The FBI warned this summer that the “Business Email Compromise” (“BEC”) scam continues to grow, evolve, and target businesses of all sizes. As reported by the FBI in June, the scam had hit more than 22,000 victims for a combined dollar loss of greater than $3 billion – that’s billion with a B! And the latest evolution is even more threatening, potentially causing breaches of protected data.

What is the BEC scam? Why have so many been taken in? And how can you protect yourself?

The BEC scam is a smart, targeted scheme using emails that appear genuine, usually seeming to originate from within the victim’s company or from its suppliers/contractors.  For example, the company’s CFO may receive an email that seems to come from the CEO, urgently directing funds to be wired to a specified account for a seemingly legitimate purpose. Or the email may appear to come from a supplier or contractor and seek payment on an invoice that appears legitimate. If the company wires funds as directed, the funds are transferred offshore and become unrecoverable.

The scam has been highly effective because BEC emails mimic legitimate requests. The perpetrators research their victim to learn its protocols, its counterparties’ names, its payment methods, etc. They often use social engineering techniques (e.g., phishing emails requesting info) to learn details about the targeted business. The successful perpetrators learn which individuals are necessary to perform wire transfers and what protocols are used. They may learn when the CEO is traveling, so that an email from the CEO directing payment would not be questioned. The perpetrator may have hacked and used a valid email account for this purpose, or may have established an account with a similar domain name. Their level of sophistication has enabled the theft of billions of dollars.

Earlier this year, the FBI started receiving reports that this highly successfully scheme has evolved into a means to obtain confidential information, leading to data breaches. For example, an email request to the human resources department may prompt the disclosure of W-2 forms or other confidential, personally identifiable information (“PII”). The FBI reports that victims have fallen for this new data-theft BEC scenario, even if they were able to successfully identify and avoid the traditional BEC scam.

We all have learned (hopefully) not to click links in suspicious looking emails. But trusted emails receive less scrutiny. What steps can you take to avoid being hit?

  • If an email is directing payment by wire or seeks protected information, it merits special treatment.
  • TRAIN employees and establish clear protocols for wire transfers and data privacy.
  • Beware of sudden changes in business practices. Require secondary sign-off by company personnel when a change in payment method is requested.
  • Always verify requested changes via other channels. Don’t click “reply”. Instead, call the sender to verify; and use a trusted phone number, not a phone number appearing in the email. Or forward the email to the sender after typing a trusted email address, and seek confirmation.
  • Be suspicious of requests for urgent action or secrecy.
  • Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail.
  • In addition, diligently maintain data and email security. Educate employees to be alert to social engineering situations, and to delete phishing emails. Establish two-factor authentication for email accounts.

If you have questions about how to train employees and avoid these phishing scams, contact a member of the Mintz Levin Privacy team.

The Article 29 Working Party (WP29) has released a brief updated statement on the final form of the Privacy Shield adequacy decision and supporting annexes.  WP29 is an important advisory group made up of representatives of each of the EU’s national data protection authorities.   In a nutshell, WP29 has said that Privacy Shield isn’t perfect, but it will wait until the first annual review to raise specific objections, which gives the Privacy Shield program enough time to get up and running.  The WP29 statement promises  that, during the first annual review of Privacy Shield, “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.”  WP29 goes on to say that “[t]he results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

While WP29’s statement has been interpreted by at least one legal news source as a one-year moratorium on Privacy Shield litigation,  that seems rather unlikely.  The WP29 does not have  the legal power to deprive any EU data subject of his or her right to challenge Privacy Shield on human rights grounds, or to materially delay such a challenge.  If a national DPA refused to hear a complaint on the basis of the putative WP29 moratorium, the national courts would most likely find against the DPA.

A more modest — and realistic- – interpretation of the WP29 opinion would be that the DPAs themselves won’t seek to scupper Privacy Shield during its first year.  Instead, they will leave that to Max Schrems and other individuals who remain skeptical of the EU-US privacy deal.

The EU Commission has formally adopted Privacy Shield and the US Department of Commerce will go live with a new Privacy Shield registration website on August 1.  US companies that had been registered under Safe Harbor will need to complete a new internal review, self-certification and registration to take advantage of Privacy Shield.

Much of the negotiation of Privacy Shield has focused on enforcement and oversight of the program by US authorities (as well as on the US intelligence agencies’ own collection and use of EU personal data).  Companies that are already familiar with Safe Harbor will find Privacy Shield’s general privacy principles to be very similar.  However, companies will want to take note of the more stringent conditions for onward transfers to third parties, which are likely to require companies to review their contracts with service providers and business partners.  Companies will also need to scrutinize their data retention practices carefully.  Overall, annual data protection reviews will be necessary as part of continued self-certification. The Department of Commerce is expected to take a more active role in proactively monitoring compliance, so companies will need to be prepared for inspections even if no complaints have been made.

The final version of Privacy Shield and its appendices, along with a press release and FAQ, are available here.

 

The number one threat to a company’s information (personal or confidential) is still its own employees. Data security and privacy training are the first lines of defense against negligent employee behavior.

Join us tomorrow (6.22) at 1 PM ET for a webinar in which we will explore why traditional training programs are falling short and what you can do to boost your efforts and counter top concerns regarding malicious and negligent employee handling of personal and confidential data.

Register here.

CLE credit available in NY and CA

The Department of Homeland Security (DHS) and the Department of Justice (DOJ) have issued the long-awaited final procedures for both Federal and Non-Federal Entities under the Cybersecurity Information Sharing Act (CISA) (“Final Procedures”) that provide information on how DHS will implement CISA.  In addition to the Final Procedures, the agencies also released “Guidance to Non-Federal Entities to Share Cyber Threat Indicators and Defensive Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (the “Guidance”).

As we have written previously, a company may share cyber threat indicators (CTIs) and defensive measures (DMs) for cybersecurity purposes “notwithstanding any other provision of law,” and receive certain liability protections for sharing in accordance with the Act.  The Final Procedures and the Guidance are finalized versions of interim guidance previously discussed.  Any decision to share information under CISA is complex and involves factual and legal determinations.

Read on to find out what CTIs and DMs are, and information on the procedures companies must follow to obtain liability protection for sharing CTIs and DMs with the Federal Government.   Continue Reading “Interim” No More: DHS and DOJ Publish Final CISA Guidance on Cybersecurity Sharing 

Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.

These are big questions, reflecting some of the practical concerns in our international marketplace.  The series focuses on the well-intentioned Global HR Director, Ned Help, who will raise hot topics and difficulties his company faces when sending their employees abroad.  We will then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces.   This month’s edition:   Privacy Considerations – follow the rest of the series at Innocents Abroad.


 

From:            Carrie Counselor

To:                  Ned Help

Date:              May 24, 2016

RE:     Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be engaging a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy.  Great question!  This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.

What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and establish far higher compliance obligations on the part of employers.  Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway) because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home.  Let’s talk specifics: Continue Reading Innocents Abroad: Privacy Considerations for Employers

We now have a precise date for the European Union’s General Data Protection Regulation to go into effect: May 25, 2018.  The official version has been published and is available here.  The GDPR, in its official published version, contains 87 densely-packed pages of recitals and articles, and many new and expanded obligations for both “controllers” and “processors” of personal data.  Many companies will need the full two years’ lead time to bring their operations and contracts into compliance.  (Read our bullet point summary here.)

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here).  We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.

 

cookiesVerizon Wireless has reached a settlement with the Federal Communications Commission over Verizon’s insertion of unique identifier headers (“UIDH”), also known as “supercookies,” to track customers’ mobile Internet traffic without their knowledge or consent.  Verizon inserted UIDH into customers’ web traffic and associated the UIDH with customer proprietary information to create profiles and deliver targeted ads.  In at least one instance, a Verizon advertising partner overrode customers’ privacy choices by using the UIDH to restore cookies deleted by the customer.  For over two years Verizon Wireless did not disclose its use of UIDH in its privacy policies or offer consumers the opportunity to opt-out of the insertion of UIDH into their Internet traffic.

Continue Reading Verizon Settles Supercookie Probe with FCC

apple-logo fbi-sealAmong the major headlines dominating not only the recent news cycle, but also this week’s RSA Conference in San Francisco, has been Apple’s challenge to the federal government’s request that Apple assist in unlocking the iPhone recovered from the perpetrators of the shootings in San Bernardino.  On March 1, 2016, the House Judiciary Committee held a hearing titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy” focused on the intersection of the competing values of privacy and security in American society.  Testifying before the committee were two panels, one consisting solely of Federal Bureau of Investigation James Comey and the other of Bruce Sewell, Senior Vice President and General Counsel for Apple, Inc.; Cyrus R. Vance, District Attorney for New York County and Professor Susan Landau of Worcester Polytechnic Institute. Continue Reading Apple vs. FBI: The House Judiciary Committee Hearing and Takeaways