The FBI warned this summer that the “Business Email Compromise” (“BEC”) scam continues to grow, evolve, and target businesses of all sizes. As reported by the FBI in June, the scam had hit more than 22,000 victims for a combined dollar loss of greater than $3 billion – that’s billion with a B! And the latest evolution is even more threatening, potentially causing breaches of protected data.

What is the BEC scam? Why have so many been taken in? And how can you protect yourself?

The BEC scam is a smart, targeted scheme using emails that appear genuine, usually seeming to originate from within the victim’s company or from its suppliers/contractors.  For example, the company’s CFO may receive an email that seems to come from the CEO, urgently directing funds to be wired to a specified account for a seemingly legitimate purpose. Or the email may appear to come from a supplier or contractor and seek payment on an invoice that appears legitimate. If the company wires funds as directed, the funds are transferred offshore and become unrecoverable.

The scam has been highly effective because BEC emails mimic legitimate requests. The perpetrators research their victim to learn its protocols, its counterparties’ names, its payment methods, etc. They often use social engineering techniques (e.g., phishing emails requesting info) to learn details about the targeted business. The successful perpetrators learn which individuals are necessary to perform wire transfers and what protocols are used. They may learn when the CEO is traveling, so that an email from the CEO directing payment would not be questioned. The perpetrator may have hacked and used a valid email account for this purpose, or may have established an account with a similar domain name. Their level of sophistication has enabled the theft of billions of dollars.

Earlier this year, the FBI started receiving reports that this highly successful scheme has evolved into a means of obtaining confidential information, leading to data breaches. For example, an email request to the human resources department may prompt the disclosure of W-2 forms or other confidential, personally identifiable information (“PII”). The FBI reports that victims have fallen for this new data-theft BEC scenario even when they had successfully identified and avoided the traditional BEC scam.

We all have learned (hopefully) not to click links in suspicious looking emails. But trusted emails receive less scrutiny. What steps can you take to avoid being hit?

  • If an email is directing payment by wire or seeks protected information, it merits special treatment.
  • TRAIN employees and establish clear protocols for wire transfers and data privacy.
  • Beware of sudden changes in business practices. Require secondary sign-off by company personnel when a change in payment method is requested.
  • Always verify requested changes via other channels. Don’t click “reply”. Instead, call the sender to verify; and use a trusted phone number, not a phone number appearing in the email. Or forward the email to the sender after typing a trusted email address, and seek confirmation.
  • Be suspicious of requests for urgent action or secrecy.
  • Create intrusion detection or mail-filtering rules that flag e-mails whose sender domain closely resembles the company’s own domain (a look-alike or typo-squatted domain), and e-mails whose “Reply-To” address points somewhere other than the apparent sender.
  • In addition, diligently maintain data and email security. Educate employees to be alert to social engineering situations, and to delete phishing emails. Establish two-factor authentication for email accounts.
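The look-alike-domain rule and the Reply-To check from the list above, worked through as an added example; this is not code from the original post or from the FBI guidance it summarizes. It assumes a hypothetical company domain (example-corp.com), constructed sample messages and a constructed executive name, and uses only the Python standard library. It is a heuristic for a mail gateway or SIEM rule and does not replace SPF, DKIM and DMARC, which catch outright spoofing of the real domain.

```python
"""Look-alike sender-domain and Reply-To checks for inbound mail.

Added example, not code from the original post or from the FBI guidance it
summarizes. COMPANY_DOMAIN, the executive name and the SAMPLES are constructed
for the demonstration.
"""
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # hypothetical company domain

# Characters routinely swapped in for the ones they resemble (digits and
# Cyrillic/Turkish look-alikes), mapped back to the Latin letter they imitate.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0131": "i",
})
# Letter pairs that render like a single letter in many fonts ("rn" vs "m").
DIGRAPHS = (("rn", "m"), ("vv", "w"))

# Wording the post tells readers to treat with suspicion: urgency, secrecy,
# wire payments and W-2 requests.
SUSPICIOUS_LANGUAGE = re.compile(
    r"\b(urgent(?:ly)?|immediately|wire(?: transfer)?|confidential|w-?2s?|"
    r"do not (?:call|discuss|tell))\b", re.I)


def normalize_domain(domain: str) -> str:
    """Canonical form for comparison: lower-case, IDNA-decoded, confusables folded."""
    domain = domain.strip().lower().rstrip(".")
    if "xn--" in domain:
        try:  # punycode labels hide non-ASCII look-alike characters
            domain = domain.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    domain = domain.translate(CONFUSABLES)
    for pair, single in DIGRAPHS:
        domain = domain.replace(pair, single)
    return domain


def classify_domain(domain: str, company: str = COMPANY_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower().rstrip(".")
    if domain == company or domain.endswith("." + company):
        return "internal"
    norm, norm_company = normalize_domain(domain), normalize_domain(company)
    if norm == norm_company:
        return "lookalike"  # differs only by confusable characters
    company_name = norm_company.rsplit(".", 1)[0]  # "example-corp"
    if company_name in norm:
        return "lookalike"  # other TLD, or company name reused as a subdomain
    if SequenceMatcher(None, norm, norm_company).ratio() >= 0.85:
        return "lookalike"  # a character or two added, dropped or transposed
    return "external"


def check_message(raw: str, company: str = COMPANY_DOMAIN) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message, in a fixed order."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if classify_domain(from_domain, company) == "lookalike":
        findings.append("lookalike-sender-domain")
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2]
    if reply_domain and reply_domain.lower() != from_domain.lower():
        findings.append("reply-to-domain-mismatch")  # replies go to the attacker
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if SUSPICIOUS_LANGUAGE.search(text):
        findings.append("urgency-or-payment-language")
    return findings


# Constructed sample messages. The first uses a Cyrillic 'a' in the domain,
# which the mail transport carries as a punycode (xn--) label.
IDN_LOOKALIKE = "ex\u0430mple-corp.com".encode("idna").decode("ascii")
SAMPLES = {
    "homoglyph": ("From: Pat Chief <pat.chief@" + IDN_LOOKALIKE + ">\n"
                  "To: cfo@example-corp.com\nSubject: Urgent wire transfer\n\n"
                  "Please wire $48,500 to the account below today. I'm travelling, do not call.\n"),
    "typo": ("From: Pat Chief <pat.chief@exarnple-corp.com>\nTo: cfo@example-corp.com\n"
             "Subject: Quick favor\n\nNeed this handled immediately, keep it confidential.\n"),
    "reply_to": ("From: Pat Chief <pat.chief@example-corp.com>\n"
                 "Reply-To: pat.chief@exec-mail-reply.net\nTo: hr@example-corp.com\n"
                 "Subject: W-2 forms\n\nSend me the W-2s for all staff as a PDF.\n"),
    "vendor": ("From: Accounts <ap@supplier-example.net>\nTo: ap@example-corp.com\n"
               "Subject: Invoice 1042\n\nAttached is invoice 1042 for April services, net-30 as usual.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} -> {check_message(raw) or ['clean']}")
```

Both sides are normalized the same way before comparison, so a legitimate domain is never penalized for containing "rn" or a digit. The flags are advisory: a partner whose domain happens to contain the company name will trip the look-alike rule, which is the point of routing flagged payment or PII requests to the secondary sign-off described above rather than blocking them outright.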

If you have questions about how to train employees and avoid these phishing scams, contact a member of the Mintz Levin Privacy team.

The number one threat to a company’s information (personal or confidential) is still its own employees. Data security and privacy training are the first lines of defense against negligent employee behavior.

Join us tomorrow (6.22) at 1 PM ET for a webinar in which we will explore why traditional training programs are falling short and what you can do to boost your efforts and counter top concerns regarding malicious and negligent employee handling of personal and confidential data.

Register here.

CLE credit available in NY and CA

Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.

These are big questions, reflecting some of the practical concerns in our international marketplace.  The series focuses on the well-intentioned Global HR Director, Ned Help, who will raise hot topics and difficulties his company faces when sending their employees abroad.  We will then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces.  This month’s edition: Privacy Considerations – follow the rest of the series at Innocents Abroad.



From:            Carrie Counselor

To:                  Ned Help

Date:              May 24, 2016

RE:     Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be undertaking a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy.  Great question!  This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.

What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and establish far higher compliance obligations on the part of employers.  Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway) because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home.  Let’s talk specifics: Continue Reading Innocents Abroad: Privacy Considerations for Employers

There’s no doubt businesses in the EU and US would breathe a sigh of relief if a new Safe Harbor agreement is put in place before European data protection authorities start prosecuting companies for potentially illegal personal data transfers to the US.  But if it doesn’t happen, the US is actually not any worse off than most of the rest of the world.  No other country has a special agreement with the EU concerning personal data transfers, and only eleven countries have been deemed to be “adequate” by the European Commission: Andorra, Argentina, Canada (commercial organizations only), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Only one of the countries on the “adequate” list, Switzerland, is a “top ten” EU trade partner, according to the latest trade statistics published by the Commission (based on 2014 figures).  Only two of the countries are in the top twenty (Canada is in twelfth place).  Japan, India, Brazil, Turkey, South Korea, all “top ten” EU trade partners, are not on the “adequate” list.  Nor is China or Russia, both of which have significant trade with the EU (coming in second and third in the “total EU trade” rankings published by the Commission).  So if the US isn’t on the “adequate” list, it is no worse off than most other major EU trade partners. Continue Reading (So) What if there’s no Safe Harbor 2.0?

The European Court of Human Rights recently ruled in Bărbulescu v. Romania (Application no. 61496/08) that a Romanian employer did not violate its employee’s fundamental right of privacy when the employer accessed personal messages in the employee’s Yahoo! Messenger account.  Numerous newspapers and other media sources quickly declared employee privacy dead as a result of the ruling – and the Court was sufficiently alarmed by the mischaracterization of the case that it issued a press release refuting the media accounts.  (The Guardian published a rather entertaining article about the inaccurate media coverage with photos of various front-page announcements by its competitor newspapers.)

In fact, the Bărbulescu case is so specific to its somewhat unusual facts that it does more to show how limited the circumstances are in which an employer can access the personal communications of its employees.  For a more down-to-earth take on the case, take a look at Law360’s analysis here.  The take-away for employers is that it is vital to consult local employment lawyers before engaging in any monitoring of employee communications, to make sure that your company’s policies and actions meet local requirements as well as the case law of the European courts.

Remember this? [image: weakestlink]

“Wetware” – coder slang for biological life forms (i.e., people) – is the weak link in most companies’ data security protections, according to a new data security report issued by the Association of Corporate Counsel (ACC).  Companies surveyed attributed data breaches to a host of human foibles, including lost laptops or devices (9%), “phishing” emails that induce employees to click on malicious links or open infected documents (12%) or simple “employee error” (24%).  A distressing 15% were classified as inside jobs.

The full report can be obtained from the ACC.

The ACC report highlights the paramount importance of employee training to a company’s data security program.  The strongest and most assiduously updated firewalls and malware detection systems cannot stay ahead of every newly-crafted piece of malicious code.  Training employees in best practices with respect to email and data handling provides an additional bulwark against threats that data security technology simply cannot root out.  It’s no accident that the mantra of most data security professionals is “People, Process, Technology” – in that order.

[image: People, Process, Technology]

Watch out for your weakest link!

As expected, the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (also known as LIBE) voted today to adopt the new General Data Protection Regulation (see the summary we provided yesterday here).  A LIBE press release announced the vote with the proclamation “New EU rules on data protection put the citizen back in the driving seat.”  The vote was 48 for the GDPR, 4 against, and 4 abstentions.  The GDPR will go to a vote of the full EU Parliament in March or April of 2016.  It is expected to be passed based on LIBE’s endorsement.

Companies will have a grace period of two years to come into compliance, measured from the date that the GDPR is formally adopted and published in the Official Journal of the European Union.  That means that the key compliance date will probably fall in March or April of 2018.  Given the complexity of the 200-page Regulation and the likely need to audit and change business processes throughout organizations, we recommend starting the compliance review process immediately.

We will announce a series of webinars to drill down on specific topics under the GDPR early in the new year.


Updated at 8:50 pm GMT on 16 December 2015.

The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15.  One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parents’ consent to sign up for social media services and apps.  As much consternation as that will cause at the breakfast table, it’s really the least of our worries.

It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape.  This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation.  On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks. Continue Reading The General Data Protection Regulation in Bullet Points

And the days dwindle down, to a precious few … November …

We are still following developments in the EU relating to the invalidation of the US-EU Safe Harbor Framework.   In case you were on a secluded island during the month of October, you can catch up here.

European Commission Issues Communication.  On Friday, the European Commission issued “long-awaited” guidance (called a Communication), which did not shed much new light on the cross-border data transfer issues, but instead rehashes the “alternative transfer tools” available to legitimize data flows to jurisdictions deemed “not adequate,” like the United States.   More after the jump. Continue Reading Privacy Monday: November 9, 2015 – EU/Safe Harbor Updates


As I reported earlier today, the Court of Justice of the EU (ECJ) has declared Safe Harbor invalid.  The full decision is now available online in English here (other languages also available at curia.europa.eu by searching on C-362/14).

There are two key elements of the ECJ’s decision.  The first is that national data protection authorities in the EEA are authorized – indeed, required – to hear complaints from individuals with regard to the transfer of their personal data outside of the EEA regardless of whether the Commission has issued an adequacy decision.  The second is a determination that the Commission’s adequacy decision concerning Safe Harbor is invalid.  Period.  It’s gone.

Most US companies that rely solely on Safe Harbor will initially focus on the second part of the decision invalidating Safe Harbor.  That makes sense, because if Safe Harbor is your company’s only basis for legitimizing the transfer of personal data from the EEA to the US, your company is likely in violation of various contracts and, if your company is the data controller responsible for the transfer or otherwise directly subject to European data protection laws, it’s probably in violation of European data protection laws.  Near-term consequences?  The possibilities include:

  • termination of contracts and exposure to damages
  • customer complaints to your company
  • customer complaints against your company made to local Data Protection Authorities (DPAs)
  • employee complaints (although rather less likely than customer complaints)
  • loss of potential new business in Europe
  • orders and injunctions issued by DPAs that force your company to stop transferring personal data
  • (and no doubt you can add your own parade of horribles here . . . such as lost time of your General Counsel, your head of IT systems, head of consumer services and other senior executives, possibly a need for extensive data audits, and so on)

The invalidation of Safe Harbor in the blink of an eye (even if the case was pending over a year) requires urgent action.  But we should also be concerned about the first part of the ECJ’s decision, to the effect that local DPAs will always have the right and obligation to hear complaints from individuals even if the Commission has issued an adequacy decision.  We should care about this because for nearly two years, EU and US bureaucrats have been trying to negotiate a more robust Safe Harbor.  Let’s call that Safe Harbor II.

A few days ago, some commentators suggested that Safe Harbor II would save Safe Harbor-dependent companies because it would remedy the faults that the ECJ might find with the original Safe Harbor.  But now we know that even if the Commission endorses a Safe Harbor II, it can be attacked on a country-by-country basis.  Furthermore, the ECJ has effectively raised the bar for Safe Harbor II – in future judicial assessments of Commission decisions, the ECJ will take a strict approach to reviewing such decisions (see Para. 78 of Schrems).   To achieve a Safe Harbor II that meets the ECJ’s stringent requirements, the Commission will, effectively, need to “ensure” that the US’s national security laws don’t allow the gathering of data beyond that strictly necessary to achieve their objectives (that is, objectives that the ECJ thinks are legitimate) and contain adequate safeguards for EEA individuals.  Taken in its strongest form, this could include a right to know their data has been processed by intelligence services, a right to find out what data has been gathered about them, and a right to have incorrect or incomplete data rectified (see Para. 90 of Schrems), all of which would be, to say the least, in tension with the fundamentals of intelligence work.

In a nutshell, we may not get a Safe Harbor II any time soon, and if we do, we won’t be able to rely on it (not with any real confidence) until it’s been challenged through national DPAs, then the national courts, then referred to the ECJ – and we finally have an ECJ decision upholding it.  In other words, Safe Harbor II will be negotiated with a wary eye toward the inevitable ECJ chopping block.  As for what’s next on the chopping block, the Schrems opinion does nothing to settle concerns that model contract clauses and BCRs are vulnerable to attack on essentially the same basis as Safe Harbor.  Consent is looking better and better all the time – little surprise that Facebook Ireland has an express consent to transfers to the US and other countries built into its terms of use.

This all sounds a bit grim, doesn’t it?  There are alternatives to Safe Harbor (again, described in my earlier posts on this topic), although they have their own challenges.  Please tune in for our webinar on Wednesday, 7 October at 3 pm EDT for more discussion about steps you can take to comply with EU data protection laws in the new, post-Safe Harbor era.