Data Privacy Monitor

Commentary on Data Privacy & Information Security Subjects

New Guidance for Merchants on Ensuring that Service Providers Share Security Responsibility

Posted in Credit Card, Cybersecurity, Information Security

For merchants, long gone are the days of using a card reader with a dial-up connection to their payment processor. Today’s omni-channel retailers rely on multiple third party service providers to complete payment card transactions. These third parties—call center operators, payment gateways, loyalty solution providers, managed security services, data-center hosts, mobile app developers, and fraud prevention services—have access to, or could affect the security of, cardholder data. A quick review of recent security alerts regarding remote access tools, and of news articles regarding attacks on payment card systems, highlights the fact that merchants still face the consequences of an account data compromise event even when it was caused by their service provider. Indeed, the contractual obligations merchants accept in order to take payment cards place the ultimate responsibility for compliance with the Payment Card Industry Data Security Standard (PCI DSS) on the merchant, regardless of whether the merchant handles it entirely on its own, relies on some service providers, or outsources every aspect.

Merchants are obligated under PCI DSS Requirement 12.8 to maintain policies and procedures to ensure that service providers are securing cardholder data. And although it is just a “best practice” for now under PCI DSS 3.0, beginning July 2015 merchants will also be required to obtain from their service providers a written acknowledgement of responsibility for the security of cardholder data. But anyone who has gone through several rounds of selecting, vetting, and negotiating contracts with various service providers has likely faced at least one of the following challenges: (1) denial of access to Reports on Compliance; (2) refusal to agree to maintain continuous compliance with PCI DSS; (3) rejection of a demand to indemnify the merchant if the provider allows unauthorized access to cardholder data; and (4) refusal to permit post-selection auditing. Ensuring compliance with Requirements 12.8 and 12.9 is a difficult task for merchants.

What Companies Can Do to Protect Themselves in the Face of Yet Another Massive Data Breach

Posted in Data Breaches, Hacking, Online Privacy

Last week it was reported that a small group of Russian computer hackers illegally obtained an unprecedented quantity of internet credentials, including 1.2 billion username and password combinations, and over 500 million unique email addresses. The compromised companies have not yet been identified, but it is believed that the information came from over 420,000 websites. While the size of this particular breach is unparalleled, news of yet another data security breach does not come as much of a surprise. What is concerning, however, is how unsophisticated and common the tactics used were, and the number of companies that still remain vulnerable to such attacks.

The Russian crime ring reportedly, at least in part[1], used what is known as the SQL injection (“SQLi”) method, a very well-known hacking technique. SQL is a computer language used to send queries to databases. It is used, for example, behind the username and password fields on websites. The code behind these fields instructs the website’s database to look up the stored username and password; if both match, the website grants the user access. The problem arises when that query is assembled directly from whatever the visitor types: it can then be difficult to prevent a site visitor from entering something other than a username and password. An attacker can therefore “inject” malicious code through the input boxes, allowing the hackers to download entire databases of information. The risk of SQLi has risen dramatically with the proliferation of automated tools, which allow hackers to attack many websites at once with ease, instead of having to enter malicious code into each site by hand.
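As an added illustration (not from the original post), the contrast the paragraph describes, in Python with the standard-library sqlite3 module: a login check that splices the visitor’s input into the SQL text, beside the parameterised form that binds the same input as data. The user table, the account “alice” and its password are constructed for the example.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a website's user table. Passwords are
    stored as plain SHA-256 digests only to keep the example short; a real system
    would use a salted, slow hash such as PBKDF2 or bcrypt."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    return conn


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string concatenation: whatever the visitor types into
    the username field becomes part of the SQL text the database parses."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (
        "SELECT 1 FROM users WHERE username = '" + username
        + "' AND password_hash = '" + pw_hash + "'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the SQL text is fixed and the visitor's input is bound
    as data, so a quote in the username can never change the query's structure."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def input_parsed_as_sql(username: str) -> bool:
    """Probe for the defect: if a username containing a quote makes the database
    raise a syntax error, the vulnerable version let visitor input reach the SQL
    parser. The parameterised version never does, whatever the input."""
    try:
        vulnerable_login(make_db(), username, "any password")
    except sqlite3.OperationalError:
        return True
    return False
```

A surname such as O’Brien is enough to show the difference: the concatenated query throws a syntax error because the apostrophe is read as SQL, while the parameterised query simply finds no such user.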

Major Transformation in Cyber-Liability Insurance is Underway

Posted in Cybersecurity, Hacking, Insurance

Editor’s Note: the following blog post was authored by Ben Beeson from Lockton Companies LLC.

In the beginning

The emergence of the Internet as a business platform at the end of the nineties also announced the arrival of new risks to organizations. In those early days, there was a widely held belief that the primary concern was operational, amidst concerns about the impact of a computer virus or the actions of a “Hacker,” a new term to many of us then.

Despite the lack of actuarial data, a few underwriters in the US and London started to devise solutions to indemnify business interruption losses and the costs to restore compromised data, commonly known as “Hacker Insurance.” We found few buyers beyond large US banks. Clients found the underwriting process both intrusive and expensive as insurers demanded onsite security audits.

On July 1, 2003, everything changed.

California enacted SB 1386, the world’s first data breach notification law. The industry started to understand that the Internet would revolutionize the way that it could store and use data, especially personal information on its customers. However, government and regulators also started to appreciate that this new opportunity could be open to significant abuse and, as the majority of US states started to enact their own data breach notification laws, the risk evolved into a privacy issue.

Nominations Open for ABA Journal’s Top 100 Legal Blogs – Data Privacy Monitor

Posted in Miscellaneous

The American Bar Association Journal announced that it is compiling its annual list of the 100 best legal blogs and invites readers to submit a nomination:

Use the form below to tell us about a blog—not your own—that you read regularly and think other lawyers should know about. If there is more than one blog you want to support, feel free to send us additional amici through the form. We may include some of the best comments in our Blawg 100 coverage. But keep your remarks pithy—you have a 500-character limit.

We invite our readers to recommend the Data Privacy Monitor and other favorite legal blogs for selection by the ABA. Submissions are accepted through August 8, 2014.

Partner Alan Friel Named Influential Lawyer by LA Business Journal

Posted in Uncategorized

Partner Alan Friel was named among the “Most Influential Lawyers: Digital Media and E-Commerce Law” in the Los Angeles Business Journal’s July 21, 2014, issue. The list recognizes 30 Los Angeles attorneys who have demonstrated outstanding achievements in digital media and e-commerce law. Friel is noted in the publication as a “sought after counselor, speaker, and thought leader” who adds “strength to the firm’s capacity” in advertising, retail, e-commerce, digital media and technology, and privacy and data security.


What’s Old is New Again—Insecure Remote Access

Posted in Credit Card, Cybersecurity

When a merchant is suspected of being the victim of an account data compromise event, it is often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI provides a report on the investigation to the card brands, and if the investigation found evidence of a breach, the report explains how the attack was carried out. The card brands likely receive several hundred PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports. Visa, which issued three alerts in the past year alone regarding memory scraping malware used against retailers, has issued only nine alerts since 2011 (Visa Security Alerts/Bulletins). So it is advisable that merchants pay attention to these alerts.

Unfortunately, many threat trends are not based on the exploitation of new vulnerabilities. In a 2011 Security Alert, Visa stated that “[i]nsecure remote access continues to be the most frequent attack method used by intruders to gain access to a merchant’s point-of-sale (POS) environment.” In 2012, MasterCard warned of recent attack trends showing that hackers were focusing on smaller merchants with improperly configured remote access systems.

Utilities, Oil and Gas Companies Feeling Drained by “Energetic Bear”

Posted in Cybersecurity

The following was authored by Mary Guzman, Senior Vice President, InfoSec Practice Leader with McGriff, Seibels & Williams, Inc.

There is much going on in the cyber world related to energy and utility companies. As has long been anticipated, it appears that Industrial Control Systems are the subject of targeted attacks both against Oil and Gas companies as well as Utilities. At the moment, it appears the attackers are focused on espionage with a plan for who knows what down the road. There is a new Oil and Gas ISAC (Information Sharing and Analysis Center) in addition to an already very active ICS ISAC (if you don’t visit their web site often already, it is a great source of information about current cyber threats against Critical Infrastructure). Also, the DHS is holding several closed working sessions for select insurance industry representatives on how we can play a more crucial role (and how they can help us) in developing risk transfer solutions and risk mitigation strategies for clients in this sector. I attended the first one and I am hopeful some good things will come out of it in the coming months!

Below you will find several recent articles highlighting attacks on the energy sector, as well as an update on how robust the SEC is becoming in pursuing companies that do not provide adequate disclosures around information security related risks and security breaches that have already occurred. The debate looms over how much information is too much, but really how much is a sophisticated hacking group like Energetic Bear going to learn from a paragraph in your SEC filing?

Industry Thought Leader Tanya Forsheit Joins BakerHostetler’s Nationally Renowned Privacy Team

Posted in Miscellaneous

InfoLawGroup Founding Partner and IAPP Certified Information Privacy Professional is sixth major practice addition in 2014

LOS ANGELES, July 21, 2014—BakerHostetler is proud to announce that Partner Tanya Forsheit has joined the firm’s Privacy and Data Protection team in the Los Angeles office. The sixth significant lawyer to join the firm’s preeminent Privacy and Data Protection practice in 2014, Forsheit is best known for her work with clients to address legal requirements and best practices for protection of customer and employee information. Forsheit is an International Association of Privacy Professionals (IAPP) Certified Information Privacy Professional with experience in all aspects of privacy and data security law. She joins BakerHostetler from the well-known privacy and data security boutique law firm, InfoLawGroup LLP, where she was a founding partner.

Forsheit assists companies, from multinationals to startups, on all aspects of cutting-edge privacy and data protection issues, including compliance, contracts, complex regulatory schemes, and large-scale litigation matters. Her compliance-side work includes counseling clients across many industry sectors (including consumer electronics, financial services, oil and gas, technology, media and entertainment, and fraud prevention) on thorny issues in sensitive data management, information protection, and Big Data analytics. Her transactional experience includes negotiating cloud computing and similar IT outsourcing deals for service providers and enterprise purchasers. Forsheit’s 17 years of litigation experience include the handling of complex commercial and appellate matters for corporate clients in federal and state courts, including purported class actions under the Telephone Consumer Protection Act and Fair and Accurate Credit Transaction Act, representation of companies in litigation brought under privacy statutes such as California’s Confidentiality of Medical Information Act (CMIA), and disputes involving online scraping. She has represented clients in FTC privacy investigations and has handled more than 100 data security breaches over the span of her career.

New York Attorney General Report Shows the Number of Data Breaches is on the Rise and Recommends Steps to Take for Protecting Against Them

Posted in Data Breaches

On July 15, 2014, the New York Attorney General issued a report examining the growing number and costs of data breaches in the state of New York. The report, titled “Information Exposed: Historical Examination of Data Security in New York State,” analyzes eight years’ worth of security breach data collected by the Attorney General and the impact of those breaches upon New Yorkers. The report finds that the number of security breaches reported to New York more than tripled between 2006 and 2013. Additionally, half of the largest breaches have occurred since 2011, with 2013 having the largest number of New Yorkers affected by data breaches.

The leading causes of the data security breaches were also reported by the Attorney General. The report found that approximately 40 percent of all breaches between 2006 and 2013 were the result of hacking intrusions (third parties gaining unauthorized access to data stored on computers). Nearly percent of all breaches were the result of lost or stolen equipment or documentation. And insider wrongdoing, increasing in frequency each year, accounted for approximately 10 percent of all breaches.

The Attorney General also reviewed the number of data security breaches reported by industry. Retailers were most likely to report three or more breaches between 2006 and 2013. The report links retailers’ susceptibility to attack – particularly restaurant retailers – to retailers’ payment systems, which have become a favorite target of hackers. In addition, health care providers were shown not only to have a high incidence of three or more attacks, but also to have experienced the largest number of personal records exposed between 2006 and 2013.

Florida Gives Breach Notification Statute More Teeth

Posted in Breach Notification, Data Breach Notification Laws, Data Breaches, Identity Theft, Information Security

On June 20, 2014, Florida Governor Rick Scott signed the Florida Information Protection Act of 2014 (“FIPA”), which will repeal Florida’s current breach notification statute at Fla. Stat. § 817.5681 and replace it with a new statute at Fla. Stat. § 501.171 effective July 1, 2014. On the same day, Governor Scott also signed SB 1526, companion legislation that adds provisions to Fla. Stat. § 501.171 exempting certain records that must be provided to Florida regulators under the FIPA from the Florida Public Records Act. This legislation appears to follow in the footsteps of legislation enacted in California by covering a broader scope of information and including additional notification methods and related obligations, but it also builds on the California model by imposing the shortest express notification deadline in the nation and granting the Florida Department of Legal Affairs broad investigative and enforcement authority. These provisions, as well as their potential impact on businesses and health care providers, are discussed in more detail below.

Expanded Definition of Personal Information

The FIPA expands the “Personal Information” capable of triggering notification obligations under Florida law in two ways. First, the FIPA adds the following health information to the list of data elements that, when included in combination with an individual’s first name or first initial and last name, are capable of triggering notification obligations:

  • Any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or
  • An individual’s health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.
