The Invisible Hijacker

Transcription:

The Invisible Hijacker: Cybersecurity in Aviation
Robert J. Williams, SCHNADER HARRISON SEGAL & LEWIS LLP

Overview
- Identify potentially susceptible aviation systems
- Applicable law
- Claims and defenses from leading civil actions
- Statutory requirements and standards
- Best practices

Overview
- Cyberattack is "malicious activit[y] aimed at computers or information systems." Congressional Research Report No. R43955, March 27, 2015
- Cybersecurity is "the process of protecting information by preventing, detecting and responding to attacks." National Institute of Science and Technology

Potentially Susceptible Systems
- Flight Controls
- External: Aircraft Communications Addressing and Reporting System (ACARS)
- Internal: Engine Indication Crew Alerting System (EICAS)

Flight Controls
- Chris Roberts: allegedly compromised onboard systems 15-20 times between 2011 and 2014
- Boeing 737-800, 737-900, 757-200 and Airbus A320

Flight Controls
- "He then connected to other systems on the airplane network after he exploited/gained access to, or 'hacked' the [In-Flight Entertainment] system. He stated that he then overrode code on the airplane's Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the 'CLB' or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights." Affidavit of Special Agent Mark Hurley (N.D.N.Y. No. 5:15-MJ-00154)

In-Flight Entertainment (IFE)
- Reported to be physically independent and separate from flight controls
- Not so fast:
  - Spoofing flight information, e.g., location, destination, speed, and altitude
  - Cabin lighting
  - Public address system

In-Flight Entertainment (IFE)
- Worse than a coffee shop:
  - Hotspots can be faked
  - Secure HTTP and VPN blocked
  - Compliant with Communications Assistance for Law Enforcement Act

Ticketing and Reservation Software and Apps
- At risk:
  - Credit/Debit card info
  - Name
  - Address
  - Date of Birth
  - Known Traveler Number

Internal or Back Office Systems
- Systems not intended for consumer or public access, such as production scheduling, inventory management, and human resources
- According to the FireEye, Inc. 2016 Report on Cyber Threats to the Aerospace and Defense Industries:
  - At least seven systems of an aerospace defense contractor were compromised by a China-based threat group in 2016
  - A different China-based threat group compromised more than 300 systems at an aerospace company for several years

Potentially Susceptible Systems
- Air Traffic Control: NextGen and Automatic Dependent Surveillance-Broadcast (ADS-B)

Air Traffic Control
- ADS-B: communications between aircraft and ground stations are... UNENCRYPTED

Air Traffic Control
- So what if it's unencrypted?
- With this equipment:
  - Universal software-defined radio peripheral (USRP)
  - RF amplifier
  - Antenna, and
  - Personal computer
- A hacker can:
  - Spoof an aircraft or multiple aircraft
  - Track an aircraft
  - Make an aircraft disappear/jam ADS-B transmissions
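All three capabilities listed above follow from ADS-B carrying no authentication, so a receiver cannot verify a report cryptographically; what a defender can do on the receiving side is check that each track is physically consistent over time. The following Python is an added example, not part of the presentation: the Report type, the thresholds and the sample reports are constructed assumptions, and the reports are taken as already decoded.

```python
"""Plausibility checks over decoded ADS-B position reports (added example,
not from the presentation). ADS-B carries no authentication, so a receiver
cannot verify a report cryptographically; it can only check that each track
is physically consistent over time. Sample data is constructed and the
thresholds are illustrative assumptions."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
EARTH_RADIUS_M = 6_371_000.0
MAX_GROUND_SPEED_MPS = 350.0  # assumption: ~680 kt, beyond any airliner
MAX_CLIMB_RATE_MPS = 40.0     # assumption: ~8,000 ft/min
MAX_REPORT_GAP_S = 30.0       # assumption: positions normally arrive ~2/s

@dataclass(frozen=True)
class Report:
    icao: str    # 24-bit ICAO address as hex
    t: float     # receive time, seconds
    lat: float
    lon: float
    alt_m: float

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))

def check_tracks(reports, end_time):
    """Return (icao, reason) anomalies. 'teleport': consecutive reports imply
    an impossible ground speed (e.g. a second transmitter reusing a real
    address). 'climb': impossible vertical rate. 'vanished': an airborne
    track stopped reporting long before end_time (jamming or dropped track)."""
    by_icao = {}
    for r in sorted(reports, key=lambda r: r.t):
        by_icao.setdefault(r.icao, []).append(r)
    anomalies = []
    for icao, track in by_icao.items():
        for prev, cur in zip(track, track[1:]):
            dt = max(cur.t - prev.t, 0.5)  # floor: nominal broadcast interval
            dist = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist / dt > MAX_GROUND_SPEED_MPS:
                anomalies.append((icao, "teleport"))
            if abs(cur.alt_m - prev.alt_m) / dt > MAX_CLIMB_RATE_MPS:
                anomalies.append((icao, "climb"))
        last = track[-1]
        if end_time - last.t > MAX_REPORT_GAP_S and last.alt_m > 1000:
            anomalies.append((icao, "vanished"))
    return anomalies

# Constructed sample: ABC123 flies steadily while a second transmitter at
# t=1.5 reuses its address 300 km away; DEF456 goes silent while airborne.
SAMPLE = [
    Report("ABC123", 0.0, 40.000, -75.0, 10000),
    Report("ABC123", 1.0, 40.002, -75.0, 10000),  # ~222 m in 1 s, plausible
    Report("ABC123", 1.5, 42.700, -75.0, 10000),  # ~300 km away: spoofed
    Report("ABC123", 2.0, 40.004, -75.0, 10000),
    Report("ABC123", 28.0, 40.056, -75.0, 10000),
    Report("DEF456", 0.0, 41.000, -74.0, 9000),
    Report("DEF456", 1.0, 41.002, -74.0, 9010),
]
```

Passive tracking leaves nothing for the receiver to detect; the checks only cover injected and suppressed reports, and the thresholds would need tuning against real traffic before use.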

Law Firms and Other Vendors to Aviation Industry
- Confidential communications with aerospace and aviation clients
- Retention of sensitive technical, commercial and personal data from aerospace and aviation clients

Article III Standing
- Elements: the plaintiff must have
  - Sustained an injury in fact,
  - That is fairly traceable to the challenged conduct of a defendant (causation), and
  - That is likely to be redressed by a favorable judicial decision.

Article III Standing
- Clapper v. Amnesty International, 133 S.Ct. 1138 (2013)
  - 2008 amendments to Foreign Intelligence Surveillance Act authorized surveillance of foreign nationals without showing of probable cause
  - Human rights group claimed increased cost and inconvenience in securely communicating with probable targets of surveillance
  - The Supreme Court held that plaintiff lacked standing, because a "highly attenuated chain of possibilities" does not satisfy the requirement that threatened injury must be "certainly impending."

Article III Standing
- Defendants in early data breach cases relied on Clapper to challenge plaintiffs' standing
- Arguments:
  - No injury because credit card liability was zero, if timely reported
  - No injury because many banks forgave charges and returned money to accounts
  - No impending injury from identity theft because too speculative
  - Under the foregoing circumstances, no redressability
- Early defense successes: Remijas v. Neiman Marcus Group, LLC; Lewert v. P.F. Chang's China Bistro, Inc.; and Galaria v. Nationwide Mutual Insurance Co.

Article III Standing: initial victories reversed
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)
  - 350,000 credit cards compromised, but no theft of DOBs or SSNs
  - 9,200 cards had fraudulent charges
  - Defendant offered one year of paid credit monitoring and ID theft protection
- Plaintiffs have standing:
  - Time and effort monitoring for fraudulent charges, and fear of imminent identity theft, are concrete injuries that are not ameliorated by reimbursement
  - Neiman Marcus admits its customer data was compromised, so causation exists
  - Plaintiffs are vulnerable to future harm, so the claims are redressable.

Article III Standing: initial victories reversed
- Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016)
  - Debit and credit card data stolen from 33 restaurant locations
- Plaintiffs have standing:
  - Once again, fraudulent charges are an injury, even if subsequently reversed
  - Plaintiffs dined at the locations from where data was stolen, so causation is met
  - Judgment would compensate plaintiffs

Article III Standing: initial victories reversed
- Galaria v. Nationwide Mutual Insurance Co., No. 15-3386 (6th Cir. 2016)
  - 1.1 million customers' names, DOBs, marital statuses, genders, occupations, employers, SSNs and driver's license numbers were stolen
  - Nationwide offered one-year subscriptions for credit monitoring and $1 million in identity theft coverage
  - Nationwide refused to pay fees for credit reporting agencies to activate and deactivate new account freezes
- Plaintiffs have standing:
  - Court follows Neiman Marcus and P.F. Chang's
  - "There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals."

Negligence
- Common allegations:
  - Defendant breached the duty to exercise reasonable care in obtaining, retaining, securing, safeguarding and protecting personal financial information
  - Defendant breached a duty to promptly notify plaintiff of data breach
- Common defense: economic loss doctrine/rule; plaintiff cannot recover purely economic loss in tort, without personal injury or property damage
- Result:
  - Varies widely from state to state
  - Reformation to negligent misrepresentation: In re Zappos.com, Inc., No. 12-cv-325 (D. Nev. 2016)

Breach of Contract
- Express contract: rare, but when it exists, dependent upon terms
- Implied contract:
  - More common
  - Where alleged or allowed to proceed, often question of fact for jury, e.g., In re Target Corp. Customer Data Security Breach, 66 F. Supp. 3d 1154 (D. Minn. 2014)
  - Varies greatly from state to state

Unjust Enrichment
- Common allegations:
  - Cost of data security is included in sales price; consequently, data breach means the vendor received a benefit without providing something in return (the "overcharge" theory)
  - Plaintiff would not have transacted business with defendant, had he or she known about inadequate data security (the "would not have shopped" theory)

Unjust Enrichment
- Result:
  - Varies widely from state to state
  - Where sales price is the same for cash and credit card purchases, the overcharge theory fails as a matter of law, e.g., In re Target and In re Barnes & Noble Pin Pad Litigation, No. 12-cv-8617 (N.D. Ill. 2016)
  - If the consumer received any product or service, no unjust enrichment claim exists, e.g., In re Zappos.com

State Consumer Protection Statutes
- For example, the following conduct violates the Michigan Consumer Protection Act:
  - Representing that goods or services are of a particular standard, quality, or grade, or that goods are of a particular style or model, if they are of another
  - Making a representation of fact or statement of fact material to the transaction such that a person reasonably believes the represented or suggested state of affairs to be other than it actually is
  - Failing to reveal facts that are material to the transaction in light of representations of fact made in a positive manner
- Mich. Comp. Laws § 445.903

State Consumer Protection Statutes
- Claims and results vary widely from state to state
- Highly dependent upon the text of the statute itself with respect to:
  - Standing
  - Actionable conduct
  - Available remedies

State Notice Statutes
- For example, the California Database Breach Act provides:
  "Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement... or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system." Cal. Civ. Code § 1798.82(a)

State Notice Statutes
- Claims and results vary widely from state to state
- Highly dependent upon the text of the statute itself with respect to:
  - Standing
  - Actionable conduct
  - Available remedies

Federal Statutes: Federal Trade Commission Act
- Section 5 of the FTC Act provides that "unfair or deceptive acts or practices in or affecting commerce... are... declared unlawful." 15 U.S.C. § 45(a)(1).
- FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).
  - FTC alleged that Wyndham's systems were compromised on three separate occasions between 2008 and 2010, resulting in disclosure of over 619,000 credit/debit card numbers and loss of more than $10.6 million
  - FTC alleged Wyndham liable for lax security practices
  - Wyndham challenged FTC's authority over data security and breaches
  - The court held that the FTC has the authority to commence and prosecute enforcement actions for inadequate data security

Federal Statutes: Cyber AIR Act
- Cybersecurity Standards for Aircraft to Improve Resilience Act of 2017
- Recently introduced by Senators Edward Markey and Richard Blumenthal
- Material provisions:
  - Airlines and OEMs would be required to disclose to the FAA any successful or attempted cyberattack on any system aboard an aircraft
  - DOT, DHS, FCC and National Intelligence Director would be required to collaborate on cybersecurity standards to be imposed upon holders of air carrier and production certificates
  - Mandatory isolation of aircraft software systems

Federal Statutes: Legacy Acts
- The original trifecta of cybersecurity:
  - 1996 Health Insurance Portability and Accountability Act (HIPAA)
  - 1999 Gramm-Leach-Bliley Act
  - 2002 Federal Information Security Management Act (FISMA)
- Not aviation-specific: healthcare, banking and federal agencies
- Mandate reasonable protection of systems and information

Federal Statutes: Recent Acts
- 2015 Cybersecurity Information Sharing Act (CISA): public-private partnership for sharing internet traffic information
- Cybersecurity Enhancement Act of 2014: variation on public-private partnership that includes workforce development and education
- Federal Exchange Data Breach Notification Act of 2015: requires health insurers to notify insureds of breach within 60 days
- National Cybersecurity Protection Advancement Act of 2015: authorizes government info sharing with additional entities

State Statutes
- In 2016, at least 28 states introduced new or additional cybersecurity legislation
- Mostly addressing consumer transactions, handling of public records and criminalization of misconduct
- Slightly more than half were passed
- www.ncsl.org/research/telecommunications-and-information-technology/cybersecurity-legislation-2016.aspx

Best Practices
- Comply with National Institute of Science and Technology standards

- Engage the experts

Best Practices
- Cultivate a culture of security
  - Email scams and phishing
  - External media storage devices
  - Personal electronic devices

Best Practices
- Have a plan and a "go team" to implement it
  - Recovery and restoration
  - Consequences
  - Notice

Questions?