
FTC Sees Disconnect on Proposed Connected Cars Legislation

The Energy & Commerce Committee of the U.S. House of Representatives held a hearing on October 21st titled “Examining Ways to Improve Vehicle and Roadway Safety” to consider (among other matters) Vehicle Data Privacy legislation for internet-connected cars.

The proposed legislation includes requirements that auto manufacturers:

  • “Develop and implement” a privacy policy incorporating key elements on the collection, use and sharing of data collected through technology in vehicles. By providing the policy to the National Highway Traffic Safety Administration, a manufacturer earns certain protection against enforcement action under Section 5 of the Federal Trade Commission Act.
  • Retain data no longer than is determined necessary for “legitimate business purposes.”
  • Implement “reasonable measures” to ensure that the data is protected against theft/unauthorized access or use (hacking).

Manufacturers that fail to comply face a maximum penalty, per manufacturer, of up to $1 million. The penalty for failure to protect against hacking is up to $100,000 per “unauthorized” access.

Maneesha Mithal, Associate Director, Division of Privacy and Identity Protection, of the Federal Trade Commission (FTC), testified that the proposed legislation “could substantially weaken the security and privacy protections that consumers have today.”

The FTC’s criticism focuses on the proposed safe harbor against FTC enforcement for manufacturers. The FTC testified that a manufacturer should not earn immunity under the FTC Act if the privacy policy offers little or no privacy protection, or is not followed or enforced. The FTC expressed disapproval of provisions allowing retroactive application of a privacy policy to data previously collected. The FTC also advised against applying the proposed safe harbor to data outside of the vehicle, such as data collected from a website or mobile app.

Although the FTC applauded the goal of deterring criminal hacking of the auto systems, the FTC testified that the legislation, as drafted, may disincentivize manufacturers’ efforts in safety and privacy improvements. The testimony echoed that of other industry critics who believe that what is considered “authorized” access is too vague, which may prevent manufacturers from allowing others to access vehicle data systems, such as for repair or research on an auto’s critical systems.

Finally, the FTC criticized the provisions creating a council to develop cybersecurity best practices. Since the council could operate by a simple majority, it could act without any government or consumer advocacy input, diluting consumer protections.

The hearing agenda, as well as the text of the draft legislation, is available here.

The FTC’s prepared statement, as well as the text of the testimony, is available here.


Should We Hack Back?

“No,” says U.S. Assistant Attorney General Leslie R. Caldwell. At the most recent Cybersecurity Law Institute held at Georgetown University Law Center in late May, the head of the U.S. Department of Justice’s (DOJ) Criminal Division offered guidance to attendees on how to prevent and combat cybercrime. She also spoke about significant victories that the Criminal Division had achieved with the help of private sector and foreign collaboration. In the last year or so alone, the U.S. government extradited about a dozen high-level cybercriminals from around the world.

In her speech, Caldwell urged the private sector to work more closely with the government, explaining that “the Criminal Division is better positioned than ever before” to help organizations bring intruders to justice, defend networks and prevent cybercrimes from happening in the first place. Among other things, she reported that the new DOJ Cybersecurity Unit has broken new ground, including recently releasing well-received guidance called “Best Practices for Victim Response and Reporting of Cyber Incidents,” which we discussed in a blog post earlier this month, and made the case for why businesses should not take defensive measures such as “hacking back” against attackers in an effort to punish an attacker or to retrieve or delete stolen data.

Caldwell summed up the Division’s legal position on hacking back: “based on a simple, plain-text reading of the Computer Fraud and Abuse Act, such conduct is generally unlawful.” If that were not reason enough, she explained, businesses should still avoid hacking back for these legal, policy and practical reasons:

  1. Hacking back tactics pose a significant threat to innocent third parties whose infrastructure may be hijacked by cybercriminals, in order to more easily commit crimes and to mask the hacker’s identity during subsequent investigations;
  2. Hacking back can interfere with and irreparably harm ongoing government investigations;
  3. Hacking back carries the danger of dramatic escalation against unknown and potentially sophisticated adversaries who may have powerful and destructive technical capabilities;
  4. Such activities may be illegal in foreign jurisdictions;
  5. Hacking back may have serious effects on international relations and could have foreign policy consequences; and
  6. There is a low likelihood that such activities would be beneficial and yield anything other than the momentary pleasure that comes with taking action.

Caldwell’s points are well taken. From our perspective, one of the best ways for a company to prevent, detect, respond to, remediate, survive and even thrive following a cyberattack is to have in place an effective Incident Response Plan that has been tested, adapted and improved over time to reflect changing technology, business circumstances and emerging threats to the organization. Companies that want to incorporate strategies for hacking back into their plans should carefully consider the legal and practical risks and consult with legal counsel prior to taking any action.
