The 2017 edition of The Legal 500 United States recommends Seyfarth Shaw’s Global Privacy & Security Team as one of the best in the country for Cyber Law (including data protection and privacy). In addition, based on feedback from corporate counsel, the co-chairs of Seyfarth’s group, Scott A. Carlson and John P. Tomaszewski, and
On May 11, President Trump signed Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. This is a significant development for U.S. cybersecurity as it represents a concrete call to action for the government to modernize its information technology, beef up its cybersecurity capabilities, protect our country’s critical infrastructure from…
Recently, a widespread global ransomware attack has struck hospitals, communication, and other types of companies and government offices around the world, seizing control of affected computers until the victims pay a ransom. This widespread ransomware campaign has affected various organizations with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly.
Continue Reading WannaCry Ransomware Attack: What Happened and How to Address
Another week, another well-concocted phishing scam. The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself. Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of HR or similar. Sometimes the…
On January 5, 2017, the Federal Trade Commission (FTC) sued for permanent injunction a Taiwan-based computer networking equipment manufacturer D-Link Corporation and its U.S. subsidiary, alleging that D-Link’s inadequate security measures left its wireless routers and IP cameras used to monitor private areas of homes and businesses vulnerable to hackers, thereby compromising U.S. consumers’ privacy.
In the complaint filed in the Northern District of California, Federal Trade Commission v. D-Link Systems Corp. et al., Case Number 3:17cv39, the FTC alleged that D-Link failed to take reasonable steps to secure its routers and Internet Protocol (IP) cameras, potentially compromising sensitive consumer information, including live video and audio feeds from D-Link IP cameras. The FTC’s allegation of consumer injury is limited to the statement that due to the lack of security, consumers “are likely to suffer substantial injury” and that, unless stopped by an injunction, D-Link is “likely to injure consumers and harm the public interest.”
In seeking the requested relief, the FTC is relying on its powers under Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC’s Section 5 powers have largely gone unchallenged by companies subject to enforcement action until Wyndham hotels, which came under investigation after it suffered a series of data breaches, tried to curtail the FTC’s jurisdiction in 2015. That challenge failed when the Third Circuit held that the FTC did, in fact, have the authority to regulate cybersecurity practices under the unfairness prong of Section 5 of the FTC Act.
Earlier this month, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) civil money penalty of $3,217,000.00 against Children’s Medical Center of Dallas (Children’s), a pediatric hospital that is part of Children’s Health, the seventh largest pediatric health care provider in the nation. OCR based this penalty on its finding that Children’s failed to comply with HIPAA Security Rule over many years and that Children’s impermissibly disclosed unsecured electronic protected health information (ePHI) when it suffered two data breaches that were reportable to OCR.
- On January 18, 2010, Children’s reported to OCR the loss of an unencrypted, non-password protected BlackBerry device at an airport on November 19, 2009. The device contained the ePHI of approximately 3,800 individuals.
- On July 5, 2013, Children’s reported to OCR the theft of an unencrypted laptop from its premises sometime between April 4 and April 9, 2013. The device contained the ePHI of approximately 2,462 individuals.
Because Children’s devices were unencrypted, Children’s was obligated to report their loss, along with the unsecured ePHI they contained, to the HHS. Had Children’s devices been encrypted, it could have taken advantage of the “safe harbor” rule, pursuant to which covered entities and business associates are not required to report a breach of information that is not “unsecured.”
- OCR’s investigation revealed that, in violation of HIPAA Rules, Children’s (1) failed to implement risk management plans, contrary to prior external recommendations to do so, and (2) knowingly and over the course of several years, failed to encrypt, or alternatively protect, all of its laptops, work stations, mobile devices, and removable storage media.
- OCR’s investigation established that Children’s knew about the risk of maintaining unencrypted ePHI on its devices as far back as 2007.
- Despite this knowledge, Children’s issued unencrypted BlackBerry devices to nurses and allowed its workforce members to continue using unencrypted laptops and other mobile devices until 2013.
President Trump is expected to sign soon Executive Order on Strengthening U.S. Cyber Security and Capabilities. Reports about a “leaked draft” of the Executive Order on Cybersecurity surfaced on the Internet a few days ago, along with predictions that the Order will be signed on January 31. The Order is yet to be signed and the publicized draft may undergo some changes. The available draft orders three reviews:
- Review of Cyber Vulnerabilities, which asks, within 60 days of the date of the Order, for a report of initial recommendations for the enhanced protection of the most critical civilian Federal Government, public, and private sector infrastructure.
- Review of Cyber Adversaries, which asks, within 60 days of the date of the Order, for a first report on the identities, capabilities, and vulnerabilities of the principal U.S. cyber adversaries.
- U.S. Cyber Capabilities Review, which asks for identification of an initial set of capabilities needing improvement to adequately protect U.S. critical infrastructure, based on the results of the other two Reviews. As part of this review, the Secretary of Defense and Secretary of Homeland Security are directed to gather and review information from the Department of Education “regarding computer science, mathematics, and cyber security education from primary through higher education to understand the full scope of U.S. efforts to educate and train the workforce of the future.” The Secretary of Defense is also directed to make recommendations “in order to best position the U.S. educational system to maintain its competitive advantage into the future.”
A Finnish web developer discovered that “autofill profiles” now offered on certain browsers provides hackers with a new phishing vector. Autofill profiles allow users to create a profile containing preset personal information that they might usually enter on web forms. When a user fills in information for some simple text boxes, the autofill system will input other profile-based information into any other text boxes on the page, even when they are not visible on the page to the user and, from there, the hacker harvests additional autofilled personal information without the user’s knowledge.
Autofill profiles are not to be confused with form field autofilling behavior, which allows the user to fill in one form field at a time with data previously entered in those fields, while autofill profiles in browsers enable users to fill in an entire web form with one click. …
Continue Reading Warn Your Clients: Browser Autofill Can Steal Their Personal Details in New Phishing Vulnerability
On December 28, 2016, New York published a revised version of its proposed “Cybersecurity Requirements for Financial Services Companies” aimed at increasing the requirements and protections for information security, auditing, and reporting for financial institutions doing business within New York state. The regulation was announced on September 13, 2016 as the first-of-its-kind regulation to protect consumers and financial institutions and had intended to go into effect January 1, 2017. However, in response to the 45-day public comment period, a revised version was distributed mere days before the end of the year on December 28, 2016 with an expected implementation date of March 1, 2017.
Although the revised version will be subject to an additional 30-day public comment period, there are a number of key provisions in the current versions that financial institutions should be aware of:
- 500.02. Cybersecurity Program: The required Cybersecurity Program will be based upon the Covered Entity’s Risk Assessment (described in §500.09) and must comply with the items described in §500.02(b):
- identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;
- use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
- detect Cybersecurity Events;
- respond to identified or detected Cybersecurity Events to mitigate any negative effects;
- recover from Cybersecurity Events and restore normal operations and services; and
- fulfill applicable regulatory reporting obligations.
- 500.02(c) allows a Covered Entity to adopt the cybersecurity program of an Affiliate if the Affiliate’s cybersecurity program meets the above requirements and covers the Covered Entity’s information.
As we begin the new year, companies are continuing to survey the ever-changing data-breach landscape and assess their own preparedness for the worst. And with data security threats becoming more complex, sophisticated, and diverse every year, it is no small task. For those of you wondering what data breach trends might look like this year, and what to do to avoid them, Experian Data Breach Resolution, drawing on its experience with over 17,000 data breaches over the last decade, offered the following five predictions in its 2017 Data Breach Industry Forecast:
Aftershock password breaches will expedite the death of the password.
- What and Why: Companies will face the consequences of previous data breaches, as username and password information breached years prior (and often from an unrelated company) is continued to be sold through darknet markets.
- The Takeaway: Companies should consider (1) using multi-factor authentication to verify users to help solve the password reuse problem; (2) accounting for aftershock breaches in their data-breach response plans; and (3) educating customers about resetting their passwords and about the broader risk associated with password reuse across websites.
Nation-state cyberattacks will move from espionage to war.
- What and Why: Cyberattacks by hackers sponsored by foreign nations will likely continue to increase and escalate. Although these attacks are motivated by the desire to gain intelligence, they will lead to collateral damage to consumers and businesses through widespread outages or exposure of personal information.
- The Takeaway: Businesses should prepare for large-scale attacks, particularly if they are a part of critical infrastructure, by staying vigilant about their security measures and by considering purchasing proper insurance protection.
Healthcare organizations will be the most targeted sector with new, sophisticated attacks emerging.
- What and Why:
- Medical identity theft will remain cybercriminals’ top target, as medical information is lucrative and easy to exploit.
- Experian predicts that in the new year mega breaches will move on from focusing on healthcare insurers to distributed hospital networks, which might have more security challenges compared to centralized organizations.
- Experian also predicts that electronic health records (EHRs) will likely be a primary target for attackers, since EHRs are widely used and are likely to touch a compromised computer.
- The top breach vector will likely be ransomware because a disruption of healthcare system operations could be catastrophic and most organizations would rather opt to simply pay the ransom than fight the attack. According to the recent Office of Civil Rights (OCR) guidance, depending on the facts, ransomware attacks may be classified as breaches and require notification under the HIPAA Breach Notification Rule, in accordance with 45 CFR 164.404.
- The Takeaway: Healthcare organizations need to ensure they have proper, up-to-date security measures in place, including data-breach response plans in the event of a ransomware attack and adequate employee training about the importance of security.