Archives: Identity Theft

We are now officially in the throes of “midsummer” on this Privacy Monday.  And, on occasion in the data privacy world, we agree with Will Shakespeare’s words….“Lord, what fools these mortals be!”

Flash Drives  ….

Butler University has warned about 160,000 students, faculty, staff, and alumni that personal information was discovered on a flash drive of an identity theft suspect arrested in California.  Exposed information includes birthdates, Social Security numbers and bank account information.

CSO Online

Houston to “Ground Control” – We Have a Problem

The Houston Astros have not exactly been hitting the cover off the ball this season, but the team’s proprietary database system known as “Ground Control” had been the envy of Major League Baseball.  That is, until it was hacked.  Details of trade discussions involving 22 teams during a 6-month period ending in March were leaked first to Anonbin, a data sharing website, and then most recently, to the website Deadspin.com.  Astros GM Jeff Luhnow is furious and says that the team intends to prosecute those involved.

CNBC.com

MLB.com

Goodbye Hotel Hippo …

Disclosure of weak security and privacy controls can be harmful to the health of your business.  One week after an independent security consultant discovered that the Hotel Hippo site had been leaking large amounts of customer information, the site now simply reads “website permanently closed.”  The incident is being investigated by UK privacy watchdogs.

SC Magazine UK

 

DID YOU KNOW?

–       93 percent believe their online actions can protect not only friends and family but also help to make the Web safer for everyone around the world.

–       Nearly two-thirds of the American public have heard, read or seen something about online safety and security issues recently. However, most of the news they remember is negative: identity theft, privacy loss, and increased frequency of attacks.

–       When asked why they don’t always do all the things they can or should do to stay safer online, Americans said they simply lacked the information or knowledge (28 percent) – a surprising finding that surpassed other hurdles often cited by the media. Only 12 percent said online safety was too expensive, while just 5 percent said they were too busy to take the extra step.

STOP.   THINK.   CONNECT.

Cybersecurity begins with a simple message everyone using the Internet can adopt:  STOP. THINK. CONNECT. Take security and safety precautions, understand the consequences of your actions and behaviors online and enjoy the benefits of the Internet.

Watch National Cyber Security Awareness Month Get Under Way From Boston On Facebook Live

Public and private sector leaders kick off the 10th National Cyber Security Awareness Month Tuesday afternoon from the Federal Reserve Bank of Boston. Watch the opening remarks and subsequent panel discussion live on Facebook at https://www.facebook.com/staysafeonline/app_142371818162.

The live feed will be available from 1:30-3:30 p.m. You are encouraged to join the conversation during the event and throughout October by using the official hashtag, #ncsam, on Facebook, Twitter and Google+.

To learn more about the various ways you and your family can stay safe online, please visit:

http://www.staysafeonline.org/stay-safe-online/resources/

Written by Amy Malone

Just before the Labor Day holiday, the Federal Trade Commission issued a press release announcing its complaint against LabMD, Inc., a company that performs medical testing for consumers around the country.  The complaint alleges that the company did not take reasonable measures to protect the security of consumers’ personal data.   The Commission charges that, because the company did not take such reasonable measures, two incidents occurred that exposed personal information, including Social Security numbers and medical information.

The first incident described in the complaint is that the company’s billing information for over 9,000 customers was found on a peer-to-peer (P2P) network (for more information on P2P networks and risks, see our client alert here).  P2P file-sharing software lets users share files with other users, but it carries the inherent risk that files will be shared unintentionally.  The information disclosed in this incident included Social Security numbers, dates of birth, health insurance provider information, and standardized medical treatment codes.

The second incident includes the disclosure of names, Social Security numbers and bank account information of some 500 consumers to identity thieves.  The Commission alleges that the Sacramento, California Police department found LabMD documents in the possession of identity thieves.

The Commission alleges that, among other things, the company:

  • did not implement or maintain a comprehensive data security program to protect information;
  • did not use readily available measures to identify commonly known or reasonably foreseeable security risks and vulnerabilities to this information;
  • did not use adequate measures to prevent employees from accessing personal information not needed to perform their jobs;
  • did not adequately train employees on basic security practices; and
  • did not use readily available measures to prevent and detect unauthorized access to personal information.

LabMD asserts that the documents related to this complaint contain confidential information, so the Commission’s complaint will not be made public until the claims are resolved.

 

UPDATE: The Federal Trade Commission recently issued a revised guide on the Red Flags Identity Theft Rule, designed to help businesses comply with the requirements of the Rule. Our detailed Client Alert on the Final Red Flags Rule and compliance obligations issued by the SEC and CFTC can be found here.   The Red Flags Rule was issued in 2007; after several enforcement delays, compliance has been mandatory for entities regulated by the FTC since the end of 2010.

The revised guide is a helpful tool for entities that are considering whether they are covered by the Rule as well as for covered entities as it:

  • Provides a two-part analysis that businesses can use to determine if they are a “financial institution” or a “creditor” covered by the Rule,
  • Contains an FAQ section that clarifies the definition of “creditor,” and
  • Outlines a four-step compliance process for businesses under FTC jurisdiction.

You can find a copy of the guide here.

If you need assistance with your own Red Flags compliance program, or determining whether you are covered by the Rule, contact a Mintz Levin Privacy attorney.

 

Written by Amy Malone

You might think that locking your backup media in a safe protects it from a data breach, but Kmart’s recent data breach proves otherwise.  Last month, a person held a Kmart employee in Little Rock, Arkansas at gunpoint and ordered him to open the store’s safe.  The perpetrator ran off with the safe’s contents, including almost $6,000 and the day’s backup disk.

The next problem for Kmart (or maybe the first problem)?  The backup disk was not encrypted or password-protected.  The Chicago Tribune reports that the disk held confidential prescription information, including names, addresses and medications prescribed, for almost 800 customers.  According to another news source, parent company Sears says that “certain prescriptions also contained the customer’s social security number.”

Kmart spokesperson Shannelle Armstrong-Fowler said there was a “slim to none” chance of the thief accessing information on the disk because he would need to know what software package Kmart uses and have that software.  FierceRetail counters that it would not be that difficult to extract information from an unencrypted disk with a hex dump utility: an undocumented file format hides nothing from someone who simply reads the raw bytes.   According to StorefrontBacktalk, the initial police report did not reference the missing data disk, and Little Rock Police said no updated report had been filed.  Such an updated report would have been filed had Sears contacted police to update the list of what had been stolen.  Read more details here.
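The point FierceRetail makes is easy to verify. The following is an added example, not code from the original post and not Kmart’s software: it serialises constructed sample prescription records into an invented, undocumented binary layout, then shows that a `strings`-style scan and a Social Security number pattern pull the records straight back out of the raw bytes. A one-time pad stands in for a real authenticated cipher (the standard library has no AES) to show that only encryption, not an obscure format, makes the same scan come up empty.

```python
import os
import re
import struct

# Constructed sample data and an invented record layout; this is not Kmart's
# real software, file format or customer data.
SAMPLE_RECORDS = [
    ("Jane Q. Public", "12 Oak St, Little Rock AR", "123-45-6789", "Lisinopril 10mg"),
    ("John A. Doe", "7 Elm Ave, Little Rock AR", "987-65-4321", "Metformin 500mg"),
]

SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def build_backup_image(records):
    """Serialise records into an opaque blob: a made-up magic header, a record
    count, then length-prefixed, NUL-terminated UTF-8 fields. Nothing here is
    encrypted; the format is merely undocumented."""
    out = bytearray(b"PHRX\x00\x02")
    out += struct.pack("<I", len(records))
    for rec in records:
        for field in rec:
            data = field.encode("utf-8")
            out += struct.pack("<H", len(data)) + data + b"\x00"
    return bytes(out)


def hexdump(blob, width=16, limit=4):
    """First `limit` lines of a classic hex dump: the view an attacker starts from."""
    lines = []
    for off in range(0, min(len(blob), width * limit), width):
        chunk = blob[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} |{text}|")
    return lines


def extract_strings(blob, min_len=4):
    """Mimic the `strings` utility: every run of printable ASCII >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_ssns(blob):
    """Flag anything shaped like a US Social Security number."""
    return [m.group().decode("ascii") for m in SSN_RE.finditer(blob)]


def audit_backup(blob):
    """What someone learns from the raw bytes without knowing the software."""
    return {"strings": extract_strings(blob), "ssns": find_ssns(blob)}


def encrypted_copy(blob):
    """XOR the image with a fresh random pad of equal length (a one-time pad).
    The pad stands in for AES-GCM, which the standard library lacks, and is only
    safe because it is never reused. Returns (ciphertext, pad)."""
    pad = os.urandom(len(blob))
    return bytes(a ^ b for a, b in zip(blob, pad)), pad


def decrypt_copy(ciphertext, pad):
    """Reverse encrypted_copy; XOR with the same pad restores the image."""
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


if __name__ == "__main__":
    image = build_backup_image(SAMPLE_RECORDS)
    print("\n".join(hexdump(image)))
    print("recoverable from plaintext image:", audit_backup(image)["ssns"])
    ciphertext, pad = encrypted_copy(image)
    print("recoverable from encrypted image:", audit_backup(ciphertext)["ssns"])
```

Run the same `audit_backup` scan against a real backup image before it leaves the building: if it returns names or SSN-shaped strings, the media is effectively plaintext no matter how proprietary the software that wrote it.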

This breach underscores the importance of implementing layers of security.  Strong encryption of the backup media, in addition to locking it in a safe, would have kept customer information protected even after the safe was emptied and saved Kmart some angst.  Are you utilizing the right security to protect your sensitive information?  Unsure?  Contact one of our privacy attorneys for help.

 

UPDATE:   We have prepared a detailed Client Alert as a guide to getting started with these new Red Flag Rules and compliance obligations.   You can read it here.

 

It has been several years since the Federal Trade Commission’s Red Flag Rule took effect; and the banking regulators have had the Red Flag Interagency Guidance in place since 2007.   Finally, entities regulated by the Securities and Exchange Commission (SEC), such as broker-dealers and investment advisers, and entities regulated by the Commodity Futures Trading Commission (CFTC), such as futures commission merchants, commodity trading advisers and commodity pool operators, will be required to join the party.

In announcing the adoption of the rule, new SEC Chair Mary Jo White said, “Current estimates are that about five percent of American adults fall victim to identity theft fraud each year.  It is a risk for everyone, and as technology continues to advance, the risks increase.”

Section 1088 of the Dodd-Frank Wall Street Reform and Consumer Protection Act shifted certain oversight functions under the Fair Credit Reporting Act from the Federal Trade Commission to the SEC and the CFTC for entities regulated by those agencies. Last year the agencies issued a joint proposal on the identity theft provision. The final rules are “substantially identical” to the proposal, said Norm Champ, director of the SEC’s Division of Investment Management.

Specifically, the rules require that covered entities set up programs that identify, detect, and respond to identity theft “red flags.”    Most of the SEC-regulated entities will not be surprised by these rules.  Dodd-Frank essentially transferred oversight of already-existing Fair Credit Reporting Act requirements from the FTC to the SEC and the CFTC.

SEC Commissioner Luis Aguilar, however, noted that certain investment advisers, including advisers to hedge funds and private equity funds, may not have identity theft programs in place and will have to pay “particular attention” to the rules. Such entities were not required to register with the SEC until last year pursuant to Dodd-Frank.

The joint rules will become effective 30 days after publication in the Federal Register, and firms will be required to come into compliance six months after that date.


In a case that we have written about here and here, People’s United Bank of Maine has agreed to pay about $390,000 to settle a claim that its security practices allowed unauthorized persons to withdraw funds from a construction company’s account (Patco Construction Co. v. People’s United Bank, D. Me., No. 09-503, agreed dismissal filed 11/19/12).

The agreement, which settles the suit brought by Patco Construction Co. against People’s United Bank in the U.S. District Court for the District of Maine, came several months after the U.S. Court of Appeals for the First Circuit ruled that the bank’s anti-fraud procedures were not reasonable in Patco Construction Co. v. People’s United Bank, No. 11-2031 (1st. Cir. July 3, 2012).

The settlement amount includes the $345,000 that was not recovered from the theft along with interest. “They made my client as whole as they could possibly have been made,” Patco attorney Daniel Mitchell said. Attorneys’ fees and other expenses are not recoverable in this type of action, he explained.   However, according to the attorney for Patco Construction, the settlement did not address the bank’s security procedures.

Continue Reading The Tale of Two Banks: Final Settlement in Maine Bank Security Practices Case and a Failure of Bank Security Procedures in Florida

Written by Amy Malone

Last week the FBI released a fraud alert warning financial institutions that cyber criminals have been using tactics such as spam and phishing emails to obtain employee log-in credentials.  After obtaining the credentials, the hackers initiated wire transfers overseas.  A few days after the alert, Bank of America, JPMorgan Chase and Wells Fargo suffered service outages that prevented access to their websites.  According to security experts, such outages were likely caused by denial of service attacks, which disrupt a website by flooding its servers with so much traffic that they cannot respond to legitimate requests.

These attacks have been aimed at financial institutions, but are a good reminder to all organizations that cyber security remains an important aspect of your company’s overall security.  Technology is constantly changing and hackers are always finding new ways to penetrate systems so it’s important for organizations to analyze their systems and make updates as necessary.

Where do you start?  Below are a few tips for combating cyber security threats:

1) Remain vigilant.  No security system is 100% secure, so it’s important to review the safety measures you have in place and identify gaps.  A good way to identify such gaps is to hire a third party to perform penetration tests on your systems: a penetration test simulates a malicious attack so that your organization can see where its protections fail.  It’s also important to run regular vulnerability scans of your network and to keep firewall rules tight and regularly reviewed.  Investing in security technology before you have a breach will save your organization time and money in the long run.

2) Train your employees.  According to a recent article published by Computerworld, most data breaches are inadvertently caused by employees.  An organization can have the most robust cyber security system available, but if employees are not trained and re-trained about the importance of protecting sensitive information then there are going to be data breaches.  It’s important to educate employees on how to protect information, including the threats posed by spam and phishing emails.

3) Encrypt, encrypt, encrypt.  Encrypting information at every stage (at rest, in transit and in backups) renders it useless to an attacker who obtains it during a hack.

4) Vet your vendors.  Does your company provide sensitive information to third parties?  (Storing documents offsite counts.)  If so, it’s essential that your company review each vendor to ensure its security measures meet your standards.   What about your vendor’s vendors?  See our previous blog here discussing that topic.

Protecting your company’s personal information is an on-going challenge.  If you need help building your data security program contact any member of your Mintz Levin service team, or one of Mintz Levin’s privacy lawyers.

 The article below was posted to the Mintz Health Law & Policy Matters blog, but it contains valuable information for any business regarding steps to take to avoid data blackmail.    Check out the bullet point list below and make sure that your company secures all its sensitive data against threats, both internal and external.

Written by Stephen Bentfield and Stephanie Willis 

Medical-data blackmail is becoming more common as more health care providers adopt electronic health records systems and store patient data digitally.  This Bloomberg technology blog story describes some of the larger incidents where medical data has been held for ransom by hackers or even unpaid, disgruntled subcontractors.

In particular, the story provides the details of a recent breach of a small Libertyville, Illinois medical practice’s server by bold hackers who gained access to patient data contained in stored emails and electronic medical records.  The hackers encrypted and password-protected the files they accessed, and then posted a ransom note on the server demanding payment from the medical practice in exchange for the password to unlock the encrypted files.  Rather than comply with the ransom demand, the small medical practice shut down the compromised server and called police.

Although storing patient data electronically has its benefits, it is important that medical practices remember that merely storing the data electronically is insufficient to protect the patient from potential identity theft or to comply with federal and, in many instances, state data security obligations.  And encryption alone, applied once and then forgotten, is never enough.  Hackers spend an inordinate amount of time searching for ways to circumvent security measures to access personal data with high monetary value, such as Social Security numbers and credit card numbers.

So what can be done to protect against such threats?  While each medical practice should specifically tailor its information security plan to address the unique threats and vulnerabilities it confronts, practices should consider employing several strategies to reduce the risk of unauthorized persons gaining access to health records systems:

  • Install the latest updates and security patches for antivirus and anti-intrusion solutions, and, to the extent possible, encrypt patient data maintained by the practice (whether stored centrally on a server, or locally on a desktop PC, smart phone, tablet PC, or thumb drive).
  • Conduct regular backups of patient data to secure storage media.  The practice can retrieve and use the backup patient data should locally stored data be lost or stolen.
  • Develop and enforce comprehensive user access policies that are applicable to all employees and third-party contractors (including business associates and business associate subcontractors).  These policies should identify those individuals or classes of individuals who are authorized to access and/or modify patient data; manage the means by which such individuals can access patient data (e.g., directly through an in-office workstation, remotely via a smart phone or tablet PC, etc.); and describe the procedures for activating and terminating user access to patient records.
  • Assign each authorized user a unique user ID, which the practice can use to properly monitor and track user activity as well as assign appropriate credentials to control access to sensitive data.
  • Disable or strictly limit the use of administrator IDs for electronic systems containing patient data.
  • Employ auditing software that can alert practice management to potential security incidents and inappropriate data access in near real time.
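The last three strategies above (unique user IDs, restricted administrator accounts, and near-real-time auditing) only pay off if something actually watches the audit trail. As an added example, not code from the original post or from any EHR vendor, the following detector runs three rules over a constructed access log in an assumed “timestamp user action patient” format: use of a shared administrator account, activity by an account that is not on the assumed active roster (such as a terminated contractor), and one user touching an unusual number of distinct patient records within a short window, the kind of sweep that precedes bulk theft or encryption of records. The roster, thresholds and log lines are all assumptions for the demonstration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed practice roster and policy; a real deployment would read these from
# the EHR's user directory and the practice's access policy.
ACTIVE_USERS = {"dr_chen", "rn_lopez", "billing_ali"}
SHARED_ADMIN_ACCOUNTS = {"admin", "emr_admin"}
BULK_THRESHOLD = 5                  # distinct patients within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)

# Constructed audit trail in an assumed "timestamp user action patient" format.
SAMPLE_LOG = """\
2012-08-01T09:00:01 dr_chen READ P1001
2012-08-01T09:20:14 dr_chen WRITE P1001
2012-08-01T09:45:30 dr_chen READ P1002
2012-08-01T10:00:00 emr_admin WRITE P1003
2012-08-01T10:05:00 it_vendor_sam READ P1009
2012-08-01T13:01:00 rn_lopez READ P2001
2012-08-01T13:01:30 rn_lopez READ P2002
2012-08-01T13:02:00 rn_lopez READ P2003
2012-08-01T13:02:45 rn_lopez READ P2004
2012-08-01T13:03:10 rn_lopez READ P2005
2012-08-01T13:04:00 rn_lopez READ P2006
"""


def parse_line(line):
    """Split one log line into (timestamp, user, action, patient_id)."""
    ts, user, action, patient = line.split()
    return datetime.fromisoformat(ts), user, action, patient


def detect(lines):
    """Stream through the log once and return alerts in the order raised.

    Rules:
      shared_admin_account     - activity under a shared/administrator ID
      unknown_or_disabled_user - account not on the active roster
      bulk_record_access       - >= BULK_THRESHOLD distinct patients per user
                                 inside a sliding BULK_WINDOW (alerted once)
    """
    alerts = []
    recent = {}            # user -> deque of (ts, patient) inside the window
    bulk_alerted = set()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ts, user, action, patient = parse_line(raw)

        if user in SHARED_ADMIN_ACCOUNTS:
            alerts.append({"rule": "shared_admin_account", "user": user,
                           "time": ts, "action": action, "patient": patient})
        elif user not in ACTIVE_USERS:
            alerts.append({"rule": "unknown_or_disabled_user", "user": user,
                           "time": ts, "action": action, "patient": patient})

        window = recent.setdefault(user, deque())
        window.append((ts, patient))
        while window and ts - window[0][0] > BULK_WINDOW:
            window.popleft()           # drop events older than the window
        distinct = {p for _, p in window}
        if len(distinct) >= BULK_THRESHOLD and user not in bulk_alerted:
            bulk_alerted.add(user)
            alerts.append({"rule": "bulk_record_access", "user": user,
                           "time": ts, "count": len(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert["time"].isoformat(), alert["rule"], alert["user"],
              alert.get("count", ""))
```

The bulk rule alerts once per user so the practice gets one page, not sixty; tune `BULK_THRESHOLD` to what a clinician legitimately touches during a busy clinic block, and feed the detector from the EHR’s own audit export rather than a copy an attacker could edit.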

The list above is illustrative only and provides no substitute for a thorough risk assessment and comprehensive information security plan.  The ease with which practitioners can electronically access and modify patient records is also the system’s greatest weakness.  However, sound security practices and solutions can help mitigate the financial and legal risks if appropriately employed and configured.

Today’s news contains information regarding not one, but two, data breaches, compromising the personal information of a total of nearly 20,000 people.

The Washington Business Journal published a report today of a breach at the Environmental Protection Agency which exposed the Social Security numbers and banking information of nearly 8,000 individuals, most of them current employees of the EPA.  According to the Washington Business Journal’s report, the agency confirmed that notices were sent out Tuesday (yes, August 1st) about a security incident that occurred in March. Compromised information reportedly included SSNs, bank routing numbers and home addresses.  The EPA has offered one year of credit monitoring and established a hotline.

Closer to home, the Connecticut Attorney General’s office is investigating an incident at Hartford Hospital, compromising the personal health information and SSNs of about 9,000 patients.   According to a press release from Attorney General George Jepsen, the information was stored on an unencrypted laptop stolen from an employee of Greenplum, a subsidiary of EMC Corp., which was a contractor to the Hospital.   Jepsen’s office sent a letter to the Hospital, requesting additional information regarding the breach and suggesting that, at a minimum, the Hospital offer two years of credit monitoring services to impacted individuals.

According to the company’s website, Greenplum is “driving the future of Big Data analytics.”    The theft was discovered in June and has been reported to police.