There has been so much news swirling in the data privacy and security world in the last few days, that it has been difficult to keep up. We’ll give you a roundup here for your Friday and weekend reading.
Heartbleed – Where Are We?
By now, you should know whether your web-facing applications (customer log-in, secure web portals, shopping carts) were affected by the Heartbleed vulnerability, and patches should have been applied. If you have not checked into this yet, you can test your URL at any number of sites, but here is one. Test it now!
- Upgrade any software using OpenSSL to the latest, patched version. (should be done)
- Communicate with any hardware and software vendors to ensure they’ve also upgraded.
- Once that is secured, have everyone within your company change their passwords, or notify customers that passwords should be changed.
- Explain to employees and customers what you are doing and what you have done to take precautions against this bug.
The second bullet was the biggest nut to crack for many this week. Make sure that your network appliances (routers, conferencing, any hardware/software that connects to the Internet) are all checked. SANS (the security institute) has been keeping a running list of Heartbleed vendor patches and communications. Many vendor sites also are posting technical communications with updates and notices regarding the availability of upgrades, patches or hotfixes. Further, many enterprises don’t know how many sites they own, such as external cloud-hosted sites, sites acquired via mergers and acquisitions – and temporary sites that everyone forgot about. All of those should be checked for the Heartbleed vulnerability, because if the door is open, it could allow malicious intruders in. Just ask Canada’s Revenue Agency or the UK’s popular site, Mumsnet.
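The first item on the checklist above is knowing which OpenSSL builds you run. The following Python is an added example, not code from this post or from any vendor: it classifies OpenSSL version banners (the output of `openssl version`, or the same strings recorded in an asset inventory) against the upstream Heartbleed-affected range. The inventory lines and hostnames are constructed for illustration.

```python
"""Classify OpenSSL version banners against the Heartbleed-affected range.

Upstream: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 1.0.1g and
1.0.2-beta2 onward are fixed; 0.9.8 and 1.0.0 never had the TLS heartbeat
extension. Caveat: distributions often backport the fix without changing the
version string, so "affected" means "confirm against the package changelog
or vendor advisory", not "confirmed vulnerable".
"""
import re

_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")

def parse_version(banner):
    """'OpenSSL 1.0.1e 11 Feb 2013' -> (1, 0, 1, 'e', None)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)

def heartbleed_status(banner):
    """Return 'affected', 'fixed' or 'not-affected' for an upstream version."""
    major, minor, fix, letter, beta = parse_version(banner)
    if (major, minor) != (1, 0):
        return "not-affected"          # 0.9.8 and 1.1.x are outside the range
    if fix == 1:
        # 1.0.1 (no letter) and 1.0.1a-f are affected; 1.0.1g and later fixed.
        return "affected" if letter <= "f" else "fixed"
    if fix == 2:
        return "affected" if beta == 1 else "fixed"
    return "not-affected"              # 1.0.0x lacked the heartbeat code

def triage_inventory(text):
    """Map 'host banner' lines (e.g. from an asset inventory) to a status."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            host, banner = line.split(None, 1)
            report[host] = heartbleed_status(banner)
    return report

# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = """\
web01.example.com   OpenSSL 1.0.1e 11 Feb 2013
web02.example.com   OpenSSL 1.0.1g 7 Apr 2014
vpn01.example.com   OpenSSL 1.0.2-beta1 24 Feb 2014
legacy.example.com  OpenSSL 0.9.8y 5 Feb 2013
"""
```

Because vendors and distributions backport fixes without bumping the version letter, treat "affected" as a prompt to check the vendor's advisory (the SANS list mentioned above) rather than as a final verdict.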
As a follow-up to our commentary here on the headline-grabbing Heartbleed bug, I had the opportunity to discuss the subject with Colin O’Keefe of LXBN. In the brief interview, I explain how companies should respond to the bug and the uncertainty surrounding the liability they may face.
Written by Jake Romero, CIPP/US
Following a string of high-profile data breaches and new data suggesting that approximately 21.3 million customer accounts have been exposed by data breach incidents over the past two years, the California legislature has introduced legislation aimed at making retailers responsible for certain costs in connection with data breach incidents. If passed in its current form, Assembly Bill 1710, titled the Consumer Data Breach Protection Act, would have a substantial impact on retailers operating in California.
Last week was certainly the “week of the Heartbleed.” Unless you have been on vacation on a remote island (and if so, good for you!), you have heard and read much about the latest mass bug to infect the Internet.
If you do not know whether your servers are affected by Heartbleed, or have decided not to do anything about it, perhaps you should consider the potential for future liability arising out of breaches that could have been avoided by patching OpenSSL, and you may want to read this, and forward it to your C-suite.
If you have already checked your servers and feel relieved, you may want to check with other providers in your technology stack. For example, Cisco and Juniper Networks were scrambling last week to notify customers and issue patches for products and software. Cisco and Juniper said the security flaw affects routers, switches and firewalls often used by businesses. That means hackers might be able to capture usernames, passwords and other sensitive information as they move across corporate networks, home networks and the Internet. Cisco created an Event Response Page and Juniper has an “Out of Cycle Security Bulletin.”
Rather than our usual “bits and bytes” on this Monday, below is a collection of articles on Heartbleed.
And Mashable has a great piece with a matrix of sites and whether you should change your password just yet.
Messaging to customers and site users is important and should be well-coordinated with technical, communications — and legal. Inaccurate, late to the party, or misleading messaging could lead to Heartbleed headaches.
Written by Kevin McGinty
The latest salvo in the Target data breach litigation is a class action brought by credit card issuing banks advancing a creative and somewhat misleading construction of Minnesota’s Plastic Card Security Act. The banks allege that there was a violation of the statute’s prohibition on retaining PIN, security code and other magnetic swipe data more than 48 hours after a transaction. The problem with that theory is that Target’s system does not retain card holder data, nor was the theft of data directed toward stored data. Instead, the hackers loaded malware onto Target’s point of sale (POS) system which allowed the criminals to capture card holder data as cards were swiped. The hackers then tucked the card data away in a hijacked file location elsewhere on the Target system, before porting that data to locations in Russia and Miami. In other words, Target wasn’t storing the unauthorized data; the criminals were, without Target’s knowledge.
Written by Dianne Bourque and Cynthia Larose
April 8, 2014 marks the end of Microsoft’s support for the Windows XP operating system, which means the end of security updates from Microsoft and the beginning of new vulnerability to hackers and other intruders into systems still utilizing the operating system. But does the end of Windows XP support mean that HIPAA covered entities and their business associates using Windows XP are automatically out of compliance with HIPAA as of April 8th? Not necessarily.
Written by Susan Foster, Solicitor England & Wales/Admitted in California
(LONDON) The Art. 29 Working Party, a key advisory body to the EU Commission, recently proposed draft model clauses to cover the transfer of personal data from EEA data processors to non-EEA sub-processors.
The draft model clauses have the potential to bring greater certainty to the rules applicable to data transfers from a data processor that is located within the EEA to a sub-processor located outside of the EEA. (The EEA, or European Economic Area, comprises the 28 EU members, plus Norway, Liechtenstein and Iceland.) While the Art. 29 Working Party does not have authority to put the model clauses into effect, the European Commission routinely considers its advice, so the model clauses are worth a read.
The model clauses run to over fourteen pages of text. Broadly speaking, the proposed model clauses would create a high level of transparency and accountability across various levels of sub-contracting of data processing. This is particularly relevant to cloud computing arrangements.
Why might these clauses be useful? The current Data Protection Directive (95/46/EC) limits the ability of an entity to transfer personal data outside of the EEA to countries other than those that the Commission has determined have adequate safeguards. The list of countries with adequate safeguards is short. The US as a whole is not on the list, although the US Safe Harbor program has been approved, so companies that participate in Safe Harbor are effectively deemed to have adequate safeguards. But there are many countries that are not covered. The main option for those countries is contractual protections – but there’s always a possibility that an EEA data protection authority could find a contract inadequate.
The model clauses, if adopted by the Commission, would provide a pre-approved set of contractual provisions that would be deemed adequate, so companies would have a high degree of legal certainty and would need to spend minimal time negotiating with each other (model clauses being a “take it or leave it” provision if one wants to get the benefit of deemed adequacy).
Welcome to the first Monday in April.
Our Privacy Monday is a report on the Federal Trade Commission’s latest privacy notice-related settlements with Fandango and Credit Karma. These settlements should be reviewed by any company with (or planning to have) mobile applications, and they reinforce our mantra: Say what you do, and do what you say. And make sure you know what that is.
Stop Phoning it In on Mobile Security: What Your Business Needs to Know About the FTC Settlements with Fandango and Credit Karma
Written by Jake Romero
If you’ve had a birthday in the past two weeks, you may have received a greeting card from an unlikely source: the National Security Agency. Following President Obama’s call for large-scale reform of the NSA, the agency has initiated a rebranding campaign in the hopes of winning back the trust and favor of the American public. White House Press Secretary Jay Carney acknowledged early Tuesday morning that birthday cards have been mailed to approximately 11 million Americans over the past few weeks, based largely on information collected from telecommunications companies and major mobile application developers. Carney also added that there are plans to expand the program. “The reality is that, as everyone knows, the NSA has the information and is therefore in a position to be of great assistance to the average American,” Carney said. With that in mind, the NSA is currently testing an expansion of the program that would offer text message or email reminders of spouse birthdays, anniversaries and major upcoming events at the school where an individual’s child is registered.
The cards are simple and casual in tone, with messages such as “We hope you’re having a great birthday here in America!” and each is signed anonymously by a member of the agency. They are also, however, a sobering reminder of the lengths to which an agency or corporate entity may need to go to repair its reputation following unwanted sharing or disclosure of personal information. A recent Harris Poll found that blame and distrust following a data breach can be widespread, but is largely focused on retailers. The poll’s findings suggest that ultimately the negative consequences for a data security incident will be felt largely by the entity with which the individual consumer has the closest relationship. There is no time like the present to ensure that your security measures for protecting the information of your customers are up to date.
A picture of the card received by one of our colleagues can be found here.
UPDATE to our story yesterday:
In what apparently is a big “oops,” two banks that took legal action against Target over its recent data breach have withdrawn their claims. The suits were withdrawn due to an erroneous allegation against Trustwave, a security vendor also named in the suit.
Green Bank of Houston filed a notice of dismissal Monday in the U.S. District Court for the Northern District of Illinois, effectively saying it will no longer pursue the claim. Trustmark National Bank of New York made a similar filing Monday.
Read more here: Computerworld