
Cybersecurity

SEC Chair Asks Staff to Review Cybersecurity Disclosure Practices at Urging of Senator Rockefeller

May 13, 2013 | Posted by Bruce Sarkisian | Topic(s): Cybersecurity, Senate, Regulation

In a letter responding to a request by Senator Jay Rockefeller (D-WV), Chairman of the Senate Commerce Committee, Chairman Mary Jo White of the U.S. Securities and Exchange Commission (SEC) stated that she has asked her staff for a briefing on the efficacy of the SEC’s 2011 staff guidance on cybersecurity disclosures, overall compliance with the guidance and any recommendations regarding further guidance in the area of cybersecurity. The 2011 staff guidance urges public companies to disclose in their SEC filings descriptions of specific cybersecurity threats faced by the companies and the steps they are taking to mitigate them.

Sen. Rockefeller had written to White on April 9 to ask the just-confirmed SEC Chair to “elevate” the 2011 guidance and issue it at the Commission level as well. In his letter, Rockefeller posited that the staff guidance had had a positive impact on information available to investors, but “the disclosures are generally still insufficient for investors to discern the true costs and benefits of companies’ cybersecurity practices.”

Written by Bruce Sarkisian, Associate, Technology, Privacy & IP Transactions | Alston & Bird LLP

WATCH: Kim Peretti Interviewed by BankInfoSecurity.com on $45 Million Heist

May 10, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s Security Incident Management and Response Team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, was interviewed by BankInfoSecurity.com, where she discussed the cyber heist scheme that involved $45 million withdrawn from ATMs worldwide.

Peretti offered insights, lessons learned from global cash-out schemes and security tips for targeted organizations.

Visit BankInfoSecurity.com to watch the video of Peretti’s interview.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Kim Peretti Quoted in The New York Times

May 9, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s Security Incident Management and Response Team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, was quoted in The New York Times article, “In Hours, Thieves Took $45 Million in A.T.M. Scheme.”

Ms. Peretti said the significance in this data breach is that they are manipulating the financial system to be able to change these balance limits and withdrawal limits. “When you have a scheme like this, where the system can be manipulated to quickly get access to millions of dollars that in some sense did not exist before, it could be a systemic risk to our financial system.” 

View the complete article: "In Hours, Thieves Took $45 Million in A.T.M. Scheme"

Written by Security Incident Management & Response Team | Alston & Bird LLP

ALI-CLE Program, “The Top Five Data Security Threats in 2013: Knowing and Understanding the Legal Risks”

April 30, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Cybersecurity, Data Breach, Cybercrime

On May 17, 2013, Kim Peretti will serve as planning chair and Todd McClelland will be a featured speaker in the program entitled “The Top Five Data Security Threats in 2013: Knowing and Understanding the Legal Risks,” by ALI-CLE. Data security remains the elephant in the room for many corporate legal departments, law firms and outside counsel. Everyone knows that concern about data security is warranted, but many still do not entirely comprehend the risks, what resources are needed to protect against them, or how to handle liabilities resulting from breaches. Moreover, even if you appreciate the legal aspects of your data security needs, you may struggle to keep your policies and procedures current because of rapid changes in technology.

The following topics will be discussed during the program.

  • National cyber security concerns
  • Evolving cyber threat landscape
  • Mobile devices in the workplace (BYOD)
  • Data security in the cloud
  • Employee training and awareness

To register, please click here.

Written by Security Incident Management & Response Team | Alston & Bird LLP

FERC Seeks To Mandate Electric Utilities Implement Specific Cybersecurity Protections

In the newly proposed version of the Critical Infrastructure Protection (“CIP”) Reliability Standards, the Federal Energy Regulatory Commission (“FERC”) is seeking, for the first time, to create mandatory cybersecurity protections for the bulk electric system (“BES”), which includes electric utilities. The new standards would classify each BES Cyber System as Low, Medium or High Impact based on how severely a cyber attack on a given system would affect the national power grid. For each classification tier, the new CIP standards would require varying but specific levels of cybersecurity protection. It is important to note that any system considered a BES Cyber System will at a minimum be classified as Low Impact. BES Cyber Systems are defined as groupings of BES Cyber Assets, which in turn are defined as “Asset[s] that if rendered unavailable, degraded, or misused would, within 15 minutes of its required operation, misoperation, or non-operation, adversely impact one or more Facilities, systems, or equipment, which . . . would affect the reliable operation of the Bulk Electric System.” The new rule was proposed by the North American Electric Reliability Corporation (“NERC”) and would constitute CIP version 5 standards. CIP version 3 standards are currently in effect, and the proposed rule would essentially leapfrog the CIP version 4 standards that were set to become mandatory in April, 2014. CIP version 4 standards would not have reached those Cyber Systems that will be classified as Low Impact under the new CIP standards.


Cyber Alert: Breach Investigations, Part 2 – Understanding the Role of the PFI in Payment Card Breaches - Law360 Article by Kim Peretti

This article is the second in a four-part series describing some of the challenges to conducting breach investigations in response to increasingly sophisticated attacks. In Part 1, entitled Right-Sizing the Data Breach Investigation and published with Law360 on March 26, 2013, we provided an overview of the evolving advanced cyber threat landscape and the three common breach response scenarios (internal investigations to fix technical problems, investigation to assess payment card exposure, and investigations to determine compliance with state data breach notification statutes). This Part II takes a closer look at responses involving payment card breaches—both because of their unique nature and their potentially grave implications.

Please click the following link for a full version of Understanding the Role of the PFI in Payment Card Breaches.

Written by Jim Harvey, Partner, Privacy & Data Security | Alston & Bird LLP

Alston & Bird’s Kim Peretti Quoted in Wall Street Journal Article

April 22, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s security-incident and management-response team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, was quoted in the Wall Street Journal article, “U.S. Eyes Pushback On China.” U.S. officials view that strategy [indictment] as a way to establish a deterrent. China likely wouldn't turn over its citizens to the U.S. for prosecution, but U.S. authorities could ensure suspects would be unable to travel freely for fear of being turned over by a foreign government to U.S. law enforcement.

"It would be very significant, because it would be a first of its kind," said Kimberly Peretti, a former Justice Department prosecutor who handled cybercrime cases during eight years at the department until 2010. Indictments create leverage in diplomatic negotiations, because it is more difficult for the government to deny the problem when there is a specific legal action against an individual, she said.

Written by Security Incident Management & Response Team | Alston & Bird LLP

House Passes Updated CISPA Cybersecurity Legislation With Broader Bipartisan Support After Privacy Amendments Adopted

April 18, 2013 | Posted by Jeff Sural and Paul Martino | Topic(s): US Congress, Legislation, Marketing, Data Security, Cybersecurity, Privacy, House of Representatives

Today the House voted 288-127 to pass the Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624. The bill passed by a wider margin than last Congress, with 92 Democrats voting in favor of H.R. 624. Several amendments regarding privacy concerns were adopted. Ranking Member Dutch Ruppersberger (D-MD) stated after the vote “CISPA recognizes that you can’t have true security without privacy, and you can’t have privacy without security. This bill effectively works to protect both.”


House Intelligence Committee Approves Bipartisan Cybersecurity Legislation with Privacy and Civil Liberties Amendments

Yesterday afternoon the House Permanent Select Committee on Intelligence marked up H.R. 624, the Cyber Intelligence Sharing and Protection Act (CISPA), which was introduced in February. The bill passed the Committee by a vote of 18-2 after the approval of six amendments.

Ranking Member Dutch Ruppersberger (D-MD) praised the “collaborative effort” on improving privacy and civil liberties, while Chairman Mike Rogers (R-MI) noted the amended bill will help American businesses protect their networks from “cyber looters” while improving the cybersecurity marketplace, and without imposing unfunded mandates or additional federal regulation on the private sector.

Written by Jeff Sural, Counsel, Legislative & Public Policy | Privacy & Data Security | Alston & Bird LLP

Kim Peretti Interviewed by Fox Business on Cybercrime Prosecution

April 12, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

On April 11, Alston & Bird’s Kim Peretti was interviewed by Fox Business on the prosecution of cyber criminals. In the video interview entitled, “Cyber Conundrum: Prosecuting Hackers,” Peretti discusses:

  • Prosecution roadblocks to bringing foreign and domestic hackers to justice.
  • Primary categories of actors in the hacker world: hacktivists, state sponsored groups and global criminal hacking organizations.

View Kim Peretti's interview by Fox Business.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Alston & Bird Seminar/Conference Call, “Nuts, Bolts, and Latest Developments in Cyber and Privacy Investigations"

April 11, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Cybersecurity, Data Breach, Cybercrime

On Wednesday, April 10, Security Incident Management & Response Team Co-Leaders Kim Peretti and Jim Harvey hosted the panel discussion “Nuts, Bolts and Latest Developments in Cyber and Privacy Investigations” in Alston & Bird’s Washington, D.C. office. They were joined by cybersecurity and cybercrime experts from the government and private sector to discuss the latest developments in the area of cyber and privacy investigations. The experts shared perspectives on behind-the-scene mechanics in conducting effective and efficient investigations, especially those that result from sophisticated threat actor activity.

In addition to the D.C. attendees, the presentation drew over 200 attendees from across 25 states who participated in this lively presentation via conference call.

If you are interested in participating in future events and would like to be added to our email distribution list, please send an email indicating your request to.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Alston & Bird’s Kim Peretti Appears on Fox News

April 11, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s security-incident and management-response team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, appeared on Fox News to discuss prosecuting cyber criminals.

To view the video, please click Peretti Appears on Fox News.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Alston & Bird’s Kim Peretti quoted in Wall Street Journal Article

April 1, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

Kim Peretti, co-chair of the firm’s security-incident and management-response team and former senior litigator for the Justice Department's Computer Crime and Intellectual Property Section, was quoted in the Wall Street Journal article, “Law Firms Tout Advantage of Secrecy in Cyberbreach Investigations.” Ms. Peretti said the practice is among the first at a major law firm that is dedicated to data-breach investigations and she expects the firm's competitors to follow suit.

"While forensic firms still get most of the work, and are hired by law firms, the need to establish attorney-client privilege has led companies to turn to law firms," she said.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Cyber Alert: Breach Investigations, Part 1: Right-Sizing the Data Breach Investigation – Law360 Article by Kim Peretti

April 1, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Security Breach, US State Law, Data Security, Cybersecurity, Data Breach, Cybercrime

In the age of targeted intrusions, sophisticated criminal and nation-state actors are often compromising hundreds of systems within a single company’s environment. However, companies are often only seeing a small portion of the entire incident, as their response to such invasions can be, and often is, too narrowly shaped by state security breach notification requirements, industry rules governing payment card breaches and the absence of a direct legal obligation requiring a more comprehensive review. If a company has a less-than-complete understanding of the nature and scope of the intrusion, it could be exposed when the criminals revisit the enterprise for further exploitation or when regulators and class-action plaintiffs begin probing into details of the company’s response. Please click the following link for a full version of Cyber Alert: Breach Investigations, Part 1: Right-Sizing the Data Breach Investigation.

Written by Security Incident Management & Response Team | Alston & Bird LLP

U.S. Secret Service Issues Advisory on Attacks Targeting Prepaid Debit Account Payment Processors

March 21, 2013 | Posted by Kimberly Peretti | Topic(s): Data Security, Cybersecurity, Data Breach, Cybercrime

After observing a noticeable increase in sophisticated attacks targeting payment processors of prepaid debit accounts in which criminals are able to manipulate balances of accounts and/or fraud prevention controls, the United States Secret Service released an Industry Advisory on March 15, 2013. The Advisory outlines several “macro” and “prepaid platform specific” strategies that payment processors should take to mitigate the risk of such attacks occurring on their systems.


Kim Peretti Discusses “Cyber-Rattling” on MSNBC’s UP w/ Chris Hayes

February 23, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Cybersecurity, Privacy

Kim Peretti, co-lead of the Security Incident Management & Response Team, appeared on MSNBC’s UP w/ Chris Hayes on February 23, 2013, joining in a debate on cyberwarfare and cybersecurity.

Click here to view the video.

Written by Security Incident Management & Response Team | Alston & Bird LLP

Chairman Rogers and Ranking Member Ruppersberger Reintroduce Cyber Intelligence Sharing and Protection Act (CISPA)

House Intelligence Committee Chairman Mike Rogers (R-MI) and Ranking Member Dutch Ruppersberger (D-MD) re-introduced the Cyber Intelligence Sharing and Protection Act (CISPA) this morning. The bill has been numbered H.R. 624.

In their press release, Chairman Rogers and Ranking Member Ruppersberger confirmed that this bill is identical to the version that the full House of Representatives approved by a bipartisan vote of 248-168 on April 26, 2012. The bill sponsors also noted that CISPA had 112 bipartisan cosponsors last Congress. As with all pending legislation in Congress, the start of the 113th Congress last month required the bill sponsors to reintroduce the bill in order to begin the Congressional consideration process again this session.


President Obama Signs Executive Order on Cybersecurity Measures

February 13, 2013 | Posted by Paul Martino | Topic(s): Online Privacy, The White House, Data Security, Cybersecurity, Privacy

Last evening, President Obama announced in his televised State of the Union Address to Congress that he had signed an Executive Order earlier in the day to direct federal departments and agencies to adopt and implement new cybersecurity initiatives for the purpose of protecting our nation’s critical infrastructure. A legislative response from Congress is anticipated as early as today and we will provide subsequent updates. Please see our Cyber Alert for additional information on the Executive Order in the format of responses to frequently asked questions. Additionally, the White House issued a Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience (which updates HSPD 7) to complement the Order. The press release on the Order and a fact sheet on the new PPD are linked below:

  • White House Cybersecurity Executive Order - Press Release
  • White House Cybersecurity Presidential Policy Directive - Fact Sheet

Written by Paul Martino and Todd McClelland, Partners, Security Incident Management & Response Team | Alston & Bird LLP

Alston & Bird Hosted Seminar/Webcast Entitled, “Nuts, Bolts, and Latest Developments in Cyber and Privacy Investigations"

February 12, 2013 | Posted by Security Incident Management & Response Team | Topic(s): Events, Cybersecurity, Data Breach, Cybercrime

On April 10, 2013, Alston & Bird will bring together cybersecurity and cybercrime experts from the government and private sector to discuss the latest developments in the area of cyber and privacy investigations. The experts will also share perspectives on behind-the-scene mechanics in conducting effective and efficient investigations, especially those that result from sophisticated threat actor activity. Please join us for this lively and topical discussion.


Singapore Amends Computer Misuse Act to Counter Cybersecurity Threat

On January 14, 2013, Singapore passed an amendment to the Computer Misuse Act (now renamed the Computer Misuse and Cybersecurity Act), which provided the government with additional authorities to prevent, detect and counter cyber attacks on critical infrastructure. Key aspects of this law include the ability of the government to direct a person or organization to take specific steps – including exercising certain powers under the criminal procedure code – with respect to preventing, detecting, or countering a cyber threat where the threat relates to certain types of critical infrastructure. Such broad authority could encompass directing companies to conduct “pre-emptive” strikes or other measures prior to the onset of an imminent cyber attack. Importantly, the law confers immunity from any civil or criminal liability resulting from fulfilling an obligation under the law, but also provides for criminal penalties for failing to comply.

