It’s back to school time – time to put away the flip flops and beach chairs and settle back into the routine. To help motivate you, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) has announced a new round of cybersecurity examinations! This comes on the heels of the SEC’s sweep exam of broker-dealers and registered investment advisers and the issuance of its February 2015 summary observations from that sweep.

Last month, our August webinar discussed third party vendor security management in a more general context, and how critical vendor management is to the overall cybersecurity health and resilience of your organization. Over 500 people took a break on a beautiful August day to catch the webinar – if you missed it, click here to play back the webinar.

We had already planned our September topic — Another Cop on the Cybersecurity Beat: What to Do Before and After the SEC and FINRA Come Knocking —  but it is even more timely in light of last week’s OCIE announcement.

In this next round of OCIE examinations, the office will direct the testing at implementation of key controls and procedures, none of which will be surprising to regular readers of this blog.

  • Governance & Risk Assessment:  current processes tailored to the business with senior management and board involvement
  • Access Rights & Controls: controls across, within, and without the enterprise, including access tracking, credentialing, Bring Your Own Device (BYOD) and other issues
  • Data Loss Prevention:  patch management, system configuration, outbound communications, with special emphasis on personally identifiable information (PII)
  • Vendor Management:  (see last month’s Privacy webinar)
  • Training:  both employees and vendors
  • Incident Response Plans


The September Privacy Wednesday webinar, the eighth in our Privacy series, will address regulatory compliance and risk management aspects of cyber attacks and data breaches at financial institutions and their service providers (and specifically look at the OCIE standards and exam process). Cybersecurity is one of the most significant issues facing the financial services industry — and vendors to financial services customers. Consequences of cyber attacks and data breaches are more costly than ever, and now the SEC and FINRA are conducting cybersecurity examinations. Enforcement actions are likely to follow. Meanwhile, the “fintech” revolution is radically and dramatically transforming how securities, banking and money services firms collect, retain, protect and monetize financial consumer data. Join us for guidance on crafting effective cybersecurity programs and expert insights into areas of likely cybersecurity focus uniquely critical for broker-dealers, investment advisers, and investment companies — intermediary and vendor due diligence, risk assessment, identity theft prevention, Gramm-Leach-Bliley safeguarding of customer information, referral and aggregator arrangements, suspicious activity monitoring, material nonpublic information protection, and front running prevention.

Registration is open – here.  Join us!


The Third Party Vendor Risk to Your Data – Wednesday Webinar

Risks to sensitive data have never been greater. With the rise in cyber attacks and data breaches, outsourcing to third parties can present an exponential threat to corporations. New regulations, technologies, standards, and security threats require organizations to implement robust vendor oversight to meet and stay ahead of the latest risks and challenges from new payment methods and systems, data breaches, and cyber attacks. Register here for our next Wednesday Webinar on this important topic and read on.

It’s Privacy Monday again – and summer is winding down.

Here are three bytes of privacy/security information to start your week:

1.  House Committee Releases HHS Breach Investigation

If you are subject to HIPAA and the oversight of the Department of Health and Human Services (HHS), schadenfreude will probably best describe your reaction.

A report recently released by the House Energy & Commerce Committee revealed that hackers have breached at least five divisions of HHS — including the FDA — in the last three years.

“What we found is alarming and unacceptable,” committee Chairman Fred Upton, Michigan Republican, and Oversight and Investigations Subcommittee Chairman Tim Murphy, Pennsylvania Republican, said in a joint statement. “At a time when sensitive information is held by so many in the public and private sectors, Americans should not have to worry that the U.S. government is left so vulnerable to attack.”

The 27-page review of HHS information security found that the breaches were unsophisticated and the affected agencies “often struggled to provide accurate, clear and sufficient information on the security incidents” during the course of their investigation. According to the committee, officials at two breached agencies were unable to provide accurate details about security incidents within their own networks. “These incidents raise questions about whether information security officials have the appropriate level of expertise,” the report reads.

Privacy Monday – August 17, 2015: Three Bytes for End of Summer

Welcome to the dog days of summer 2015.   Three privacy & security bits and bytes to start your week (if you are reading this on vacation … good for you!)

1.   ICYMI: Massive Data Breach at OPM Claims Victim — The Director

One day after Office of Personnel Management Director Katherine Archuleta broke the news to a congressional hearing that the second data breach at the agency exposed the records of 21.5 million people — the largest data breach in U.S. government history — she submitted her resignation to President Obama.  The databases involved in the second breach included highly sensitive background check information.   Back in early June, the OPM had announced that personnel files for 4.2 million current and former federal employees had been breached.  About 3.6 million individuals were reportedly affected by both breaches, therefore the total number affected is about 22.1 million.

The information in the second breach includes everything from Social Security numbers, mental health records, financial histories, names of old roommates and other information on basically everyone who has undergone a background check through the agency since 2000, as well as the fingerprints of about 1.1 million people.   This information also includes personal information of family, friends and other contacts of individuals who have undergone detailed background checks for top-level security clearances.

2.  Mark Your Calendars

The next Mintz Privacy Wednesday Webinar is coming up on Wednesday, August 26th at 1 PM ET.   We’ll be looking at privacy and security risk in the context of third-party vendors – the weak link in the security chain.  If you don’t believe us, just ask Target Corporation.   It will be compelling beach viewing, we promise!

3. James Lewis Speaks at ABA Event on International Cybernorms

Ari Moskowitz

Mintz Levin was in attendance at a talk by James Lewis of the Center for Strategic and International Studies and rapporteur for the UN Group of Governmental Experts for Information Security, hosted by the American Bar Association Standing Committee on Law & National Security. Lewis talked about the recently concluded meeting of the UN Group of Governmental Experts to establish a set of international guidelines for nation-states operating in cyberspace. That meeting culminated in a report that was delivered to UN Secretary General Ban Ki-moon and will be released publicly in several weeks.

Mr. Lewis said that there were four goals of the 2015 talks: to (1) elaborate international cyber-norms that countries should abide by, whether in peacetime or wartime; (2) build capacity among the UN and world governments; (3) establish confidence building measures countries can take in cyberspace; and (4) address the application of international law to cyberspace. He compared this approach to achieving international agreement on cybersecurity with the international approach to nonproliferation. And like nonproliferation, he believes it will take a long time, but will ultimately succeed. At this stage, he suggested, it is not feasible to get a treaty, and so the talks were designed to get international agreement on a set of norms.

Privacy Monday – July 13, 2015

The first Privacy Monday of the summer!

It’s appropriate that the “boys of summer” feature prominently in today’s post.

Strike three for the St. Louis Cardinals?

On another summer Privacy Monday in 2014, we made note of a reported hack into the Houston Astros’ vaunted “Ground Control” database and GM Jeff Luhnow said he intended to prosecute whoever was responsible.   Last week’s New York Times reported that it was likely Luhnow’s old team, the St. Louis Cardinals.  Reportedly, the Astros contacted the FBI when confidential information stored in the “Ground Control” database was posted online last year. Investigators found information indicating the origin of the hack was the home of a Cardinals’ employee.

The most recent reporting on this story comes from CBS Sports, with an interview with Cardinals’ owner Bill DeWitt and the report of a potential third violation of the Astros’ database, purportedly by Cardinals’ employees.

Recommended reading into the background of why the Cards would have bothered to hack the Astros can be found at ESPN: Why the Astros’ sophisticated database would be worth hacking

Privacy Monday – June 22, 2015

Register now for our June Wednesday Webinar.    This webinar, the sixth in our Privacy series, will address risk assessment best practices and data breach readiness. A risk assessment is the foundational step in the development of a comprehensive privacy and security program for your company. It is also a regulatory requirement under HIPAA and some state laws. Join us for a roundtable discussion with a group of privacy and security professionals, moderated by Mintz Levin’s Cynthia Larose, on risk assessment best practices and data breach readiness.

You can’t manage the risk if you do not know what it is — a risk assessment is the first step towards effective — and proactive — risk management.

Registration is open here.  Hope you will join us!


If your company has an online presence — or provides marketing or advertising services — you should be registered for the fifth webinar in our 2015 Wednesday Privacy Webinar series:  The Long Reach of COPPA.   Recall the recent FTC settlement agreement with Yelp — clearly a site not targeted at children — that cost the online review company $450,000.


Register online here – NY and CA CLE credit is available.

It’s Monday morning — do you know your privacy/security status?

Here are a few bits and bytes to start your week.

SEC to Registered Investment Advisers and Broker-Dealers:  It’s Your Turn to Pay Attention to Cybersecurity

The Division of Investment Management of the Securities & Exchange Commission (SEC) has weighed in on cybersecurity of registered investment companies (“funds”) and registered investment advisers (“advisers”) as an important issue because both funds and advisers increasingly use technology to conduct their business activities, and need to protect confidential and sensitive information related to these activities from third parties.  That information includes information concerning fund investors and advisory clients.   We’ve summarized key points from the recently-issued Guidance.

The Guidance recommends a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including:

  • Conduct a periodic assessment of:
    • the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses;
    • internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems;
    • security controls and processes currently in place;
    • the impact should the information or technology systems become compromised; and
    • the effectiveness of the governance structure for the management of cybersecurity risk.
  • Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include:
    • controlling access to various systems and data via management of user credentials;
    • authentication and authorization methods;
    • firewalls and/or perimeter defenses;
    • controls on sensitive information and network resources;
    • network segregation;
    • system hardening;
    • data encryption;
    • protecting against the loss or exfiltration of sensitive data by:
      • restricting the use of removable storage media; and
      • deploying software that monitors technology systems for unauthorized intrusions, loss or exfiltration of sensitive data, or other unusual events;
    • data backup and retrieval; and
    • the development of an incident response plan.
    • Routine testing of strategies could also enhance the effectiveness of any strategy.
  • Implement the strategy through:
    • written policies and procedures; and
    • training that:
      • provides guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats; and
      • monitors compliance with cybersecurity policies and procedures.

Most of this should not be a surprise to any business dealing with sensitive financial information these days, but a recent cybersecurity sweep examination by the SEC’s Office of Compliance Inspections and Examinations (OCIE) found that 88 percent of the broker-dealers (BDs) and 74 percent of the registered investment advisers (RIAs) it visited experienced cyber-attacks, either directly or indirectly through vendors.


Penn State University Confirms Cyberattack Originated in China

If you’re studying at Penn State’s College of Engineering, you will not have access to the Internet for a while.  The University said last week that of two recent cyber attacks at the College, at least one was carried out by a “threat actor” based in China.   Penn State was alerted to a breach by the FBI in November and has been investigating since – during that time, a 2012 breach was also discovered.   The 2012 breach apparently originated in China, and compromised servers containing information on about 18,000 people.

For more:  Cyberattack on Penn State University


Digital Advertising Alliance to Enforce Mobile App Principles

Starting September 1, the Digital Advertising Alliance (DAA) will begin to enforce its Application of Self-Regulatory Principles to the Mobile Environment.   The DAA issued the mobile principles back in July of 2013 (see our post here), but delayed enforcement while the DAA implemented a choice mechanism for the mobile environment.  Mobile tools for consumers were released in February:  App Choices and the Consumer Choice Page for Mobile Web.

The Guidance addresses mobile-specific issues such as privacy notices, enhanced notices and opt-out mechanisms for data collected from a particular device regarding app use over time and cross-app data; privacy notices, enhanced notices and opt-in consent for geolocation data; and transparency and controls — including opt-in consent — for calendar, address books, photo/video data, etc. created by a user that is stored on or accessed through a particular device.

After September 1, any entity that collects and uses any of this type of data will be required to demonstrate compliance with the Guidance or risk being subject to the DAA’s accountability mechanism.


REMINDER — UPCOMING PRIVACY WEDNESDAY WEBINAR

Don’t forget to register for the next in our Privacy Wednesday Webinar series:  The Long Reach of COPPA.   Webinar is eligible for NY and CA CLE credit — register here.