Alfredo Fernández focuses his cybersecurity practice on international trade and national security issues, with an emphasis on the aerospace and defense industries. His cybersecurity practice includes assisting clients on compliance with contractual requirements and regulatory standards, such as the NIST basic safeguarding requirements for federal contractors, and developing/implementing Systems Security Plans and Plans of Action and Milestones. Alfredo’s practice also covers assessments for internal/external risks to IP and export-controlled information. As needed, Alfredo guides clients through breach/crisis response as well as drafting voluntary disclosures of identified violations.

The Commerce Department’s Bureau of Industry and Security (“BIS”) recently published an advance notice of proposed rulemaking asking for public comment on criteria to identify “emerging technologies that are essential to U.S. national security,” for example because they have potential intelligence collection applications or could provide the United States with a qualitative intelligence advantage.

BIS is the federal agency that primarily oversees commercial exports. Over the summer, Congress passed the Export Control Reform Act of 2018 and authorized BIS to establish appropriate controls on the export of emerging and foundational technologies. Although by no means exclusive or final, BIS has proposed an initial list of areas that may become “emerging technologies,” including artificial intelligence/machine learning technology, brain-computer interfaces, and advanced surveillance technology, such as faceprint and voiceprint technologies. If BIS ultimately determines a technology will be subject to export controls, it will likely receive a newly-created Export Control Classification Number on BIS’s Commerce Control List and would require a license before export to any country subject to a U.S. embargo, including arms embargos (e.g., China).

The PGA of America was hit with a troublesome ransomware attack in August ahead of golf’s final “major” tournament of the season, the 100th PGA Championship at Bellerive Country Club in St. Louis, MO.  The hackers were successful in locking many of the organization’s digital marketing files (e.g., logos, banners) specifically designed for the centennial tournament as well as for the upcoming Ryder Cup international tournament.

Based on the ransom message from the hackers, the main goal of the attack was a quick payday in light of the disruption in the critical days leading up to a major (highly televised) event.  With the organization’s servers encrypted, the hackers provided a bitcoin address and a promise to provide a decryption key, but curiously did not request a specific ransom amount.  Although it is unclear if the PGA of America ultimately regained control of its compromised files or mitigated the issue with backup servers, it appears the organization resisted the option to pay the hackers and was able to get through the PGA Championship with virtually no material impact on players or fans.

Our take

This ransomware event is a reminder that all types of data and information are vulnerable to cyberattacks.  Although the creative designs for marketing purposes were not particularly sensitive from a privacy perspective, the business risks of losing access to important intellectual property were front and center.  It could have been much worse for the PGA of America, particularly in terms of crisis response costs, reputational harm and “re-work,” but thankfully, it gets to pick up its ball and move on to the next tee.

Back by popular demand, Attorney Alfredo Fernandez will conduct a CLE webinar entitled “Export Controls in the Cloud.” He will provide practical guidance on how to balance the risks and benefits of using cloud-based software and storage services with respect to export controls compliance.

As most high-technology industries continue shifting how they access and store data (e.g., from onsite servers to cloud-based resources), the compliance challenges also evolve. The use of cloud-based services presents a compelling upside, but companies must understand the impact on export controls and reduce the risk of violations. Because cloud technology is now burgeoning into the mainstream, the legal framework is still fluid and beginning to develop with limited government guidance.

The presentation will address:

  • The basics of cloud computing
  • Key definitions under the ITAR and EAR
  • Understanding the need for “end-to-end encryption”
  • Understanding how and where your data is “at rest”
  • Managing “access” and “potential access”
  • Key takeaways from available government and industry guidance

Speakers: Alfredo G. Fernández
When: June 13, 2018, 12:00 PM – 1:00 PM EDT
Where: Webinar

This CLE program has been approved in accordance with the requirements of the New York CLE Board for a maximum of 1.0 credit hour, of which 1.0 can be applied toward the Professional Practice requirement. This program is appropriate for both transitional and nontransitional attorneys.

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approves or accredits CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to one hour toward your annual CLE requirement in Connecticut, including zero hour(s) of ethics/professionalism.

On March 29, 2018, Under Armour disclosed a breach impacting 150 million users of its health and nutrition app, “MyFitnessPal.” The breach is thought to have occurred in February 2018 and resulted in potentially compromised email addresses, usernames, and hashed (scrambled) [1] passwords. According to Under Armour’s FAQs page, some accounts were protected by a weaker hashing technique (known as SHA1). Payment information and government-issued identifiers were not impacted by the breach. Under Armour is working with authorities and is in the process of notifying all users and encouraging them to change their passwords.

Our take

Although a large number of users were affected, this breach is likely not catastrophic for Under Armour. Its use of hashing to protect passwords and other personal information likely limited major impacts to accounts with hashed passwords, although the same may not be true for accounts that implemented the SHA1 technique. Similarly, important unique identifiers like birthdates and credit card numbers were not affected. This breach is a reminder that daily-use consumer apps remain vulnerable to breaches, even when managed and funded reasonably well by companies like Under Armour.

[1] Is anyone else hungry?