It seems as though we have been writing about this case for a lifetime. Target Corporation’s data breach saga came one step closer to a conclusion this week. On Tuesday, Target reached an $18.5 million settlement with 47 states and the District of Columbia to resolve the states’ investigation into the company’s 2013 data breach. Alabama, Wisconsin, and Wyoming were not part of the settlement. Continue Reading Target Reaches $18.5 Million Dollar Settlement in Data Breach with States
The latest edition of the Mintz TCPA Digest has been published and you can read it hot off the presses, here.
This month’s issue features updates on the latest regulatory activities and an article on a potential ruling that could have major implications for pending and future TCPA cases.
Mintz Levin’s TCPA and Consumer Calling Practice team should be on your speed dial.
You’ve had your apple a day, but you can’t keep the subpoenas away…
And, if your organization is facing a request seeking records or other materials that may contain patient health information (“PHI”), it bears repeating that while HIPAA provides a number of methods through which covered entities that hold records containing PHI may produce such records, these guidelines are closely enforced by courts. Read on for your spring check-up. Continue Reading HIPAA Spring Check-up: Your Obligations to Safeguard Third-Party Patient Health Information in medical records produced in litigation
Amid the flurry following former FBI Director James Comey’s firing last week, President Trump marked his 111th day in office on Thursday, May 11th by signing an executive order targeting national cybersecurity.
The long-awaited order is the first step in fulfilling Trump’s promise to address national cybersecurity concerns and it arrives as threats of international hacking and cyberattacks reach an all-time high. It establishes three overarching cybersecurity priorities for the United States: (1) protecting federal networks, (2) reinforcing critical IT infrastructure, and (3) protecting the American public in the online space. The full text of the executive order can be found here.
While the order includes few actionable items, it sets strict deadlines for government agencies to produce risk reports and recommendations for improving their data security practices, signifying an important call to action from the executive branch that places risk management at the forefront.
Modernizing & consolidating federal networks
Consolidating to the cloud will likely be the first major step toward overhauling the government’s administration-wide cybersecurity protocol. In a press briefing last Thursday, White House Homeland Security Advisor Tom Bossert addressed what he views as fractured, agency-specific IT security practices across the government, noting that “[if] we don’t move to shared services, we have 190 agencies all trying to develop their own defenses against advanced collection efforts.”
The move to modernize is an extension of similar efforts from the Obama administration to bolster cybersecurity, an area in which Bossert says the administration made “a lot of progress … [but] not enough.” In line with advancing these efforts, the executive order requires federal agencies to use the Framework for Improving Critical Infrastructure Cybersecurity developed in 2014 by the National Institute of Standards and Technology (“NIST”) to manage cybersecurity risk. Coincidentally, the Framework may be revised soon as the NIST recently closed a comment period on an updated draft that it circulated in January 2017, and per the executive order any successor document to the Framework will become the operative version to be used by government agencies. Separately, Rep. Will Hurd (R-TX), Chairman of the House Information Technology Subcommittee, recently reintroduced H.R. 2227, the “Modernizing Government Technology Act,” which secures more efficient funding for the modernization of federal IT infrastructure and is expected to hit the floor of the House of Representatives within the next couple of weeks.
Reinforcing critical infrastructure
The second prong of the executive order requires the Secretary of Homeland Security to prepare an audit of potential vulnerabilities across the country’s infrastructure systems – from financial and telecommunications systems to utilities including water and electricity. Improving transparency about the security gaps in these systems is crucial, especially as traditional data breaches are losing ground to more devastating Distributed Denial of Service (DDoS) botnet attacks made possible by the growing Internet of Things, or “IoT” (see our blog post here for a discussion of the House’s efforts to address growing security concerns around the IoT).
Protecting the public online
Finally, President Trump’s executive order urges policies aimed at protecting U.S. citizens from domestic and foreign online threats. In addition to increasing the number of cybersecurity experts working with the White House, Bossert suggested that following through on such policies will require greater partnerships between the federal government and the private sector. Indeed, the government currently relies on technology from large, long-time vendors, many of which may not be prepared to grapple with the significant and evolving risks becoming apparent across the data security landscape. Independent technology startups are proving to be the heart of progress in new cybersecurity measures, and the government will need to cultivate solid relationships with these players if it wants to stay ahead in the cybersecurity arena.
President Trump’s executive order has received some criticism for its breadth, but overall has been commended by cybersecurity experts as a balanced step in the right direction. Time will tell whether the resulting policies will make a meaningful difference in the country’s ability to fend off attackers in the ever-evolving online battleground.
Another day, another data incident. If you use DocuSign, you’ll want to pay attention.
The provider of e-signature technology has acknowledged a data breach incident in which an unauthorized third party gained access to the email addresses of DocuSign users. Those email addresses have now been used to launch a massive spam campaign. By using the stolen email address database and sending “official” looking emails, cyber criminals are hoping that recipients will be more likely to click on and open the malicious links and attachments.
DocuSign’s alert to users says in part:
[A]s part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. A complete forensic analysis has confirmed that only email addresses were accessed; no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. No content or any customer documents sent through DocuSign’s eSignature system was accessed; and DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.
A portion of the phish in the malicious campaign looks like this:
Two phishing campaigns already detected and more likely
The DocuSign Trust Center has posted alerts notifying users of two large phishing campaigns launched on May 9 and again on May 15.
The company is now advising customers NOT TO OPEN emails with the following subject lines, used in the two spam campaigns.
- Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature
- Completed [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature
We recommend that you change your DocuSign password in light of this incident as an extra measure of caution. Also, DocuSign (and other similar services) offer two-factor authentication, and we strongly recommend that you take advantage of this extra security measure.
As always, think before you click.
We’ve been following the latest on the WannaCry ransomware attack that we first told you about over the weekend.
A feared “second strike” did not materialize today, but victimized firms in over 100 countries are still struggling to recover.
So, what’s next?
If you needed to build the business case for increasing the budget for updates/upgrades and your IT programs, this should provide you with the jump start. If your IT support and maintenance is outsourced, you should be asking questions. Now.
- What versions of operating systems and software are you running? Obsolete versions of Microsoft Windows are particularly vulnerable, not only to this exploit, but to new variants. There may be very specific circumstances that require you to use versions that are no longer supported (including the cost of upgrade), but now is the time to revisit the topic with the Board of Directors if necessary.
- Is your company’s patching program up-to-date? At the very least, have you updated this weekend? You should make sure that both your personal and business machines running Windows are updated with patches issued by Microsoft. If you can’t patch directly, follow TrendMicro’s suggestion to use a virtual patch. If you can’t patch; segregate machines with outdated operating systems.
- What is your backup and recovery plan? Do you have one? If you have a well-thought out data backup and recovery plan, then you may be able to ride out a ransomware attack by restoring your data from clean backups. Management should be asking if there is a plan to assure that all important files are backed up in a way that will prevent a ransomware infection from attacking both the primary files and the backups.
- Are you following US-CERT alerts? Sign up here.
- Review your insurance policies. Ransomware attacks and the after-effects may be covered by a cyberliability policy. But, the failure to take preventive action could trigger an exclusion. Also, look at your other policies — business interruption, crime, kidnap/ransom — to see if you can stack coverage.
Be vigilant. Encourage vigilance in your workforce.
UPDATE: Europol chief Rob Wainwright told the BBC, “Companies need to make sure they have updated their systems and ‘patched where they should’ before staff arrives for work on Monday morning.”
By now, you may have heard about the global ransomware attacks affecting organizations throughout the world. Estimates range from between 150,000 to 200,000 groups in nearly 150 countries, and those numbers could be higher. The ransomware variant, called “Wanna Decryption” or “WannaCry” works like any other ransomware: once it is inadvertently installed, it locks up the organization’s data until ransom is paid. Here are some quick facts about the WannaCry attack and suggestions for avoiding it.
How does ransomware get onto a system generally?
Ransomware installs on a victim’s computer when a user clicks on a malicious link in a “phishing” email (or an email designed to trick the user into thinking that it is from a known or legitimate source). Ransomware can also be downloaded through infected file attachments or visiting a website that is malicious in nature. WannaCry appears to be delivered through links in phishing emails. You can read more about ransomware generally here, here and here. See graphic of malicious file message.
How does WannaCry work? WannaCry affects systems that are behind in their Windows patching. There is actually a patch for the vulnerability exploited by WannaCry (see, US-CERT article on Microsoft SMBv1 Vulnerability and the Microsoft Security Bulletin MS17-010). See the following links for additional technical information:
- Indicators Associated with WannaCry Ransomware US Department of Homeland Security: https://www.us-cert.gov/ncas/alerts/TA17-132A
- Multiple Ransomware Infections Reported: https://www.us-cert.gov/ncas/current-activity/2017/05/12/Multiple-Ransomware-Infections-Reported
Is any system particularly vulnerable?
Because Windows Server 2003 or older, and Windows XP or older on the desktop, have been discontinued by Microsoft and are unsupported, these systems are particularly vulnerable. In response, Microsoft has taken the highly unusual step of releasing emergency security patches to defend against the malware for these unsupported versions of Windows, such as XP and Server 2003. Everyone should be actively checking systems and updating. This may be the first time that Microsoft has ever issued patches for decommissioned software.
What are immediate steps for an organization that is attacked?
An organization that is attacked should immediately isolate the affected systems and networks to avoid the spread of the malware and contact law enforcement.
How can a WannaCry victim regain access to data?
Once WannaCry or other ransomware installs and locks up a victim’s data, the only alternatives are: 1) restore data from clean backup systems; or 2) pay the ransom.
How can WannaCry and other types of ransomware be avoided?
- A comprehensive and continually updated security risk assessment
- A security risk assessment that doesn’t address ransomware is out of date
- Workforce training on ransomware – make sure that the workforce understands the importance of avoiding suspicious email messages, links and attachments
- Workforce testing on ransomware – send suspect phishing emails and see how many click on the suspicious links.
- Maintain comprehensive data backup systems – make sure that they are easily accessible in the event of an emergency (practice accessing them in a non-emergency)!
We will provide further information on the WannaCry attack as it becomes available.
In another example of increased restriction on the rights of non-U.S. Citizens, last week the Department of Homeland Security (“DHS”) published a policy memorandum limiting the privacy rights of immigrants and foreign nationals under the Federal Privacy Act of 1974. This new guidance was issued to bring DHS policy in line with President Trump’s January 25 executive order.
The Privacy Act was established to govern the collection, maintenance, use and dissemination of personally-identifiable information maintained by federal agencies. The Privacy Act, with specific exceptions, prohibits disclosure of such records without the consent of the individual. It also provides individuals a means to access and amend their records.
Previous DHS guidance stated that such personally-identifiable information would be treated the same, regardless of citizenship. However, consistent with the January 25 executive order, the new guidance provides that immigrants and nonimmigrant foreign nationals may not utilize these provisions and may only access their information through a request made pursuant to the Freedom of Information Act (FOIA). Additionally, they may not request amendments of their records. Furthermore, in connection with the new guidance, DHS stated that it permits the sharing of such information about immigrants and nonimmigrant foreign nationals from agency records with federal, state and local law enforcement.
In response to the current Administration’s “citizen-centric” policies, we are seeing an increased interest in applications for naturalization by U.S. Lawful Permanent Residents.
Originally posted in Mintz Levin’s Immigration Law Blog on May 2, 2017
Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims. As previously reported in this blog, that derivative action was dismissed on November 30, 2016. That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches. Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal. The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss. On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement. If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach. Continue Reading Appeal in Home Depot Data Breach Derivative Action Results in Settlement of Corporate Governance Claims
It was a busy April for the Office for Civil Rights (“OCR”) (see our prior post on a settlement from earlier in April). On April 20, OCR announced a Resolution Agreement with Center for Children’s Digestive Health, S.C. (“CCDH”) related to CCDH’s failure to enter into a business associate agreement with a paper medical records storage vendor. The cost of that missing agreement? $31,000. Then, on April 24, OCR announced a settlement with CardioNet, a remote monitoring company for cardiac arrhythmias, related to CardioNet’s failure to implement compliant HIPAA policies and procedures and failure to conduct a sufficient risk assessment. The price of those failures? $2.5 million! Continue Reading Two HIPAA Mistakes Lead to Fines from OCR