Recently the United States Computer Emergency Readiness Team (US-CERT), an organization within the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) and a branch of the Office of Cybersecurity and Communications’ (CS&C) National Cybersecurity and Communications Integration Center (NCCIC), encouraged users and administrators to review a recent article from the Federal Bureau of Investigation (FBI) regarding Building a Digital Defense with an Email Fortress.

Are we have discussed in many posts before, phishing — the fraudulent practice of sending emails purporting to be from a reputable entity to induce an individual to reveal privileged information such as a password — remains a major security threat.  Within the article, the FBI provides several helpful actions for businesses can take to reduce their risk of being phished, including reporting and deleting suspicious e-mails, and making sure that countermeasures such as firewalls, virus software, and spam filters are robust and up-to-date.

We encourage each of our readers to review the FBI’s guidance and consider whether their organization could benefit from any of the methods of protection provided.

Companies with any questions regarding any of these issues should not hesitate to contact the team at Mintz Levin.

The FBI has issued new guidance specifically applicable to medical and dental facilities regarding the cybersecurity risk of File Transfer Protocol (“FTP”) servers operating in “anonymous” mode.  FTPs are routinely used to transfer information between network hosts.  As further described in the guidance, when an FTP server can be configured to permit anonymous users (through the use of a common user name like “anonymous” and without the use of a password) to gain access to the information stored on the server, which might include sensitive information about patients.  In addition to potentially directly compromising the security of the stored information, a hacker could use the FTP server in anonymous mode to launch a cyber attack on the entity.

The FBI provides the following specific guidance, which Covered Entities and Business Associates should heed:

The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI [Protected Health Information] or PII [Personally Identifiable Information] is not stored on the server.

Coupled with recent advice from FBI Director James B. Comey on ransomware, which we blogged about here, this latest guidance from the FBI demonstrates the seriousness the potential cybersecurity threats facing healthcare entities.

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

The FBI warned this summer that the “Business Email Compromise” (“BEC”) scam continues to grow, evolve, and target businesses of all sizes. As reported by the FBI in June, the scam had hit more than 22,000 victims for a combined dollar loss of greater than $3 billion – that’s billion with a B! And the latest evolution is even more threatening, potentially causing breaches of protected data.

What is the BEC scam? Why have so many been taken in? And how can you protect yourself?

The BEC scam is a smart, targeted scheme using emails that appear genuine, usually seeming to originate from within the victim’s company or from its suppliers/contractors.  For example, the company’s CFO may receive an email that seems to come from the CEO, urgently directing funds to be wired to a specified account for a seemingly legitimate purpose. Or the email may appear to come from a supplier or contractor and seek payment on an invoice that appears legitimate. If the company wires funds as directed, the funds are transferred offshore and become unrecoverable.

The scam has been highly effective because BEC emails mimic legitimate requests. The perpetrators research their victim to learn its protocols, its counterparties’ names, its payment methods, etc. They often use social engineering techniques (e.g., phishing emails requesting info) to learn details about the targeted business. The successful perpetrators learn which individuals are necessary to perform wire transfers and what protocols are used. They may learn when the CEO is traveling, so that an email from the CEO directing payment would not be questioned. The perpetrator may have hacked and used a valid email account for this purpose, or may have established an account with a similar domain name. Their level of sophistication has enabled the theft of billions of dollars.

Earlier this year, the FBI started receiving reports that this highly successfully scheme has evolved into a means to obtain confidential information, leading to data breaches. For example, an email request to the human resources department may prompt the disclosure of W-2 forms or other confidential, personally identifiable information (“PII”). The FBI reports that victims have fallen for this new data-theft BEC scenario, even if they were able to successfully identify and avoid the traditional BEC scam.

We all have learned (hopefully) not to click links in suspicious looking emails. But trusted emails receive less scrutiny. What steps can you take to avoid being hit?

  • If an email is directing payment by wire or seeks protected information, it merits special treatment.
  • TRAIN employees and establish clear protocols for wire transfers and data privacy.
  • Beware of sudden changes in business practices. Require secondary sign-off by company personnel when a change in payment method is requested.
  • Always verify requested changes via other channels. Don’t click “reply”. Instead, call the sender to verify; and use a trusted phone number, not a phone number appearing in the email. Or forward the email to the sender after typing a trusted email address, and seek confirmation.
  • Be suspicious of requests for urgent action or secrecy.
  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail.
  • In addition, diligently maintain data and email security. Educate employees to be alert to social engineering situations, and to delete phishing emails. Establish two-factor authentication for email accounts.

If you have questions about how to train employees and avoid these phishing scams, contact a member of the Mintz Levin Privacy team.

apple-logo fbi-sealAmong the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino.  On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy” focused on the intersection of the competing values of privacy and security in American society.  Testifying before the committee were two panels, one consisting solely of Federal Bureau of Investigation James Comey and the other of Bruce Sewell, Senior Vice President and General Counsel for Apple, Inc.; Cyrus R. Vance, District Attorney for New York County and Professor Susan Landau of Worcester Polytechnic Institute. Continue Reading Apple vs. FBI: The House Judiciary Committee Hearing and Takeaways

The Mintz Levin Privacy & Data Security Team invites you to register and join us at two upcoming events:

Our next Wednesday Webinar is coming up on February 25th, with a focus on privacy in the workplace. Our workplace is everywhere these days, which makes employment and privacy compliance even more challenging. Jen Rubin and Gauri Punjabi will discuss developments in the workplace privacy field, including statutory developments, mobile device regulation, social media’s impact on workplace privacy, recruiting and hiring, and some practical advice to keep your workplace policies in compliance with rapid legal developments.  Register here!

In the wake of the Anthem breach, we’ll be presenting a timely seminar in our Washington, D.C. office on Tuesday, March 3rd:  HACKED!  What to Do When It Happens to You

This roundtable, featuring national subject matter experts from the United States Secret Service and the Federal Bureau of Investigation, as well as forensic and legal professionals, will provide unique and important insights, tips, and advice on current cyber threats affecting your business and what to do when the cyber-thief strikes and the opportunity for in-person, live discussion with law enforcement officials.  Early registration (here) is encouraged, because space is limited.

Written by Amy Malone

Last week the FBI released a fraud alert warning financial institutions that cyber criminals have been using tactics such as spam and phishing emails to obtain employee log-in credentials.  After obtaining the credentials the hackers initiated wire transfers oversees.  A few days after the alert, Bank of America, JPMorgan Chase  and Wells Fargo suffered service outages that prevented access to their websites.  According to security experts, such outages were likely caused by denial of service attacks that disrupt the service to websites by overloading the servers with traffic so that they cannot respond to legitimate requests.

These attacks have been aimed at financial institutions, but are a good reminder to all organizations that cyber security remains an important aspect of your company’s overall security.  Technology is constantly changing and hackers are always finding new ways to penetrate systems so it’s important for organizations to analyze their systems and make updates as necessary.

Where do you start?  Below are a few tips for combating cyber security threats:

1) Remain vigilant.  No security system is 100% secure so it’s important to review the safety measures you have in place and identify gaps.  A good way to identify such gaps is by hiring a third party to perform penetration tests on your systems.  Malicious attacks are simulated in penetration tests which will enable your organization to identify how your protections fail.  It’s also important to run regular scans of your network for vulnerabilities and make sure your firewalls are as strong as possible.  Investing in security technology before you have a breach will save your organization time and money in the long run.

2) Train your employees.  According to a recent article published by Computerworld, most data breaches are inadvertently caused by employees.  An organization can have the most robust cyber security system available, but if employees are not trained and re-trained about the importance of protecting sensitive information then there are going to be data breaches.  It’s important to educate employees on how to protect information, including the threats posed by spam and phishing emails.

3) Encrypt, encrypt, encrypt.  Encryption of information at all stages will  information useless if it is obtained during a hack.

4) Vet your vendors.  Is your company providing sensitive information to third parties (storing documents offsite?  That counts!)?  If so, it’s essential that your company conduct reviews of vendors to ensure their security measures meet your standards.   What about your vendor’s vendors?  See our previous blog here discussing that topic.

Protecting your company’s personal information is an on-going challenge.  If you need help building your data security program contact any member of your Mintz Levin service team, or one of Mintz Levin’s privacy lawyers.