The Equifax breach continues to evolve. Please click here for our latest analysis.
Contact your Mintz Levin attorney, or a member of the Mintz Levin Privacy team with questions regarding your business and this massive data incident.
The number one threat to a company’s information (personal or confidential) is still its own employees. Data security and privacy training are the first lines of defense against negligent employee behavior.
Join us tomorrow (6.22) at 1 PM ET for a webinar in which we will explore why traditional training programs are falling short and what you can do to boost your efforts and counter top concerns regarding malicious and negligent employee handling of personal and confidential data.
CLE credit available in NY and CA
We have seen many variations of ransomware attacks on the rise lately. Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.
Details of the HPMC Incident
On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:
Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams. If you are a HIPAA-covered entity, you should be checking in with Mintz’s Health Law & Policy Matters blog on a regular basis.
FBI on Ransomware
One of the big questions arising out of the HPMC and other ransomware cases is: do we pay? If your business is about to grind to a halt, you likely have no choice. However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips. Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.
When in Doubt, Don’t Be a Click Monkey!
Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:
All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.
As reported on Friday in the Krebs on Security blog, online broker Scottrade had sent an e-mail to customers earlier that day stating that it recently had learned from law enforcement officials that Scottrade was one of a number of financial services companies that had been victimized by data thieves. That very same day, the first class action complaint arising from the breach was filed in federal court in San Diego. Given the haste of the filing, the complaint unsurprisingly offers little more than conjecture about what took place. Plaintiff’s allegations parrot facts reported by Brian Krebs – that the breach was detected by government investigators, did not compromise or access Scottrade’s trading platform, and appeared only to have resulted in the theft of names and addresses, despite hackers apparently having access to customers’ Social Security Numbers. Thus, even though it was unclear whether Social Security Numbers had been stolen, Scottrade offered free credit monitoring to affected customers. Beyond alleging that the breach occurred and that Scottrade’s credit monitoring offer provided inadequate relief, the complaint has nothing specific to say about the breach. Instead, it speculates that Scottrade might have been targeted by the same hackers who stole data from J.P. Morgan in 2014 – itself an event discussed in the Krebs report on the Scottrade breach. Plaintiff flatly alleges that Scottrade breached the industry standard of care in allowing the breach to occur, but does not allege precisely how Scottrade fell short of that standard.
The threadbare complaint against Scottrade illustrates the pitfalls of trying to be a “first mover” whenever a data breach occurs. Until more is known about how the breach occurred and how, if at all, it affected Scottrade customers, it will not be possible to allege a plausible theory under which Scottrade may be held responsible for the breach.
Settlement appears imminent in an employee class action against Sony Pictures Entertainment (“SPE”) arising from disclosure of their personally identifiable information (“PII”) in a massive data breach allegedly perpetrated by North Korean hackers in retaliation for SPE’s release of “The Interview,” a satirical comedy depicting an attempt on the life of North Korean dictator Kim Jong-Un. A stipulation filed earlier this week by plaintiffs and SPE notified the court of the imminent settlement. Terms of the settlement are as yet undeclared, but will become known on or before October 19, the deadline set in the stipulation for filing a motion for preliminary approval of the settlement. Any classwide settlement will be subject to court approval after notice to members of the proposed class, who will have the right to object or to opt out of the settlement entirely. Continue Reading Sony: Stipulation Announces (but does not disclose) Employee Data Breach Class Settlement
Written by Wynter Deagle
The Impact Team, the vigilante group behind the hacking of the infamous website AshleyMadison.com, has followed through on its threat to leak the full database of the site’s users online. On Tuesday, August 18, 2015, an impressive 9.7 gigabytes of compressed data was posted to the dark web using an Onion address accessible only through the Tor browser. The files appear to include the names, addresses, phone numbers, email addresses, seven years of credit card data (dating back to 2007), and, in some cases, detailed sexual preferences and desires of AshleyMadison’s approximately 32 million users. The credit card data, which amounts to millions of transactions, includes names, street addresses, email addresses and amounts paid, but not credit card numbers; instead it includes four digits for each transaction that may be the last four digits of the credit card or simply a unique transaction ID.
While it is presently unclear whether all of the data supplied by users to AshleyMadison is legitimate, the growing consensus is that the information is legitimately from AshleyMadison’s site. But because the site never verified any email addresses supplied upon registration, not every leaked email belongs to an “actual” AshleyMadison “user”.
The Ashley Madison hack is by no means the biggest data grab to date, but it is certainly one of the most notorious. The Telegraph (London) is even running “real time” updates as reporters comb through the data trove for famous or government email addresses. Take a look here.
While some may be worried that spouses will discover attempted or actual infidelity, this data dump also creates increased risk for employers. This large list of email addresses is likely to be irresistible to those launching “phishing attacks” by delivering malicious links or attachments containing malware in seemingly innocuous emails. This creates additional risk for intrusion into corporate networks where an employee may have used his or her work email to register with AshleyMadison or if an employee checks their personal email at work. In addition, the vast array of leaked personal information could also be used to impersonate the AshleyMadison users and gain access to, for example, corporate networks.
Finally, the AshleyMadison leak underscores the poor security practices we have often decried on this blog. As an initial matter, AshleyMadison exercised terrible data retention practices. Ashley Madison evidently kept credit card transactions going back over seven years, including information on 250,000 “deleted” accounts. Why would any company maintain credit card records for nearly eight years, particularly on accounts that should have been deleted? The lack of an appropriate data retention policy has resulted in serious legal exposure for AshleyMadison as users can (and likely will) claim that AshleyMadison negligently maintained their data.
Separate and apart from the data retention issues, it appears that AshleyMadison only used the bcrypt algorithm to hash their passwords without providing any additional layers of protection. While hashing passwords with bcrypt is a good security measure, this alone is not sufficient. Data security is by no means one-size-fits-all. However, a more secure approach would have been a multi-pronged security effort including items such as adroit data retention, appropriate deletion, encryption of data, and two-factor authentication.
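To make the “additional layers” point concrete, here is an added example (not AshleyMadison’s code, and not part of the original post) of what layering on top of a slow password hash looks like in practice: a per-user random salt stored alongside the hash, plus a server-side secret “pepper” kept outside the database and mixed in with HMAC before hashing, so that a leaked table of hashes cannot be attacked offline without also obtaining the pepper. PBKDF2-HMAC from Python’s standard library stands in for bcrypt so the example runs with no third-party packages; the pepper value, iteration count and function names are assumptions for illustration.

```python
"""Salted password hashing plus a server-side pepper (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed value for illustration only. In production the pepper lives in a
# secrets manager or KMS, never in the same database as the password hashes.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
# PBKDF2-HMAC-SHA256 work factor; raise it over time as hardware gets faster.
ITERATIONS = 600_000
ALGO = "pbkdf2_sha256"


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to the secret pepper before the slow hash."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a self-describing record: algo$iterations$salt$digest (hex)."""
    salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Check a login attempt against a stored record in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, iterations)
    # compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when a record uses a weaker work factor than current policy.

    Call this after a successful login and re-hash with the new parameters,
    so old records are upgraded without forcing password resets.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

The record format stores its own parameters so the work factor can be raised later and old rows migrated on next login via `needs_rehash`; the pepper is the piece that a database-only compromise does not yield.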
In short, we live in an era where massive amounts of personal data are being hacked and exposed. This new reality requires companies to take a hard look at their data security measures. The take away here: from both a PR and a legal perspective, your company does not want to be the next AshleyMadison.
In the absence of any meaningful moves in Congress to enact uniform data breach notification, the states continue to make adjustments to existing laws to better protect affected residents in their states. Continue Reading Connecticut Amends Data Breach Notification Law
The U.S. Office of Personnel Management (OPM) announced that hackers have stolen the personal information of approximately 4 million current and former federal employees, including names, birthdates and Social Security numbers. OPM serves as the human resources department – and holds employee records – for the entire federal government, ranging from security clearances to the identities of covert CIA agents. Every federal agency is potentially affected by this breach. Notifications to affected employees will begin going out on Monday, June 8th, via email or US mail. OPM will provide credit monitoring, identity theft insurance and recovery services for 18 months to affected individuals.
OPM is working with the Department of Homeland Security’s Computer Emergency Readiness Team – CERT – and the FBI to assess the full extent of the breach. Early reports suggest that the breach originated in China.
Compounding the pain for OPM and the affected individuals is the revelation in OPM’s website notice that the agency recently implemented an “aggressive effort” to update its network security. Unfortunately, this effort only revealed the hack, but was not implemented in time to prevent it.
OPM’s breach follows a highly publicized IRS data breach, in which hackers accessed the personal information of 100,000 taxpayers and used it to file false refund requests. In 2014 alone, the US Postal Service, White House, National Weather Service and US Department of State were all victims of cyber-attacks, some of them suspected of originating in China.
As of now, federal data breach numbers pale in comparison to private sector breaches, but it will be interesting to see if these incidents create a credibility problem for federal regulators, who can’t seem to keep their own systems secure. According to Mark Robinson, a former federal prosecutor and cyber defense litigator at Mintz Levin:
At a minimum, the government’s own inability to keep its cyber security house in order will be used defensively by private company breach victims as a glowing example of how easily hackers can get into even the most fortified government controlled computer systems.
It will also be interesting to see if this breach results in private litigation on behalf of affected employees, particularly those whose safety and ability to do their jobs depends on the secrecy of their identities. According to Kevin McGinty, Mintz Levin privacy class action litigator:
As day follows night, class actions typically follow data breaches. Here, most OPM employees would have a difficult time alleging any injury sufficient to confer standing to sue. The most plausible harm that could flow from this data breach, identity theft, is addressed by the services already being offered by OPM. Unless a would-be litigant could allege some additional and imminent risk of harm that would not be covered by the services that OPM is offering, a private lawsuit would be likely to face dismissal for lack of standing.
We will have more on this story as it evolves.
Registration is open for the next installment in the Mintz Levin Privacy & Security Group Wednesday Webinar series —
This webinar, scheduled for Wednesday, February 25, will focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments.
Save the date and register online here!
By now (unless you have been under a snow drift), you have likely heard about the apparent intrusion into a database at the nation’s largest health insurer, Anthem, Inc. Rather than reiterate the facts as currently known (see Anthem’s dedicated website for updates), we’ll look at the fallout and what’s next. Continue Reading The Anthem Data Breach: The Fallout and What’s Next