Password Protected

Data Privacy & Security News and Trends

Don’t Forget the State Attorneys General

Posted in Consumer Privacy/FTC, Data breach, Identity Theft, Legislation, Notification

State attorneys general play an active role in data privacy and security matters. Their involvement is increasing as they grapple with changing technologies and threats, rapidly evolving state laws and their relatively broad consumer protection authority to engage private sector custodians of personal data such as retailers, financial institutions, technology companies, and health systems. In some states, attorneys general also have some level of law enforcement responsibility related to data breaches and privacy matters. The role of the attorneys general varies by state, further complicating compliance for those who may experience a data privacy or security event.

Attorneys general often work together leveraging their resources by initiating multistate litigation against companies resulting in larger settlements and by working closely with federal agencies such as the Department of Justice (DOJ), the Federal Bureau of Investigation (FBI), the Federal Trade Commission (FTC), and the U.S. Department of Commerce (DOC). Attorneys general are also branching out from their typical enforcement roles to include policy and legislative initiatives.  Attorneys general associations such as the National Association of Attorneys General (NAAG), Republican Attorneys General Association (RAGA), and Democrat Attorneys General Association (DAGA) are making data privacy and security a top priority, frequently hosting panel discussions at their national meetings, and holding policy conferences specific to this topic.  The following are some examples of how attorneys general can impact your business regarding data breach and security matters.

State Reporting Requirements

A total of 47 states have legislation requiring entities to notify individuals of breaches involving personally identifiable information. Twenty-three of these states require entities to notify the attorney general of a breach. Some notification statutes are triggered by the number of persons affected by the breach (e.g., when 500 or 1,000 persons are affected). Others require disclosure no matter the size of the breach. As of this year, states requiring some form of attorney general notification are: California, Connecticut, Florida, Idaho, Illinois, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, Montana, Nebraska, New Hampshire, New York, North Carolina, North Dakota, Oregon, Rhode Island, Vermont, Virginia and Washington.  Because state laws in this area are constantly changing, it is important to stay current on breach notification laws for your applicable states.

State Attorney General Litigation and Settlements

Attorneys general are actively involved in bringing litigation and seeking settlements against companies for various matters relating to data breaches. For example, Trump Hotel Collection settled with the New York attorney general to pay $50,000 in penalties when over 70,000 credit card numbers and other personal data were breached. Trump Hotel Collection also agreed to design and implement new data security practices to prevent future breaches.

Recently the Texas attorney general settled with PayPal regarding its Venmo mobile phone app for potential violations of Texas law by not disclosing how personal information was being used and that it might have publicly exposed private information. The settlement required PayPal to pay $175,000 to the state and improve disclosures regarding security and privacy.

Failure to timely notify patients of a breach and inadequate security measures resulted in a consent judgment against Beth Israel Deaconess Medical Center (BIDMC). The Massachusetts Attorney General sued BIDMC after a laptop containing health information of nearly 4,000 patients was stolen from a physician’s office. The lawsuit alleged BIDMC violated state and federal law when it did not notify patients that their information had been compromised until three months after the incident. BIDMC agreed to pay $100,000 and take steps to ensure compliance with data security laws.

A Vermont-based grocery store, Natural Provisions, settled with the Vermont Attorney General after a security breach involving credit card numbers. The settlement required Natural Provisions to upgrade its computer systems beyond the minimum required legal protections and pay a fine to the state. This settlement exemplifies the emerging trend requiring companies to not only pay a monetary penalty, but also make institutional improvements to prevent future breaches.

In November, Adobe settled a multistate action alleging the company did not employ reasonable security measures to protect customer information in violation of consumer protection laws and personal information safeguard statutes. The Connecticut attorney general led the multistate investigation with fourteen other states that involved over 500,000 people. The settlement required Adobe to pay $1 million to the states and review internal security policies at least twice annually.

State Attorney General Policy Initiatives

Many attorneys general are going beyond enforcement and litigation. This year, the Massachusetts Attorney General’s Office hosted a forum on data privacy. Consumer advocates at this forum encouraged attorneys general to pursue enforcement of consumer protection laws. The Washington and California attorneys general release annual reports of every data breach incident in their state. Ohio’s Attorney General recently launched CyberOhio, a collection of cybersecurity initiatives to help Ohio businesses prevent data security threats and pursue legislative initiatives. The Maryland Internet Privacy Unit, created in 2013, monitors companies to ensure compliance with state and federal consumer protection laws. The increased policy attention on data breaches is sure to bring more enforcement and investigatory efforts by state attorneys general. Much of the policy development for attorneys general begins with their various national associations such as NAAG, RAGA and DAGA, providing companies with a good opportunity to help inform these state initiatives.

Summary

Despite federal regulations and enforcement, companies cannot forget that state attorneys general play a significant and expanding role in data privacy and security matters, including enforcement, prevention, and policy development. Understanding their role and a company’s responsibility in the event of a data breach is critical. Engaging attorneys general before a crisis occurs and helping shape their policy initiatives are also prudent strategies.

Do As We Say, Not As We Do: Audit Reveals Unencrypted IRS Emails Put Taxpayer Data at Risk

Posted in Data Protection and Competition, Data Security, Identity Theft

With tax season around the corner, the Internal Revenue Service (IRS) has begun its yearly campaign to educate taxpayers on the importance of protecting their personal information.  However, a recent audit of the agency’s email use reveals the awkward truth that even the IRS does not always follow best practices when it comes to protecting taxpayers’ sensitive information.

On November 17, 2016, the Treasury Inspector General for Tax Administration (TIGTA) released its October report on an audit of emails sent by 80 randomly selected IRS employees in the Small Business/Self Employed (SB/SE) division during a four-week period in the spring of 2015.  The audit revealed that 39 of the 80 employees sent a total of 326 unencrypted emails containing 8,031 different taxpayers’ personally identifiable information (PII).

The Office of Management and Budget defines PII as any information that can be “used to distinguish or trace an individual’s identity,” such as names, Social Security numbers, birth dates, or tax return information.  The TIGTA report observed that loss, theft, or unauthorized disclosure of PII places individuals at risk for invasion of privacy and identity theft.

Of the 326 unencrypted emails identified by TIGTA, IRS staff sent 275 within the agency and 51 to non-IRS email accounts, including some emails to agents’ personal email accounts, for reasons that are unclear. Most of the internal emails were sent using the IRS’ Enterprise e-Fax system, which allows employees to fax documents from their computers, but which does not have encryption capability.

In its report, TIGTA extrapolated the results of the 80-employee sample to the entire IRS staff and estimated that, over the same four-week period, 11,416 IRS employees sent 95,396 unencrypted emails with private information of 2.4 million taxpayers. If this rate is typical, TIGTA determined, it could mean that the IRS annually sends more than 1.1 million unencrypted emails with private information of 28.2 million taxpayers.  The IRS has established penalties for employees who send unencrypted emails with taxpayers’ personal information, ranging from warning to termination; however, neither the TIGTA nor the IRS has said whether anyone has been disciplined.

In its response, the IRS noted that TIGTA’s review did not identify any instances where unencrypted information was sent to an unintended recipient or fell into the wrong hands.  Karen Schiller, Commissioner of the SB/SE division, also observed that, because most of the emails were sent internally, they remained “within the extensive protections of the IRS firewall” and therefore posed “a minimal risk of disclosure or access.”  Nonetheless, Schiller and the agency recognized that the TIGTA audit reveals areas where the IRS can improve, including in its use of encryption, and emphasized that the IRS is committed to ensuring the privacy and security of taxpayer information against external threats.

The inspector general’s report made several recommendations, including technology upgrades—such as encrypting emails by default and updates to the e-Fax system to allow it to handle encrypted messages, improved training for employees and managers, and disciplinary action for violators.

A separate TIGTA report from October, also released November 17, further revealed that the IRS failed to protect taxpayer information when it transferred data externally to other agencies and contractors.  TIGTA found that the IRS did not always share sensitive data through secure file transfer and identified a number of vulnerable IRS servers: 61 servers with “high-risk vulnerabilities,” 32 servers missing important security patches—of which four were “deemed as critical,” and 10 servers with outdated operating systems.

As April approaches, we will continue to monitor threats facing the privacy and security of taxpayer information and efforts by the IRS to educate the public—and its staff—on ways to guard against these threats.

Retirement Plans Incur Data Breaches; ERISA Council Addresses Cyber Risks

Posted in Cybersecurity, Data Security

Until relatively recently, retirement plans have not made the news as targets of data breaches. This is somewhat surprising, given the wealth of participants’ personal data stored online by these plans. This past summer, however, two plans experienced cybersecurity incidents, one involving theft and one involving ransomware.

While earlier this month, the ERISA Advisory Council (Council) recommended that the Department of Labor (DOL) inform the employee benefits community as to cybersecurity risks and potential approaches for managing those risks, there is a dearth of law on the subject of ERISA and cybersecurity. In fact, ERISA is silent on the subject and no court has yet decided if and to what extent managing cybersecurity risk is a fiduciary function.

Fraudulent Loans Obtained From Chicago Deferred Compensation Plan

The Chicago Deferred Compensation Plan is a Section 457(b) defined contribution plan with some $3.6 billion in assets. In June, press reports indicated that $2.6 million was taken from the plan in the form of unapproved loans from 58 participant accounts. Within five days, the funds were restored, apparently by the company that administered the plan. Participants’ personal information was used to set up web profiles that allowed loans to be taken from their accounts. The matter remains under investigation.

Ransomware Demand Hits UFCW Local 655 Food Employers Joint Pension Plan

This past July, hackers made a ransomware demand on the United Food and Commercial Workers Union Local 655 Food Employers Joint Pension Plan. The plan is a multi-employer defined benefit plan that had assets of approximately $569 million at the end of 2015.

“Ransomware” is malicious software that infiltrates a device or potentially an entire information technology network. The software uses tools to encrypt or “lock” the data located on the device or network to prevent access unless what is, in effect, a monetary ransom is paid to the attacker (typically in untraceable electronic currency, called bitcoins) for a “key” to unlock and retrieve the data.

The unidentified hacker who took control of one of the Local 655 plan’s servers demanded three bitcoins, worth about $2,000, in order for the server to work again. The ransom was not paid and the plan used a backup server to recreate the information that had been on the locked server.

Data that may have been accessed during the attack included participants’ names, dates of birth, Social Security numbers and bank account information. As a precaution, the union offered credit monitoring and identity protection services to its members for 12 months without cost.

ERISA Advisory Council Addresses Benefit Plan Cybersecurity

The Council was created under ERISA and is tasked with advising the Secretary of Labor (Secretary) and submitting recommendations regarding the Secretary’s functions under ERISA. The Council consists of 15 members appointed by the Secretary.

Benefit plan cybersecurity has been studied by the Council since 2011. In 2015 and earlier this year, hearings were held. The Council has made available its current issue statement on cybersecurity as well as the prepared statements of witnesses at this year’s hearings.

The Council’s final 2016 report is not expected to be released for several months. On November 10, it did release an executive summary provided to the Secretary, in which it made the following recommendations:

  • Make the Council’s report and its appendices available via the DOL’s website as soon as administratively feasible to provide plan sponsors, fiduciaries and service providers with useful information on developing and maintaining a robust cyber risk management program for benefit plans.
  • Provide information to the employee benefit plan community of plan sponsors, fiduciaries and service providers to educate them on cybersecurity risks and potential approaches for managing these risks.

The summary notes that the Council has drafted a sample document titled Employee Benefit Plans: Considerations for Managing Cybersecurity Risks for the DOL as an illustration. When the Council’s final report is posted, we will report on it and the sample document in a WorkCite.

Observation

Apart from protecting online data, plan administrators are seriously concerned about the following:

  • Is cybersecurity a fiduciary responsibility under ERISA? If so, in some cases plan fiduciaries may have personal liability under ERISA for the consequences resulting from data breaches.
  • Are state cybersecurity laws and regulations pre-empted by ERISA? If not, in the event of a data breach, administrators of plans with participants residing in multiple states will have a daunting task in determining which laws and regulations apply.

Regrettably, the Council indicated in its issue statement that although it was aware of these matters, it did not intend to address them within the scope of its study. So far, no guidance has come from the DOL itself on either fiduciary responsibility or pre-emption.

Cybersecurity Threats May Impact Your Digital Health

Posted in Consumer Privacy/FTC, Cybersecurity, Data breach, Data Protection and Competition, Health Information

As the healthcare industry continues to embrace the Internet of Things, cybersecurity may present unprecedented health and privacy risks to patients. Wireless-enabled medical devices are increasingly common. For some patients, this means that their hearts are, quite literally, connected to the Internet of Things. For others, mobile medical apps and wearable products are collecting personal health data that may be inadequately protected.

The medical device industry came under fire this year when a Senator from California sent a letter to the top five U.S. medical device manufacturers expressing “serious concerns that the cybersecurity vulnerabilities in medical devices are putting the health and safety of patients in California and across the country at risk.” Senator Barbara Boxer (D-CA) wrote her letter in response to findings from an independent security researcher who discovered certain vulnerabilities in drug infusion pumps used in hospitals.  The researcher discovered that the device software was vulnerable to infiltration that had the potential to manipulate the pump’s drug dosage levels. Unfortunately, this is not the first time this risk has been demonstrated.  For instance, similar studies have revealed the vulnerabilities of wireless-enabled pacemakers and defibrillators, which in some cases have led to embarrassing public disclosures by companies seeking to profit from such vulnerabilities.

This month, two other lawmakers questioned the U.S. Food and Drug Administration (FDA) on its plans to address cybersecurity vulnerabilities in networked medical devices. Diana DeGette (D-CO) and Susan W. Brooks (R-IN) urged the agency to consider the vulnerability of the 10 to 15 million devices in circulation that are connected to the internet, hospital networks, and to other medical devices.

While there is no evidence that medical devices have been the targets of cyber-attacks, other IoT devices are increasingly becoming attractive targets. The consequences of such an attack on medical devices could be dire. These threats are credible enough that during his tenure as Vice President, Dick Cheney was ordered to disable the wireless functionality of his pacemaker due to fears it might be hacked in an assassination attempt. As more medical device manufacturers create products that are wireless-enabled, data security for these devices is an increasing concern. Historically, device manufacturers have had to create products that are able to perform under various conditions, such as power outages.  Going forward, resistance to cyber-attacks is likely to be an additional hurdle that device manufacturers will need to clear before marketing their products.

This year FDA issued draft guidance addressing Postmarket Management of Cybersecurity in Medical Devices. FDA encourages manufacturers to use a proactive and risk-based approach in the post-market phase for medical devices, such as the NIST Framework for Improving Critical Infrastructure Cybersecurity. FDA has also identified cybersecurity enhancement in medical devices as a Science Priority for FY 2017. Medical device manufacturers are likely to face increasing scrutiny from FDA regarding the cybersecurity measures of connected devices.

“But what about my fitness tracker?” you may ask. The explosive growth of wearable wellness products and mobile medical apps has created another avenue for cyber-threats. These products raise serious privacy and security concerns. Wearable products and medical apps collect a plethora of sensitive health information about their users, such as location, pregnancy, gender information, and ovulation information. Despite these issues, for the time being, many of these products may fall into a regulatory no-man’s-land. Per its recent guidance, FDA does not intend to regulate low-risk general wellness products. Additionally, FDA’s current guidance suggests that many mobile medical apps will fall outside of FDA’s jurisdiction as they will not meet the definition of “medical device.” Other mobile medical apps may meet the definition of “medical device” but pose lower risk to the public, and therefore FDA does not intend to regulate these products as “medical devices.” HIPAA is unlikely to apply to these products as they are not offered by “covered entities.” FDA’s stance on this may change, and these products are still subject to regulation by the Federal Trade Commission (FTC); however, for the time being consumers will need to carefully consider the cybersecurity strength of the manufacturers from which they are purchasing these products.

Given the growth of the healthcare industry and the constantly evolving nature of cyber-threats, these issues are not likely to disappear any time soon.  Manufacturers will need to be vigilant to keep up with the constantly evolving cybersecurity threats and assess vulnerabilities when designing and developing products.

LabMD Successfully Delays FTC’s Data Security Enforcement During Appeal

Posted in Consumer Privacy/FTC, Data Protection and Competition, Data Security, FTC enforcement

In another twist in the LabMD case, LabMD has succeeded in obtaining a delay on the FTC’s enforcement action during its appeal.  Of course, the substantive issues remain to be determined.

In 2013, the Federal Trade Commission (FTC) issued an administrative complaint against LabMD for alleged “unfair” data security practices culminating in an Opinion and Final Order (Order) against the company for violating Section 5 of the Federal Trade Commission Act (Section 5). After exhausting administrative law procedures, LabMD filed an appeal with the U.S. Court of Appeals for the Eleventh Circuit to prevent the FTC from enforcing the Order until the court reviewed several unresolved legal questions, including whether or not the FTC can enforce data security standards in the absence of identifiable harm.

The Court’s Analysis

In determining whether or not to grant the Stay, the court weighed the following four considerations:

  1. Did LabMD make a strong showing it would succeed on the merits;
  2. Would LabMD be irreparably injured without the stay;
  3. Does issuing the stay substantially injure a third party; and
  4. What is in the public’s best interest?

Success on the Merits

To succeed on the merits, LabMD must show that the FTC misinterpreted Section 5 as it was applied in the Order. Section 5 grants the FTC authority over “unfair or deceptive acts.” (15 U.S.C. § 45(a)). “Unfair” is defined as something that has caused “or is likely to cause substantial injury to consumers.” (15 U.S.C. § 45(n)). Federal agencies are charged with reasonably interpreting their own statutes. In its discussion, the court said that LabMD presented “a strong showing that the FTC’s factual findings and legal interpretations may not be reasonable.” In other words, there is enough ambiguity in the FTC’s analysis that the Order should not be enforced, yet. The court says, “[i]t is not clear that the FTC reasonably interpreted ‘likely to cause’ …we do not read the word ‘likely’ to include something that has a low likelihood. We do not believe an interpretation that does this is reasonable.” (emphasis added).

Irreparable Harm

The second point of analysis examines to what extent LabMD would be harmed if the Order is enforced. Here the court highlights the fact that LabMD (which was founded in 1996) is no longer in operation, with no employees, no revenue, and is relying on pro bono legal representation. Simply put, the court determined that LabMD is not well positioned to assume the costs required to comply with the Order.

Third Party Injury & Public’s Interest

The third and fourth points consider if third parties would be harmed by delaying the Order. Here the court notes that the “FTC’s ruling did not point to any tangible harm to any consumer, because there is no evidence that any consumer suffered a harm.” The court continues, “there is no evidence that any consumer ever suffered any tangible harm…we find it improbable that a party downloaded this information now years ago, has not used it for several years, but may yet use it for nefarious purposes before this appeal terminates”. This analysis led the court to determine there is no risk of immediate harm to consumers or the public if the Order is delayed.

What’s Next for the FTC and LabMD?

This Stay comes after a handful of attempts to clarify the FTC’s policies and procedures in this case, including a letter from Sen. Jeff Flake and Sen. Mike Lee sent to Chairwoman Ramirez challenging the FTC’s analysis. In particular, the letter addresses whether the “FTC’s cybersecurity regime complies with the protections of due process under the constitution.”  The letter directly addresses the FTC’s analysis that LabMD’s vagueness challenge was inapplicable because there are no fundamental rights implicated in the case. The letter asks “[a]re laws unconstitutionally vague only if they implicate fundamental rights?”

This case then begs the question: has data security regulation hit the proverbial ‘tipping point’? Is momentum slowly crawling away from big agency regulation and inching towards streamlined industry standards?  Maybe. The Stay is certainly a win for LabMD, but it does not mean it is a loss for the FTC. The case is far from over. There are several substantive claims that must be addressed on appeal.

“Warfare of the Future”: Trump’s National Cybersecurity Strategy

Posted in Cybersecurity, Legislation

The celebratory confetti has barely settled on the campaign office floor, but in the age of patches, hacks, and cyberattacks, the nation’s attention has shifted to how President-elect Donald Trump will manage U.S. privacy and data security issues.

During the campaign, Mr. Trump did not extensively outline a cybersecurity plan, but from the information provided on his website, the administration will likely construct strong government cybersecurity policies both defensively and offensively. His website provides the following cybersecurity agenda:

  • “Order an immediate review of all U.S. cyber defenses and vulnerabilities, including critical infrastructure, by a Cyber Review Team of individuals from the military, law enforcement, and the private sector.
  • Instruct the U.S. Department of Justice to create Joint Task Forces throughout the U.S. to coordinate Federal, State, and local law enforcement responses to cyber threats.
  • Order the Secretary of Defense and Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command, with a focus on both offense and defense in the cyber domain.
  • Develop the offensive cyber capabilities we need to deter attacks by both state and non-state actors and, if necessary, to respond appropriately.”

The website details that the Cyber Review Team will:

  • “The Cyber Review Team will provide specific recommendations for safeguarding different entities with the best defense technologies tailored to the likely threats, and will follow up regularly at various Federal agencies and departments.
  • The Cyber Review Team will establish detailed protocols and mandatory cyber awareness training for all government employees while remaining current on evolving methods of cyber-attack.”

Applying the Cybersecurity Plan

Securing national infrastructure is a top priority for Mr. Trump. During a speech on October 3, 2016, to the Retired American Warriors PAC, then candidate Trump said, “[t]o truly make America safe, we must make cybersecurity a major priority” which includes both the government and the private sector. He intends to “order a thorough review of our cyber defenses and weaknesses” including infrastructure. During his Presidential acceptance speech on November 9, 2016, he reiterated his intention to secure national infrastructure.

The importance of a secure national infrastructure was demonstrated last month when a distributed denial of service (DDoS) attack disrupted service providers like Amazon and Netflix, bringing renewed attention to the dangerousness of vulnerable internet of things (IoT) devices. Similarly, recent accusations regarding cybersecurity weaknesses in St. Jude’s medical devices and the Yahoo breach (which Yahoo insists was committed by a state actor) implicate a number of IoT cybersecurity threats that the Trump Cyber Review Team will likely focus on during the first 100 days.

In crafting policies surrounding these and other cybersecurity issues, Mr. Trump will likely take a strong pro-law enforcement approach. Mr. Trump’s predilection for exhausting resources to support law enforcement efforts was front and center at the October 3, 2016 speech when he said, “the United States must develop the ability – no matter how difficult – to track down and incapacitate those responsible…[t]his is the warfare of the future, America’s dominance in this arena must be unquestioned.”

You Are the Company You Keep

Trump’s partnerships with both political and non-political figures offer additional insight into his cybersecurity plans. Vice President-elect Mike Pence and former New York mayor Rudy Giuliani were both key players during the Trump campaign, and both come with cybersecurity experience, supporting the likelihood that the Trump administration will draft thoughtful and comprehensive cybersecurity policies.

Earlier this year Indiana Governor Pence announced the formation of the Indiana State Executive Council on Cybersecurity. The council is described as a “comprehensive public-private partnership charged with enhancing Indiana’s ability to prevent, respond to and recover from all types of cybersecurity issues.” The council includes input from both public and private partners, which is an increasingly important strategy in the fight against cyber-crime.

Rudy Giuliani, who joined Mr. Trump on stage on election night, remains a key player in forming the Trump agenda. In addition to his time in public office, Giuliani brings significant cybersecurity experience. In 2001, Giuliani founded the security consulting company Giuliani Partners LLC, and he is currently touted as the chair of the “Cybersecurity, Privacy and Crisis Management Practice” at a large international law firm.

As a political outsider himself, Mr. Trump found support from other non-political figures including Peter Thiel, a co-founder of PayPal Holdings Inc., an early investor in Facebook Inc., and a major investor in the tech industry. Thiel’s strong presence during the campaign will likely continue through the presidency, indicating the administration will be aware and sensitive to emerging technologies and associated cybersecurity risks.

Insight into the tech industry will help the Trump administration as it works to fill vacancies at several agencies. One of these vacancies includes replacing the chairman of the Federal Communications Commission (FCC). Mr. Trump once described the Net Neutrality rules as a “power grab,” so it is likely that the next FCC chairman will take a deregulatory approach. This could mean big changes for the newly passed broadband privacy rules, Title II common carrier regulations, telecom policy and Commissioner Clyburn’s interest in eliminating mandatory arbitration clauses. As to other regulatory and compliance concerns, including HIPAA and the EU-U.S. Privacy Shield, there will be an adjustment period between administrations, but it is unlikely that the Trump administration will entirely obstruct or block these policies.

Trump’s campaign speech described his plan as the beginning of the discussion on how to “gain a critical security edge in the 21st century.” But only after he takes office will we see his policies develop to navigate difficult national cybersecurity issues and meet the needs of the constantly evolving cyber threat.

Banking Regulators Propose Enhanced Cyber Risk Management Standards

Posted in Financial Services Information Management

On October 19, 2016, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency (together, the “Prudential Regulators”) published an advance notice of proposed rulemaking (ANPR) that would require banks with more than $50 billion in assets to take additional steps to protect against cyber-attacks.  Comments to the ANPR are due January 17, 2017.

The ANPR explains that the Prudential Regulators already have supervisory programs that set expectations for cybersecurity practices at financial institutions and their third-party service providers, such as the existing FFIEC standards (please see our recent FFIEC alerts). The proposed ANPR standards would be integrated into these existing supervisory frameworks.

The ANPR addresses five categories of cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Significant proposals within each category include the following:

  1. Cyber risk governance – The board of directors of a covered entity would be required to hold senior management accountable for implementing the entity’s cyber risk management framework. The ANPR proposes requiring the board to have adequate expertise in cybersecurity or to maintain access to resources or staff with such expertise. The ANPR also considers requiring senior leaders with responsibility for cybersecurity to be independent of business line management.
  2. Cyber risk management – The ANPR would require covered entities, to the greatest extent possible, to integrate cyber risk management into the responsibilities of at least three independent functions (the business units, independent risk management and internal audit) with appropriate checks and balances. Units responsible for day-to-day business functions would need to assess, on an ongoing basis, the cyber risks associated with the unit’s activities and ensure that information about those risks is shared with senior management, as appropriate, in a timely manner. The ANPR also proposes explicitly requiring the audit function of a covered entity to assess whether the cyber risk management framework complies with applicable regulations and is appropriate for the firm’s size, complexity, interconnectedness and risk profile.
  3. Internal dependency management – The ANPR would require covered entities to maintain an inventory of all business assets on an enterprise-wide basis, prioritized according to the assets’ criticality to the business functions they support, the firm’s mission and the financial sector.  Covered entities would need to track connections among assets and risk levels throughout the life cycles of the assets.
  4. External dependency management – The ANPR proposes requiring covered entities to have a current, accurate, and complete awareness of, and prioritize, all external dependencies and trusted connections on an enterprise-wide basis, based on their criticality to the business functions they support, the entity’s mission, and the financial sector. Covered entities would be expected to generate and maintain a current, accurate, and complete listing of all external dependencies and business functions, including mappings to supported assets and business functions.
  5. Incident response, cyber resilience, and situational awareness – Covered entities would be required to be capable of operating critical business functions in the face of cyber-attacks and to continuously enhance their cyber resilience. This includes establishing processes designed to maintain effective situational awareness capabilities to reliably predict, analyze, and respond to changes in the operating environment.  In addition, the ANPR proposes that covered entities establish and maintain enterprise-wide cyber resilience and incident response programs, with escalation protocols, based on their enterprise-wide cyber risk management strategies and supported by appropriate policies, procedures, governance, staffing, and independent review. These programs would be required to include processes to incorporate lessons learned into the programs.

The Prudential Regulators are considering implementing the enhanced standards in a tiered manner, imposing more stringent standards on the systems of those entities that are critical to the functioning of the financial sector (“sector-critical systems”). In particular, the ANPR proposes requiring covered entities to minimize the residual cyber risk of sector-critical systems by implementing the most effective commercially available controls. The Prudential Regulators are also considering requiring covered entities to establish a recovery time objective (RTO) of two hours for their sector-critical systems, meaning those systems would have to be back in operation within two hours of a disruption.

As the ANPR states, “[a]s technology dependence in the financial sector continues to grow, so do opportunities for high-impact technology failures and cyber-attacks. Due to the interconnectedness of the U.S. financial system, a cyber incident or failure at one interconnected entity may not only impact the safety and soundness of the entity, but also other financial entities with potentially systemic consequences.” As a result, banks, their boards and third-party vendors should all continue to expect heightened cybersecurity regulations and consider changes to other liability standards that might result from those heightened regulatory expectations.

A New Shorting Strategy: Short Selling Cybersecurity Vulnerabilities

Posted in Data Protection and Competition, Data Security

St. Jude Medical has filed a defamation lawsuit against short-seller Muddy Waters LLC and cyber-security research company MedSec Holdings, along with executives at both companies, following the companies’ allegations of cybersecurity vulnerabilities in some of St. Jude’s medical devices.

MedSec Holdings first approached the investment company Muddy Waters last year with information alleging that cybersecurity flaws in St. Jude’s pacemakers and defibrillators leave the devices vulnerable to being hacked and manipulated. Instead of approaching St. Jude directly with its findings, as is typical in the industry, MedSec went straight to Muddy Waters with the information.

The two companies went on to form an unprecedented partnership in which Muddy Waters shorted St. Jude stock based on the information MedSec brought to it, in exchange for paying MedSec a portion of any profits made from the position. St. Jude shares took an immediate nosedive after Muddy Waters released a research report outlining the security vulnerabilities and announced its short position on August 25, 2016. St. Jude stock had previously been up following the announcement of a planned $25 billion acquisition expected to close later this year.

St. Jude’s prior history with security issues may have led to its being singled out by Florida-based MedSec. MedSec’s CEO stated in a Bloomberg interview that “St. Jude Medical stood out, far and away, as severely deficient when it comes to security protections” in the company’s research into security flaws in medical devices. MedSec chose not to notify St. Jude directly because “[they] felt that notifying the company would simply give it a chance to prepare its ‘messaging’ in an effort to sweep this under the rug.”

Alliances between cybersecurity research companies and for-profit investment firms that publicly announce vulnerabilities as part of a short-selling strategy are one more potential byproduct of a questionable cybersecurity program. Companies have been dealing with the more obvious consequences of cybersecurity issues, such as risk of breach, regulatory fines and lawsuits, but may now also have to worry about public disclosure of security flaws by parties looking to make a profit. Companies may also face additional security threats if they learn of vulnerabilities at the same time as attackers do, eliminating their ability to fix the bugs before they are announced to the public.

St. Jude has already announced that it is creating a Cyber Security Medical Advisory Board (CSMAB) in the wake of the recent events surrounding its security practices. Although the jury is still out on whether public outing and disclosure will be good for consumer safety, it is clear that public companies should make cybersecurity a priority by investing in strong cybersecurity and data protection programs.

Seventh Circuit Denies Challenge to FMCSA Electronic Logging Device Rule

Posted in Information Management, Legislation, Privacy, Surveillance

In an opinion issued Oct. 31, 2016, the U.S. Court of Appeals for the Seventh Circuit rejected a challenge to a Federal Motor Carrier Safety Administration (FMCSA) rule that will require most commercial motor vehicles to be equipped with an electronic logging device, or “ELD,” by December 2017 (the “ELD Rule”).

The petition to challenge the ELD Rule was brought by the Owner-Operator Independent Drivers Association and two individual drivers. In denying the petition, the Seventh Circuit held that the ELD Rule sufficiently complies with a statutory directive that ELDs must be capable of “automatically” recording a driver’s hours of service, notwithstanding that some level of driver involvement will still be required to enter information into an ELD. The court also held that the FMCSA had sufficiently protected drivers from harassment, adequately considered the confidentiality of information that will be collected by ELDs, and was not required to conduct a cost-benefit analysis in promulgating the ELD Rule (although the court held that FMCSA’s research studies were sufficient even if a cost-benefit analysis were required).

In response to the petitioners’ challenge to the ELD Rule on Fourth Amendment grounds, the court held that even if the ELD Rule mandated a search or seizure for Fourth Amendment purposes, such a search or seizure was exempt from the warrant requirement under an exception for reasonable administrative inspections in “pervasively regulated industries.” The petitioners have indicated that they are considering their options to continue their challenge to the ELD Rule, potentially including an appeal to the U.S. Supreme Court.

Motor carriers that are subject to the ELD Rule should review their operations for compliance with the new requirements to prepare for the December 2017 deadline. In doing so, carriers should consider how compliance with the ELD Rule affects other regulatory obligations, including compliance with federal truth-in-leasing regulations. In another recent decision that could affect how carriers comply with the ELD Rule, the U.S. Court of Appeals for the Tenth Circuit held that a motor carrier violated truth-in-leasing regulations — specifically, 49 C.F.R. § 376.12(i) — by requiring, as a condition of entering into a lease arrangement, that truckers pay $15 each week for use of the carrier’s satellite communications system.

In considering how to manage the costs of the ELD Rule and the challenges of integrating different devices into communication and fleet management systems, carriers should consider all of their regulatory obligations to ensure regulatory compliance and prevent enforcement or litigation.

A Closer Look: Practical Tips to Managing a Ransomware Attack Part 2

Posted in Cybersecurity, Data Security, Information Management

Part 1 of this two-part series outlined the mechanics and dangers of ransomware. In Part 2, this post will examine what steps to take, or not to take, during and after a ransomware attack.

“We’ve Been Hit – Now What?”

Bill Hardin of Charles River Associates, one of the panelists at the September FTC fall technology conference on ransomware, introduced an easy to remember acronym for guiding ransomware response strategies: “CPR” – contain, preserve, remediate.

  • Contain – As soon as you have determined that a device is infected, isolate it: unplug it from the wired network, turn off its wireless capabilities and, if the malicious process can be identified, stop it. Isolating the device is preferable to powering it off, since its memory may hold evidence useful to investigators. If this occurs at a service provider’s location, the service provider should run tools to detect and sever the connection. Create and maintain an incident response plan and train all your employees on it.
  • Preserve – The FBI representative on the panel strongly recommends that organizations preserve the evidence and report the ransomware attack to the local FBI field office or online at the FBI Internet Crime Complaint Center (www.ic3.gov). The FBI conducts joint investigations with numerous countries to try to identify and shut down these attackers. While the FBI may not be able to resolve the current situation, the more information it has, the better it will be able to disrupt the criminal hierarchy and prevent future attacks.
  • Remediate – At this point, once your data is held for ransom, there are not many alternatives available. You can pay the ransom, try to negotiate a reduced payment, or decline to pay and rebuild from backups where they exist. The FBI discourages the payment of any ransom. The Bureau believes that “success breeds success” and that paying a ransom encourages the bad actors to keep at it so long as there is a profit to be made.
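The “Preserve” step is easy to state and easy to get wrong once people start rebuilding machines. The following is an added example, not code from the original post or from the panelists, of one way to make preserved evidence tamper-evident: hash every artifact (ransom note, samples of encrypted files), write the hashes and metadata to a manifest, and record the manifest’s own hash out of band so any later change to either the artifacts or the manifest is detectable. All file names, contents and the collector identity are constructed for the demo.

```python
# Added example (not from the original post): preserve ransomware artifacts
# in a tamper-evident manifest before anything is rebuilt or restored.
# Paths, file names, contents and the collector identity are constructed.
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def sha256_bytes(data):
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=65536):
    """Hex SHA-256 of a file, streamed so large encrypted files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def collect_artifacts(evidence_dir, patterns):
    """Record path, size, modification time and hash of every matching file.
    Artifacts are only read, never modified."""
    root = Path(evidence_dir)
    entries = []
    for pattern in patterns:
        for path in sorted(root.rglob(pattern)):
            if not path.is_file():
                continue
            st = path.stat()
            entries.append({
                "path": path.relative_to(root).as_posix(),
                "size": st.st_size,
                "mtime_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
                "sha256": sha256_file(path),
            })
    return entries


def write_manifest(entries, manifest_path, collector):
    """Write the manifest and return its own SHA-256. Record that digest out of
    band (case notes, e-mail to counsel) so editing the manifest is as
    detectable as editing an artifact."""
    body = json.dumps({
        "collector": collector,
        "collected_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "artifacts": entries,
    }, indent=2, sort_keys=True).encode("utf-8")
    Path(manifest_path).write_bytes(body)
    return sha256_bytes(body)


def verify_manifest(evidence_dir, manifest_path, expected_manifest_sha256):
    """True only if the manifest is unchanged and every artifact still matches it."""
    if sha256_file(manifest_path) != expected_manifest_sha256:
        return False
    root = Path(evidence_dir)
    manifest = json.loads(Path(manifest_path).read_bytes())
    for entry in manifest["artifacts"]:
        path = root / entry["path"]
        if not path.is_file() or path.stat().st_size != entry["size"]:
            return False
        if sha256_file(path) != entry["sha256"]:
            return False
    return True


def build_sample_case():
    """Create a constructed evidence set in a temp dir.
    Returns (evidence_dir, manifest_path, manifest_sha256) as strings."""
    case_dir = Path(tempfile.mkdtemp(prefix="ransomware-case-"))
    evidence = case_dir / "evidence"
    (evidence / "finance").mkdir(parents=True)
    # Constructed stand-ins for a ransom note and two encrypted files.
    (evidence / "README_DECRYPT.txt").write_text("Your files have been encrypted.\n")
    (evidence / "finance" / "Q3_forecast.xlsx.locked").write_bytes(os.urandom(512))
    (evidence / "finance" / "payroll.csv.locked").write_bytes(os.urandom(512))
    entries = collect_artifacts(evidence, ["*.txt", "*.locked"])
    manifest = case_dir / "manifest.json"
    digest = write_manifest(entries, manifest, collector="ir-analyst@corp.example")  # hypothetical
    return str(evidence), str(manifest), digest


def demo():
    """Verification passes on pristine evidence and fails after any change."""
    evidence, manifest, digest = build_sample_case()
    before = verify_manifest(evidence, manifest, digest)
    with open(Path(evidence) / "README_DECRYPT.txt", "a") as fh:
        fh.write("edited during clean-up\n")  # simulated accidental modification
    after = verify_manifest(evidence, manifest, digest)
    return {"artifacts": len(collect_artifacts(evidence, ["*.txt", "*.locked"])),
            "verified_before": before, "verified_after_tamper": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest lives outside the evidence directory and is itself hashed, so the chain is: artifact hashes are protected by the manifest, and the manifest is protected by the digest you wrote down elsewhere. Hand the digest and the manifest to law enforcement along with the artifacts.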

To Pay or Not to Pay, That is the Question

The FBI recommends that companies not pay the ransom. In reality, however, if the information is critical and there are no backups, companies may be tempted to pay. The attackers know the sweet spot and have priced the ransom accordingly: a few hundred or a few thousand dollars versus the cost of company downtime, lost data, lost productivity and a general network shutdown, in addition to bad publicity. But beware when paying a ransom! There are pitfalls, because these attackers are not model citizens.

  • First, do not expect that your data will be returned even if the ransom is paid. Fewer than 80% of victims who paid received a decryption key.
  • Second, beware of the bait and switch, where once you agree to pay the agreed-upon price, the attacker raises the ransom amount.
  • Third, beware of any links provided by the attacker for purchasing Bitcoins, as such a link may be designed to harvest additional information from you, to be used against you later or sold to other groups that will attack you again. If possible, purchase the Bitcoins from a reputable exchange; some sources are sketchy, and purchasing from them may require you to provide information that exposes you or your organization to further malware.
  • Fourth, by demonstrating a willingness to pay, you increase your risk of being targeted in future attacks.
  • Finally, if possible, communicate with the attacker through an anonymous account or an intermediary.

Some organizations may not be in a position to pay the requested ransom amount and may be tempted to negotiate more favorable pricing. One panelist indicated that on average, negotiations may lower the ransom demand by approximately 29%. However, a willingness to negotiate tells the attacker that you have no data backup and he/she may try to take further advantage of the situation.

Mitigating the Damage

Correctly managing the aftermath of a ransomware attack is critical to protecting your customers and navigating liability. Ransomware attacks affect different industries differently (click here for a closer look at how ransomware affects the healthcare industry). But, regardless of industry, security and communication will be key in the wake of an attack. Some things to consider include:

  • Be prepared to determine if, and to what extent, you want law enforcement involved. Establishing relationships with law enforcement officials before an attack can help restore your business after an attack.
  • Be ready to respond to customer questions with facts – do not speculate.
  • Be sure your information governance program identifies what data you have and where it is stored, so you know what data is at risk.
  • Have an incident response team and plan in place– internally and externally.
  • If your service was disrupted, restore service first and conduct the forensic investigation afterward, but take a forensic image or snapshot of the affected systems before rebuilding them so the evidence preserved in the “Preserve” step is not destroyed. Most importantly, don’t repeat poor behavior: if the attack was the result of a phishing email, be sure that email is flagged and removed so other employees do not click on it.
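Flagging the phishing email means first finding out who else got it and who already clicked. The following is an added example, not code from the original post, of scoping a phishing campaign from two log sources: a mail-gateway log to find every recipient, and a web-proxy log to find every user who requested the link. It matches on the sending address and on the link’s hostname (including subdomains) rather than on the exact URL, because per-recipient tracking tokens make each copy’s URL differ. The log formats and every log line are constructed for the demo; your gateway and proxy will need their own parsers.

```python
# Added example (not from the original post): after an infection is traced to a
# phishing e-mail, find everyone who received it and everyone who visited its
# link. Log formats and all log lines below are constructed for the demo.
import re
from urllib.parse import urlsplit

# Constructed mail-gateway log: one delivered message per line.
SAMPLE_MAIL_LOG = [
    '2016-11-02T09:12:03Z from=invoices@acme-billing.example to=alice@corp.example subject="Overdue invoice 4471" url=http://acme-billing.example/inv/4471?u=a1',
    '2016-11-02T09:12:05Z from=invoices@acme-billing.example to=bob@corp.example subject="Overdue invoice 4472" url=http://acme-billing.example/inv/4472?u=b7',
    '2016-11-02T09:30:11Z from=newsletter@vendor.example to=carol@corp.example subject="October update" url=http://vendor.example/news',
    # Same campaign, different sender and a subdomain: matching the first
    # message's exact sender and URL would miss this one.
    '2016-11-02T09:41:58Z from=accounts@acme-bi11ing.example to=dave@corp.example subject="Overdue invoice 4473" url=http://cdn.acme-billing.example/inv/4473?u=d2',
    'malformed line that the parser must skip',
]

# Constructed web-proxy log: one outbound request per line.
SAMPLE_PROXY_LOG = [
    '2016-11-02T09:15:41Z user=alice@corp.example url=http://acme-billing.example/inv/4471?u=a1 status=200',
    '2016-11-02T09:33:02Z user=carol@corp.example url=http://vendor.example/news status=200',
    '2016-11-02T09:45:19Z user=dave@corp.example url=http://cdn.acme-billing.example/inv/4473?u=d2 status=403',
    # No delivery record for erin: a forwarded copy, or a gap in gateway logging.
    '2016-11-02T10:02:57Z user=erin@corp.example url=http://acme-billing.example/ status=200',
]

MAIL_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)" url=(?P<url>\S+)$')
PROXY_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) url=(?P<url>\S+) status=(?P<status>\d+)$')


def parse_log(lines, pattern):
    """Yield one dict per line that matches the pattern; skip lines that do not."""
    for line in lines:
        match = pattern.match(line)
        if match:
            yield match.groupdict()


def url_host(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def host_matches(host, ioc_host):
    """True for the indicator host itself and any subdomain of it, never for
    look-alikes such as 'acme-billing.example.evil'."""
    host, ioc_host = host.lower(), ioc_host.lower()
    return host == ioc_host or host.endswith("." + ioc_host)


def scope_campaign(mail_lines, proxy_lines, sender, link_host):
    """Return who received the phishing e-mail and who requested its link."""
    recipients = set()
    for msg in parse_log(mail_lines, MAIL_RE):
        if msg["sender"].lower() == sender.lower() or host_matches(url_host(msg["url"]), link_host):
            recipients.add(msg["rcpt"].lower())
    clicked = set()
    for req in parse_log(proxy_lines, PROXY_RE):
        # A blocked request (403) still means the user clicked; the proxy
        # intervened, so that host still needs checking.
        if host_matches(url_host(req["url"]), link_host):
            clicked.add(req["user"].lower())
    return {
        "recipients": sorted(recipients),               # pull the message, warn these users
        "clicked": sorted(clicked),                     # isolate and examine these hosts
        "recipients_not_clicked": sorted(recipients - clicked),
        "clicked_without_delivery_record": sorted(clicked - recipients),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scope_campaign(SAMPLE_MAIL_LOG, SAMPLE_PROXY_LOG,
                                    "invoices@acme-billing.example",
                                    "acme-billing.example"), indent=2))
```

The two leftover buckets are the useful ones: recipients who have not clicked are the people to warn and whose copies to delete, and users who clicked without a delivery record point at either mail forwarding or a blind spot in gateway logging that should itself be fixed.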