Beware of March Madness!  Scammers and phishers take advantage of increased web traffic by impersonating popular March Madness websites, including bracket sites and game live streams.  Will your employees take the bait?

Last year, it was reported that traffic activity from users streaming games and checking brackets for updates increased by 100% during the first round of the NCAA tournament.    Monitoring sites also observed an increase in malicious activity related to this category and discovered a clear upward spike in malicious activity, such as phishing pages, adware downloads, improper handling of user data, and attempts at domain squatting.   All of this is likely going on again this year, and it will be on your corporate networks.

  • Have you implemented solutions to limit the impact of nefarious phishing campaigns?
  • Have you trained employees to recognize phishing emails?
  • Do you remind employees about the dangers of falling victim to click bait in emails?
  • Do you remind employees about simple password hygiene and to not reuse corporate passwords outside the network?

The best advice we can offer is only use NCAA-sanctioned bracket applications through your web browser. There are many third-party sites out there that attempt to probe the user to create login credentials. In 2017, it was observed that one such application collected a username and password and then transmits it in the clear. This plain text credential transfer makes the connection vulnerable to sniffing attacks. Since users commonly set the same login credentials for multiple websites, the attackers might gain access to users email accounts, bank accounts, tax preparation accounts etc., or even worse, your corporate network.

Good luck!

Happy 2018.  You may notice a new widget in the right sidebar of our home page.  Now you have a reminder as to just how close we are to the GDPR D-Day.    GDPR is real.   GDPR is here.

To brush up on your GDPR, or to help you get moving in the right direction, here is a link to all of the content from our 2017 GDPR webinar series.   Each edition includes a link to the recording and slides.   We will continue to produce targeted content throughout 2018, so stay tuned.

 

Spoiler Alert: Behavioral advertising companies will find some bad news in the guidance.

The Article 29 Working Party (WP29) advisory group, which will soon become the more transparently-named (and very powerful) European Data Protection Board, is busy drafting and issuing guidance documents to help organizations understand how European data protection authorities will interpret various requirements of the General Data Protection Regulation (GDPR).  WP29 recently issued draft guidance relating to automated decision-making and profiling that will be critical for all organizations that conduct those activities. The draft guidance is open for comments until Nov. 28, 2017.  This post recaps some of the particularly interesting aspects of the draft guidance, which can be found in full here (scroll down to the items just above the “Adopted Guidelines” section).

But first, what counts as automated decision-making under the GDPR?  And what is “profiling”? Continue Reading Key GDPR Guidance on Behavioral Advertising, Profiling and Automated Decision-Making

As was generally expected from informal comments by EU representatives, Privacy Shield has survived its first annual review.  Commissioner Jourova stated: “Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation.”  Specifically, the Commission highlighted the following in the press release today in which it announced its conclusions:

  • More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce. The U.S. Department of Commerce should also conduct regular searches for companies making false claims about their participation in the Privacy Shield.
  • More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
  • Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
  • Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
  • To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).

It’s worth noting the recommendation regarding enshrining the protections for non-Americans under Presidential Policy Directive 28 in the reauthorization of Section 702 — while President Trump has not withdrawn PPD-28, it’s not a given that protection for foreigners will be built into FISA.

The full report is available here.

 

Irma over the Southeastern U.S. – Courtesy of NOAA

As Texas, Florida, and the Caribbean rebuild after the latest string of deadly hurricanes and prepare for the possibility of future storms, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) reminded health care providers of the importance of ensuring the availability and security of health information during and after natural disasters.  OCR’s guidance is a good reminder to all health care providers – regardless of where they are located – of the applicability of the HIPAA Privacy and Security Rules during natural disasters and other emergencies.

OCR recently published a bulletin during Hurricane Harvey discussing how the HIPAA Privacy Rule applies to sharing protected health information (PHI) during natural disasters. Recirculated while Irma was looming, the guidance document reminds health care providers that HHS may waive sanctions and penalties against a covered hospital for certain activities (e.g., obtaining a patient’s agreement before speaking with family or friends involved in the patient’s care) during an emergency. However, the waiver is limited to certain hospitals located within an emergency area and for a specific period of time.  More importantly, OCR noted in the bulletin that the Privacy Rule still applies to covered entities and their business associates during such emergencies, but the Privacy Rule does allow the disclosure of PHI without the patient’s consent for the patient’s treatment or public health activities.  Covered entities may also share PHI with a patient’s family or friends identified by the patient as being involved in their care, but OCR recommends that the covered entities obtain verbal permission or otherwise confirm that the patient does not object to sharing the information with these individuals.

Similarly, OCR reminded covered entities and business associates that the HIPAA Security Rule is not suspended during a natural disaster or emergency. On the contrary, the Security Rule actually imposes additional requirements during emergencies to ensure that electronic PHI is available during and after the emergency.  Specifically, covered entities and their business associates must have contingency plans that include plans for data back-up, disaster recovery, and emergency mode operation.  Additional information on the HIPAA Security Rule can be found here.

Health care providers must remain vigilant that patient information is not compromised and that it remains secure and accessible at all times. Covered entities and their business associates should carefully review their policies and procedures to make sure that they can respond appropriately to such events.

Originally published in our sister blog, Health Law & Policy Matters

Earlier this month, an appellate panel of the federal DC Circuit unanimously held that individuals affected by a healthcare insurer’s data breach in 2014 could pursue claims against the insurer stemming from the cyberattack. In the process, the panel deepened a circuit split on the question of whether data breach victims have standing to pursue claims based solely on exposure of their sensitive personal information, while also adding significant risk of cyber-liability for companies that collect and store medical records of individuals.

In Attias v. CareFirst, Inc., the plaintiffs asserted claims on behalf of a purported class of one million customers of CareFirst, Inc. (“CareFirst”), a healthcare insurer in the Washington, DC metro area. In the 2014 cyberattack, hackers penetrated 22 computers and compromised the identifying health data of one million customers, including customer names, addresses, email addresses, subscriber ID numbers, and Social Security numbers. The plaintiffs did not allege that they had suffered any direct financial injury as a result of their identifying health data being exposed, but did allege they suffered an “increased risk of identity theft” as a result of CareFirst’s alleged negligent conduct. The district court granted CareFirst’s motion to dismiss, which asserted that the plaintiffs lacked standing to bring their alleged claims because they had not asserted either a present injury arising from the data breach or a “high enough likelihood of future injury.” Continue Reading D.C. Circuit Holds Cyber-Theft of Customers’ Medical Identifying Information Created Sufficient Increased Risk of Harm to Establish Standing

The “business compromise email”  is what the FBI calls the “$5 billion scam,” but apparently an insurance company did not agree with an insured company that they had been the victim of a crime.

A federal court recently found that a crime policy afforded coverage for a $4.8 million wire transfer that an insured company was duped into making.  See Medidata Solutions, Inc. v. Federal Ins. Co., 15-CV-907 (SDNY July 21, 2017).   In this case, the thief took advantage of “real” facts, posing as the insured’s attorney for a corporate transaction.   More specifically, the insured was contemplating an acquisition and, as part of that process, the president instructed the finance department to be prepared, on an urgent basis, to assist with the transaction.  Continue Reading Court Holds Crime Policy Covers Business Email Compromise (BEC) Loss


Decisions you make when founding and/or investing in an insurtech venture can dictate your regulatory obligations, tax liability, operational structure and, ultimately, profitability.

Here are five seemingly simple questions to ask when launching an insurtech venture (and do not miss question #3): Continue Reading Five Questions for Investors in Insurtech

In another example of increased restriction on the rights of non-U.S. Citizens, last week the Department of Homeland Security (“DHS”) published a policy memorandum limiting the privacy rights of immigrants and foreign nationals under the Federal Privacy Act of 1974.  This new guidance was issued to bring DHS policy in line with President Trump’s January 25 executive order.

The Privacy Act was established to govern the collection, maintenance, use and dissemination of personally-identifiable information maintained by federal agencies.  The Privacy Act, with specific exceptions, prohibits disclosure of such records without the consent of the individual.  It also provides individuals a means to access and amend their records.

Previous DHS guidance stated that such personally-identifiable information would be treated the same, regardless of citizenship.  However, consistent with the January 25 executive order, the new guidance provides that immigrants and nonimmigrant foreign nationals may not utilize these provisions and may only access their information through a request made pursuant to the Freedom of Information Act (FOIA).  Additionally, they may not request amendments of their records.  Furthermore, in connection with the new guidance, DHS stated that it permits the sharing of such information about immigrants and nonimmigrant foreign nationals from agency records with federal, state and local law enforcement.

In response to the current Administration’s “citizen-centric” policies, we are seeing an increased interest in applications for naturalization by U.S. Lawful Permanent Residents.

Originally posted in Mintz Levin’s Immigration Law Blog on May 2, 2017

Today’s Guest Post courtesy of Bill Kyrouz, Mintz Levin’s CISO:

Have you come to the conclusion that you need a Managed Security Services Provider (MSSP) to support your small to medium sized enterprise but don’t know where to start?

Delegating elements of your security operations can be a scary prospect.  An entire school of thought says “If you don’t do all of your information security in house, you aren’t doing it right.”  While I’m sympathetic to that thinking, and caution against completely outsourcing security, this post is intended to help those who seek outside assistance.

Let’s dig in: Continue Reading From the CISO Corner: Your Most Important Security Relationship