TK Data Privacy and Cybersecurity Blog

Posted by Timothy E. Hudson and Madeline Tansey

In a recent press announcement, the U.S. Food and Drug Administration (FDA) released a statement informing healthcare providers, patients, and medical device manufacturers about a set of cybersecurity vulnerabilities that could expose medical devices and hospital networks to serious risks.^[1] This set of vulnerabilities, referred to as “URGENT/11,” consists of a set of 11 network flaws that researchers from the enterprise security firm Armis discovered.^[2] Though the FDA has not yet received any reports of hackers exploiting these vulnerabilities, it has begun efforts to proactively protect the public from the threats URGENT/11 poses to the healthcare system.

            The problem dates back to the early 2000s, when software firms began implementing transmission control protocols and internet protocols (“TCP/IPs”), which are sets of rules and procedures that allow devices to connect to wireless networks. Around this time, Interpeak, a Swedish software firm, created its own TCP/IP network protocol called “IPnet” and sold it to a variety of customers that manage operating systems. These customers then incorporated the IPnet software into their operating systems, which enabled them to link medical devices to the internet and central device networks. Unfortunately, this integration occurred years before anyone discovered the flaws within IPnet that leave billions of medical devices susceptible to hacking.^[3]

            The implications to the healthcare system of IPnet’s vulnerabilities are much broader—and more severe—than originally thought. According to Armis researchers, URGENT/11 can enable remote users to take down firewall protections and control devices connected to the internet or internal networks.^[4] Medical devices on an operating system that use IPnet are consequently vulnerable to these attacks, including MRI machines, patient monitors, anesthesia machines, and infusion pumps. For example, Becton Dickinson, a major medical device manufacturer, found its Alaris infusion pump was potentially vulnerable to hacker exploitation because it used the IPnet software.^[5] Researchers were able to exploit the infusion pump’s vulnerabilities, which caused it to crash and become unresponsive. This experiment demonstrated the critical nature of the URGENT/11 vulnerabilities and the direct impact on patient safety.

Though IPnet is an old protocol, many medical devices that still use the IPnet software “are critical devices, which go under a much longer period of development and approvals than consumer devices, and have significantly longer life cycles once in use,” said Ben Seri, Vice President of research at Armis. To combat this issue, the FDA has taken steps to disseminate information about which operating systems are affected and has made recommendations to ensure patient safety. Thus far, the agency has identified one or more versions of the following operating systems as vulnerable: VxWorks (by Wind River); Operating System Embedded (by ENEA); INTEGRITY (by GreenHills); ThreadX (by Microsoft); ITRON (by TRON); and ZebOS (by IP Infusion).^[6]

The FDA encourages medical device manufacturers to continue monitoring, reporting, and remediating the cybersecurity vulnerabilities. Medical device end users should contact manufacturers to determine whether their devices are impacted and whether those manufacturers have designed software patches to prevent device exploitation. For example, Armis and Wind River (a manufacturer for software used in medical devices) have worked to develop system patches for VxWorks versions that were released subsequent to version 6.5, such as VxWorks 653 and VxWorks Cert Edition.^[7] Additionally, device users can contact device manufacturers for mitigation techniques, such as the installation of a firewall recommended by Becton Dickinson to block remote attempts to exploit its devices.^[8]

While the FDA, Armis, and the Department of Homeland Security seek to resolve this issue, the FDA will continue to focus on informing those in the healthcare sphere about URGENT/11. As one FDA spokesperson noted, “Awareness is key because without it, industry cannot begin their risk assessment and mitigation activities.”

[1]See U.S. Food & Drug Admin., FDA informs patients, providers and manufacturers about potential cybersecurity vulnerabilities for connected medical devices and health care networks that use certain communication software (Oct. 1, 2019).

[2]Lily Hay Newman, Decades-Old Code Is Putting Millions of Critical Devices at Risk (Oct. 1, 2019).

[3]See Dennis Fisher, URGENT/11 flaws now affect broader range of medical, network devices (Oct. 3, 2019).

[4]See Armis, UPDATE: URGENT/11 affects additional RTOSs – Highlights Risks on Medical Devices (last visited Oct. 8, 2019).

[5]Fisher, supra.

[6]U.S. Food & Drug Admin., supra.

[7]Armis, supra.

[8]Newman, supra.

Posted by Tim Hudson

To kick off National Cybersecurity Awareness Month, the FDA released a statement regarding the agency’s continued emphasis on medical device cybersecurity. As cyber attacks have become more and more prevalent, the increasing number of medical devices connected to hospital networks creates a greater possibility that cyber criminals could exploit vulnerabilities in medical devices. Recognizing that medical device cybersecurity incident preparedness is fundamental to protect patients, the FDA announced new initiatives, updates, and collaborations.

To learn more, please click here to read Thompson & Knight's recent Client Alert, which provides an overview of the significance of cybersecurity awareness and preparedness for connected medical devices and practical tips and recommendations for protecting sensitive medical data and patient privacy in the digital age.

Posted by Paul Stafford

The U.S. Securities and Exchange Commission (“Commission”) states as its mission the protection of investors; the maintenance of fair, orderly, and efficient markets; and the facilitation of capital formation.  In furtherance of this mission, the Commission requires public companies to timely disclose information about the security of the public company’s cyber infrastructure and data, as well as information about material incidents and breaches that may affect shareholders’ investment decisions in those companies.  Consequently, the Commission has promulgated a series of cyber security pronouncements and documents, including the CF Disclosure Guidance: Topic No. 2 – Cybersecurity (“2011 Guidance”, Oct. 13, 2011) issued by the Commission’s Division of Corporation Finance (the “Division”), and the Commission Statement and Guidance on Public Company Cybersecurity Disclosures (“2018 Guidance”, February 26, 2018). The 2018 Guidance reinforces and expands upon the 2011 Guidance by providing “interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents”. 

When there is a “material cybersecurity risk or incident”, the Commission considers public companies to have a duty to disclose the material cybersecurity risk(s) or incident(s) to the Commission, and therefore to the public and the company’s investors and potential investors.  The Commission encourages companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack” (2018 Guidance, p.4), and believes that public companies should disclose “the most significant factors that make investments in the company’s securities speculative or risky” (2018 Guidance, p.13).   But what constitutes “timeliness” for purposes of cyber incident, breach, or risk disclosures to the Commission?  Although not a public company, can guidance as to the interpretation of “timeliness” be gleaned by examining was has occurred in most recent years in instances in which the government itself has been the subject of a cyber incident, breach, or risk?  Are these incidents instructive as to how the Commission may interpret timeliness within the cybersecurity context?

For instance, in June 2015, the U.S. Office of Personnel Management announced a data breach involving approximately 21.5 million records and approximately 4 million people, including Social Security numbers and detailed security-clearance-related background information.  The “data breach” involved two incidents.  The first incident was purportedly discovered on March 20, 2014 - over fifteen months before the announcement.  The second incident was purportedly discovered on April 15, 2015 - two months before the announcement.

In January 2016, the National Aeronautical and Space Administration (NASA) acknowledged a cyber breach of over 2000 NASA personnel, as well as flight logs and videos recorded by NASA aircraft.  In addition, the hackers were able to alter the flight path of a $222M NASA drone before the ground crew was able to restore the flight path by accessing the drone using satellites.  According to NASA, the hackers had been inside of NASA’s systems since 2013 – approximately three years before the announcement.

In February 2016, the Internal Revenue Service acknowledged a cyber breach of over 700,000 Social Security Numbers and other sensitive information occurring over a number of years through an online portal that permitted users to view their tax history.  The U.S. Justice Department also was breached in February 2016 with the publication of personal information for 20,000 FBI employees.  More recently, the FBI and Custom and Border Agents were among thousands of law enforcement personnel impacted by a breach involving the Advanced Law Enforcement Rapid Response Training (reported in June 2018).

It is undisputed that these public agencies are not subject to the regulatory and disclosure requirements of public companies.  It is also certainly arguable that these cyber incidents and breaches involving government entities and agencies may not have been widely publicized, and perhaps not announced in what some would consider a timely manner; however, in contrast, the Equifax breach became widely publicized on September 7, 2017 when Equifax announced that hackers had accessed data including Social Security Numbers and drivers license numbers and addresses for approximately 145 million Americans.  The cyber attack purportedly began in May 2017 and was detected in July 2017 – and was announced approximately two months later.   In the wake of Equifax’s disclosure, on September 20, 2017, the Commission issued a statement emphasizing the importance of cybersecurity and detailing the SEC’s approach to cybersecurity … as well as confirming a 2016 intrusion (purportedly discovered in August 2017) involving unauthorized access to the EDGAR test filing system, which is the system used by companies to make their legally required filings to the SEC – this after a July 2017 report released by the Government Accountability Office that found deficiencies in the SEC’s information systems.  Would the SEC’s cyber breach have become apparent and been announced but for the Equifax breach?

Understanding that the government is by the public and for the public but is not a “publicly held” company per se, it is evident that although the government may disclose cyber incidents, breaches, and risks when it deems appropriate after considerations of materiality, national security, and pragmatism, publicly-traded companies do not share this same deference in determining the timeliness of disclosures to regulatory or reporting bodies such as the Commission.  Accordingly, the interpretation of “timeliness” should be examined within other legal contexts, as well as within the Commission’s 2018 Guidance itself. 

For example, within the 14th Amendment constitutional desegregation context, timeliness is defined as “with all deliberate speed”, which was a purposefully vague and slow standard meant to ease the political and cultural ramifications of societal change. See Brown v. Board of Education II, 349 U.S. 294 (1955).

Within the context of the sale of previously occupied single-family residential real property, and pursuant to Section 5.008 of the Texas Property Code, the seller must timely disclose to the purchaser material facts and the condition of the property, known to the seller as of the date the notice (disclosure) is completed and signed by the seller.  This “seller’s disclosure” is legally interpreted as a representation rather than a warranty, with serious penalties and potential liabilities for misrepresentations.

And, within an insurance context, “timeliness” is often characterized by the standard form insurance language “as soon as practicable”.  In insurance cases alleging the breach of a material term by an insured, such as lack of notice in a policy, Texas courts have employed a “notice-prejudice” rule, which first examines whether notice was provided to the insurer, then examines when the insurer was provided notice, and finally examines whether a lack of what the insurer claims as “timely” notice in accordance with the “as soon as practicable” or other applicable standard form policy language resulted in prejudice to the insurer.  See PAJ, Inc. v. Hanover Insurance Co., 243 S.W.3d 630 (Tex. 2008) and Prodigy Communications Corp.  v. Agricultural Excess & Surplus Lines Ins. Co., 288 S.W.3d 374 (Tex. 2009).  Unless the court answers in the affirmative (i.e. – a finding of prejudice to the insurer due to lack of timely notice) the insured is determined not to have violated a material term of the insurance contract.  This creates an incentive on the part of the insured for timely notice (disclosure) of an occurrence (incident) to the insurer, but provides some protection to the insured from the subjectivity associated with an insurer’s unilateral determination of the term “timeliness” or the contractual phrase “as soon as practicable”. 

In contrast to desegregation jurisprudence, real estate sales contracts, and the insurance law context, the Commission has no such mechanism for determination of “timeliness” in disclosures pertaining to cyber incidents, breaches, or risks, instead employing a standard based on “expectations” placed upon public companies to determine when disclosure should occur.  So, as with “materiality”, a determination of the timing of disclosures to the Commission of cyber incidents, breaches, and risks is the responsibility of the public company, with the Commission and courts reserving the right to question the timing of disclosures as circumstances develop or additional facts and factors become known with the passage of time.  The Commission’s authority to exercise retroactive determinations of “timeliness” could reasonable lead to the invocation of a phrase famously stated in President George W. Bush's 2006 State of the Union Address,  “Hindsight alone is not wisdom, and second-guessing is not a strategy”. 

In the years since President Bush’s assertion, lots has occurred in the realm of cybersecurity, and hindsight and second-guessing have been refined to a legal art form.  For instance, the well-publicized cyber attacks (by Russian Federation hackers) on Yahoo included breaches in 2013 and in 2014. The 2014 breach, discovered in July 2016 and reported in September 2016, affected over 500 million Yahoo user accounts.   The August 2013 breach, discovered in July 2016 and reported in December 2016, was originally believed to have affected approximately 1 billion accounts; however, Yahoo later affirmed in October 2017 that the breach affected every Yahoo account that existed at that time – which is 3 billion accounts. In 2018, as a result of the 2014 breach, Yahoo agreed to pay a $35 million fine to the Commission as part of a settlement in the first enforcement action by the Commission for failure to timely disclose a cyber incident, breach, or risk. 

In hindsight, it is easy to inquire as to why the Yahoo of just a few year ago did not disclose the full nature of its cyber breach in a more timely manner; however, it is worth noting within this “timeliness” context that in January 2018, the U.S. Department of Homeland Security disclosed a cyber breach it discovered in May of 2017  involving the personal information for approximately 240,000 employees employed by DHS in 2014, as well as “subjects, witnesses, and complainants” associated with DHS Office of Inspector General investigations between 2002 and 2014. DHS did not begin notifying affected employees until November 2017, with DHA stating that this delay was due to “a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed.”  “The investigation was complex given its close connection to an ongoing criminal investigation,” a notice posted on the DHS website read. “These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.” 

In relying upon the Commission’s guidance of today, the Commission acknowledges (just as in the DHS example) that “some material facts may be not available at the time of the initial disclosure”, that a company “may require time to discern the implications of a cybersecurity incident”, and that the necessity of cooperating with law enforcement and any ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding the incident; however, the Commission states that “an ongoing internal or external investigation … would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident”(2018 Guidance, p.11).

In addition, and more specifically, 2018 Guidance, Note 15 references the NYSE Listed Company Manual Rule 202.05, which requires listed companies to “release quickly to the public any news or information which might reasonably be expected to materially affect the market for its securities.”  2018 Guidance, Note 15 also references Nasdaq Listing Rule 5250(b)(1), which requires listed companies to “make prompt disclosures to the public of any material information that would reasonably be expected to affect the value of its securities or influence investors’ decisions.”  2018 Guidance, p.19 states that  “A company’s disclosure controls and procedures should not be limited to disclosure specifically required, but should also ensure timely collection and evaluation of information potentially subject to required disclosure, or relevant to an assessment of the need to disclose developments and risks that pertain to the company’s businesses.”  And 2018 Guidance, p.11 states that, in accordance with Section 7 and 10 of the Securities Act: Sections 10(b), 13(a) and 15(d) of the Exchange Act; and Rule 10b-5 under the Exchange Act [15 U.S.C. 78j(b); 15 U.S.C. 78o(d); 17 CFR 240. 10b-5], “Where a company has become aware of a cybersecurity incident or risk that would be material to its investors, we would expect it to make appropriate disclosure timely and sufficiently prior to the offer and sale of securities and to take steps to prevent directors and officers (and other corporate insiders who were aware of these matters) from trading its securities until investors have been appropriately informed about the incident or risk.” 

The disclosure requirements in Commission Regulation S-K and Regulation S-X make no specific mention of cybersecurity risks and incidents; however, public companies must make every effort to adhere to the Commission’s reporting requirements, and may find guidance or specific instruction as to timeliness in the particular requirements for each category of report.  Examples include:  periodic reports, including Form 10-K annual reports, Form 10-Q quarterly reports (to be submitted every ninety days), and Form 20-F disclosures by foreign private issuers (within four to six months, depending on when the fiscal year ends); current reports, including Form 8-K (which require disclosure within four business days after discovery of a reportable condition) or Form 6-K reports (“promptly after the material contained in the report is made public”); and, Securities Act and Exchange Act obligations, including registration statements that (consistent with Section 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act) must adequately and timely disclose all material facts required to be stated therein or necessary to make the statements therein not misleading.

Accordingly, given the Commission’s Guidance, and the realities of commerce in a digital world, public companies must make every effort to develop policies, procedures, and protocols designed to comply with the Commission’s expectation of timeliness in the disclosure of material information, incidents, breaches, or risks.

Posted by Paul Stafford

The U.S. Government, through several agencies and in conjunction with state governments and international governing bodies, has assumed the duty to regulate and to facilitate various aspects of commerce in a matter that minimizes economic uncertainty and promotes fairness in the market. As part of the government’s regulatory “contract” with the public, investors, and potential investors, the U.S. Securities and Exchange Commission (“Commission”) states as its mission the protection of investors; the maintenance of fair, orderly, and efficient markets; and the facilitation of capital formation. To carry out this mission, the Commission requires public companies to disclose information about the security of the public company’s cyber infrastructure and data, especially personally identifiable information, as well as information about incidents, and breaches that are “material” and that may affect shareholder decisions about investing in those companies.

Consequently, the Commission has promulgated a series of cybersecurity pronouncements and documents, including the CF Disclosure Guidance: Topic No. 2 – Cybersecurity (“2011 Guidance,” Oct. 13, 2011) issued by the Commission’s Division of Corporation Finance (the “Division”), and the Commission Statement and Guidance on Public Company Cybersecurity Disclosures (“2018 Guidance,” February 26, 2018). The 2018 Guidance reinforces and expands upon the 2011 Guidance by providing “interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.” The 2018 Guidance also addresses two topics not developed in the Division’s 2011 Guidance: the importance of cybersecurity policies and procedures, and the application of insider trading prohibitions in the cybersecurity context to deter selective disclosures and to prevent directors, officers, and corporate insiders from trading in a public company’s securities while in possession of “material non-public information.” But what is “materiality”?

When there is a “material cybersecurity risk or incident,” the Commission considers public companies to have a duty to disclose the material cybersecurity risk(s) or incident(s) to the Commission, and therefore to the public and the company’s investors and potential investors. The Commission encourages companies to “take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack” (2018 Guidance, p.4), and believes that public companies should disclose “the most significant factors that make investments in the company’s securities speculative or risky” (2018 Guidance, p.13). Such interpretive guidance on the term “material” not only encourages companies to develop procedures for determining “materiality” for disclosures of actual risks and incidents, but also protocols for determining prospective risks. As the 2018 Guidance (p.11) states, “[T]he materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations,” and such information may include “personally identifiable information, trade secrets or other confidential business information, the materiality of which may depend on the nature of the company’s business, as well as the scope of the compromised information.”

The Commission’s 2018 Guidance (p.11) also states that “[T]he materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause,” with footnote 34 indicating that a company’s materiality analysis “should consider the indicated probability that an event will occur and the anticipated magnitude of the event in light of the totality of the company activity Basic v. Levinson, 485 U.S. 224, 238 (1988) (citing SEC v. Texas Gulf Sulphur Co., 401 F.2d 833, 849 (2d Cir. 1968))” and that within this analysis, “no ‘single fact or occurrence’ is determinative as to materiality, which requires an inherently fact-specific inquiry. Basic, 485 U.S. at 236.”

The Commission’s 2018 Guidance clearly illustrates that the legal construct of “materiality” is, by its nature, imprecise and flexible. The concept of “materiality” is contextual, requiring what the Commission terms a “tailored” approach (2018 Guidance, p.13) – and perhaps even, at times, subjectivity on the part of public companies based upon the factors, procedures, and protocols utilized in preventing and responding to cybersecurity incidents or in determining a company’s susceptibility to cybersecurity risks. Stated differently, for SEC purposes, an event that is material for one company may not be material for another.

Such subjectivity becomes more apparent when comparing and contrasting the disclosure obligations of the Commission with contract law or tort law principles. For example, the Restatement (2d) of Contracts Section 1 defines a “contract” as a “promise or set of promises for the breach of which the law gives a remedy, or the performance of which the law in some way recognizes a duty.” The determination of whether there is a breach is a question of law; however, a breach must be “material” to be actionable and compensable for foreseeable injuries or equitable relief. Some breaches are “material” as a matter of law (e.g., when a contract specifies that time is of the essence, failure to timely perform is a “material breach”); however, in most instances, the determination of whether a breach is “material” is a question of fact, and non-performance may be excused or damages may be awarded based upon a finding of materiality. As the court stated in Henderson v. Wells Fargo Bank, N.A., 974 F.Supp.2d 993, 1005, 1006 (N.D.Tex.2013), the question of whether a breach was sufficiently material to excuse a party’s performance under a contract is a question of fact for a jury to decide based on an analysis of the factors set out in the Restatement Second of Contracts 241 and 242. Accordingly, materiality in contract law is often determined by a finder of fact within a narrow context that considers performance, acts, and omissions precipitating the alleged material breach and tends towards a presumption of permitting the contract to survive and the contracting parties to perform.

By contrast, a determination of materiality within the context of disclosures to the Commission is the responsibility of the public company that is subject to the cyber risk(s) or incident(s), with the Commission and the courts serving as the ultimate arbiters (i.e., “finders of fact”) of the materiality of those cyber risk(s) or incident(s). The disclosure requirements in Commission Regulation S-K and Regulation S-X make no specific mention of cybersecurity risks and incidents; however, several of the requirements impose an obligation (i.e., “duty”) on public companies to disclose such risks and incidents depending on a company’s particular circumstances. Examples include: periodic reports, including Form 10-K annual reports, Form 10-Q quarterly reports, and Form 20-F disclosures by foreign private issuers; current reports, including Form 8-K or Form 6-K reports; and Securities Act and Exchange Act obligations, including registration statements that (consistent with Section 11, 12, and 17 of the Securities Act, as well as Section 10(b) and Rule 10b-5 of the Exchange Act) must adequately disclose all material facts required to be stated therein or necessary to make the statements therein not misleading. In addition to the information expressly required (or interpreted to be required) by Commission regulations, a public company is required to make a subjective determination and to disclose “such further material information, if any, as may be necessary to make the required statements, in light of the circumstances under which they are made, not misleading,” pursuant to Rule 408 of the Securities Act, Rule 12b-20 of the Exchange Act; and Rule 14a-9 of the Exchange Act. This interpretation of materiality regarding omissions is akin to the Texas Deceptive Trade Practices-Consumer Protection Act, Section 17.46 (b)(24), which addresses the “failure to disclose information concerning goods or services known at the time of the transaction if such failure to disclose such information was intended to induce the consumer into a transaction into which the consumer otherwise would not have entered had the information been disclosed.”

The Commission considers omitted information to be material “if there is a substantial likelihood that a reasonable investor would consider the information important in making an investment decision or that disclosure of the omitted information would have been viewed by the reasonable investor as having significantly altered the total mix of information available.” (This is the standard established by the U.S. Supreme Court in TSC Industries v. Northway, 426 U.S. 438, 449 (1976)). The Commission’s articulation of materiality of omitted (non-disclosed) information illustrates that when determining materiality the Commission adopts a less subjective, and perhaps arguably objective, approach.

So the inquiry as to “materiality” then becomes not only, “What is material?” but “Who is asking?” and “Who is determining?” Accordingly, through the Commission’s articulated 2018 Guidance, the determination of “materiality” within the context of disclosures to the Commission can be seen as subjective when determined by the public company and perhaps objective when determined by the Commission, particularly regarding omitted (non-disclosed) information. Consequently, and in contrast to a contractual, tort, or litigation context, in a public company’s continuing effort and duty to timely provide the Commission information available as to the company’s actual or potential cyber risk(s) and incident(s), public companies should consider determining and defining “materiality” more broadly when providing disclosures to the Commission.