2016 has been another busy year in the cybersecurity and data breach world. The Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR) were both adopted, and will bring about significant changes to how data breaches involving personal data must be managed when they take effect in 2018. The vote for Brexit has brought significant uncertainty, including as to what the United Kingdom's relationship with European bodies such as Europol will look like in future, although recent weeks appear to have brought some welcome clarity in that area.
2016 has seen a number of significant data breaches and, curiously, a number of breaches which took place several years ago (re-)enter the public domain, presumably as criminals have sought to maximise revenue by putting data they have been exploiting within a closed group on the wider market. Nation state actors, or those allegedly linked to nation states, have also been in the public domain in a more significant way than in recent years, although this is, in reality, a matter of what has been made public rather than an increase in such activity. We have seen the hacking of WADA and the DNC and the leak of information and emails obtained from each, allegations of attacks on electronic voting terminals in the US and further breaches of data relating to military personnel.
On the commercial side, the Yahoo breach of around 500,000,000 records is now top of the list of the biggest breaches in the public domain, and raises interesting questions as to who knew what, and when, in relation to its acquisition by Verizon. In the UK, TalkTalk was the subject of the largest fine handed down by the Information Commissioner's Office to date, with the monetary penalty notice detailing its significant failings. It has since estimated the total cost of the breach to be around £60,000,000, and has lost a significant number of customers as a result.
We expect companies to continue to struggle with identifying and taking appropriate measures to deal with cybersecurity risk in 2017, even with the scope for very significant fines for data breaches under the incoming GDPR looming large. This is a general theme which we do not deal with specifically here.
We expect 2017 also to include several 'mega-breaches' as companies and government bodies continue to struggle to understand, and to take appropriate steps to protect, their data assets. We expect due diligence on information security risk to move up the agenda on corporate acquisitions, and disputes between companies in the data management chain over loss of data and limitation of liability for data loss to increase. On the cybercrime side, we expect the volume of DDoS attacks to continue to increase (with associated ransom threats), and the ease of use of effective ransomware to mean that ransomware attacks will only increase, particularly against perceived easy targets which rely heavily on IT infrastructure, such as hospitals and education.
Cybersecurity risks in corporate M&A
2016 has emphatically reiterated the impact that cybersecurity issues may have on the M&A landscape. In particular, the Yahoo and TalkTalk data breaches illustrate the risks presented by cybersecurity breaches, both before and after an acquisition takes place.
On 22 September 2016, Yahoo issued a press release disclosing a data breach from 2014 affecting over 500 million account holders – right in the middle of the (then) $4.83 billion proposed acquisition by Verizon. Initially, Verizon remained quiet on the effect this would have on the deal, or at least on the price it would pay. However, Verizon has since given increasingly strong indications that the data breach will affect the transaction.
Ultimately, this is likely to come down to what representations were made by Yahoo, what was included in due diligence, and Verizon's contractual right to renegotiate the terms of the deal on the occurrence of an event having a material adverse effect. Alternatively, there may be a post-completion price adjustment mechanism in the acquisition documentation. It is not yet clear what remedy Verizon may have. However, the disclosure of the breach undoubtedly imposes significant commercial pressure on Yahoo, particularly where there now appears to be press reporting that some staff knew of the breach in 2014, if not the scale of it.
The Yahoo breach emphasises the risks that cyber breaches, even those that occurred a number of years ago, may present to corporate sellers. Looking forward, any seller with an online presence will need to consider carefully what representations and warranties it can make relating to security issues. Buyers will need to ensure that due diligence adequately deals with identifying cyber risk and, where necessary, should consider protecting their position through specific carve-outs and reservations in the deal documentation in the event that a cyber breach occurs or a previous breach is discovered.
2016 also saw a record monetary penalty of £400,000 issued by the Information Commissioner's Office (ICO) against TalkTalk for a data breach that traced back to its acquisition of the UK operations of Tiscali in 2009.
TalkTalk unknowingly acquired certain web pages as part of Tiscali's infrastructure, which provided access to an underlying database containing customer data. The database ran on an outdated version of MySQL, and the web pages were compromised by a relatively basic SQL injection attack; a fix for the vulnerability in that version of the database software had been publicly available for over three years. The two failings are distinct: SQL injection is a defect in how a web application builds its queries from user input, so patching the database would have limited what an attacker could do once inside, while writing the pages to pass user input as bound query parameters would have closed the injection itself.
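As an added illustration of the class of defect involved (this is example code written for this article, not drawn from the ICO's notice or from TalkTalk's or Tiscali's systems; the table, rows and payloads are constructed), the following Python shows a customer lookup that splices user input into the SQL text beside the same lookup written with a bound parameter. Run against an in-memory SQLite database, each injected payload returns every customer's record from the first version and nothing from the second.

```python
import sqlite3

# Constructed stand-in for a legacy customer database; schema, rows and
# payloads are invented for this example and are not TalkTalk's or Tiscali's.
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "Alice Example", "4111 1111 1111 1111"),
    (2, "bob@example.com", "Bob Example", "5500 0000 0000 0004"),
    (3, "carol@example.com", "Carol Example", "3400 0000 0000 009"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT, card TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    # The user's input is spliced into the SQL text, so a quote character in
    # it ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT name, card FROM customers WHERE email = '%s'" % email
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    # The value travels separately from the statement as a bound parameter;
    # the database treats it as data whatever characters it contains.
    sql = "SELECT name, card FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Two classic injection payloads: one makes the WHERE clause always true, the
# other appends a second SELECT and comments out the trailing quote.
TAUTOLOGY = "nobody@example.com' OR '1'='1"
UNION = "nobody@example.com' UNION SELECT email, card FROM customers --"


def demo():
    """Row counts returned for each payload by each version of the lookup."""
    conn = build_db()
    return {
        "vulnerable_tautology": len(lookup_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_union": len(lookup_vulnerable(conn, UNION)),
        "parameterised_tautology": len(lookup_parameterised(conn, TAUTOLOGY)),
        "parameterised_union": len(lookup_parameterised(conn, UNION)),
        "parameterised_legitimate": len(lookup_parameterised(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-26s %d row(s)" % (name, rows))
```

Parameterising the query closes the injection; it does not make an unpatched database safe, which is why the application code and the platform it runs on both need attention after an acquisition.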
TalkTalk attempted to argue against the penalty being issued, as it was not actually aware that it had acquired these web pages as part of the Tiscali acquisition. This argument was not accepted by the ICO or the Appeal Tribunal, both of which considered that TalkTalk should have identified that these web pages formed part of Tiscali's IT infrastructure.
The TalkTalk penalty emphasises the importance for corporate buyers of conducting thorough pre-transaction due diligence of a target business's cybersecurity profile and then, post-acquisition, grappling with the question of exactly what infrastructure and data has been acquired. Failure to do so may expose the buyer to future liability for inadequate security in systems it was not even aware of.
In 2017, we expect to see further M&A-related cyber issues emerging, including disputes between buyers and selling shareholders. The clear position, in the UK at least, is that lack of knowledge of what has been acquired, or of legacy problems, will not be an answer to regulatory action post-acquisition. Disputes as to whether selling shareholders should have known of the existence, or true scope, of a breach, or failed to include in SPA schedules IT or data assets which were then transferred and were the subject of a breach, are likely to be highly fact-specific and technical.
Terabit DDoS attacks to become more common
2016 saw, in rapid succession, several of the largest DDoS attacks seen to date, including one of around 600 gigabits per second against the investigative journalist Brian Krebs and one of around a terabit per second against the hosting provider OVH. Both used malware called Mirai, which differs to some degree from traditional DDoS malware. Rather than using a smaller number of computers or devices, each sending a large volume of data at the target, Mirai harnesses very large numbers of IoT devices such as internet-connected cameras, each generating a smaller volume of traffic. There has been significant criticism, with good reason, of the poor security of the devices used in the attacks. It is also estimated that only a small proportion of the potentially compromised devices have been used to date. There have also been a number of lower-profile (at least in the West) attacks which appear to be testing capability, including one reported to have knocked most of Liberia offline.
What this means in practice is that malware capable of delivering far larger DDoS attacks than have been seen previously is now freely available (the Mirai source code was published online at the end of September 2016), so the cost of 'buying' significant DDoS capacity is likely to fall. We have seen a notable increase in 2016 in enquiries as to their legal position from clients who have been subject to DDoS ransom threats. We expect these threats to increase in 2017. One trend in 2016 has been that where clients have not paid DDoS ransoms (and the significant majority of clients have not paid) the threatened attack has not materialised. This may change in 2017, and as more very high volume attacks are reported, businesses that rely on their online presence should review whether their existing DDoS protection is sufficient and, if it is not, the cost of buying additional capability.
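The practical consequence of the Mirai traffic shape for a defender is that controls which look for individual heavy senders stop working. The Python below is an added example written for this article (not code from Mirai, from any vendor's product, or from the attacks described above): it builds two constructed sets of flow records with the same aggregate volume, one from a few high-rate sources and one from many low-rate IoT-style sources, and measures how much of each a per-source rate limit would stop. The device counts and rates are invented and are far smaller than the 2016 attacks.

```python
from statistics import median

# Constructed flow summaries standing in for what a flow collector would export
# during an attack: (source, bytes_sent, duration_seconds). The two synthetic
# attack shapes below deliver the same aggregate volume; all values are invented.


def classic_botnet(sources=20, mbps_each=100.0, seconds=60):
    """Few compromised servers, each sending a lot: the traditional DDoS shape."""
    return [("srv-%d" % i, int(mbps_each * 1e6 / 8 * seconds), seconds)
            for i in range(sources)]


def iot_botnet(sources=2000, mbps_each=1.0, seconds=60):
    """Many compromised IoT devices, each sending a little: the Mirai shape."""
    return [("cam-%d" % i, int(mbps_each * 1e6 / 8 * seconds), seconds)
            for i in range(sources)]


def per_source_mbps(flows):
    """Average send rate in Mbit/s for every source seen in the flow records."""
    return {src: nbytes * 8 / secs / 1e6 for src, nbytes, secs in flows}


def summarise(flows):
    """Aggregate volume, number of distinct sources and the typical per-source rate."""
    rates = per_source_mbps(flows)
    return {
        "sources": len(rates),
        "aggregate_mbps": sum(rates.values()),
        "median_source_mbps": median(rates.values()),
    }


def share_blocked_by_per_source_limit(flows, limit_mbps):
    """Fraction of attack volume stopped by a rule that drops any single source
    sending faster than limit_mbps. The rule removes the whole of the classic
    attack and none of the IoT attack, where no individual source stands out."""
    rates = per_source_mbps(flows)
    total = sum(rates.values())
    blocked = sum(r for r in rates.values() if r > limit_mbps)
    return blocked / total


if __name__ == "__main__":
    for name, flows in (("classic", classic_botnet()), ("iot", iot_botnet())):
        print(name, summarise(flows),
              "blocked by a 10 Mbps per-source limit:",
              share_blocked_by_per_source_limit(flows, 10.0))
```

The aggregate is identical in both cases, but the median per-source rate differs by two orders of magnitude; that is the signal to look for when judging whether existing protection, which may have been sized and tuned for the classic shape, is still sufficient.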
The new PCI DSS – lessons to be learned going forward
From 31 October 2016, the latest revision of the Payment Card Industry Data Security Standard (PCI DSS), "Release 3.2", has been in effect, with the previous version 3.1 retired on that date. Many of the new requirements are considered 'best practice' until 31 January 2018, after which they become mandatory.
Release 3.2 provides a number of revisions to PCI DSS that may help businesses understand not just the technical measures they should be putting in place, but also their overall approach to protecting against cybersecurity threats going forward.
For example, the new Requirement 8.3 sets out far more detailed requirements for securing remote access to business networks, and replaces 'two-factor' with 'multi-factor' authentication. Under the previous standard, businesses were only required to implement two-factor authentication for remote access to the sections of the network containing payment information (for example, a password plus a one-time code from a hardware token or phone app; note that a password and a PIN are both 'something you know' and together do not make two factors). However, attackers were still able to compromise those sections by hacking the single-factor, non-PCI parts of the network and then working their way into the payment environment using compromised passwords.
Under the new standard, multi-factor authentication is required for all remote access into the network, unless the payment card information is held on a segregated subnet (the cardholder data environment) that requires multi-factor authentication for access both from inside the network and from outside it.
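The lateral-movement problem described above can be checked mechanically. The Python below is an added example written for this article, not part of PCI DSS or of any assessment tool: it models a network as segments (each flagged for whether it holds cardholder data, whether it accepts remote access, and whether that access needs MFA) and internal links (each flagged for whether crossing it needs MFA), then searches for any route by which someone holding only a stolen password could reach cardholder data. The three-segment network and its names are constructed; the two compliant configurations correspond to the two options in the paragraph above.

```python
from collections import deque


def single_factor_paths_to_cde(network):
    """Find routes by which an attacker holding only a password could reach a
    segment that stores cardholder data.

    A route starts at a segment that accepts remote access without MFA and
    proceeds only over internal links that do not require MFA. One shortest
    path is reported per entry point and reachable cardholder segment.
    """
    segments = network["segments"]
    hop = {}
    for src, dst, needs_mfa in network["links"]:
        if not needs_mfa:
            hop.setdefault(src, []).append(dst)

    paths = []
    for entry, props in segments.items():
        if not props["remote_access"] or props["remote_mfa"]:
            continue  # no remote entry here, or the entry already needs MFA
        queue, seen = deque([[entry]]), {entry}
        while queue:
            path = queue.popleft()
            here = path[-1]
            if segments[here]["cde"]:
                paths.append(path)
                continue
            for nxt in hop.get(here, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
    return paths


def meets_remote_access_rule(network):
    """True when no single-factor route into cardholder data exists."""
    return not single_factor_paths_to_cde(network)


def make_network(corp_remote_mfa, cde_link_mfa):
    """Constructed three-segment network (names invented): a corporate LAN with
    VPN access, a DMZ, and a 'cde' subnet holding cardholder data. The cde
    subnet always demands MFA for access from outside; the flags set whether
    corporate VPN access demands MFA and whether internal hops into cde do."""
    return {
        "segments": {
            "corp": {"cde": False, "remote_access": True, "remote_mfa": corp_remote_mfa},
            "dmz": {"cde": False, "remote_access": False, "remote_mfa": False},
            "cde": {"cde": True, "remote_access": True, "remote_mfa": True},
        },
        # (from_segment, to_segment, mfa_required_for_this_hop)
        "links": [
            ("corp", "dmz", False),
            ("dmz", "cde", cde_link_mfa),
            ("corp", "cde", cde_link_mfa),
        ],
    }


# The pre-3.2 posture described above: MFA only at the cardholder boundary from outside.
LEGACY = make_network(corp_remote_mfa=False, cde_link_mfa=False)
# Option 1 under Requirement 8.3: MFA for all remote access into the network.
ALL_REMOTE_MFA = make_network(corp_remote_mfa=True, cde_link_mfa=False)
# Option 2: cardholder data on a segregated subnet with MFA internally and externally.
SEGMENTED_CDE = make_network(corp_remote_mfa=False, cde_link_mfa=True)

if __name__ == "__main__":
    for label, net in (("legacy", LEGACY), ("all remote MFA", ALL_REMOTE_MFA),
                       ("segmented CDE", SEGMENTED_CDE)):
        print(label, "compliant:", meets_remote_access_rule(net),
              "single-factor paths:", single_factor_paths_to_cde(net))
```

Against the legacy layout the search returns the route corp to cde, which is exactly the password-only pivot the new requirement is designed to remove; both compliant layouts return no route.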
Release 3.2 also significantly increases the security monitoring requirements placed on payment card service providers through the new Requirement 10.8, which requires a process for the timely detection of, reporting of and response to failures of critical security controls (such as firewalls, intrusion detection, anti-virus and audit logging).
PCI DSS does not apply to all businesses equally. The requirements themselves apply to any business that stores, processes or transmits cardholder data; what depends largely on the volume of payments a business processes is its compliance level and how it must validate compliance, from an annual on-site assessment for the largest merchants to a self-assessment questionnaire for smaller ones. Regardless of level, businesses may find it helpful to use the detailed requirements set out in Release 3.2 as a baseline for implementing adequate data security measures going forward into 2017.