A Finnish web developer discovered that the “autofill profiles” now offered in certain browsers give phishers a new vector.  An autofill profile stores preset personal information (name, address, phone number and the like) that the user would otherwise type into web forms by hand.  When the user lets the browser fill a couple of simple, visible text boxes, the autofill system also populates every other field on the form that matches the profile, including fields the page has hidden from view with CSS (positioned off-screen, collapsed to zero size or made transparent).  A malicious form therefore only needs to show one or two innocuous fields; when the form is submitted, the hidden fields travel to the attacker’s server along with the visible ones, and the attacker harvests personal information the user never knowingly provided.

Autofill profiles are not to be confused with ordinary form-field autocompletion, which suggests values previously typed into a single field, one field at a time.  An autofill profile lets the browser fill an entire web form with one click, and that whole-form behavior is exactly what the hidden-field trick exploits.
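As an added example (not code from the original post, nor from the developer it describes), the following JavaScript flags form fields that a browser autofill profile could populate even though the user cannot see them. Pasted into a browser’s DevTools console it scans the open page; under Node it scans a constructed field list, `SAMPLE_FORM`, that mirrors the pattern above: two visible boxes plus fields pushed off-screen, hidden with `display:none`, or made transparent. The token list, the name heuristics and the visibility rules are the author’s assumptions, not any browser’s actual autofill matching logic.

```javascript
// Added example, not from the original post: heuristic scan for inputs
// that a browser autofill profile could fill although the user cannot see
// them. In a browser, paste into the DevTools console to scan the open
// page; in Node it scans the constructed SAMPLE_FORM below.

// HTML autocomplete tokens that map to profile data (subset; assumption
// that these are the ones an autofill profile populates).
const PROFILE_TOKENS = new Set([
  "name", "given-name", "family-name", "email", "tel", "organization",
  "street-address", "address-line1", "address-line2", "address-level2",
  "postal-code", "country", "country-name",
  "cc-name", "cc-number", "cc-exp", "cc-csc",
]);

// Browsers also infer a field's purpose from its name/id when no
// autocomplete attribute is present; this regex is a rough stand-in.
const NAME_HINTS = /phone|tel|address|street|zip|postal|city|country|card|ccnum|cvv|email/i;

// Field descriptor shape used throughout (constructed for this example):
// { name, id, type, autocomplete, rect: {x, y, w, h},
//   style: { display, visibility, opacity } }

function isAutofillTarget(f) {
  // autocomplete="off" is deliberately NOT treated as an exemption.
  const tokens = (f.autocomplete || "").toLowerCase().split(/\s+/);
  if (tokens.some((t) => PROFILE_TOKENS.has(t))) return true;
  return NAME_HINTS.test(f.name || "") || NAME_HINTS.test(f.id || "");
}

function isHiddenFromUser(f) {
  if (f.type === "hidden") return false;              // <input type=hidden> is not autofilled
  const s = f.style || {};
  const r = f.rect || { x: 0, y: 0, w: 0, h: 0 };
  if (s.display === "none" || s.visibility === "hidden") return true;
  if (s.opacity !== undefined && Number(s.opacity) === 0) return true;
  if (r.w === 0 || r.h === 0) return true;            // collapsed box
  if (r.x + r.w <= 0 || r.y + r.h <= 0) return true;  // pushed past the top/left edge
  return false;
}

function findHiddenAutofillFields(fields) {
  return fields
    .filter((f) => isAutofillTarget(f) && isHiddenFromUser(f))
    .map((f) => f.name || f.id);
}

// Build descriptors from the live DOM (browser only).
function collectFieldsFromDom(doc, win) {
  return Array.from(doc.querySelectorAll("input, textarea, select")).map((el) => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    return {
      name: el.name, id: el.id, type: el.type,
      autocomplete: el.getAttribute("autocomplete") || "",
      rect: { x: r.left, y: r.top, w: r.width, h: r.height },
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
    };
  });
}

// Constructed sample: a form of the kind described above, as rendered.
// Only "name" and "email" are on screen.
const VISIBLE = { display: "block", visibility: "visible", opacity: "1" };
const SAMPLE_FORM = [
  { name: "name",    type: "text", autocomplete: "name",      rect: { x: 40, y: 100, w: 200, h: 30 }, style: VISIBLE },
  { name: "email",   type: "text", autocomplete: "email",     rect: { x: 40, y: 140, w: 200, h: 30 }, style: VISIBLE },
  // position:absolute; left:-9999px
  { name: "phone",   type: "text", autocomplete: "tel",       rect: { x: -9999, y: 180, w: 200, h: 30 }, style: VISIBLE },
  // display:none and no autocomplete attribute: purpose inferred from the name
  { name: "address", type: "text", autocomplete: "",          rect: { x: 0, y: 0, w: 0, h: 0 }, style: { ...VISIBLE, display: "none" } },
  // opacity:0, still laid out on screen
  { name: "ccnum",   type: "text", autocomplete: "cc-number", rect: { x: 40, y: 220, w: 200, h: 30 }, style: { ...VISIBLE, opacity: "0" } },
  // an <input type=hidden> carries no autofill risk and must not be flagged
  { name: "csrf",    type: "hidden", autocomplete: "",        rect: { x: 0, y: 0, w: 0, h: 0 }, style: { ...VISIBLE, display: "none" } },
];

function scanSample() {
  return findHiddenAutofillFields(SAMPLE_FORM);
}

if (typeof document !== "undefined") {
  console.log("hidden autofill targets:", findHiddenAutofillFields(collectFieldsFromDom(document, window)));
} else {
  console.log("hidden autofill targets:", scanSample()); // ["phone", "address", "ccnum"]
}
```

The scan is a heuristic: a page can hide a field in ways the rules above do not catch (clipping, overlapping elements, tiny fonts), and browsers have not handled `autocomplete="off"` consistently, so the check treats it as no exemption. For a user, the practical defense is to disable profile-based autofill, or to review every field the browser highlights before submitting.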
Continue Reading

On December 28, 2016, New York published a revised version of its proposed “Cybersecurity Requirements for Financial Services Companies,” aimed at increasing the requirements and protections for information security, auditing, and reporting for financial institutions doing business within New York State. The regulation was announced on September 13, 2016 as a first-of-its-kind regulation to protect consumers and financial institutions and was intended to go into effect January 1, 2017. However, in response to the 45-day public comment period, a revised version was distributed mere days before the end of the year, on December 28, 2016, with an expected implementation date of March 1, 2017.

Although the revised version will be subject to an additional 30-day public comment period, there are a number of key provisions in the current version that financial institutions should be aware of:

  1. §500.02 Cybersecurity Program: The required Cybersecurity Program will be based upon the Covered Entity’s Risk Assessment (described in §500.09) and must perform the core functions described in §500.02(b):
    1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;
    2. use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
    3. detect Cybersecurity Events;
    4. respond to identified or detected Cybersecurity Events to mitigate any negative effects;
    5. recover from Cybersecurity Events and restore normal operations and services; and
    6. fulfill applicable regulatory reporting obligations.
  • §500.02(c) allows a Covered Entity to adopt the cybersecurity program of an Affiliate if the Affiliate’s program meets the above requirements and covers the Covered Entity’s Information Systems and Nonpublic Information.


Continue Reading

As we begin the new year, companies are continuing to survey the ever-changing data-breach landscape and assess their own preparedness for the worst. And with data security threats becoming more complex, sophisticated, and diverse every year, it is no small task. For those of you wondering what data breach trends might look like this year, and what to do to avoid them, Experian Data Breach Resolution, drawing on its experience with over 17,000 data breaches over the last decade, offered the following five predictions in its 2017 Data Breach Industry Forecast:

Aftershock password breaches will expedite the death of the password.

  • What and Why: Companies will face the consequences of previous data breaches, as username and password information breached years earlier (often from an unrelated company) continues to be sold through darknet markets and replayed against other sites.
  • The Takeaway: Companies should consider (1) using multi-factor authentication to verify users to help solve the password reuse problem; (2) accounting for aftershock breaches in their data-breach response plans; and (3) educating customers about resetting their passwords and about the broader risk associated with password reuse across websites.

Nation-state cyberattacks will move from espionage to war.

  • What and Why: Cyberattacks by hackers sponsored by foreign nations will likely continue to increase and escalate. Although such attacks are typically motivated by intelligence gathering, they will increasingly cause collateral damage to consumers and businesses through widespread outages or exposure of personal information.
  • The Takeaway: Businesses should prepare for large-scale attacks, particularly if they are a part of critical infrastructure, by staying vigilant about their security measures and by considering purchasing proper insurance protection.

Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.

  • What and Why:
    • Medical identity theft will remain cybercriminals’ top target, as medical information is lucrative and easy to exploit.
    • Experian predicts that in the new year mega breaches will move on from focusing on healthcare insurers to distributed hospital networks, which might have more security challenges compared to centralized organizations.
    • Experian also predicts that electronic health records (EHRs) will likely be a primary target for attackers, since EHRs are widely used and are likely to touch a compromised computer.
    • The top breach vector will likely be ransomware, because a disruption of healthcare operations could be catastrophic and most organizations would rather pay the ransom than fight the attack. According to recent guidance from the HHS Office for Civil Rights (OCR), depending on the facts, a ransomware attack may constitute a breach requiring notification under the HIPAA Breach Notification Rule, 45 CFR 164.404.
  • The Takeaway: Healthcare organizations need to ensure they have proper, up-to-date security measures in place, including data-breach response plans in the event of a ransomware attack and adequate employee training about the importance of security.


Continue Reading

December 2016 brought the US government some progress on prosecuting foreign cybercriminals.  Last month, three Romanians were extradited to face charges in the US for running a cybercrime ring that used custom-built malware and money mules to steal at least $4 million.  Chinese authorities also apprehended one of three Chinese citizens charged by the US with insider trading on confidential information gleaned from the servers and networks of law firms involved in M&A work.  The US is seeking the extradition of the hacker apprehended by the Chinese government.

It is reported that the three Romanians were arrested by the Romanian National Police following an eight-year FBI investigation.  A 21-count indictment, unsealed on December 17, 2016, awaited them upon their extradition to Ohio, charging them with wire fraud, identity theft, money laundering and trafficking in counterfeit goods or services.  Known as the Bayrob Group, they allegedly used phishing attacks and malware to rob their victims.  They disseminated their Bayrob Trojan through emails made to look as if they came from legitimate sources (e.g. Western Union, Norton Antivirus and the U.S. Internal Revenue Service), prompting the recipient to open an attached file, which then installed the Bayrob Trojan on the victim’s computer.  Later versions of the Trojan also harnessed the infected computer’s processing power to mine cryptocurrency.  Symantec’s security response team, which worked with the US government on the investigation, estimates that over eight years the group caused as much as $35 million in losses, sent 11 million malicious emails and ran a botnet of some 300,000 infected PCs.
Continue Reading

The Trump transition team announced yesterday that Thomas Bossert was chosen for the role of the Assistant to the President for Homeland Security and Counterterrorism.  In that position, Mr. Bossert will advise the President on issues related to cybersecurity, homeland security and counterterrorism, and also coordinate the process for creating and executing relevant policies, the

The Commission on Enhancing National Cybersecurity, established by President Obama, has released its much-awaited Report on Securing and Growing the Digital Economy (December 1, 2016). The Commission was tasked with assessing the state of our nation’s cybersecurity and developing actionable recommendations for securing the digital economy, while at the same time protecting privacy, ensuring public safety and economic and national security, and fostering the development of new technical solutions.

The Commission sought to examine what is working well, what represents a challenge, and what needs to be done to incentivize and cultivate a culture of cybersecurity in the public and private sectors. The Commission found that while the interconnectedness of the digital ecosystem creates unparalleled value for society, technological advancement is outpacing security and will continue to do so unless the government and the private sector change how they approach and implement cybersecurity strategies and practices.

Among the observed challenges, the Commission pointed out that technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity. An example of this would be the widely-used Internet-of-Things (IoT) devices, ranging from pacemakers to fitness trackers to smart home devices, many of which do not provide sufficient security.

Another challenge is represented by mobile working environments. The Commission observed that gone are the days when employees performed work only at an office using an organization-issued (and controlled) desktop computer, but that many organizations fail to properly secure mobile devices. Moreover, today, no organization is an island, and few are able to function without connecting to vendors, customers, and partners in multiple global supply chains. These developments are making the classic concept of the security perimeter largely obsolete.


Continue Reading

China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation.  It addresses specific privacy rights previously adopted in the European Union and elsewhere, such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China.  It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data.  Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details.  This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate, even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals, including warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations and revocation of the entity’s business license.
Continue Reading

Last Friday, Russia blocked LinkedIn based on a Russian court’s finding that LinkedIn violated the Russian “localization” law, which requires companies holding personal data of Russian citizens to store it on servers located within Russian borders.  This law came as an amendment to the Russian data privacy laws “Regarding information, information technologies and the protection of information” and “Regarding telecommunications,” and to the Code of Administrative Offenses. The amendments, which came into force in September 2015, required websites and telecommunications providers to begin storing “on the territory of the Russian Federation information regarding the receipt, transfer, sending and/or processing of voice information, written text, images, sounds or other electronic messages of the users of Internet” within six months after the law took effect.

Russia took the position that the new requirements were necessary to ensure that personal data on Russian consumers is properly protected, something the Russian government said can only be done if the servers are within Russian jurisdiction. The penalty for companies violating the law was set at 500,000 roubles (approximately $8,000). The law also contemplated a punishment much worse than the monetary penalty: the amendment empowered Roskomnadzor, the Russian federal agency charged with overseeing telecommunications services and information technologies, to investigate violations of the new law and to petition courts to block websites that refuse to comply.

Following the adoption of this law, many companies that collect and process Russian citizens’ information began working toward achieving compliance by ensuring that this data stayed on Russian soil. Some, however, decried the law as forcing businesses to needlessly invest in servers in Russia and rework established data workflows.

Soon after the law went into effect, Roskomnadzor began exercising its investigative powers and taking suspected violators to court. To keep track of the adjudicated violators, Roskomnadzor created a special registry of websites marked for blocking in case of continued noncompliance following the adjudication. LinkedIn, which has over 6 million registered Russian users, made Roskomnadzor’s “black list” registry and, on Friday, November 18, became the first website to be blocked in Russia for the violations of the localization law.


Continue Reading

Do you and your firm have adequate cybersecurity to prevent yourself (and your confidential client data) from getting hacked?

On Wednesday, December 7, at 11:00 a.m. Pacific, Richard Lutkus, a partner in Seyfarth Shaw’s eDiscovery and Information Governance Practice; and Joseph Martinez, Chief Technology Officer and Vice President of Forensics, eDiscovery & Information Security

We have all heard this before, but just how bad are things really? According to Verizon’s 2016 Data Breach Investigations Report (“DBIR”), insider and privilege misuse was once again one of the leading causes of incidents and breaches in 2015, accounting for 10,489 incidents, 172 of them with confirmed data disclosure. Some of this misuse is perpetrated by malicious actors motivated by financial gain, and some of it results from the actions of well-meaning employees who either lacked cybersecurity awareness or simply made a mistake.

While there are no perfect answers for addressing the multitude of possible insider attacks, which can range from privilege abuse, to data mishandling, to the use of unapproved hardware, software, and workarounds, to email misuse, implementing the steps below can go a long way in reducing the risks.

Five Steps to Reduce Insider Misuse


Continue Reading