations that are common to all of the laws. An awareness of these key concepts will make compliance easier.

Without a comprehensive federal privacy law, consumer privacy has been left to the states. To date, California, Virginia, Colorado, Utah, and Connecticut have enacted comprehensive consumer privacy laws. Many other states have similar privacy legislation pending. This is one of the most active areas in the privacy space and as a result can be overwhelming to businesses trying to comply. Luckily, each of the current states’ laws and the proposed legislation pending around the country (including the proposed federal legislation) contain all or at least some of the same consumer rights and business obligations. These rights and obligations are:

Consumer Rights

Right of Access: The right for a consumer to access from a business/data controller the information or categories of information collected about the consumer, the information or categories of information shared with third parties, or the specific third parties or categories of third parties with which the information was shared; or some combination of similar information.

Right of Rectification: The right for a consumer to request that incorrect or outdated personal information be corrected but not deleted.

Right of Deletion: The right for a consumer to request deletion of personal information about the consumer under certain conditions.

Right of Restriction: The right for a consumer to restrict a business’s ability to process personal information about the consumer.

Right of Portability: The right for a consumer to request that personal information about the consumer be disclosed in a common file format.

Right of Opt-Out: The right for a consumer to opt out of the sale of personal information about the consumer to third parties.

Biden Signs Better Cybercrime Metrics Act into Law

2022/05/19

Takeaway: The new Better Cybercrime Metrics Act will help the federal government track, measure, analyze, and prosecute cybercrime.

On May 6, 2022, President Biden signed into law the Better Cybercrime Metrics Act.[1] This Act encourages local law enforcement to report incidents of cybercrime to the FBI to build a database of cybercrimes, as the FBI does with many other types of crime.[2] The new database will categorize different types of cybercrime. This Act also authorizes the National Academies of Science to establish a taxonomy for cybercrime incidents in consultation with federal, state, local, and tribal stakeholders, criminologists, and business leaders that would inform the FBI’s reporting of cybercrime and cyber-enabled crime.[3] The Better Cybercrime Metrics Act also requires the Bureau of Justice Statistics at the Department of Justice and the Census Bureau to add questions regarding cybercrime to the annual National Crime Victimization Survey.[4] The data collected will be available to law enforcement agencies seeking to track down cybercriminals.

James Turgal, former executive assistant director for the FBI’s Information and Technology Branch and current vice president of Cyber Risk, Strategy, and Board Relations for Optiv Security, observed: “This new legislation, coupled with the previously passed Cyber Incident Reporting for Critical Infrastructure Act of 2022, will, in theory, allow for the mandatory reporting of cyberattacks by victims in the critical infrastructure industries within specified timeframes.”[5] The database created by this mandatory reporting will assist law enforcement agencies in tracking potential cybercrime threats and recovering lost assets.

[1] S. 2629: Better Cybercrime Metrics Act
[2] Id.
[3] Sarah Coble, House Passes Better Cybercrime Metrics Act, Infosecurity Magazine, https://www.infosecurity-magazine.com/news/house-passes-better-cybercrime/
[4] Id.
[5] Edward Segal, Biden Signs Bill To Create Cybercrime Reporting System, Forbes, May 5, 2022, 12:09 pm EDT, https://www.forbes.com/sites/edwardsegal/2022/05/05/biden-signs-bill-to-create-cybercrime-reporting-system/?sh=36a7c8161f91

Poisoned Robots: Data Poisoning Threatens AI-Powered Mechanisms

2022/05/12

Takeaway: Companies need to be vigilant about feeding their machines clean data to avoid hackers poisoning their networks.

Artificial intelligence is everywhere: from facial recognition technology to weather forecasting. As we get better at training computers to become more sophisticated with prediction models, hackers are developing stealthier methods to poison them. But what is the threat? It’s called data poisoning. Data poisoning is a form of manipulation that involves corrupting the information that is used to train machines. It’s a hard-to-trace method of bypassing defenses geared towards protecting artificial intelligence mechanisms, and companies may not be equipped to tackle these challenges.

Data poisoning exploits the same mechanism as machine learning. Machine learning involves feeding a computer reams of data for the purpose of training it to categorize information correctly. A computer might be fed 1,000 images of various types of animals, correctly labeled by species and breed, before the computer is tasked with recognizing an image as a dog. The computer, however, doesn’t actually “know” that the image shown is that of a dog. It’s simply running a slew of statistical calculations in the background, based on past training, that allow it to make an accurate prediction.

Companies take the same approach with cybersecurity. They feed their machines reams of data that distinguish good code from bad code to teach the machines what malicious software is. The machine is then able to catch malicious software when confronted with bad code. Hackers can take advantage of this same technique. A savvy hacker could train a machine to recognize malicious code as harmless by labeling corrupted code as good and releasing it into a larger batch of training data. A neural network could then classify that poisoned piece of code as harmless, allowing it to compromise the system.

New CIRCIA Bill and What It Means for Whistleblowers

2022/05/03

Takeaway: Uncertainties over threats of cyberattacks resulted in both the House and Senate passing CIRCIA, which created an opportunity for whistleblowers to come forward under the False Claims Act with information about agencies and contractors failing to report cybersecurity breaches in a timely manner. Following CIRCIA, Congress voted to pass the Better Cybercrime Metrics Act to help analyze the effectiveness of cybercrime reporting.

President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) on March 15, 2022.[1] This bipartisan Act, which passed both the House and Senate after fears of retaliatory cyberattacks from Russia, requires owners and operators of critical infrastructure to report specific incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security. The two reporting obligations require:

“Covered cyber incidents” to be reported to CISA within 72 hours,[2] and

Ransomware payments to be reported to CISA within 24 hours.[3]

These reporting requirements are not in effect immediately, and companies have some time to put the proper reporting systems in place. Once in effect, this Act creates an opportunity for potential whistleblowers who have knowledge of a failure to report cybersecurity breaches to CISA in a timely manner. Whistleblowers can act on a failure to report under the False Claims Act through a qui tam lawsuit.

Following the passage of CIRCIA, on March 30, 2022, the Senate and House both voted to pass the Better Cybercrime Metrics Act. The Bill now sits on President Biden’s desk for his signature into law. This Act was inspired by the attacks on the Colonial Pipeline in 2021 and would improve the reporting on the effectiveness of federal government cybercrime investigations.[4]

[1] Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 116th Cong. (2022).
[2] H.R. 2471 § 2242(a)(1)(A).
[3] H.R. 2471 § 2242(a)(2)(A).

Cybersecurity Class Actions Drawing a Split Among Circuit Courts

2022/04/12

Takeaway: In the wake of a data breach, a class of Plaintiffs whose personal and/or financial information is disseminated to third parties all share the same concern: the risk of future harm. But in order for these Plaintiffs to have standing to sue over the wrongful dissemination of their information resulting from the breach, the mere threat of future harm may not be enough. As more courts across the country have had the opportunity to address this issue, the emerging trend seems to be that the mere threat of future harm, by itself, is insufficient to confer standing; the threat of future harm must pose a substantial likelihood of materializing into actual harm for Plaintiffs to recover damages resulting from a data breach.

Pursuant to Article III of the United States Constitution, a plaintiff must meet the “irreducible constitutional minimum” requirements to show that he or she has standing to bring a cybersecurity class action lawsuit.[1] A plaintiff must adequately establish: (1) an injury in fact (i.e., a “concrete and particularized” invasion of a “legally protected interest”); (2) causation (i.e., a “ ‘fairly … trace[able]’ ” connection between the alleged injury in fact and the alleged conduct of the defendant); and (3) redressability (i.e., it is “ ‘likely’ ” and not “merely ‘speculative’ ” that the plaintiff’s injury will be remedied by the relief plaintiff seeks in bringing suit).[2]

The question of whether a plaintiff, or group thereof, has sufficient standing to bring class action lawsuits in the cybersecurity realm has unsurprisingly drawn a split amongst the Circuit Courts. In the wake of a data breach, one particular concern remains the same amongst all plaintiffs who wish to bring these suits: the risk of future harm. But is the mere risk of future harm, without anything else, enough to satisfy the “irreducible constitutional minimum” requirements to confer standing?

Top Cybersecurity Threats Your Organization May Face this Year

2022/04/04

Takeaway: With increasing numbers of cybersecurity attacks, foreign and domestic, organizations are even more likely to experience some kind of data breach threat this year. Knowing what that threat looks like allows organizations to arm themselves against these imminent attacks and to implement policy regulations in time to prevent absolute exposure.

A recent study conducted by PwC demonstrated that, due to increasing cybersecurity attacks, 69% of organizations will increase their cybersecurity investments in 2022. But what are the top cyberattack types organizations should be looking out for? Industry experts weighed in, and here is what they said:

Ransomware Cyberattacks: According to previous studies, 71% of cyberattacks in 2020 were financially motivated. Ransomware attacks usually involve hackers holding a company’s database hostage in exchange for ransom, usually cryptocurrency. These types of cyberattacks are increasing in number. Downloading a single malicious file can severely expose a company’s finances and reputation. Companies must establish policies and controls that train employees on how to handle emails and files from unknown or untrusted sources.

5G Vulnerabilities: Transferring data via the cloud is now an absolute business necessity. With 5G being implemented by organizations, transfer speeds are expected to hit 10 GB per second. More transfer speed means increasing the pace of business. In turn, hackers are provided more opportunities to infect more data packages without companies noticing. Organizations should implement higher levels of security and stringent policies before relying on 5G for transfers.

Remote Work Vulnerabilities: As organizations increasingly enable employees to work from home, IT departments are becoming more decentralized and attack surfaces more expansive. In fact, 85% of cyberattacks involve some form of human element and 36% come from phishing. To mitigate these errors, organizations should invest in employee cybersecurity training and establish best practices like multi-factor authentication and remote device monitoring. Using a zero-trust security framework to continuously validate users that access company data is also a highly recommended practice.

CISA Shields Up

2022/03/31

Takeaway: CISA’s Shields Up Guidance emphasizes incident response planning.

With the specter of an expanding war in Europe, the threat of cyber retaliation by Russia, or Russian-sponsored actors, is increased. In response, the Cybersecurity and Infrastructure Security Agency (“CISA”) released its Shields Up Guidance to help organizations and supply chains withstand and prepare for a malicious Russian cyber-attack. The guidance is aligned with previous recommendations from CISA and the National Institute of Standards and Technology (“NIST”).

A central theme of the Shields Up Guidance is incident response: putting in place a proper plan in the event of a cybersecurity incident. Indeed, a strong incident response plan (“IRP”) is a pillar of a viable cybersecurity program, as it encourages accountability and helps promote a culture of security. To get started, it’s important to identify an organization’s most critical data and infrastructure. Once critical data and infrastructure are identified, the organization can assign roles to the people who form the Incident Response Team (“IRT”). The IRT is the standard-bearer for how the organization will defend its critical data assets. The IRT meets regularly to augment and execute on the IRP. The IRT also assumes responsibility for triaging and responding to an active incident. It is important to define all roles with specificity and to engage in training exercises to ensure that all people understand their responsibility.

A critical responsibility of the IRT is escalating incidents to senior management and the proper external authorities. Under its Shields Up Guidance, CISA makes it clear that organizations should lower the threshold for reporting cyber incidents. That is, even minor incidents that are blocked by security controls should be reported to CISA. In addition to the internal IRT, organizations will want to identify critical third-party experts to help execute the IRP. The IRT will coordinate with technical experts and legal counsel to ensure that the breach is reported to the proper authorities, the threat is contained and eradicated, and the organization is ready to safely resume operations.

Cybersecurity: Board of Director Litigation Risk

2022/02/21

Takeaway: With the surge of data and cybersecurity breaches, corporate directors and officers have become targets for shareholder derivative lawsuits. Fortunately, there are procedural measures that directors and officers can put in place in order to mitigate the risk of litigation.

The standard in shareholder derivative actions is based on the seminal Caremark case. In the Caremark 1996 decision, the Delaware Chancery Court stated that, in data breach actions, directors can be personally liable for failing to “appropriately monitor and supervise the enterprise.”[1] The court stressed that a company’s board of directors must make a good faith effort to implement an adequate corporate information and reporting system. Failing to do so can constitute an “unconsidered failure of the board to act in circumstances in which due attention would, arguably, have prevented the loss.”[2]

In the Caremark[3] decision, the Court set forth a two-prong test for analyzing shareholder derivative actions. To prevail under the Caremark test as later clarified by the Court in Stone v. Ritter, the plaintiff must plead particularized facts showing that either (1) “the directors utterly failed to implement any reporting or information system or controls” or (2) “having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.”[4]

The application of this test was recently broadened in the Firemen’s Retirement System of St. Louis on Behalf of Marriott International, Inc. v. Sorenson case. In that case, Marriott announced its intent to acquire Starwood Hotels and Resorts Worldwide, Inc. on November 16, 2015.[5] Prior to the acquisition, Marriott engaged in 11 months of due diligence, during which Marriott’s Board of Directors ranked cybersecurity as the number one risk for the upcoming 2016 year.[6] Despite knowing that cybersecurity was a pervasive risk in the hospitality industry that could affect Marriott’s ability to achieve its goals, the Pre-Acquisition Board did not order any specific due diligence into cybersecurity in connection with the planned Acquisition.[7]
