Cybersecurity Steps You Can Take to Comply With Authorities' Conflicting Demands
July 31, 2019 at 01:45 PM
Cybersecurity, encryption and data breaches now regularly lead the evening news. Recent government pronouncements have created competing, sometimes contradictory, pressures on companies simultaneously to ensure robust protection for their customers' data while also considering whether to acquiesce to law enforcement's demands that they should be able to de-encrypt data on request.
On Tuesday, July 23, Attorney General William P. Barr focused his keynote address at the International Conference on Cybersecurity at Fordham University Law School in Manhattan on cybersecurity concerns. Barr's speech noted first the importance of encryption techniques in cybersecurity, explaining, “encryption provides enormous benefits to society by enabling secure communications, data storage and online transactions.” However, Barr's speech primarily focused on a need for companies to provide governmental access to encrypted data and communications. Bemoaning the dangers of “warrant proof” encryption, Barr warned that such encryption “poses a grave threat to public safety by extinguishing the ability of law enforcement to obtain evidence essential to detecting and investigating crimes.” Barr advised technology providers to maintain an appropriate mechanism for lawful access when deploying encryption in their products, services and platforms, although he refrained from supporting or discussing any specific proposals to do so.
Since Barr's speech, FBI Director Christopher Wray has voiced support for, and Sen. Ron Wyden has warned against, Barr's plan to eliminate “warrant proof” encryption. One side argues that authorities must be able to investigate dangerous crimes that bad actors may use encrypted data to hide; the other cautions that building a back door for lawful access to encrypted data defeats the purpose of encryption, since there is no guarantee that the back door will remain closed to bad actors.
One day later, on July 24, the Federal Trade Commission imposed a record-breaking $5 billion penalty on Facebook for violating its consumers' privacy. While many of the privacy violations at issue in the FTC's investigation involved serious violations separate from encryption concerns, the FTC's order imposed specific encryption obligations, requiring the company to protect user passwords cryptographically and implement regular scans to make sure user passwords are not stored in plain text.
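The FTC obligation described above, cryptographic protection of stored passwords plus periodic scans for plaintext storage, as an added Python example. This is not code from the article or from the FTC order; the record format, the list of accepted PHC-style hash schemes and the sample user table are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, os, re

# Stored hashes in PHC string format begin "$<scheme>$"; only these slow, salted
# password-hashing schemes count as compliant in this scan (assumed policy).
HASH_SCHEMES = {"argon2id", "argon2i", "scrypt", "pbkdf2-sha256", "2a", "2b", "2y"}
PHC_RE = re.compile(r"^\$([a-z0-9-]+)\$")

def looks_hashed(value: str) -> bool:
    """True only if the stored value is a recognised salted password hash."""
    m = PHC_RE.match(value)
    return bool(m) and m.group(1) in HASH_SCHEMES

def hash_password(password: str, salt: bytes = None, rounds: int = 600_000) -> str:
    """Produce a compliant record: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    b64 = lambda b: base64.b64encode(b).decode().rstrip("=")
    return f"$pbkdf2-sha256${rounds}${b64(salt)}${b64(dk)}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and rounds; constant-time compare."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[1] != "pbkdf2-sha256":
        return False
    _, _, rounds, salt_b64, dk_b64 = parts
    pad = lambda s: s + "=" * (-len(s) % 4)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             base64.b64decode(pad(salt_b64)), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(pad(dk_b64)))

def scan_records(records) -> list:
    """Return ids of records whose password field is not a recognised hash.
    Plaintext and bare, unsalted digests (e.g. hex SHA-256) are both flagged."""
    return [r["id"] for r in records if not looks_hashed(r["password"])]

# Constructed sample user table (not real data): one compliant row, one plaintext
# row, and one unsalted SHA-256 digest that still fails the check.
USERS = [
    {"id": 1, "password": hash_password("correct horse", salt=b"0123456789abcdef")},
    {"id": 2, "password": "hunter2"},
    {"id": 3, "password": hashlib.sha256(b"hunter2").hexdigest()},
]

if __name__ == "__main__":
    print("non-compliant record ids:", scan_records(USERS))  # [2, 3]
```

Run the scan on a periodic schedule against exports of every credential store, and treat any flagged id as an incident to investigate rather than a value to log.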
Companies reviewing encryption news may justifiably be at a loss for how to navigate encryption concerns in a world with an ever-increasing need for cybersecurity. As the Facebook fine illustrates, encryption of sensitive data is becoming less optional and is more commonly seen as part of a reasonable standard of care. But what type of encryption? What needs to be encrypted? As Barr's speech makes clear, how a company encrypts its data has become the most pressing question for companies today. We provide here a few general considerations for companies reconsidering their current encryption policies:
- You should likely implement encryption policies for sensitive personal employee or consumer data and for highly confidential commercial data. Although few laws currently mandate that companies encrypt data, many state, federal, and foreign laws require companies to take reasonable measures to protect personally identifiable employee and consumer information and highly confidential commercial information, that is, the kind of data most attractive to hackers. Some laws, like California's recently enacted data privacy law, which takes effect next year, may ease or remove liability for companies that encrypt their data.
- When deciding which company data to encrypt, focus on two questions: What data is most valuable to your company (or to competitors or hackers)? What data is most vulnerable at your company? Note that the vulnerable data may not be the same as the highly valuable data. For example, employees with access to unencrypted consumer information may be easier targets for email phishing scams or other infiltration methods than employees working on sensitive and highly confidential inventions.
- When implementing or updating encryption policies at your company, match or exceed the level of encryption other companies in your marketplace consider suitable. Cybersecurity consultants or third-party anti-malware vendors may provide you with examples of what is typical in your field for a company of your size. Go above and beyond. An ounce of prevention now may save you pounds of pain in the future, and will put you in better stead with regulators, customers, and potential litigants should something still go wrong.
- When implementing enhanced encryption security policies in your company, train the employees who may handle encrypted data. For example, if your company provides a virtual private network (VPN) to encrypt remote work, train employees in VPN and remote-working best practices.
- Implement appropriate controls to ensure compliance with your encryption requirements, as well as meaningful ways to collect and analyze data about compliance with the requirements.
- Keep current on evolving laws, regulations, and litigation related to information privacy, cybersecurity and encryption. Cybersecurity law is still at the cutting edge, and its regulatory and legal compliance requirements will continue to evolve as cyber risks become more prevalent and sophisticated. Experienced counsel can help keep you abreast of, and in compliance with, those evolving laws.
- If you are a technology provider, consider whether, and if so how, you can and should accommodate law enforcement's desire for the de-encryption back door to which Attorney General Barr gave voice. There may be good business or corporate governance reasons to do so, but such a back door may not only alienate customers but also increase your own cybersecurity risk.
There are no one-size-fits-all answers to how best a company can and should encrypt and otherwise protect customer and other sensitive data, or to whether and how it should implement a back door for law enforcement. Each company faces its own risk profile, has its own market pressures, and interfaces with law enforcement in its own way. But keeping in mind the pointers set forth above will allow you to frame and flesh out the approach that makes the most sense for your company.
Jason Linder is a partner and chair of Irell & Manella's global investigations and white collar criminal defense practice. He is a former senior Department of Justice prosecutor and assistant U.S. attorney.
Molly Russell is an associate in the Los Angeles office of the firm. Her practice encompasses a wide range of intellectual property, white collar and general litigation matters.
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.