Password Protected

Data Privacy & Security News and Trends

DOJ Takes Down AlphaBay, the World’s Largest Dark Web Marketplace

Posted in Cybersecurity, Identity Theft

The U.S. Department of Justice has announced the seizure of AlphaBay, the largest criminal marketplace on the Internet, which was used to sell stolen financial information, identification documents and other personal data, computer hacking tools, drugs, firearms, and a vast number of other illegal goods and services throughout the world.

AlphaBay was the largest dark web market with estimated annual sales of hundreds of thousands of dollars, which made it nearly ten times the size of the infamous Silk Road dark web marketplace that was shut down by the government in 2013. AlphaBay operated as a hidden service on The Onion Router (Tor) network, which hid the locations of its underlying servers and the identities of its administrators, moderators, and users.  Its user interface was configured like a conventional e-commerce website, where vendors could sell illegal goods or services in exchange for paying a percentage of the transaction as a commission to AlphaBay.

AlphaBay had a dedicated section of the website where users could purchase stolen credit cards and financial information, as well as stolen personal identifying information (PII) – even offering specific search controls to allow potential buyers to search the listings by location (city, state and country), social security number, birth year, credit limit, PIN number, seller, seller rating, price, and more.

The international operation to seize AlphaBay’s infrastructure was led by the United States and involved cooperation with law enforcement authorities in Thailand, the Netherlands, Lithuania, Canada, the United Kingdom, and France, as well as the European law enforcement agency Europol. On July 5, Alexandre Cazes, a Canadian citizen residing in Thailand, was arrested by Thai authorities on behalf of the United States for his alleged role as the creator and administrator of AlphaBay.  On July 12, Cazes apparently took his own life while in custody in Thailand.

The Federal Bureau of Investigation (FBI) and the Drug Enforcement Administration (DEA) have seized millions of dollars’ worth of cryptocurrencies that represent the proceeds of AlphaBay’s illegal activities, including at least 1,943 Bitcoin, 8,669 Ethereum, 3,691 Zcash, and 11,993 Monero. Cazes and his wife had also amassed numerous other high value assets, including luxury vehicles, residences and a hotel in Thailand.

Prior to its takedown, there were over 250,000 listings for illegal drugs and toxic chemicals on AlphaBay, and over 100,000 listings for stolen and fraudulent identification documents and access devices, counterfeit goods, malware and other computer hacking tools, firearms and fraudulent services. Comparatively, the Silk Road dark web marketplace reportedly had approximately 14,000 listings for illicit goods and services at the time of seizure in 2013 and was the largest dark web marketplace at the time. These numbers indicate that the use of dark web marketplaces for illegal commerce will only continue to grow, despite the closure of AlphaBay.

In his public remarks regarding the seizure of AlphaBay, Attorney General Jeff Sessions stated, “This is likely one of the most important criminal cases of the year. Make no mistake, the forces of law and justice face a new challenge from the criminals and transnational criminal organizations who think they can commit their crimes with impunity by ‘going dark.’ This case, pursued by dedicated agents and prosecutors, says you are not safe.  You cannot hide. We will find you, dismantle your organization and network.  And we will prosecute you.”

New Guidance Issued by EU Data Protection Regulators – Does Your Organization Use Social Media During Recruitment?

Posted in EU Data Protection, Privacy, Regulation

The Article 29 Data Protection Working Party (comprising representatives from the data protection regulators in each EU Member State, the European Data Protection Supervisor and the European Commission) has issued an opinion on data processing at work (2/2017) (the Opinion).  The Opinion is not legally binding but it does provide an indication as to how EU data protection regulators will consider and interpret EU data protection law.  The new EU data protection law (the General Data Protection Regulation – or the GDPR) comes into force on 25 May 2018 and will impose significant fines on non-compliant organizations (up to 4% of annual worldwide turnover or €20 million, whichever is higher) in addition to giving individuals more rights with regard to their personal data.  The GDPR does not only apply to EU companies, but can also apply to non-EU based organizations processing EU citizens’ personal data.

The Opinion notes that in light of the increasing amount of personal data that is being processed in the context of an employment relationship, the balance between the legitimate interests of the employer and the privacy rights of the employee becomes ever more important. It provides guidance on a number of specific scenarios including the use of social media during recruitment. Nowadays, employers may be tempted to view job applicants’ social media profiles as part of the recruitment process. However, according to the Opinion, employers may only use social media to find out information about a job applicant where: (a) they have a “legal ground” for doing so; (b) doing so is necessary and relevant for the performance of the position being applied for; (c) the applicant has been informed that their social media profiles will be reviewed; and (d) the employer complies with all of the data protection principles set out in the law.

What steps should your organization take if it wishes to review social media profiles as part of the recruitment process while also complying with the Opinion and EU data protection law?

Huge Relief From eClinicalWorks Decision Not to Hold Customers Liable For Its Vendor’s Actions, But Providers Should Not Drop Their Guard

Posted in Health Information, Regulation

There are inherent risks in any vendor relationship. In the healthcare industry, with myriad regulatory pitfalls, the stakes can be even higher. Several customers of the cloud-based electronic health record (EHR) software vendor eClinicalWorks were relieved by a recent decision in which regulators decided not to take action against them as a result of the alleged wrongdoing of eClinicalWorks. While this decision offers a huge sigh of relief, it should not be seen as an open invitation to adopt a lax approach to vendor engagements.

eClinicalWorks recently agreed to pay $155 million and enter into a five-year Corporate Integrity Agreement to settle allegations that it violated the federal False Claims Act by concealing information indicating that its EHR software failed to meet certain certification requirements from its certifying entity. Such requirements are necessary for eClinicalWorks to meet the “Meaningful Use” standard for EHR under the federal HITECH Act.

Under the HITECH Act, providers can receive incentives for using certified EHR. Providers participating in the Meaningful Use program must attest to the certification of their EHR software in order to qualify for the grants. The United States Department of Justice claimed that eClinicalWorks caused its customers to submit false claims for federal incentive payments tied to the Meaningful Use of EHR when they relied on the improper certification of eClinicalWorks.

In response to the eClinicalWorks settlement, the Centers for Medicare and Medicaid Services (CMS) stated that it would not take action against eClinicalWorks customers who had otherwise acted in good faith with respect to eClinicalWorks’ technology. The settlement and, more specifically, CMS’ reaction to it, highlight CMS’ position that providers may reasonably rely on the representations of their software vendors for the accuracy of reporting. CMS further indicated that it does not plan to audit eClinicalWorks customers based on the settlement.

Although CMS’ statement certainly relieves some pressure from healthcare providers who contract with third parties, it is important to note that this settlement is a single situation, and the regulators may take a different approach in the future based on different facts. Furthermore, the Office for Civil Rights (OCR), which is responsible for HIPAA compliance, has not issued an opinion on this topic, and CMS has not published formal guidance to support this position more broadly.

Despite the fact that HIPAA does not (currently) require auditing or any form of specific monitoring of business associates, some form of oversight and/or vendor vetting is often appropriate and may significantly help to reduce the risk of liability if there is a breach or some other issue with the business associate vendor.

Finally, providers cannot ignore issues if they learn of them—regardless of how issues are discovered. Indeed, healthcare providers remain responsible for taking corrective action (including making any necessary disclosures) when they become aware of any HIPAA and HITECH violations by their business associates.

Former Employee Need Not Allege Emails Were Unopened to Assert Claim of Unauthorized Access Under Stored Communications Act

Posted in Data retention, Privacy

Earlier this month, a federal court denied an employer’s motion to dismiss a claim that it violated the Stored Communications Act (SCA) by accessing a former employee’s personal emails, concluding that the plaintiff need not allege the emails were unopened at the time of the alleged unauthorized access. Levin v. ImpactOffice LLC, No. TDC-16-2790 (D. Md. July 10, 2017).

Defendant ImpactOffice LLC (Impact), which supplies office products and services, collected the plaintiff’s company-issued cell phone after she resigned. Id. at *1.  She had previously deleted all emails stored on the phone, including personal emails from her Gmail account. Id. The plaintiff later filed suit in the District of Maryland, seeking a declaratory judgment that the restrictive covenants in her employment agreement are unenforceable and asserting a claim for unauthorized access of her personal emails under the SCA. Id. at *1-2.

According to the complaint, Impact accessed—and forwarded to its own attorney—a number of these personal emails, which were still stored on Google servers, including emails sent and received after the plaintiff resigned and emails between the plaintiff and her attorney. Id. at *1.

The SCA is violated when a person “intentionally accesses without authorization a facility through which an electronic communication service is provided . . . and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” 18 U.S.C. § 2701(a).  The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” Id. § 2711(1) (incorporating definitions in 18 U.S.C. § 2510).

In its motion to dismiss, Impact asserted that because the plaintiff did not allege that the emails were unopened at the time of its alleged access, she had not sufficiently alleged that the emails were in “electronic storage” under the SCA. Levin, No. TDC-16-2790 (D. Md. July 10, 2017), at *2.

The court first agreed with Impact’s interpretation of “temporary, intermediate storage” under Part (A) of the definition, citing First, Third, Fourth, and Ninth Circuit precedent, observing that Part (A) is “generally understood to cover email messages that are stored on a server before they have been delivered to, or retrieved by, the recipient.” Id. at *3.

However, the court ultimately concluded that, at this stage, the plaintiff need not “specifically allege that the emails at issue were unopened at the time” of Impact’s alleged unauthorized access due in part to the “fact-intensive” nature of the question. Id. at *4.

Law Firms’ Data Duty: Protecting Client Information From Cybercriminals

Posted in Cyber Insurance, Cybersecurity, Data breach, Data Security, Health Information, Information Management, Litigation, Other, Privacy

The impact from the recent Petya/NotPetya ransomware attack — or what was reported as a ransomware attack but now appears to be something even more damaging — continues to spread around the globe, with several new companies coming forward as victims, including a prominent law firm.

This attack acts as an unfortunate reminder that the Internet of Things, along with our dependence on technology, has created a host of new legal and ethical challenges for attorneys. Chief among them is the duty owed to clients to keep their information secure.

Put simply, cyberattacks against law firms are a rapidly growing problem that we must collectively work to manage. And we need to do a better job of it. The 2016 ABA TECHREPORT indicated that, overall:

  • 21 percent of law firms reported having no data security policy;
  • Under 20 percent reported having an incident response plan;
  • 37 percent of firms reported downtime or loss of billable hours after a breach;
  • Only 17 percent of attorneys reported they have cyber coverage; and
  • Only 18 percent of law firms reported they have had a full security assessment.

The Threat

Cyberattacks against law firms have only just begun. The cybercriminals executing these attacks understand that law firms are the white whale of cyber victims. Client information is highly confidential and highly lucrative to cybercriminals. The financial and personally identifiable information that an individual company keeps for business operations is nothing compared to the treasure trove of sensitive data law firms maintain on behalf of their hundreds, or even thousands, of clients. Further, law firms possess data that, if stolen, would provide cybercriminals the information necessary to engage in a variety of nefarious activities, such as insider trading, intellectual property theft and corporate espionage.

Law firms are vulnerable to attack in several ways — via mobile devices, home networks, spear phishing, business email compromise and failure to install security patches, to name a few. The vigilant execution of advanced defenses against vulnerabilities must remain a priority.

In addition to securing the network, a host of legal and regulatory challenges continue to evolve and demand constant analysis. Aside from the more well-known regulations — the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, EU’s General Data Protection Regulation, and the Telephone Consumer Protection Act — federal and state agencies regularly promulgate and enforce new standards that must be met. This legal regime is further complicated by emerging American Bar Association and state ethical obligations.

Despite continued best efforts to safeguard client information, law firms remain at risk of attack by hackers and those who find opportunity in law firms’ cybersecurity failings. The industry recently found itself targeted by plaintiffs’ attorneys who exploit data breaches by claiming law firms failed to take reasonable steps to maintain data security. Thus, in addition to the cyberthreat itself, the looming threat of class action lawsuits must be considered as law firms develop and implement data security practices.

Our Response

As with every incident, the McGuireWoods data privacy and security team monitors the Petya/NotPetya attack as it develops and we stand ready to assist anyone affected. We provide solutions across industries — including solutions for law firms and colleagues in the legal profession.

In our experience, few businesses maintain an incident response plan that adequately addresses the decision points and considerations presented by distributed ransomware or other advanced threats, or have policies and procedures in place to ensure legal, regulatory and ethical compliance. We can help.

We have publicly offered some preventative measures that firms can take immediately. But we can also provide insight into our internal data privacy and security practices and how we use those practices to protect our clients’ most sensitive information (e.g., enforcing encryption for data at rest and in transit, performing regular security awareness training, using data loss protection functionality, conducting security audits, and aligning our information security plan with the firm’s strategic plan).

Our clients trust us with their most valuable information. They deserve the highest level of data security protection. No law firm is immune to the sophisticated threats today’s cybercriminals develop and propagate, but implementing cybersecurity programs and incident response plans now can significantly reduce the risk of breach, improve response protocols and mitigate financial and reputational loss.

The Toys Have Eyes (and Ears): FTC Updates COPPA Guidance for Internet of Things

Posted in Consumer Privacy/FTC, Cybersecurity, Data breach

The FTC has updated its Children’s Online Privacy Protection Rule (COPPA) Six-Step Compliance Plan for Your Business “to reflect developments in the marketplace” – including the introduction of internet-connected toys and the Internet of Things.

COPPA applies to operators of commercial websites and online services directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The primary goal of COPPA is to place parents in control over what information operators of websites collect from their young children on the Internet.

In its updated COPPA Compliance Plan, the FTC cautions that COPPA applies not only to websites and mobile apps, but also “to the growing list of connected devices that make up the Internet of Things.” These devices include connected toys and other products intended for children that collect personal information, such as voice recordings or geolocation data. The updated COPPA Compliance Plan also discusses two recently approved methods for obtaining parental consent:

The FTC issued its updated guidance on COPPA less than a month after receiving a letter from U.S. Sen. Mark R. Warner (D-VA) concerning the agency’s efforts to protect children’s privacy following several high-profile instances of children’s data allegedly being hacked through internet-connected “smart toys.” According to multiple media reports, CloudPets, a product line marketed as “a message you can hug,” stored customers’ personal data in an insecure, public-facing online database. CloudPets reportedly exposed over 800,000 customer credentials and more than two million voice recordings sent between parents and children. Subsequent reports raised questions about security at the device level, with individuals able to hack CloudPets’ toys and remotely control the devices, including the microphone, if they are within Bluetooth range. Sen. Warner also inquired about FTC action in relation to the children’s doll “My Friend Cayla.” In December 2016, privacy advocates filed a complaint with the FTC regarding the doll and raised concerns that it can be used for unauthorized surveillance. In February 2017, Germany’s equivalent of the FTC pulled “My Friend Cayla” off the market due to concerns over the doll’s surveillance capabilities.

Companies should consider how new ways of collecting data, such as voice-activated devices that collect personal information from children, may subject them to obligations under COPPA. The FTC’s guidance also serves as a general reminder to all businesses to consider how new ways of collecting data from consumers – children and adults alike – may impact their compliance obligations under applicable privacy regulations.

New UK Subject Access Code of Practice

Posted in EU Data Protection, Privacy

In June the ICO updated its Subject Access Code of Practice, which gives guidance to data controllers on how to respond to subject access requests from data subjects. The Code itself is not legally binding, but provides advice on good practice to promote compliance with the Data Protection Act 1998 (DPA). With less than a year to go before the introduction of the GDPR, it seems a shame that this revised Code does not address the forthcoming amendments to the law, such as the reduced time limit to respond to a subject access request (which will decrease from the current 40 days to a mere 30). It does, however, make recommendations for more streamlined and user-friendly options for responding and, in addition to helpful notes on how to handle requests and deal with tricky issues, serves as a reminder of the basic entitlements, which are to:

  • Be told whether any personal data is being processed;
  • Receive a description of the personal data, the reasons it is being processed and whether it will be given to any other organizations or people;
  • Receive a copy of the personal data; and
  • Receive details of the source of the data (where available).

For many businesses, subject access requests can be a time-consuming and frustrating aspect of data protection compliance. There is an understandable urge to ignore them, or provide a minimal response, particularly if the request is made in the context of an existing dispute, or preempting litigation and disclosure/discovery of documents. However, the law states that data controllers must be prepared to make extensive efforts to find and retrieve the information requested in a subject access request, unless it would be unreasonable or would involve disproportionate effort to do so. There is an exemption in the DPA accordingly. This issue has been tentatively raised in the past but the recent cases of Dawson-Damer[1] and Ittihadieh/Deer and Oxford University[2] (both decisions of the Court of Appeal) have given the ICO the opportunity to provide more clarification on these points:

  1. Disproportionate effort is not defined in the DPA, but there may be cases where the work/expense involved in complying with a request by providing a copy of the information in permanent form exceeds the individual’s right of access to their personal data;
  2. Data controllers can take into account any difficulties in finding the information and complying with the request. (This approach is consistent with the EU concept of proportionality, but the ICO expects data controllers to balance any difficulties with the benefits the information might bring to the data subject);
  3. Data controllers have the burden of proof to show that they have taken all reasonable steps to comply with a subject access request and it would be disproportionate in all the circumstances to take further steps; and
  4. It is good practice to engage with the person making the request, to help reduce the costs and effort involved in searching for the information requested. (If there is a complaint, the data controller’s willingness to engage with the requestor will be considered).

Overall, the ICO expects data controllers to act positively towards those making a subject access request and to have readily accessible systems in place to respond to requests. Those receiving a request should deal with them promptly and fairly from the start. Subject access is a fundamental right and (as noted in the Code) an opportunity to improve customer service and delivery, by increasing levels of trust and confidence, streamlining processes and providing better customer care. These aims are consistent with the GDPR and so even though this Code is not specifically targeted at compliance with the new laws, companies should benefit from its up to date guidance.

[1] Dawson-Damer & Ors v Taylor Wessing LLP [2017] EWCA Civ 74

[2] Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd & Ors

Increased Focus on Health Care Cybersecurity: HHS Releases Long-Awaited Report and Cyber Attack Quick-Response Checklist

Posted in Health Information, Other, Regulation

The U.S. Department of Health & Human Services (HHS) issued a recent report noting that cybersecurity is a key public health concern that needs “immediate and aggressive attention.”  Shortly thereafter, HHS’ Office for Civil Rights (OCR) released a checklist of practical steps health care providers can take to protect themselves and their patients in the event of a cyber attack.  Both items underscore the Government’s increased focus on cybersecurity in the health care industry and remind health care providers of the importance of preparing for and appropriately responding to cyber attacks.

The Report

The interdisciplinary Health Care Industry Cybersecurity (HCIC) Task Force issued its 87-page report (the Report), mandated by the Cybersecurity Act of 2015, emphasizing the increased responsibility health care organizations have to secure their systems, medical devices, and patient data.

The increased focus on cybersecurity comes in the wake of the recent rise in the number and sophistication of cyberattacks on the health care industry. For instance, the Report notes that the health care sector experienced more cyber incidents resulting in data breaches in 2015 than any of the other 15 critical infrastructure sectors in the U.S. economy.  As the health care industry increasingly shifts to electronic health records (EHRs), automated medication delivery systems, and generally more connectivity and dependence on the Internet of Things (IoT), the prevalence and severity of these attacks are likely to increase.

The Report includes several high-level recommendations to federal regulators that could have a significant impact on members of the health care industry, including, among others:

  • Creating a cybersecurity leader role within HHS to align industry-facing efforts for health care cybersecurity;
  • Requiring federal regulatory agencies to harmonize existing and future laws and regulations that affect health care industry cybersecurity;
  • Exploring potential impacts to the Physician Self-Referral Law (the Stark Law), Anti-Kickback Statute, and other fraud and abuse laws to allow health care organizations to share cybersecurity resources and information with their partners; and
  • Establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures.

The Report also identified several recommended steps for industry members, including identifying a cybersecurity leadership role for driving more robust cybersecurity policies, processes, and functions with clear engagement from executives.

The Report also suggested creating managed security service provider models to support small and medium-size health care providers. The Task Force also recommended that the industry evaluate options to migrate patient records and legacy systems to secure environments (e.g., hosted, cloud, shared computer environments). The imperatives, recommendations, and action items identified in the Report may be a guidebook for future rule-making from HHS aimed at strengthening the privacy of protected health information (PHI) in a new age of cybersecurity risks.

OCR Checklist

In the wake of the Report and an unprecedented year of increased cyber-attacks against health care entities (including the recent WannaCry attack and the Petya attack), OCR released a checklist of steps that HIPAA covered entities and business associates must take in response to a cyber-related security incident. OCR also published an infographic of the steps, which include:

Massive Cyberattack Developing Worldwide

Posted in Cybersecurity, Other

Several cybersecurity firms and news outlets are reporting a new major cyberattack spreading across the globe. The attack, which is still developing and appears to have hit the UK first, is being described as a “global ransomware incident.” Some of the affected companies reportedly include British advertising firm WPP, Russian petroleum company Rosneft, and the National Bank of Ukraine. There have also been reports that multiple U.S. companies have been disrupted by the attack.

Initial reviews suggest the malware is another ransomware attack, coming shortly after the global WannaCry attack. This new intrusion may be exploiting vulnerabilities in Microsoft Windows to encrypt victims’ files. Once files are encrypted, the ransom note demands a $300-equivalent bitcoin payment.  A preliminary review of the virus indicates it is PetrWrap, a strain of the Petya ransomware family, which can encrypt an infected machine’s entire hard drive by overwriting the hard disk drive’s master boot record.

To help avoid becoming a victim, some preventative measures that can be taken immediately include:

  • Ensure your network has updated security patches and is otherwise protected against PetrWrap, WannaCry and known system vulnerabilities.
  • Frequently back up your data onto an isolated and segmented network.
  • Remind your employees to practice caution before opening any document or email.
  • Review your incident response plan and identify those decisions and considerations that are most relevant to ransomware events.
  • Identify outside resources – legal counsel and forensics and public relations firms – that may be needed in the event that you are impacted by ransomware.
  • Review applicable insurance policies and understand relevant terms.

The McGuireWoods Data Privacy and Security team will continue to monitor the attack as it develops and we stand ready to assist anyone affected by it. For more information, an in-depth ransomware response plan can be found here.

“Big Data” and Student Privacy Create Tensions for Lawmakers and Educators

Posted in Legislation, Privacy

“Big data” in the education context refers to the massive amount of information collected by K-12 schools and higher education institutions on student socio-economics, race and sex, test performance, academic performance, graduation rates, behavior and a myriad of other data points and how they all interact with one another. Collecting and analyzing student data is critical to policy makers and curriculum and instruction developers as institutions try to adopt and support learning delivery in the most effective and economical manner.  The National Academy of Education recently released a workshop exploring the challenges for researchers, educators and legislators.

Not surprisingly, the collection of personal data from a captive student audience has led to significant privacy concerns.  Congress originally passed the Family Education Rights and Privacy Act (FERPA) to give greater empowerment and protection to students and their families.  But the 1974 law was passed decades before the internet and cloud data storage became ubiquitous, and efforts are underway in Congress and the U.S. Department of Education to update FERPA’s requirements.

One such legislative solution is a bipartisan Senate bill called The College Transparency Act of 2017.  The College Transparency Act is focused on tapping big data to ensure that student outcome results are accurate when schools report on enrollment, retention, completion, and post-collegiate outcomes.  The bill also addresses student privacy protections and security.

The College Transparency Act walks the tightrope between accessing data to enable consumers to make informed decisions about educational options, while at the same time protecting the individual student information that makes up the data system.  Finally, it purports to relieve the reporting requirements on institutions of higher education.  The National Center for Education Statistics would house the data system created by the College Transparency Act (CTA), with the aspiration that a central repository can best maintain and protect this sensitive and personal information.  These are big aspirations, but needed in a world where data is valuable but also subject to abuse and misuse.