Cybersecurity

Facebook Shares Tumble Amid Cambridge Analytica Scandal

Facebook shares continued to tumble last week, falling more than 13% and closing just under $160 per share on Friday, March 23rd. Facebook is under fire after the revelation that Cambridge Analytica, a voter-profiling company, accessed the private information of more than fifty million Facebook users without their permission. The data was used by Cambridge Analytica to help profile millions of American voters for President Trump’s 2016 presidential campaign.

Facebook had originally downplayed the data leak, but founder and CEO Mark Zuckerberg finally issued a statement on Facebook last Wednesday. Zuckerberg later apologized during an interview on CNN, calling the incident a “major breach of trust.” The scandal has spawned the hashtag #deletefacebook, with Google searches for how to delete a Facebook account tripling last week. Sentiment for the movement comes from a variety of places: some users say they did not realize their data was being sold and feel their privacy has been invaded, while others do not like the fact that their profile may have been used to help elect President Trump.

There are already four lawsuits filed against Facebook in federal court in Northern California, three of which were brought by shareholders of the tech giant. The fourth is a class action alleging that Facebook showed “absolute disregard” for the personal data of the fifty million users whose information was taken without permission by Cambridge Analytica.

Despite the company losing around $75 billion in market capitalization last week, COO Sheryl Sandberg said Facebook does not view user privacy issues as long-term damage to the company’s stock price or business model. Yet that business model is built on monetizing its users’ data through targeted advertising. Should the company face tighter regulations, it may need to rethink that model, which is likely why it is taking small, slow steps to address the scandal.

Zuckerberg has been called to testify before both the House and Senate. He has said he would be willing to testify, and that he was not sure whether or not Facebook should be more tightly regulated. There is talk of more regulation of social media and technology companies generally. Apple CEO Tim Cook said he thinks tech companies should be regulated as to how they are allowed to use customer data.


Cybersecurity in the Boardroom: New Horizons

Cybersecurity risks are growing. As society produces more lines of code, and as everything from cars to sex toys becomes connected, more vulnerabilities are produced daily, inviting more data breaches. The costs associated with security breaches, once mostly reputational, have also increased in terms of legal exposure and outright loss of revenue. The new oil is not just data; it is security vulnerabilities, traded on both legitimate and underground markets.

The rapidly changing cyber landscape is creating new types of cyber risk that directors simply cannot continue to ignore. If they do ignore them, they may be hit with a shareholders’ derivative lawsuit in the event of a breach, claiming that management breached its fiduciary duty to the corporation by failing to monitor cyber risk.

Cyber is becoming a subject regularly discussed in board rooms, and a critical corporate governance concern. Recent research done by the U.S. National Association of Corporate Directors (NACD) reported that while directors acknowledge the importance and prominence of cyber risks, they also believe that “their boards do not possess sufficient knowledge of this growing risk.”

In light of these findings, the NACD issued a new report detailing five key principles that directors can adopt to enable oversight of cybersecurity risk: (i) approaching cybersecurity as an “enterprise-wide” management risk rather than an IT problem, (ii) understanding the legal implications of cyber risks, (iii) ensuring access to cybersecurity expertise and discussing cyber risk in the boardroom regularly, (iv) establishing an enterprise-wide cyber-risk management framework, and (v) managing cyber risk in terms of deciding which risks to avoid, accept, mitigate, or transfer through cyber-insurance. Implementing an independent monitoring mechanism, such as a bug bounty program, could also enhance directors’ ability to oversee security risk.

While the NACD report might provide directors with advice on how to oversee cyber risks, other developments in the “cyber-corporate” arena suggest that directors should take a more proactive managerial approach to cyber risks, one that requires them to have genuine expertise in this field.

First, New York adopted a comprehensive cybersecurity regulation for financial services companies regulated by the New York State Department of Financial Services, effective March 1, 2017 (with a transition period, § 500.22). The newly adopted 23 NYCRR 500 Cybersecurity Requirements require covered entities, among other things, (1) to conduct periodic risk assessments, (2) to implement a cybersecurity policy and evaluate the effectiveness of the corporation’s cybersecurity program, and (3) to conduct periodic penetration testing and vulnerability assessments. Most importantly, the regulations pull the board directly into cyber compliance: the Chairman of the Board or a “Senior Officer” must personally sign the annual certification confirming compliance, the Board or a “Senior Officer” must approve the cybersecurity policy, and the Board must receive annual reports from the chief information security officer.

Second, a new bill proposal, the Cybersecurity Disclosure Act of 2017, seeks to require public companies to disclose to investors, as part of their annual reports or proxy statements, information about their directors’ expertise and experience in cybersecurity. If the company’s Board has no such expertise, it must disclose “what other cybersecurity steps” its senior management has taken. It is plausible that companies will prefer to satisfy the first requirement rather than disclose their detailed cybersecurity strategy and subject it to scrutiny and prying eyes.

All of this suggests that directors will be required to take a more proactive role on cyber, one that amounts to more than passive “oversight,” or else they may find themselves personally liable.

Cybersecurity in the Boardroom New Horizons (PDF)

Foreign Business Worries Over Strict Chinese Cybersecurity Law

China may have added to the so-called “Great Firewall of China” on Monday, November 7, 2016, by passing a new cybersecurity law, as part of a broader effort to define how the Internet is managed inside China’s borders. The legislation, passed by China’s largely rubber-stamp parliament, is set to take effect in June 2017. President Xi Jinping has focused Internet policymaking on so-called “cyber-sovereignty” throughout his administration. Since the advent of the Internet, the government of China has issued some sixty Internet regulations, many of which involve blocking Internet content or monitoring individuals’ Internet access.


Federal Government May Have Spied on Your Yahoo Account

On Tuesday, October 4, 2016, Reuters revealed that Yahoo secretly scanned user emails for the federal government in 2015. Anonymous former Yahoo employees alleged that either the National Security Agency or the Federal Bureau of Investigation issued a classified directive under Section 702 of the Foreign Intelligence Surveillance Act (FISA), asking Yahoo to build software to search user emails for key words and/or phrases as part of an ongoing government investigation. Shortly afterward, Yahoo created a siphoning system through which the government could tap into user emails in real time and search for specific character strings that it believed were connected to national security threats. Yahoo has not denied these allegations.


GM Entering the Race toward the Future of Driverless Cars

With places like California, Nevada, Florida, Michigan, and D.C. already allowing autonomous car testing and federal legislation being considered to make such cars safer, driverless cars are in our near future. Google has been eager to dominate this untapped market, but it’s starting to see competition from large automakers. General Motors’ Cadillac CT6 will be the first GM model to be equipped with Super Cruise, a semi-autonomous system that permits hands-free driving on the highway.


Can Artificial Intelligence Protect Us From Cybercrime?

According to Symantec’s Norton Report, the global cost of cybercrime was $113 billion in 2013. That is an astounding number. Human beings tend to be the weakest link in computer security: passwords are predictable, unfamiliar USB drives do not give us pause, and we routinely visit less-than-secure websites.

The U.S. Department of Defense experiences 41 million scans, probes, and attacks a month. The U.S. military, once a vulnerable IT behemoth, has reformed itself into an adept defender of its well-secured networks. According to the Pentagon, while technical upgrades and advanced technology are important, minimizing human error is even more critical. Despite the unified architecture and state-of-the-art technology, in almost every successful attack on the .mil network, people have been the weak link. Hackers capitalize on mistakes by network administrators and users, which create openings for successful penetration. Experts contend that consistent monitoring of systems alone, patching known vulnerabilities and double-checking security configurations, can prevent the majority of attacks. Technology, it seems, can create a false sense of security. People matter as much as, if not more than, technology in building an ethos and culture that minimize risk.


Securing the Cloud: Microsoft’s Battle with the Department of Justice

Reliance on cloud storage has become an integral, and often overlooked, aspect of the daily activities of individuals and businesses throughout the world. Information stored in the “cloud,” such as emails, photos, contact lists, and documents, is actually stored in data centers located in many different countries. A user’s data is typically kept in the data center closest to the location in which the individual or business registered the account. The purpose of these worldwide data centers is to improve the efficiency and security of storing, accessing, and distributing such information. For example, Microsoft stores European users’ cloud data in its Irish data center.

An ongoing battle between Microsoft and the Department of Justice has raised concerns among the many tech companies that reap significant revenue from cloud computing across the global community. Microsoft is in the midst of an appeal from a New York Magistrate Judge’s decision, adopted in full by the District Court, upholding a warrant that compels Microsoft to retrieve the emails, photos, and contacts of an account stored in Ireland and turn them over to the DoJ for a criminal investigation. On appeal to the Second Circuit, the government argues that it has the right to demand information stored abroad by any US corporation regardless of jurisdictional issues, conflict-of-laws problems, and international treaties to the contrary.


Privacy & Cybersecurity Update – July 2014

In this edition of our Privacy & Cybersecurity Update, we analyze several significant developments occurring in July 2014, including a recent address by U.S. Treasury Secretary Jack Lew calling for tougher congressional action and greater private sector transparency regarding cybersecurity, the enactment of new U.S. laws requiring certain defense and intelligence contractors to report data breaches, and clarification from the FTC on verifiable parental consent methods for website operators and mobile app developers.
