Archives: Cybersecurity


Just at the end of 2015, the Cybersecurity Information Sharing Act (CISA) was enacted into law as part of the omnibus spending measure passed by Congress and signed by President Obama right before Christmas.  The legislation combines elements from the versions of CISA that passed the House in April of 2015 and the Senate in October.

Enactment of CISA was driven by the goal of clearing away some of the legal uncertainty and liability risk concerns inhibiting sharing of cybersecurity threat information. Cyber criminals are technologically proficient and constantly innovating, which means that protecting American enterprise networks, industrial control systems, and electronic information systems requires continued vigilance and innovation. There is broad agreement that the nation’s cyber defense posture could be greatly strengthened through more robust and timely sharing of cyber threat information both between the government and the private sector and between private companies themselves.   Continue Reading Happy New Year – Cybersecurity Information Sharing Act

As the year winds down, we look back with a mixture of nostalgia and queasiness on the major Health Insurance Portability and Accountability Act (HIPAA) events that defined 2015. Incredibly large data breaches became disturbingly routine, calling into question the ability of insurers and providers to protect their increasingly large troves of sensitive health information. We also saw the release of an Office of Inspector General (OIG) report that was highly critical of the Federal government’s ability to effectively enforce HIPAA, followed almost immediately by signs of more aggressive enforcement from the Office for Civil Rights (OCR), perhaps in response. We waited for commencement of the second round of HITECH-mandated audits, but it never came. As regulated entities prepare for a new year of regulatory challenges, we review the highlights — and lowlights — of HIPAA 2015, and prepare for what’s to come in 2016.

Massive Data Breaches

The year began inauspiciously, with one of the largest data breaches to ever hit the U.S. health care industry. We are, of course, referring to the theft of approximately 80 million personal records from health insurer Anthem Inc. The theft spanned over 14 states, and included names, birthdates, email addresses, Social Security numbers, and other personal data. The Anthem breach, however, was not an isolated incident. There were at least four other multi-million record data breaches affecting the health care industry in 2015, including:

Premera Blue Cross (11 million individuals affected)

Carefirst BlueCross BlueShield (1.1 million individuals affected)

UCLA Health (4.5 million individuals affected)

Excellus (10 million individuals affected)

One common thread throughout these breaches, beyond their sheer magnitude, is the inability of the entities to quickly identify and report the breach. For example, Excellus hired a security firm to conduct a forensic analysis of its computer system. The analysts concluded that their breach had occurred as early as December of 2013. UCLA Health faced similar delays in identifying their breach. One reason for this may be a result of another common thread: the advanced nature of the attacks. While not independently verified, a number of the affected entities have reported that the acts were “very sophisticated.” While the culprits of these mega-breaches have not been identified by name, many suspect state sponsorship of the attacks by China. Continue Reading HIPAA and Health Care Data Privacy – 2015 in Review

The years-long saga of the Federal Trade Commission’s suit against Wyndham Hotels over data breaches that occurred at least as early as April 2008 is finally coming to an end with a proposed settlement filed today with the court.  The original complaint, which is summarized in this post from 2012, alleged that Wyndham’s claims to use “standard industry practices” and “commercially reasonable efforts” to protect customers’ personal information were deceptive, and its actual practices unfair, in light of the company’s lax security practices.  Wyndham argued that the FTC lacks the authority to police data security practices, but in August 2015 the Third Circuit found against Wyndham, holding that the FTC’s authority to take action against a company’s unfair practices extends to enforcement of data security practices.

The proposed settlement, which is in effect for 20 years, reached between Wyndham and the FTC provides the first notice to companies of what they should expect from the FTC in the event of a data breach due to a failure to maintain reasonable data security standards.  The various settlement provisions are similar to those imposed in cases brought by the FTC over misrepresentations in privacy policies (as opposed to this case, which involved a suit over the laxity of the company’s actual data security practices).

Those provisions include Wyndham agreeing to undertake the following:

  • Establish a comprehensive information security program to protect credit card data, which must include risk assessments, reasonable safeguards, and regular monitoring for the next 20 years;
  • Conduct annual information security audits and independent assessments of its compliance with the Payment Card Industry Data Security Standard (PCI DSS) over the next 20 years;
  • Obtain certification from an independent certified assessor, before implementing any “significant change” to its data security practices, that the change would not cause it to fall out of compliance;
  • Provide all assessments to the FTC;
  • Keep the records relied on to prepare each annual assessment for three years; and
  • Submit to compliance monitoring by the FTC.

Notably, and different from the settlements of privacy-related cases, Wyndham will not be required to pay a fine.

The recent data breach of Hong Kong-based electronic toy manufacturer VTech Holdings Limited (“VTech” or the “Company”) is making headlines around the world for good reason: it exposed sensitive personal information of over 11 million parent and child users of VTech’s Learning Lodge app store, Kid Connect network, and PlanetVTech in 16 countries! VTech’s Learning Lodge website allows customers to download apps, games, e-books and other educational content to their VTech products; the Kid Connect network allows parents using a smartphone app to chat with their children using a VTech tablet; and PlanetVTech is an online gaming site. As of December 3rd, VTech has suspended all its Learning Lodge sites, the Kid Connect network and thirteen other websites pending investigation. Continue Reading Happy Holidays: VTech data breach affects over 11 million parents and children worldwide

To take a step back from our continuing analysis of the situation and developments in Europe, there are other things going on in the privacy and data security world!  Our October Wednesday Webinar is coming up and we will take a walk on the wild side: data security litigation.  Registration is open now! Continue Reading Wednesday Webinar: Tricks, But No Treats – A Halloween Visit to the Frightening World of Data Security Litigation

As reported on Friday in the Krebs on Security blog, online broker Scottrade had sent an e-mail to customers earlier that day stating that it recently had learned from law enforcement officials that Scottrade was one of a number of financial services companies that had been victimized by data thieves.  That very same day, the first class action complaint arising from the breach was filed in federal court in San Diego.  Given the haste of the filing, the complaint unsurprisingly offers little more than conjecture about what took place.  Plaintiff’s allegations parrot facts reported by Brian Krebs – that the breach was detected by government investigators, did not compromise or access Scottrade’s trading platform, and appeared only to have resulted in the theft of names and addresses, despite hackers apparently having had access to customers’ Social Security Numbers.  Thus, even though it was unclear whether Social Security Numbers had been stolen, Scottrade offered free credit monitoring to affected customers.  Beyond alleging that the breach occurred and that Scottrade’s credit monitoring offer provided inadequate relief, the complaint has nothing specific to say about the breach.  Instead, it speculates that Scottrade might have been targeted by the same hackers who stole data from J.P. Morgan in 2014 – itself an event discussed in the Krebs report on the Scottrade breach.  Plaintiff flatly alleges that Scottrade breached the industry standard of care in allowing the breach to occur, but does not allege precisely how Scottrade failed to meet that standard.

The threadbare complaint against Scottrade illustrates the pitfalls of trying to be a “first mover” whenever a data breach occurs.  Until more is known about how the breach occurred and how, if at all, it affected Scottrade customers, it will not be possible to allege a plausible theory under which Scottrade may be held responsible for the breach.

Contributed by William Kyrouz

William Kyrouz is Mintz Levin’s Chief Information Security Officer and our guest blogger.  His “views from the CISO” will be posted from time to time:

Putting your organization’s name in the paper can be a boon to both your business and your career.  The ego stroke isn’t bad either; it can be quite a jolt to see your name in a trade or general news publication for the first time.  Speaking with the press on information security, however, has unique pitfalls for you and your company if you are not prepared.

The Information Security field is all about mitigating risk, and this brief post will help you mitigate risk before you have that phone call with the Metropolis Business Journal.


Consult with your CISO, Counsel and PR Director (or equivalent)

Your Chief Information Security Officer (or closest equivalent) is going to have their fingers on the pulse of the latest security news – that’s part of their job.  If your interview might cover the latest breach in the news, your CISO may have greater insight into what happened and how it impacts your organization.  You should also ensure that you are both on precisely the same page in terms of security priorities and projects (and what you are comfortable sharing about them).

Counsel will help you navigate the close relationship between data security and the law; make sure that you understand how statutes and regulations impact your firm before speaking about them in public.  This is all the more important if your business covers multiple states or nations.

PR, your CMO or whomever speaks with the press regularly for your organization should be a close ally no matter the topic.  They know the lay of the journalistic land and know the professionals as compared to those that will mangle your quotes and misrepresent you to the world.  Even if you’ve had regular experience speaking to the media, make sure that you are in line with the PR policies and culture of your organization.


Do’s and Don’ts on Information Security Interviews

Do convey professionalism and try to stick to business-like language at all times.  Saying “Keeping all of our systems tracked and patched” sounds better than “Find all our stuff and patch it.”  It may be difficult to avoid using more casual language over the course of a long conversation, but when hitting your major points, do speak as if there are hundreds or more listening (because there are).

Do convey that you understand the risks to your business.  Whether it’s competition that wants your intellectual property or concerns about a malicious insider, you want your customers and business partners to know that you are on the case.  Avoid de-emphasizing risks, as this may make you appear uninterested in the topic and to be ignoring a potential hole in your security program.  Recently a CIO was quoted in an article saying that mobile device security was not a concern.  Perhaps that CIO had a solid mobile device management program and could track every bit coming and going from their iPhones, but the article did not read that way.

Don’t portray yourself as invincible.  This is a given; do not throw down the gauntlet and dare those who would otherwise ignore you to try to knock down your web site (or worse).

Don’t expose your weaknesses.  Are you a company of over 1,000 people that lacks a full-time person dedicated to the protection of your electronic information?  If so, a) you’re asking for trouble and may already have it, and b) you really don’t want to let the world know it.  Don’t publicly share critical pieces of your security infrastructure without serious thought about how that information might be used against you.  If there are entire elements of your security program that haven’t even been implemented (e.g. password policies, mobile device management, security awareness, vulnerability management, etc.), do not discuss them on the record with a journalist.

Don’t help perpetuate myths and stereotypes about information security.  Improving security doesn’t always mean spending the most (or any) money, or making things more difficult to get the job done.  Security documentation never needs to be endless tomes of legal and technical jargon.  We need to let our management know that we can be effective and judicious in our use of time, money and resources.  We are there to partner with and protect the organization, not (as was recently conveyed in an article by someone in a security role) to just encrypt everything we can and put extra passwords on our computers.


We’re all in this together

What you say may be used against you by putting not just your organization but your entire industry in a bad light.  While partnering with your industry peers is a topic for another article, know that you are being watched with Google Alerts and news services every time you appear in a blog or newspaper.  When you speak, make sure that you have a clear, concise and accurate message about information security being a top priority.

The SEC has announced a new round of cybersecurity inspections at broker-dealer and registered investment advisory firms.  If that’s not enough to catch your attention, just days after issuing the Risk Alert, the SEC censured and fined a St. Louis-based investment advisor for a failure to adopt written policies and procedures to ensure the confidentiality of personal information as required by law.  According to the SEC, that failure led to a breach of the personal information of 100,000 investors held by R.T. Jones Capital Equities Management, and resulted in a $75,000 fine.

Register now for our upcoming webinar — Wednesday, September 30 at 1 pm ET where the latest Risk Alert and enforcement action, along with other important developments, will be discussed by Mintz Levin’s Steve Ganis and Peter Day.

Another Cop on the Cybersecurity Beat: What to Do Before and After the SEC and FINRA Come Knocking

This webinar, the eighth in our Privacy series, will address regulatory compliance and risk management aspects of cyber attacks and data breaches at financial institutions and their service providers. Cybersecurity is one of the most significant issues facing the financial services industry — and vendors to financial services customers. Consequences of cyber attacks and data breaches are more costly than ever, and now the SEC and FINRA are conducting cybersecurity examinations. Enforcement actions are likely to follow. Meanwhile, the “fintech” revolution is radically and dramatically transforming how securities, banking, and money services firms collect, retain, protect, and monetize financial consumer data. Join us for guidance on crafting effective cybersecurity programs and insights into areas of likely cybersecurity focus uniquely critical for broker-dealers, investment advisers, and investment companies — intermediary and vendor due diligence, risk assessment, identity theft prevention, Gramm-Leach-Bliley safeguarding of customer information, referral and aggregator arrangements, suspicious activity monitoring, material nonpublic information protection, and front running prevention.


As always, the webinar is eligible for New York and California CLE credit.

It’s back to school time – time to put away the flip flops and beach chairs and settle back into the routine.   To help motivate you, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has announced a new round of cybersecurity examinations!   This comes on the heels of the SEC’s sweep exam of broker-dealers and registered investment advisers and the issuance of its February 2015 summary observations from that sweep.

Last month, our August webinar discussed third party vendor security management in a more general context, and how critical vendor management is to the overall cybersecurity health and resilience of your organization.  Over 500 people took a break on a beautiful August day to catch the webinar – if you missed it, click here to playback the webinar.

We had already planned our September topic — Another Cop on the Cybersecurity Beat: What to Do Before and After the SEC and FINRA Come Knocking —  but it is even more timely in light of last week’s OCIE announcement.

In this next round of OCIE examinations, the office will direct the testing at implementation of key controls and procedures, none of which will be surprising to regular readers of this blog.

  • Governance & Risk Assessment:  current processes tailored to the business with senior management and board involvement
  • Access Rights & Controls: controls across, within, and without the enterprise, including access tracking, credentialing, Bring Your Own Device (BYOD) and other issues
  • Data Loss Prevention:  patch management, system configuration, outbound communications, with special emphasis on personally identifiable information (PII)
  • Vendor Management:  (see last month’s Privacy webinar)
  • Training:  both employees and vendors
  • Incident Response Plans


The September Privacy Wednesday webinar, the eighth in our Privacy series, will address regulatory compliance and risk management aspects of cyber attacks and data breaches at financial institutions and their service providers (and specifically look at the OCIE standards and exam process). Cybersecurity is one of the most significant issues facing the financial services industry — and vendors to financial services customers. Consequences of cyber attacks and data breaches are more costly than ever, and now the SEC and FINRA are conducting cybersecurity examinations. Enforcement actions are likely to follow. Meanwhile, the “fintech” revolution is radically and dramatically transforming how securities, banking and money services firms collect, retain, protect and monetize financial consumer data. Join us for guidance on crafting effective cybersecurity programs and expert insights into areas of likely cybersecurity focus uniquely critical for broker-dealers, investment advisers, and investment companies — intermediary and vendor due diligence, risk assessment, identity theft prevention, Gramm-Leach-Bliley safeguarding of customer information, referral and aggregator arrangements, suspicious activity monitoring, material nonpublic information protection, and front running prevention.

Registration is open – here.  Join us!


Rather than our usual Privacy Monday “bits and bytes,” we have a breaking story relating to the ongoing Wyndham/FTC saga.

Today, Wyndham Worldwide Corp. lost a critical round in the Third Circuit.  In a decision anticipated since April 2014, the three-judge panel upheld U.S. District Judge Esther Salas’ ruling that the Federal Trade Commission (FTC) has the authority under the “unfairness” prong of Section 5 of the FTC Act to bring suit against companies over data security practices.

For all the background leading up to today’s ruling, we send you back to our April 2014 post  summarizing Judge Salas’ ruling and a recap of the entire case history, going back to June 2012 when the FTC filed its complaint.  The FTC originally alleged that Wyndham had engaged both in unfair and deceptive business practices in violation of Section 5 by failing to maintain reasonable and appropriate security measures.  The alleged security failures led to at least three data breaches between April 2001 and January 2010, exposing consumer data and payment card account numbers.  Wyndham has been fighting back all along the way, using this case to oppose the FTC’s authority and claiming that the agency exceeded statutory powers.

The appeals court said that Wyndham “cannot argue it was entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform….[T]he company can only claim that it lacked fair notice of the meaning of the statute itself — a theory it did not meaningfully raise and that we strongly suspect would be unpersuasive under the facts.”

This precedential opinion squarely rejects Wyndham’s argument that the FTC exceeded its statutory authority and that Congress never intended for the commission to be able to use its Section 5 powers to police “failures to institute voluntary industry best practices,” and it virtually ensures the position of the FTC as “top cop” for data privacy and security regulation.