On November 29, 2016, the United States Environmental Protection Agency (EPA) announced the first ten chemicals it will prioritize for risk evaluation under the recent legislative amendments to the federal Toxic Substances Control Act of 1976 (TSCA). Asbestos has been included in EPA’s priority list. This portends that EPA may attempt to restrict or ban asbestos-containing products and/or their manufacture, importation, processing, or distribution in commerce through its authority under TSCA. Previous attempts by the agency to restrict or ban asbestos through rulemaking have been unsuccessful.

The issuance of the priority list was required by the Frank R. Lautenberg Chemical Safety for the 21st Century Act, which was signed into law by President Obama on June 22, 2016. The Act made significant changes to TSCA and required EPA to publish a list of 10 priority chemicals by December 19, 2016. According to EPA, these ten chemicals were selected based on multiple factors, including their prevalence as environmental contaminants, their widespread use, especially in consumer products, and their perceived or known hazards.

The issuance of EPA’s priority list triggers the requirement that the agency complete a risk evaluation for each of the ten chemicals within three years. These evaluations will determine whether the chemicals present an unreasonable risk to humans and the environment. If an unreasonable risk is found, EPA must take action to mitigate that risk within two years.

In general, TSCA authorizes EPA to require reporting, record-keeping and testing requirements, and restrictions relating to chemical substances and/or mixtures. It does not apply to certain substances, such as food, drugs, cosmetics and pesticides, which are separately regulated. With the Lautenberg Act, EPA now has the power to require safety reviews of all chemicals in the marketplace. This is a fundamental shift in the requirements and approach for addressing chemical safety under TSCA. EPA has stated that the amendments to TSCA will allow the government to better protect public health and the environment.

The TSCA amendments focus on risks to human health and the environment. A new health-based safety standard of review has replaced the former cost-benefit standard. If EPA determines that a chemical such as asbestos poses an unreasonable risk, it must promulgate use standards, and could further impose additional restrictions or even a ban on the entry of the chemical into U.S. commerce. In 1989, EPA banned asbestos and attempted to phase out its use by rule, but the rule was overturned on the grounds that EPA failed to provide an adequate justification for the complete ban. Corrosion Proof Fittings v. EPA, 947 F.2d 1201 (5th Cir. 1991).

The other nine chemicals on EPA’s priority list are subject to the same process and potential restrictions or ban as asbestos. They are: 1,4-Dioxane, 1-Bromopropane, Carbon Tetrachloride, Cyclic Aliphatic Bromide Cluster, Methylene Chloride, N-methylpyrrolidone, Pigment Violet 29, Tetrachloroethylene, also known as perchloroethylene, and Trichloroethylene. Notably, bisphenal A (BPA), the ingredient in plastic bottles that many companies have ceased using due to public concerns, was not included on EPA’s list, suggesting that the agency does not consider BPA a significant threat to the public.

Additional chemicals will be designated later for evaluation, including a group of 90 chemicals identified by EPA under the TSCA amendments. For each risk evaluation that EPA completes, TSCA requires that EPA begin another. By the end of 2019, EPA must be performing 20 chemical risk evaluations at any given time.

Additional information on the priority chemicals can be found on EPA’s website here. For additional information or legal guidance, contact Leslie G. Wolfe at (216) 928-2927 or lwolfe@walterhav.com. Leslie is an associate in Walter | Haverfield LLP’s Litigation Services Group.

What we’ve learned from the Sony Hack of 2014

November 24, 2014 marked one of the most devastating cyberattacks on a private corporation to date. The attack, which infiltrated the highest levels of Sony Pictures Entertainment (SPE), illustrates not only how vulnerable most companies are to hacking, but provides a strong case for why companies need to invest more robustly in IT security.

It was a Monday morning. As SPE employees turned on their computers, the horror began. Monitors displayed the frightful image of a skeleton bathed in red light over decayed faces of SPE executives, accompanied by sounds of gunfire. The message was that the Guardians of Peace had hacked SPE’s computers and would release sensitive information if its orders were not obeyed.

SPE management was blindsided. More than half of SPE’s 1,555 servers and 3,262 of SPE’s personal computers were wiped of all stored data and operational capability. Within an hour, most of the destruction was done. Only then did SPE’s IT personnel learn that the attack had been ongoing for months before showing itself, stealing the data it then destroyed that fateful morning. They learned the hackers accessed a “confidential” current audit of SPE’s entire computer network that they used as a roadmap to destruction against SPE. More than 47,000 social security numbers, medical records, salary lists and documents detailing intra-office affairs and unreleased movie scripts were leaked to public file sharing or piracy websites for free viewing and downloading.

Less than a month later, the FBI announced that North Korea was behind the hack. Investigations revealed that the government had issued threats against SPE because of the film “The Interview,” which focused on a plot to kill the North Korean leader. Since then, SPE has completely re-engineered its cybersecurity system, including updated protocols, equipment, employee training and firewalls. SPE’s damage and losses, much of which are uninsured, may well exceed $80 million. Contrast this with the casual remark of SPE’s lead IT officer made prior to the hack: “I will not invest $10 million to avoid a possible $1 million loss.”

Reports of other severe hacks dominate news headlines. From April to September 2014, Home Depot suffered a cyberattack that compromised 56 million credit and debit card numbers and some 53 million customer email addresses. Two months later, Partners Healthcare fell victim to a phishing expedition that stole 3,300 patient personal files (Phishing is a method of obtaining sensitive information by email impersonation). In January 2015, Anthem Blue Cross-Blue Shield lost personal information for more than 80 million consumers.

Even the Federal government is not immune. In June of this year the U.S. Office of Personnel Management revealed that personal data had been stolen for more than four million federal current and former employees. In August, the Internal Revenue Service admitted that a February 2015 hack, which mined data until it was discovered in May, stole data on almost three times the number of taxpayers than originally disclosed.

And it’s not just the U.S. government and large corporations that are targeted. It has been estimated that 71% of cyberattacks occur at businesses with fewer than 100 employees. The cost of such attacks can be extreme. The 2015 average cost of a data breach in the U.S. is approximately $217 per compromised record–up nearly 6% from 2014.

In this day of the Internet of Things, product developers are of concern as in January 2015, the Federal Trade Commission weighed in on data security for new products. The automotive industry offers a prime example of this need to consider cybersecurity in product development. Fiat Chrysler Automobiles NV recently recalled 1.4 million vehicles after researchers in product hacking showed an ability to a control a Jeep’s transmission (cutting engine power to wheels), stereo volume, windshield washers and wipers, air-conditioning and GPS, as well as disabling brakes, from a basement laptop 10 miles away. A 2015 U.S. Senate Report details vulnerability through some 50 separate electronic control units in internal vehicle computer systems. Even the cutting-edge Tesla Model S proved vulnerable to cyberattack at the August 2015 DEF CON hacker conference.

The devastating impact of these actual hacks, the potential damages from known hacking experiments and the lessons learned are a warning bell for executives. Those who believe data breaches are rare, or will not happen to them, are fooling themselves. With hacks now as common as a winter cold, the question is no longer “if,” but “when.” Any organization with an IT system needs to be sensitive to the potential of being hacked, and proactively act to protect itself. Indeed, it is predicted that increased cybersecurity project spending will exceed all other IT projects in 2015.

Of course, no protection plan is foolproof and no cybersecurity system is failsafe. Simple anti-virus personal security programs no longer effectively prevent any virus or worm infiltration but do act to decrease vulnerability and increase damage control. However, likelihood of a breach and the resulting damages can be diminished by taking responsible steps to secure one’s IT system.

What can be done? Consider the old axiom that “The surest defense is offense.” Applied to cybersecurity, it means management adopting a proactive position throughout the company, including a vigorous protection and response program incorporating active employee training and careful password protection, including multi-factor system access identifiers.

Management should also develop an Incident Response Plan (IRP) before a breach occurs. While no IRP will perfectly anticipate all issues stemming from a particular breach, it provides management a prospective look at IT vulnerability and the steps necessary to respond when the breach occurs. The IRP should also address notifications to send to third parties and government entities and, likely, the public. There currently is no national standard in the U.S., although legislation is proposed before the 114th Congress (2015-16).

Finally, the IRP must contemplate how to assess damage from the hack–from productivity to reputation loss, as well as direct costs incurred as the result of the breach. Preservation of data, chains of custody and documentation must be preserved, tracked and stored in a secure base.

This is no minor task. Rather, a comprehensive IT and data audit must be undertaken as the organization develops its IRP. Due to the comprehensive nature of this effort, it is critical that key leaders of the entity be involved in the decision making process. General counsel, as well as outside counsel familiar with cybersecurity issues, should be involved in development of the cybersecurity planning at the outset and particularly in the IRP process. For publicly held companies, this also means assuring board involvement.

Cybersecurity’s intellectual property focus is on the protection of trade secrets–customer/patient databases; personal information of customers, employees and vendors; product or service research and development; competitive product formulas, recipes and designs, computer algorithms, computer codes and any other of the vast array of valuable corporate treasure on hand. Much of this is “Bet the Company” types of information if breached.

Business owners–small and large–need to think like the bad guys and determine what attackers might want most. It could be intellectual property, trade secrets, customer lists, customer credit card information or perhaps a means to gain entrance into a larger client or customer. Assuming security codes are clean, it might make sense to outsource security operations to further protect small businesses.

Most important in minimizing the impact of a breach is the purchase of cyber-risk insurance for after-the-fact protection. Such insurance covers liability for exposing confidential information, payments for notifying customers of the breach, and providing customers with appropriate credit monitoring services. Policyholders cannot simply think the purchase of such insurance without more will protect them. For instance, IT service provider vendors must be evaluated to assure they meet appropriate cybersecurity practice standards required by insurers.

The lessons of the North Korean hack on SPE and the other examples mentioned above should stand for a long time. Unfortunately, too many companies share the same vulnerabilities as SPE, including lax and shoddy cybersecurity procedures, as well as a lackadaisical approach to employee training in cybersecurity issues. Hopefully, though, this high-profile hack job serves to open the eyes of business owners and motivates them to take preventative action.

Contact: Craig A. Marvinney