Wearable devices, including health and activity monitors, video and audio recorders, location trackers, and other interconnected devices in the form of watches, wristbands, glasses, rings, bracelets, belts, gloves, earrings and shoes are being heavily promoted in the next wave of consumer electronics.
It is estimated that 90 million wearable data devices (“WDD”) will be shipped to customers in 2014. Many of these customers will bring them into the workplace, which will challenge employers to adapt employment and IT policies to these new visitors.
WDDs also are attracting the attention of the FTC and legislators. The FTC is investigating the collection and use of consumer location data transmitted by smartphones and other devices. Earlier this month, U.S. Senator Chuck Schumer (D-N.Y.) sent a letter to the FTC asking that fitness device companies be required to give users an “opt-out” before sending personal health data to third parties.
Corporate human resources and IT policies are not ready for an influx of these devices and employers do not want to be caught up in the potential for liability. Smart employers will put policies in place now to manage the integration of WDDs into the workplace, rather than trying to catch up after the fact. This Advisory outlines the principal issues that any workplace WDD policy should cover.
Written by Julia Siripurapu, CIPP/US and Dianne J. Bourque
Community Health Systems, Inc. (the “Company”), one of the largest hospital organizations in the country, announced via a public filing (Form 8K) made yesterday with the Securities and Exchange Commission (“Report”) that the Company was the target of a cyber attack that compromised the health data of 4.5 million individuals. The Company operates 206 general acute care hospitals in 29 states with approximately 31,100 licensed beds.
According to the Report, the Company and its forensic expert, Mandiant, confirmed last month that the Company’s computer network was attacked in April and June, 2014 by an “Advanced Persistent Threat” group that was traced back to China. Using highly sophisticated malware and technology, the attacker bypassed the Company’s security measures and copied and transferred outside the Company protected health information (“PHI”) including names, addresses, birthdates, telephone numbers and social security numbers of individuals referred to or treated at hospitals operated by the Company in the last five years. The Company disclosed in the Report that it is providing the notifications required under state breach notification laws and HIPAA to the individuals affected by the attack and to the applicable regulatory agencies and will offer identity theft protection services to affected individuals. The Company also disclosed that immediately prior to the filing of the Report, it “completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type.”
The Company’s announcement of the breach, posted on its website in accordance with HITECH requirements, (the “Posting”) locates the breach at Community Health Systems Professional Services Corporation (“CHSPSC”), a Tennessee company that provides management, consulting and information technology services to clinics and hospital-based physicians. CHSPSC may be a business associate of the Company, although neither the Report nor the Posting confirmed CHSPSC’s status. The Posting provided additional information regarding breach remediation efforts which also include, audit and surveillance technology to detect unauthorized intrusions, the adoption of advanced encryption technologies, and requiring users to change access passwords. If these security measures were lacking prior to the breach, it will be an important fact in any ensuing enforcement by the Office for Civil Rights in connection with the breach.
This data breach ranks as the 2nd largest breach of medical data in the country to date, when compared to breaches of medical data affecting more than 500 individuals reported by the U.S. Department of Health & Human Services.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) Could the European Court of Justice’s May 13, 2014 Google Spain decision delay the adoption of the EU Data Protection Regulation?
In the Google Spain “Right to be Forgotten” case, the ECJ held that Google must remove links to a newspaper article containing properly published information about a Spanish individual on the basis that the information is no longer relevant. The Google Spain decision has given a much sharper focus to the discussion about the Right to be Forgotten that may soon be adopted as part of the new Data Protection Regulation that is expected to be passed sometime in 2015. With the advent of the Google Spain decision, an issue that was on the sideline for most businesses – and which was expected by some to be quietly dropped from the draft Data Protection Regulation – has become a hot political issue. The Right to be Forgotten as interpreted by the ECJ has garnered international attention, deepened the UK/continental EU divide, and ultimately could delay the adoption of a final form of the Data Protection Regulation.
The Google Spain case has been controversial for various reasons. The decision takes an expansive approach to the long-arm reach of EU data protection law. It holds search engine providers liable to comply with removal requests even when the information in the search results is true, was originally published legally and can continue to be made available by the original website. The decision makes the search engine provider the initial arbiter of whether the individual’s right to have his or her information removed from publically available search results is outweighed by the public’s interest in access to that information. (For a pithy analysis of the “public record” aspects of the case, see John Gapper’s “Google should not erase the web’s memory” published in the Financial Times.)
The issue of cyberliability risk is finally making its way to the board room. We have written about the importance of board education and board involvement in the assessment of cyber threats and liability risk (see our series here) and the Securities and Exchange Commission is looking carefully at public company disclosures of cybersecurity risks as a factor for the investing public. Reputation, cybersecurity and social media are largely intertwined and the associated risk has captured the attention of most boards. However, the executives seem to lack significant understanding, and organizations are missing robust plans to address the identified concerns. The fifth annual board survey conducted by accounting firm EisnerAmper, “Concerns About Risks Confronting Boards,” reveals that concerns over cybersecurity/IT risks among the directors surveyed has increased by nearly 10% and has overtaken regulatory/compliance risk as the second most important concern to all boards. Further, the top concern is reputational risk, which is one of the main issues embedded in cybersecurity risk.
A recent Corporate Counsel article (authored by Mintz Levin colleagues David Barres and Dom Picca) provides an in-depth discussion of “Director Liability for Cybersecurity Risks” outlining specific steps that directors can take to improve board oversight of cybersecurity risks, and the fiduciary duty claims that could result without such oversight.
Reputation, cybeecurity and social media are largely intertwined and the associated risk has captured the attention of most boards. However, the executives seem to lack significant understanding, and organizations are missing robust plans to address the identified concerns.
These articles and studies should be on the agenda for September board meetings. The time is now.
There is another retail data breach to talk about in this Privacy Monday post – privacy & security bits and bytes to start your week.
Supermarket Chain Reports Data Breach
Minnesota-based food retailer Supervalu Inc. has reported breach of its point-of-sale (POS) system, apparently by hackers. A press release on the corporate website describes the incident as a “criminal intrusion” and says that it “may have” resulted in the theft of credit or debit card numbers. According to Supervalu, there is no evidence that data were stolen, and it has not had any reports of misuse of any such data. Affected stores are reported by the company to be operated under the Cub Foods, Farm Fresh, Hornbacher’s Shop ‘n Save and Shoppers Food & Pharmacy banners as well as other stand-alone liquor stores and franchised stores. The complete list is at the company’s Consumer Security Advisory on its website.
We are just two Mondays away from Labor Day, the traditional end of summer in the United States. Here are some privacy tidbits to get your week started. See especially Jake Romero’s piece on the new Delaware data destruction law.
Lack of Information on the Russian Hackers
A company called Hold Security dropped a bombshell last week at the Black Hat security conference in Las Vegas, but has since gone silent on what companies were affected, what websites, or any other specifics, except to sell a $120 corporate security package. I wrote a piece for JD Supra Perspectives last week on the “what now?” question, and on Friday, the Federal Trade Commission’s Business Blog posted a similar question. Read here to see what personal steps to take.
The question that has been most often asked since the Hold Security announcement is “what’s the value of what the hackers grabbed?” One of the best articles written about this question is from the Krebs on Security archives. Read here.
Cute ”Baby Walls” at the OB-GYN = HIPAA Violation!
An article in yesterday’s New York Times outlines one of the more unintended consequences of HIPAA. Read here.
Delaware’s New Data Destruction Law to Set Standard for Disposing of Consumer Data and Authorize Civil Claims (and treble damages) -by Jake Romero
We all have a general sense of what it means to “destroy” something. You know, like how that new Teenage Mutant Ninja Turtles movie just destroyed all of your fond memories of the 1990s cartoon. Well Delaware wants to make sure that when it comes to destroying and disposing of consumer information, everyone is on the same page. Delaware House Bill 295, recently signed into law by Governor Jack Markell, requires commercial entities, in the destruction of personally identifying information collected from consumers, to take reasonable steps to destroy such information to ensure that it is unreadable. Effective, January 1, 2015, the new requirements to be added as sections 50C-101 – 50C-104 of the Delaware Code will apply to a broad swath of entities and could lead to substantial damages in private rights of action. In preparation for the coming change, here are four things to keep in mind:
Written by Narges Kakalia
Rarely do Microsoft, AT&T, Verizon, Apple, Cisco and the ACLU all agree on a particular subject; rarer still that such an unlikely coalition fails.
Last week, in a case of first impression, a District Court in New York denied Microsoft’s request to quash a portion of a government warrant seeking data about a customer’s MSN.com email, from a Microsoft server located in Dublin, Ireland. The warrant was issued by the government pursuant to the Stored Communications Act (the “SCA”), which was enacted almost three decades ago to address disclosures by Internet Service Providers (“ISPs”) of “stored wire and electronic communications and transactional records.” Microsoft’s efforts to quash were supported by amici AT&T, Verizon, Apple and Cisco. Continue Reading
Written by Jake Romero, CIPP
The phrase “back off” is an implied threat typically reserved for bumper stickers and mud flaps, but if you are a retailer that permits the use of remote desktop applications in your business, the name Backoff should be considered much more intimidating. According to a report released by the U.S. Department of Homeland Security, technology that is widely used to allow employees to work from home or permit IT and administrative personnel to remotely maintain systems is being exploited by hackers to deploy point-of-sale (PoS) malware that is designed to steal credit card data. Of particular concern is the fact that Backoff malware, which Homeland Security estimates has been around since October 2013, had a “low to zero percent anti-virus detection rate” at the time it was discovered, meaning that even systems with fully-updated and patched anti-virus software would not be able to identify Backoff as malicious malware. According to the security experts at Kroll, hundreds of retailers may have already been affected without their knowledge.
How Backoff Works
At the onset, hackers scan corporate networks for remote access software, such as Microsoft’s Remote Desktop, Apple Remote Desktop or LogMEIn Join.Me, just to name a few. These programs operate by constantly listening for communications from remote desktop users seeking access. Many remote desktop applications listen over standardized ports, so finding the remote desktop signal is not as difficult as one would expect. When a signal is detected, the hackers use brute force attacks to obtain login credentials and deploy the malware. The variations of Backoff reviewed by Homeland Security were enabled with a variation of four functions: (i) scraping memory for track data, (ii) logging keystrokes, (iii) Command & Control (C2) communication (this uploads discovered data and updates the malware) and (iv) injecting malicious stub into explorer.exe (this maintains the malware in the event that it crashes or is forcefully stopped).
Once Backoff has been deployed, the malware begins exfiltrating consumer payment data using encrypted POST requests. Many remote desktop applications are pre-configured to provide high levels of access to privileged users, so hackers are able to use that trusted status to compromise the network without being detected. For example, in the Target breach that exposed payment card data for millions of individuals, hackers were able to obtain access through accounts intended to remotely maintain refrigeration, heating and air conditioning.
What You Can Do To Mitigate Risk
The Homeland Security report includes a detailed list of actions that can be taken to keep your data safe and mitigate risk to PoS systems from Backoff malware. Although the full list is worth reviewing, here we have included a list of crucial steps that you should consider taking immediately:
- Require Strong Passwords and Lock Out Repeated Unsuccessful Login Attempts. The unfortunate reality is that most users, when given broad deference to craft and select passwords, select passwords that are not just bad, they’re “really, really bad”. Mandating levels of password length and complexity, as well as configuring expiration times for passwords, can help ward off or minimize the effect of a brute force attack. In addition, systems should be configured to lock out repeated unsuccessful attempts.
- Use Multi-Factor Authentication. In addition, consider implementing a two-factor authentication procedure. Multi-factor authentication procedures add an extra layer of protection by combining two or more types of credentials; typically a password along with a security token or biometric verification.
- Limit Users and Access. Consider limiting the number of users who can access desktops remotely and workstations with access. Homeland Security also recommends reviewing the levels of access granted to remote users to the number of users who receive administrative privileges to only those individuals who truly need it. In addition, consider limiting the functions of PoS terminals to ensure that those terminals are not used for secondary functions like email or web browsing that can open the terminal up to attack.
- Change the Default Remote Desktop Listening Port. As noted above, the default port used by many remote desktop applications can make it easy for hackers to locate the signal and exploit it. Changing the default listening port can make your remote desktop application more difficult to locate.
Finally, periodically review systems for unknown users. Although Homeland Security is working with a number of other parties to make Backoff malware detectable, perhaps the most important takeaway is that hackers are constantly looking for new ways to compromise technology. Ultimately there is no substitute for an organized mitigation strategy and constant vigilance.
The last Monday in July — the summer of 2014 is rapidly slipping away! Here are some privacy and security bits and bytes for this last week of July:
US Congress Heads Out on August Recess Soon – Much to Do
It has been reported today that the U.S. House will vote today on a series of four cybersecurity bills. The bills were moved forward last week after the House Homeland Security and Oversight committees resolved a jurisdictional dispute over federal civilian computer networks. On the list for today’s vote: Rep. Mike McCaul’s National Cybersecurity and Critical Infrastructure Protection Act, Rep. Patrick Meehan’s Critical Infrastructure Research and Development Act and Rep. Yvette Clarke’s Homeland Security Cybersecurity Boots-on-the-Ground Act, all from the House Committee on Homeland Security, and separately Rep. Kerry Bentivolio’s Safe and Secure Federal Websites Act of 2013 from the House Committion on Oversight and Government Reform.
Cybersecurity Still a Top Risk Concern for Boards
We’ve been discussing the elevation of privacy and security risks and vulnerablities to the board level for some time now (see here, here and here). Accounting firm EisnerAmper has just released its annual survey on concerns of corporate board directors. Cybersecurity and IT risk and reputational risk (they do go hand in hand; just ask Target and Neiman Marcus) are the two top issues. Read here
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) Although no major legislative milestones for the EU Data Protection Regulation have occurred since March 2014 (see status update here), there has been some progress over the late spring and early summer of 2014. One key item that will be of interest to US companies is the Council’s compromise position on a key piece of the Regulation, the rules for the transfer of personal data to countries outside of the European Economic Area (EEA), published on May 28, 2014.
The current mechanisms for legitimizing such transfers, including adequacy assessments, Binding Corporate Rules, model contracts, and express consent, are retained. Also, an important “derogation” for infrequent, small transfers has been endorsed.
The Council’s full wording for the infrequent, small transfer derogation is as follows:
. . . the transfer, which is not large scale or frequent, is necessary for the purposes of legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject and where the controller (…) has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and (…) based on this assessment adduced suitable safeguards with respect to the protection of personal data.
This promises to be a useful tool for companies when a relatively small set of data needs to be transferred, particularly in circumstances (such as employee data) where the EU’s views on the validity of consent makes it difficult to rely on consent as a basis for the transfer.