We are well into March Madness … and Happy St. Patrick’s Day!

You may have already had your bracket busted by now…..but you should have Mintz Levin’s Third Annual Employment Law Summit on your schedule and the panel on Cybersecurity and Employee Data Breaches may help you avoid a security incident/personal data buster.

Teamwork is a key to advancing in the Big Dance and HR and IT could make a powerful team in fighting cybersecurity risks in your company. Just because cybersecurity threats affect cyberspace does not take the human element out of the prevention/mitigation loop.   And the Luck of the Irish has nothing to do with it……

Even though IT plays the role of the center in managing the game flow with respect to the company’s data security, the HR department should not sit on the bench. HR has the point guard skills necessary to mitigate important insider threats and properly train the rest of the team to play it safe.

Businesses are a treasure trove of information about people – customers, employees, business contacts. Loss or theft of any of these can cost a company both in cold cash and in reputation. We’ll take a look at the crazy-quilt of laws and discuss how HR managers and counsel can make the important connections between HR professionals and security professionals and keep your company in the game.

We hope you will join us in New York on April 6th as our panel ventures into cyberspace. Please remember to register here, as you won’t want to miss this important event.

Recently, a Google researcher discovered a serious flaw with the content delivery network (CDN) provided by CloudFlare.  This vulnerability has now become known as Cloudbleed, in a nod to the earlier Heartbleed SSL vulnerability.  The Cloudfare CDN allows users of the service to have their content stored at Cloudflare Network Points of Presence (PoPs) rather than a single origin server.  This reduces the amount of time it takes to serve websites in disparate geographical locations.  The service is popular, with Cloudflare having over five million customers, including Uber, OkCupid, and FitBit.

The Cloudbleed vulnerability involved a situation where sensitive data was inadvertently displayed or “leaked” when visiting a website that used certain Cloudflare functionality.  Cloudflare has estimated that the leak was executed 1,242,071 times between September 22nd and February 18th.  Search engines such as Bing, Yahoo, Baidu and Google also cached the leaked data.  The researcher who discovered the leak found all sorts of sensitive data being leaked, including private messages from major dating sites, full messages from a well-known chat service, online password manager data and hotel bookings, passwords and keys.

The Clouldbleed vulnerability is a reminder that companies that leverage external vendors to receive, process, store, or transfer sensitive data must find ways to reduce the risk created by the relationship to an acceptable level.  We have three steps that companies should consider taking to accomplish this.  

First, companies should understand how external vendors will interact with their data flows.  Companies that leverage Cloudflare services have given it access to sensitive data, including private messages, passwords, and keys.  The risks of providing this data to external vendors cannot be understood if the company itself does not understand at a senior organizational level what is being transferred.  Ask questions about the proposed procurement of vendor-provided services to understand what interaction the service/vendor has with your data.

Second, companies should make sure that they have permission to transfer user data to third parties, based on its existing terms of use and privacy policy documents that the relevant data subjects have agreed to.  Generally speaking, in most cases, the company collecting the data from the data subject will remain responsible for any issues that occur downstream, including loss or breach of the data through a third party vendor relationship.

Third, companies should carefully negotiate their vendor contracts in light of their own risk tolerance.  The contract should contemplate the data at issue, including by type and category, such as private messages and passwords, and should to the extent feasible transfer all risk of a breach on the vendor side to the vendor.  In many cases, it will be appropriate to require that the vendor carry insurance to satisfy its obligations under the agreement, including data breach remediation should it become an issue.

Companies with any questions regarding this process should not hesitate to contact the Privacy and Security team at Mintz Levin.

 

Counsel for a class of card-issuing banks filed a settlement agreement on March 8 proposing a class settlement to resolve claims arising from the 2014 theft of payment card data from Home Depot point-of-sale terminals.  The contemplated $27.25 million class settlement follows in the wake of over $140 million already paid by Home Depot to settle issuer bank claims through card association settlement processes.  The revelation that Home Depot was able to use private means to settle the vast majority of the bank claims outside of the class action raises significant questions about whether the proposed settlement class satisfies the requirement under Rule 23(b)(3) that a class action provide a superior means to resolve class members’ claims. Continue Reading Does Class Settlement Of Bank Claims In Home Depot Data Breach Litigation Pass The “Superiority” Test?

 

Last week, Snap Inc. (“Snap” or the “Company”) – the parent company of the wildly popular app Snapchat (“Snapchat” or the “App”) – became a publicly traded company on the New York Stock Exchange in the biggest tech IPO since Alibaba in 2014.  Priced at $17 per share, the Snap stock opened at $24 per share on Thursday morning and closed at $24.48 per share, bringing the Company’s market capitalization to approximately $28 billion. In today’s post, we’re taking a closer look at Snap’s S-1 filing (“Snap S-1”) with the U.S. Securities and Exchange Commission (SEC) with a particular focus on the Company’s disclosures of risk factors associated with cybersecurity and privacy risks.  Continue Reading A Deep Dive into Privacy/Security Disclosures in Snap’s S-1

In an effort to combat the growing prevalence of large-scale corporate cyberattacks, the New York Department of Financial Services (“NYDFS”) is rolling out a revamped cybersecurity regulation for financial services companies to take effect TODAY (March 1, 2017). This ambitious regulation is broadly drafted and carries a heavy compliance burden intended to protect consumers and ensure the safety and soundness of New York State’s financial services industry.   Even if you are not directly in banking or insurance, read on to see how these regulations may affect your company. Continue Reading It’s March 1: The Cybersecurity Goal Post Has Been Moved

Last week, the HHS Office for Civil Rights (OCR) disclosed a $5.5 million settlement with Memorial Healthcare Systems (MHS) for HIPAA violations affecting the protected health information (PHI) of 115,143 individuals. The Resolution Agreement, which can be found here, also contains a detailed corrective action plan (CAP).

The Florida-based health system reported to OCR that the PHI had been impermissibly accessed by MHS employees and impermissibly disclosed to affiliated physician office staff. The PHI consisted of names, dates of birth, and social security numbers.

According to OCR, the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by HIPAA. The health system also failed to regularly review records of information system activity for its applications that maintain electronic PHI and which are accessed by workforce users and users at affiliated physician practices. To make matters worse, the health system failed to review the audit information despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

While hacking incidents typically garner more media coverage, this case highlights the increasing threat posed by those inside a HIPAA-regulated organization. According to a Protenus report, nearly 60% of the breaches that occurred this past January involved insiders. Organizations would be well-served by reviewing recent OCR guidance on the importance of audit controls.

Originally posted in Mintz Levin’s Health Law Policy Matters

 

It’s that taxing time of the year.   Employees have received W-2 forms and the tax filing season has begun in earnest.  And, as night follows day, last year’s W-2 spear-phishing scam has returned.  The IRS and state tax authorities have issued a new alert  to HR and payroll departments to beware of phony emails intended to capture personal information of employees.   The emails generally appear to be from a senior executive (typically the CEO or CFO) to a company payroll office or HR employee and request a PDF or list of employee W-2 forms for the tax year.   Those forms contain all the information any cybercriminal needs to file a fraudulent tax return for a tax refund.   That scam cost the US taxpayer about $21 billon in 2016.  Over 70 companies fell victim to the 2016 scam and hundreds of thousands of employee records, including Social Security numbers, were compromised.

To refresh your memory, here are some of the details that may be contained in the emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.

We’ve already seen some activity on this front being reported from around the country.  These incidents not only create angst for employees, but they constitute data breaches reportable under state law because personal information has been exposed to an unauthorized (and unknown) individual and the risk of identity theft is high.   Last year’s incidents also resulted in class action lawsuits by employees against some of the victimized companies.

Employees Are Front Line of Defense

These emails look absolutely legitimate.  That is what makes them so effective.  The header of the email may look exactly as one would expect, mirroring the company fonts, duplicating automated signature blocks, and containing the actual email address of the spoofed executive in the “From:” line. Often, the return email address won’t even be visible until after the reply is sent unless the user specifically expands the address field. If you look carefully, it is likely that the domain name is a few characters “off” from the company’s legitimate domain name, such as substituting the number one (1) for the letter “l” or replacing a “.org” with a “.com”.   The more sophisticated attacks may utilize information obtained from LinkedIn® or social media designed to lull the target into a false sense of trust.

Awareness of these attacks and the problem is the key for employees.   

Train employees — particularly HR and payroll employees — who handle sensitive information to be wary of direct requests for personal information from company executives.   Send out samples of such emails and establish a campaign to raise employee consciousness.  A bit of skepticism goes a long way in protecting against this type of attack.  Confirmation of this type of request should be standard operating procedure, no matter who appears to have sent it.   Your company’s IT department should also be monitoring for phishing trends and remaining on the alert for suspicious outgoing activity, including large files or attachments.

Ask.  Since we have already seen reports of these attacks very early in this tax year, it is time to check in and insure that your company has not already fallen victim.   It’s important to respond quickly to reduce total damage to the organization, and most importantly, to your employees.  Affected individuals can protect themselves with certain forms filed with the IRS – but it’s only effective if they know soon enough.

 

The Mintz Levin Privacy team is here to help with employee training or preparing a plan to respond to an incident.

The Securities and Exchange Commission (SEC) is investigating whether Yahoo! should have reported the two massive data breaches it experienced earlier to investors, according to individuals with knowledge.  The SEC will probably question Yahoo as to why it took two years, until September of 2016, to disclose a 2014 data breach that Yahoo has said affected at least 500 million users.  The September 2016 disclosure came to light while Verizon Communications was in the process of acquiring Yahoo.  As of now, Yahoo has not confirmed publically the reason for the two year gap.  In December of 2016, Yahoo also disclosed that it had recently discovered a breach of around 1 billion Yahoo user accounts.  As Yahoo appears to have disclosed that breach near in time to discovery, commentators believe that it is less likely that the SEC will be less concerned with it.

After a company discovers that it has experienced an adverse cyber incidents, it faces a potentially Faustian choice: attempt to remediate the issue quietly and avoid reputational harm, or disclose it publically in a way that complies with SEC guidance, knowing that public knowledge could reduce public confidence in the company’s business and could even prove to be the impetus for additional litigation.

Part of the issue may be that while the SEC has various different mechanisms to compel publically traded companies to disclose relevant adverse cyber events, including its 2011 guidance, exactly what and when companies are required to disclose has been seen as vague.  Commentators have argued that companies may have a legitimate interest in delaying disclosure of significant adverse cyber incidents to give law enforcement and cyber security personnel a chance to investigate, and that disclosing too soon would hamper those efforts, putting affected individuals at more risk.

Even so, many see the two year gap period between Yahoo’s 2014 breach and its September 2016 disclosure as a potential vehicle for the SEC to clarify its guidance, due to the unusually long time period and large number of compromised accounts. As a result of its investigation, it is possible that the SEC could release further direction for companies as to what constitutes justifiable reasons for delaying disclosure, as well as acceptable periods of delay.  As cybersecurity is one of the SEC’s 2017 Examination Priorities, at a minimum, companies should expect the SEC to increase enforcement of its existing cybersecurity guidance and corresponding mechanisms.  Whatever the SEC decides during its investigation of Yahoo, implementing a comprehensive Cybersecurity Risk Management program will help keep companies out of this quagmire to begin with.

If you have any questions regarding compliance with SEC cyber incident guidance, please do not hesitate to contact the team at Mintz Levin.

With Inauguration Day upon us, it’s time for a #MLWashingtonCyberWatch update.   President-elect Donald Trump has vocalized his support for the future of “cyber” throughout his campaign – but how will members of his cabinet act, or refuse to act, on his vision for that future?

During the past two weeks, the United States Senate has been holding confirmation hearings for Mr. Trump’s cabinet selections. Pointed questioning from senators has surfaced many issues of critical importance to the American people, among them the future of privacy and cybersecurity. The incoming administration will confront significant issues in these areas such as the use of back-door encryption, mass data collection and surveillance, and international cybersecurity threats. The nominees for Attorney General, Secretary of the Department of Homeland Security (“DHS”), and Director of the Central Intelligence Agency (“CIA”) were each questioned about how they will navigate these concerns as part of the Trump Administration. In this installment of #MLWashingtonCyberWatch we are discussing highlights from these hearings. Continue Reading #MLWashingtonCyberWatch: Nominees Discuss Future of Cybersecurity

The U.S. Federal Trade Commission (“FTC”) has filed a lawsuit against device manufacturer D-Link for allegedly deceiving the marketplace about the security of its products and, in turn, unfairly placing customer privacy at risk.

Overview

Taiwan-based manufacturers D-Link Corporation and D-Link Systems, Inc. (collectively, “D-Link”) design a variety of home network devices, such as routers, IP cameras, and baby monitors. Devices such as these are susceptible to hacking when they are connected to each other and to the internet (in what is often referred to as the “Internet of Things” or “IoT”), and weak security measures therefore pose a significant security concern. Judging from D-Link’s advertisements for its products, the company is certainly aware of these risks. D-Link boasted that its routers are safe locked from hackers thanks to “Advanced Network Security,” its baby monitors and cameras assure a “Secure Connection” to protect the livestream view of a sleeping child, and promises of an “easy” and “safe” network appear repeatedly during the set up process for a D-Link device with an online interface. As the FTC explains in its lawsuit, claims like those made by D-Link are not only misleading but also dangerous.

Despite an apparent awareness of consumers’ cybersecurity concerns, the FTC alleges that D-Link neglected to build common security measures into the devices it sells. The allegations are startling: mobile app credentials were stored unsecured in plain text on consumer devices; a private company key code was accidentally made viewable online for six months; hard-coded login credentials in camera software left video feeds vulnerable to unauthorized viewers. And that’s just the beginning. More details are listed in the FTC’s complaint filed in a U.S. District Court in California on January 5, 2017. These lapses, and D-Link’s deceptive advertising, prompted the FTC to charge the company with a violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. §45.

As of January 10th, D-Link has denied the allegations outlined in the complaint and has retained the Cause of Action Institute as counsel to defend against the action.

The growing IoT problem

In recent years, the FTC has tried to keep pace with mounting concerns over the IoT industry by filing a handful of complaints focused on consumer protection. For example, it went after the company TRENDnet after the firm’s faulty software allowed hundreds of personal security cameras to be hacked. It also filed an action against computer parts manufacturer ASUS after its cloud services were compromised and the personal information of thousands of consumers was posted online. These isolated mistakes add up; when millions of unsecured and seemingly innocuous Wi-Fi-enabled devices join the global network, they can serve as a massive launchpad for crippling cyber-attacks like the one that overwhelmed internet traffic operator Dyn and shut down several major websites in October 2016. The efforts of the FTC are aimed at mitigating such attacks and encouraging technology developers to invest effort and resources in order to secure their IoT devices before they hit the marketplace.

Search for solutions

Both the FTC and the National Institute of Standards and Technology (NIST) have released reports offering guidelines and technical standards for building reliable security into the framework of new systems and devices. As we wrote about recently, the Obama administration had also left the Trump administration an extensive report on cybersecurity recommendations. Achieving these standards will require a combination of regular agency enforcement and greater market demand for safe, secure devices. In the meantime, some digital vigilantes are working to stop cyber-attacks before they start. Netgear, for instance, has launched a “bug bounty program” offering cash rewards of $150-$15,000 for eager hackers to track and report security gaps in its devices, applications, and APIS. Indeed, incentivizing solutions rather than quietly overlooking mistakes, and searching for loopholes in our laws, will make a substantial difference in safeguarding the IoT landscape.