As published in our sister blog, Health Law & Policy Matters

OCR Provides Additional Clarification on Phishing Scam

As we reported earlier this week, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights described a phishing campaign that is attempting to convince recipients of their inclusion in OCR’s Phase 2 audit program. The email, which was disguised as an official communication, suggests that recipients click on a link. This link takes recipients to a non-governmental website marketing cybersecurity services.

On Wednesday, OCR followed up their alert with additional details about the phishing campaign. According to OCR, the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. OCR points out the subtle difference from the official email address for its HIPAA audit program, OSOCRAudit@hhs.gov, noting that such subtlety is typical in phishing scams.

OCR also took the opportunity to confirm that it has notified select business associates of their inclusion in the Phase 2 HIPAA audits. For more information about the Phase 2 audit program, please visit our earlier post.

Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak

An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed. On November 30, 2016, a federal judge in Atlanta issued a 30-page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores. The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target. Continue Reading A Failed Strategy: Another Derivative Action In A Data Breach Case Goes Down To Defeat


The growing scale of cybersecurity concerns is prompting action from government leadership on the federal level. Before the Thanksgiving recess, the House’s Committee on Energy and Commerce got in on the act when two of its subcommittees–the Communications and Technology Subcommittee, chaired by Rep. Greg Walden (R-OR), and the Commerce, Manufacturing, and Trade Subcommittee, chaired by Rep. Michael C. Burgess, M.D. (R-TX)–held a joint hearing to investigate and consider the role of Internet-enabled devices (collectively referred to as the “Internet of Things,” or “IoT”) in high-profile online attacks.  Continue Reading House Energy & Commerce Committee Holds Hearing on Security of the Internet of Things

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

Developers and operators of educational technology services should take note. Just before the election, California Attorney General Kamala Harris released a document laying out guidance for those providing education technology (“Ed Tech”). “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data” provides practical direction that operators of websites and online services used for K-12 purposes can use to implement best practices for their business models.

Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; and (3) content, including curriculum and resources such as websites and mobile apps. The Recommendations recognize the important role that educational technology plays in classrooms, citing the Software & Information Industry Association’s estimate that the U.S. market for PreK-12 Ed Tech was $8.38 billion in 2015.

The data that may be gathered through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results. At the federal level, the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Rule (COPPA) govern the use of student data. However, according to the Recommendations, these laws “are widely viewed as having been significantly outdated by new technology.”

Recognizing this, California has enacted laws in this space to fill gaps in the protection. Cal. Ed. Code § 49073.1 requires local education agencies (county offices of education, school districts, and charter schools) that contract with third parties for systems or services that manage, access, or use pupil records to include specific contract provisions regarding the use, ownership and control of pupil records. On the private side, the Student Online Personal Information Privacy Act (SOPIPA) requires Ed Tech providers to comply with baseline privacy and security protections.

Building on this backdrop of legislation, Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  • Data Collection and Retention: Minimization is the Goal 

Describe the data being collected and the methods being used, understanding that “data” includes everything from behavioral data to persistent identifiers. If your service links to another service, disclose this in your privacy policy and provide a link to the privacy policy of the external service. If you operate the external service, maintain the same privacy and security protections for the external service that users enjoyed with the original service. Minimize the data collected to only that necessary to provide the service, retain the data for only as long as necessary, and be able to delete personally identifiable information upon request.

  • Data Use: Keep it Educational

Describe the purposes of the data you are collecting.  Do not use any personally identifiable data for targeted advertising, including persistent identifiers, whether within the original service, or any other service.  Do not create profiles other than those necessary for the school purposes that your service was intended for.  If you use collected data for product improvement, aggregate or de-identify the data first.

  • Data Disclosure: Make Protections Stick 

Specifically describe any third parties with whom you share personally identifiable data. If disclosing for school purposes, only do so to further the school-specific purpose of your site. If disclosing for research purposes, only disclose personally identifiable information if you are required to by federal or state law, or if allowed under federal and state law and the disclosure is under the direction of a school, district or state education department. Service providers should be contractually required to use any personally identifiable data only for the contracted service, not disclose the information, take reasonable security measures, delete the information when the contract is completed, and notify you of any unauthorized disclosure or breach. Do not sell any collected information, except as part of a merger or acquisition.

  • Individual Control: Respect Users’ Rights 

Describe procedures for parents, legal guardians, and eligible students to access, review and correct personally identifiable data.  Provide procedures for students to transfer content they create to another service, and describe these procedures in your privacy policy.

  • Data Security: Implement Reasonable and Appropriate Safeguards

Provide a description of the reasonable and appropriate security you use, including technical, administrative and physical safeguards, to protect student information.  Describe your process for data breach notification.  Provide training for your employees regarding your policies and procedures and employee obligations.

  • Transparency: Provide a Meaningful Privacy Policy

Make available a privacy policy, using a descriptive title such as Privacy Policy, in a conspicuous manner that covers all student information, including personally identifiable information.  The policy should be easy for parents and educators to understand.  Consider getting feedback regarding your actual privacy policy, including from parents and students.  Include an effective date on the policy and describe how you will provide notice to the account holder, such as a school, parent, or eligible student.  Include a contact method in the policy, at a minimum an email address, and ideally also a toll-free number.

Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed. If you are growing an Ed Tech company, this is the time to build in data privacy and security controls. If you are established, it’s time to review your privacy practices against this Guidance and see how you match up. If you have any questions or concerns as to how these recommendations could be applied to your company, please do not hesitate to contact the team at Mintz Levin.


As we previewed last week, the Federal Communications Commission (FCC) has adopted new privacy rules that govern Internet service providers’ (ISPs) handling of broadband customer information.  Though the Wireline Competition Bureau stated that it expects it will be at least several days before the final Order is released to the public, the FCC released a fact sheet describing the rules as adopted.

These rules are the culmination of a process that began in 2015 with the reclassification of Broadband Internet Access Service (BIAS) as a common carrier telecommunications service regulated under Title II of the Communications Act.  As a consequence of reclassification, the obligations established under the privacy framework adopted by the Federal Trade Commission (FTC) no longer applied to ISPs due to the common carrier exception in Section 5 of the FTC Act.  Accordingly, the FCC determined that the privacy protections governing telephone customer proprietary network information (CPNI) set forth in Section 222 of the Communications Act would now apply to ISPs’ provision of BIAS.

On April 1, 2016, the Commission released a Notice of Proposed Rulemaking setting forth proposed privacy and data security rules that would govern ISPs’ provision of BIAS.  The rules originally proposed by the FCC would have subjected ISPs to significantly greater constraints on their ability to use customer data for advertising, marketing, and offering customized services and features than the FTC’s privacy framework, which continues to apply to websites, apps, and all other entities in the Internet ecosystem other than ISPs.  For example, while the FTC framework applies differing choice mechanisms (i.e., opt-in, opt-out, or implied consent) depending on the sensitivity of the data being collected and the context of its use, the FCC initially proposed to apply a default opt-in regime to virtually all data – rejecting any distinctions based on data sensitivity.

In response to comments from the FTC and others in the proceeding, the final rules adopted by the FCC align more closely with the FTC framework, though some important differences remain.  Continue reading for key elements of the proposed rules. Continue Reading What You Need to Know about the New Broadband Privacy Regulations

You may not realize how much personal information your insurance company has about you. Scarier still is that much of this data is sensitive and valuable to hackers – such as your Social Security number, financial information, medical history, even itemized schedules of your most expensive personal property.  As data breaches affecting insurers have piled up in the past couple of years (Anthem, Premera Blue Cross and Blue Shield, Excellus Health Plan, UCLA Health System just to name a few), so too have calls for stronger data security protections applicable to insurance data.  In response, the CyberSecurity Task Force of the National Association of Insurance Commissioners (“NAIC”), the standard-setting organization in the U.S. insurance industry created and governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories (“Task Force”) is racing to finish its Insurance Data Security Model Law (“Model Law” or “Law”) by the end of this year so that states can begin the adoption process as early as 2017.  Continue Reading Insurance Regulators Fine Tuning Cybersecurity Guidance

The term “cloud computing” (a process by which remote computers are used to store, manage and process data) is no longer an unfamiliar one. According to at least one estimate, “approximately 90 percent of businesses using the cloud in some fashion.” American Airlines is assessing major providers of cloud services for an eventual relocation of certain portions of its customer website and other applications to the cloud.

What some may not realize is that there are actually three main types of clouds: public, private and hybrid.  Public clouds are those run by a service provider, over a public network.  For example, Amazon Web Services offers public cloud services, among others.  A private cloud is operated for a single entity, and may be hosted internally or by a third-party service provider.  A hybrid cloud is a composition of two or more clouds, such as a private cloud and a public cloud, such that the benefits of both can be realized where appropriate.  Each of these cloud infrastructure types has different advantages and disadvantages.

For a given company looking to migrate to the cloud, the appropriate option will be motivated in part by business considerations; however, data privacy and security laws, compliance best practices, and contractual obligations will provide mandatory baselines that companies cannot ignore. As such, relevant laws, best practices, and contractual obligations serve as a useful starting point when evaluating the appropriate cloud option.

Almost every organization has data flow systems that receive data, and then process and use the data to deliver a service. Below are three initial steps a decision maker should take when evaluating a potential cloud infrastructure choice.


First, consider the statutory implications of the types of data being processed

For example, is the system collecting social security numbers and driver’s license numbers? Pursuant to California Civil Code Section 1798.81.5, businesses that “own or license” personal information concerning a California resident are required to “implement and maintain reasonable security procedures and practices . . . to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Of course, many other state and federal laws may also impose additional obligations, such as the HIPAA Security Rule, which applies to certain health information under certain circumstances.

Deciding which relevant laws apply, and then interpreting language such as “reasonable security procedures and practices” is a complicated process. Companies should consult experienced legal counsel regarding these risks, especially in light of potential liability.

Second, consider any relevant contractual obligations

For example, many companies may have contracts that provide for certain service level availability (SLA) obligations for services they provide. It is also possible that these contracts could have their own security requirements in place that must be met.

Third, decide which cloud architecture option makes sense in light of the first two steps as well as business considerations

After senior decision makers, with the benefit of experienced legal counsel, have decided what elements of applicable laws, best practices, and contractual obligations apply, further business considerations may need to be addressed from an operational standpoint.  For example, interoperability with other services may be an issue, or scalability may be an issue.


Through these requirements, in conjunction with appropriate information technology stakeholders, the appropriate cloud architecture can be chosen. Private clouds can offer the strongest security controls, as they are operated for a single entity and can offer security options not present in public clouds. As such, a private cloud may be appropriate where a very strong security stance is deemed necessary. Public clouds are often less expensive, but offer a more limited range of security options. A hybrid cloud may be appropriate where an entity hosts certain high-security data flow systems as well as other systems with less severe security requirements. For example, an entity that has an HR system containing social security numbers, as well as an employee shift scheduling system, might choose to host the HR system on a private cloud while hosting the scheduling system on a public cloud, with limited crossover and interoperability between the two systems.

Once you have chosen which cloud suits your business and data flow, the real work of getting appropriate contract documents in place begins. We’ll discuss those issues in a future blog post.


The FBI warned this summer that the “Business Email Compromise” (“BEC”) scam continues to grow, evolve, and target businesses of all sizes. As reported by the FBI in June, the scam had hit more than 22,000 victims for a combined dollar loss of greater than $3 billion – that’s billion with a B! And the latest evolution is even more threatening, potentially causing breaches of protected data.

What is the BEC scam? Why have so many been taken in? And how can you protect yourself?

The BEC scam is a smart, targeted scheme using emails that appear genuine, usually seeming to originate from within the victim’s company or from its suppliers/contractors.  For example, the company’s CFO may receive an email that seems to come from the CEO, urgently directing funds to be wired to a specified account for a seemingly legitimate purpose. Or the email may appear to come from a supplier or contractor and seek payment on an invoice that appears legitimate. If the company wires funds as directed, the funds are transferred offshore and become unrecoverable.

The scam has been highly effective because BEC emails mimic legitimate requests. The perpetrators research their victim to learn its protocols, its counterparties’ names, its payment methods, etc. They often use social engineering techniques (e.g., phishing emails requesting info) to learn details about the targeted business. The successful perpetrators learn which individuals are necessary to perform wire transfers and what protocols are used. They may learn when the CEO is traveling, so that an email from the CEO directing payment would not be questioned. The perpetrator may have hacked and used a valid email account for this purpose, or may have established an account with a similar domain name. Their level of sophistication has enabled the theft of billions of dollars.

Earlier this year, the FBI started receiving reports that this highly successful scheme has evolved into a means to obtain confidential information, leading to data breaches. For example, an email request to the human resources department may prompt the disclosure of W-2 forms or other confidential, personally identifiable information (“PII”). The FBI reports that victims have fallen for this new data-theft BEC scenario even if they were able to successfully identify and avoid the traditional BEC scam.

We all have learned (hopefully) not to click links in suspicious looking emails. But trusted emails receive less scrutiny. What steps can you take to avoid being hit?

  • If an email is directing payment by wire or seeks protected information, it merits special treatment.
  • TRAIN employees and establish clear protocols for wire transfers and data privacy.
  • Beware of sudden changes in business practices. Require secondary sign-off by company personnel when a change in payment method is requested.
  • Always verify requested changes via other channels. Don’t click “reply”. Instead, call the sender to verify; and use a trusted phone number, not a phone number appearing in the email. Or forward the email to the sender after typing a trusted email address, and seek confirmation.
  • Be suspicious of requests for urgent action or secrecy.
  • Create intrusion detection system rules that flag e-mails sent from domains that are similar to, but not the same as, the company’s own e-mail domain.
  • In addition, diligently maintain data and email security. Educate employees to be alert to social engineering situations, and to delete phishing emails. Establish two-factor authentication for email accounts.
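The look-alike sender domain in the OCR alert above (hhs-gov.us imitating hhs.gov) and the FBI’s advice to flag mail from domains resembling the company’s own are the same detection problem. The following is an added example, not code from OCR, the FBI or this blog: a small Python check that classifies a From header against an allowlist of trusted domains and flags senders that imitate one. The allowlist entry example-corp.com, the homoglyph table and the sample headers are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed allowlist: domains the organisation genuinely corresponds with.
# "hhs.gov" is the official OCR domain named in the alert; "example-corp.com"
# stands in for the company's own domain and is an assumption.
TRUSTED_DOMAINS = ("hhs.gov", "example-corp.com")

# Character substitutions commonly used when registering look-alike domains.
_HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def sender_domain(address):
    """Extract the domain from a From header such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.\-]+)", address)
    return m.group(1).lower() if m else ""

def normalize(domain):
    """Lower-case the domain and fold common homoglyphs so that
    'examp1e-corp.com' compares equal to 'example-corp.com'."""
    d = domain.lower().strip()
    for fake, real in _HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def labels(domain):
    """Split on dots and hyphens: 'hhs-gov.us' -> ['hhs', 'gov', 'us']."""
    return [t for t in re.split(r"[.\-]", domain) if t]

def classify(address, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return 'trusted', 'lookalike:<imitated domain>' or 'unknown'."""
    domain = sender_domain(address)
    # An exact match or a genuine subdomain (mail.hhs.gov) is trusted.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        tl, sl = labels(normalize(t)), labels(norm)
        # Case 1: the trusted domain's labels appear as a contiguous run
        # inside the sender domain, which is how hhs-gov.us imitates hhs.gov.
        if any(sl[i:i + len(tl)] == tl for i in range(len(sl) - len(tl) + 1)):
            return "lookalike:" + t
        # Case 2: near-identical string after homoglyph folding
        # (typo-squats such as examplecorp.com or examp1e-corp.com).
        if SequenceMatcher(None, norm, normalize(t)).ratio() >= threshold:
            return "lookalike:" + t
    return "unknown"

# Constructed sample From headers (not real mail) to run the check over.
SAMPLE_MESSAGES = [
    {"from": "OSOCRAudit@hhs.gov", "subject": "HIPAA audit notification"},
    {"from": "OCR Audit <OSOCRAudit@hhs-gov.us>", "subject": "Phase 2 audit selection"},
    {"from": "ceo@examp1e-corp.com", "subject": "Urgent wire transfer"},
    {"from": "vendor@supplier.net", "subject": "Invoice 1042"},
]

def scan(messages, trusted=TRUSTED_DOMAINS):
    """Return (sender, verdict) for every message whose sender imitates a
    trusted domain; these are the ones to quarantine or route for review."""
    flagged = []
    for msg in messages:
        verdict = classify(msg["from"], trusted)
        if verdict.startswith("lookalike:"):
            flagged.append((msg["from"], verdict))
    return flagged

if __name__ == "__main__":
    for sender, verdict in scan(SAMPLE_MESSAGES):
        print(f"{verdict:28} {sender}")
```

Mail from an unknown domain is deliberately left alone; only senders that resemble a trusted domain are flagged, since those are the ones a recipient is least likely to question.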

If you have questions about how to train employees and avoid these phishing scams, contact a member of the Mintz Levin Privacy team.

Last week the clothing retailer Eddie Bauer LLC issued a press release to announce that its point of sale (“POS”) system at retail stores was compromised by malware for more than six months earlier this year.  The communication provided few details but did specify that the malware allowed attackers to access payment card information related to purchases at Eddie Bauer’s more than 350 locations in the United States, Canada and other international markets from January 2 until July 17, 2016.  According to the company, its e-commerce website was not affected.

In an open letter posted online, Eddie Bauer’s CEO Mike Egeck explained that the company had conducted an investigation, involved third party experts and the FBI, and now is in the process of notifying customers and reviewing its IT systems to bolster security. These are customary and important steps following a security breach to mitigate harm to customers, protect against future threats, and comply with state data breach notification laws. Continue Reading Eddie Bauer Latest Victim of POS Malware Attack