OCR Issues Alert Regarding Phishing Email Disguised as Official OCR Audit Communication


11/30/2016 Update: Today OCR issued another alert relating to the phishing email campaign and has shared that the phishing email originates from the email address OSOCRAudit@hhs-gov.us and directs individuals to a URL at http://www.hhs-gov.us. The difference from the official address for OCR's HIPAA audit program, OSOCRAudit@hhs.gov, is subtle: hhs-gov.us is a lookalike domain that is not part of hhs.gov at all. Covered entities and business associates should alert their workforce members of this issue and take note that official communications regarding the HIPAA audit program are sent to selected auditees from the email address OSOCRAudit@hhs.gov.

— 11/29/2016

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published an alert on Nov. 28 describing a phishing email being circulated on mock HHS departmental letterhead under the signature of OCR Director Jocelyn Samuels. The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link takes the recipient to a nongovernmental website marketing a firm's cybersecurity services. The HHS OCR stated that it is in no way associated with the firm. The email is targeting employees of covered entities and their business associates. Covered entities and business associates should, therefore, make their workforce members aware of this phishing campaign and remind workforce members to be vigilant and not click on links or attachments that seem suspicious. The HHS OCR has stated that you can reach out to them at OSOCRAudit@hhs.gov if you have a question as to whether a communication you receive from them regarding a HIPAA audit is legitimate.
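The two alerts above give a mail gateway or security team exactly one hard fact to key on: legitimate audit correspondence comes from the hhs.gov domain, while the phishing mail comes from, and links to, the lookalike hhs-gov.us. The script below is an added example, not part of the OCR alert or the original post. It parses an RFC 822 message, compares the registrable domain of the sender and of every link in the body against the legitimate domain, and flags anything else. The two sample messages are constructed for the example; the only addresses taken from the alert are OSOCRAudit@hhs.gov, OSOCRAudit@hhs-gov.us and www.hhs-gov.us. The two-label "registrable domain" shortcut is an assumption that holds for .gov and .us but not for suffixes like .co.uk; a production version would consult the public suffix list.

```python
"""Flag mail that claims to be OCR HIPAA audit correspondence but is sent from,
or links to, a domain other than hhs.gov.

Added example (not from OCR or the original post).  Facts taken from the OCR
alert: legitimate sender OSOCRAudit@hhs.gov; phishing sender
OSOCRAudit@hhs-gov.us linking to http://www.hhs-gov.us.  Everything else,
including both sample messages, is constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains that legitimately send OCR audit correspondence (from the alert).
LEGITIMATE_SENDER_DOMAINS = {"hhs.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname: 'www.hhs-gov.us' -> 'hhs-gov.us'.
    Assumption: adequate for .gov/.us/.com; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_legitimate_domain(host: str) -> bool:
    """True for hhs.gov and its subdomains.  Compare the registrable domain
    exactly: a substring test such as 'hhs' in host would accept hhs-gov.us."""
    return registrable_domain(host) in LEGITIMATE_SENDER_DOMAINS


def body_text(msg) -> str:
    if msg.is_multipart():
        return "\n".join(part.get_payload() for part in msg.walk()
                         if part.get_content_type() == "text/plain")
    return msg.get_payload()


def assess_message(raw: str) -> dict:
    """Return the parsed sender, a suspicious flag and the reasons for it."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    findings = []
    if not is_legitimate_domain(sender_host):
        findings.append(f"sender domain {sender_host!r} is not an HHS domain")
    for url in URL_RE.findall(body_text(msg)):
        host = urlparse(url).hostname or ""
        if not is_legitimate_domain(host):
            findings.append(f"link to non-HHS host {host!r}")
    return {"sender": addr, "suspicious": bool(findings), "findings": findings}


# Constructed sample messages modelled on the alert (not real mail).
PHISH = """From: "OCR Audit" <OSOCRAudit@hhs-gov.us>
To: privacy-officer@example-hospital.org
Subject: HIPAA Privacy, Security, and Breach Rules Audit Program

You may be included in the audit. Review your status at
http://www.hhs-gov.us/audit
"""

LEGIT = """From: OSOCRAudit@hhs.gov
To: privacy-officer@example-hospital.org
Subject: HIPAA Audit Program notification

Audit program details are published at https://www.hhs.gov/
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess_message(raw))
```

This catches the campaign described here because the attacker registered a lookalike domain rather than forging the hhs.gov sender. A header check alone does nothing against a message whose From address is spoofed as OSOCRAudit@hhs.gov; that case is what SPF, DKIM and DMARC enforcement at the gateway are for, and the two controls belong together.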


Digital Currency Exchange Customers Targeted in IRS Information-Gathering Sweep

Coinbase, one of the largest digital currency exchange companies in the world, will likely be asked to provide the Internal Revenue Service (IRS) with transactional data and other information on all U.S. customers who used its services over a three-year period. Using what is known as a “John Doe” summons, the IRS has formally requested permission from a federal court to seek extensive information on all “United States persons who, at any time during the period January 1, 2013, through December 31, 2015, conducted transactions in a convertible virtual currency” through Coinbase.

If the summons is served as approved by a federal court this week, Coinbase will face the substantial burden of producing a long list of customer-related and other records. However, this data production will only be the first step in a process that may ultimately impact accountholders whose information is turned over to the IRS. The accountholders (corporate and individual) may become subject to IRS audits and potentially fines if there are any unpaid taxes related to their virtual currency transactions.

While the action states that it is civil in nature, the IRS is clearly seeking customer information to open separate investigations of potential tax avoidance, which could become criminal cases in certain circumstances. The information that is collected in this investigation may also be used in other investigations undertaken by the IRS itself or any other part of the U.S. Department of the Treasury, including the Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN). Other digital currency exchangers and their customers could also become targets in similar actions, either directly or potentially as a result of information collected from this summons, or in follow-on investigations. Even noncustomer receivers of virtual currency could become the subjects of investigation.

Six Proposals to Stop IoT-Based DDoS Attacks

On Oct. 21, 2016, an extremely large distributed denial-of-service (DDoS) attack on Dyn prevented many internet users on the East Coast of the U.S. from accessing websites such as Netflix, PayPal, Spotify and Twitter for several hours. Dyn provides domain name system (DNS) services to other businesses. DNS resolves domain names into IP addresses, which users’ web browsers need before they can connect to a website’s servers; when Dyn’s resolvers were unreachable, the sites behind them effectively disappeared even though their own servers were running. The attack on Dyn was reportedly similar in scale to the 620 gigabits per second of traffic that targeted Brian Krebs’ website, KrebsOnSecurity, on Sept. 20, 2016. Later in September 2016, a DDoS attack against webhost provider OVH broke the record for the largest recorded DDoS attack, with attack rates of at least 1.1 terabits per second.

These historically large DDoS attacks were made possible when attackers used the “Mirai” malware to capture internet of things (IoT) devices and herd them into botnets that sent massive amounts of traffic to the targeted servers. The IoT devices used in the attacks were primarily internet-connected cameras but also included internet routers, digital video recorders and internet-connected printers. The attackers’ task was made easier, as Brian Krebs reported, because the devices shipped with standard default user names and passwords that users had not changed. Even when users deployed an IoT device behind a router, which should have made it unreachable from the internet, many such devices use universal plug and play (UPnP) to ask the router to open ports for them, which exposes the device to the internet without any action by the user. And even if users had changed the default user name and password on a device’s web interface, that may not have changed the default credentials for telnet or SSH access to the same device; Mirai spreads by logging in over telnet with a built-in list of exactly those default credentials.
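A device that Mirai has already captured reveals itself on the local network before it ever joins an attack: it scans the internet for other devices with telnet open (TCP 23 and 2323) and tries default credentials against them, which shows up in firewall or flow logs as one internal address opening connections to many distinct destinations on those two ports within seconds. The detector below is an added example, not code from the original post or from any of the six proposals. The log format, the sample lines and the thresholds are constructed for the example and are assumptions to adjust for a real firewall's format and a real network's baseline.

```python
"""Spot hosts behaving like Mirai-infected devices in connection logs.

Added example (not from the original post).  An infected device sweeps
TCP 23/2323 across many destinations; a legitimate administrator connects
to one or two devices.  The detector flags a source that contacts at least
`threshold` distinct destinations on a telnet port within one `window`.
The log line format and thresholds below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}
DISTINCT_DEST_THRESHOLD = 20        # assumption: tune to your network
WINDOW = timedelta(minutes=1)       # assumption


def parse_line(line: str):
    """Parse the constructed format:
    '<iso timestamp> src=<ip>:<port> dst=<ip>:<port> proto=tcp'."""
    ts_str, fields = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in fields.split())
    src_ip, _ = kv["src"].rsplit(":", 1)
    dst_ip, dst_port = kv["dst"].rsplit(":", 1)
    return datetime.fromisoformat(ts_str), src_ip, dst_ip, int(dst_port)


def find_telnet_scanners(lines, threshold=DISTINCT_DEST_THRESHOLD, window=WINDOW):
    """Return {src_ip: peak_distinct_destinations} for sources that reached at
    least `threshold` distinct hosts on port 23/2323 inside any `window`."""
    events = defaultdict(list)                      # src -> [(ts, dst_ip)]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port in TELNET_PORTS:
            events[src].append((ts, dst))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):                 # sliding time window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in evs[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


def sample_log():
    """Constructed log: one administrator, one web client, one infected camera.
    Destination addresses use the RFC 5737 documentation ranges."""
    base = datetime(2016, 10, 21, 11, 0, 0)
    lines = []
    # benign: an administrator logging in to a single camera three times
    for i in range(3):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} src=192.168.1.10:5100{i} dst=192.168.1.50:23 proto=tcp")
    # benign: ordinary HTTPS browsing
    lines.append(f"{base.isoformat()} src=192.168.1.20:51000 dst=198.51.100.1:443 proto=tcp")
    # infected camera sweeping 30 distinct hosts on 23/2323 within 30 seconds
    for i in range(30):
        port = 23 if i % 4 else 2323
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=192.168.1.50:{40000 + i} dst=203.0.113.{i + 1}:{port} proto=tcp")
    return lines


if __name__ == "__main__":
    for src, peak in find_telnet_scanners(sample_log()).items():
        print(f"{src}: {peak} distinct telnet destinations in one window")
```

Flagging the camera this way tells you it is already compromised; it does not fix the cause. The remediation the post describes still applies: change the telnet/SSH credentials, not only the web interface password, and disable UPnP on the router so the device cannot re-expose itself.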

Cloud Service Providers Beware, You May Be Subject to HIPAA Without Knowing It

The use of cloud service providers has exploded in the past several years. According to estimates from Gartner, the market for cloud services is expected to reach $204 billion in 2016. But the use of cloud service providers raises significant privacy and security concerns, especially for health care providers who are subject to the Health Insurance Portability and Accountability Act (HIPAA).

Last month, the Department of Health and Human Services Office for Civil Rights (OCR) issued guidance on the storage of protected health information (PHI) in the cloud. Not surprisingly, the OCR reiterated its expectation that covered entities enter into business associate agreements with service providers and provide prompt notice of unauthorized access. However, one of the more surprising takeaways from that guidance was the OCR’s position that a cloud service provider (CSP) could be subject to HIPAA merely by storing encrypted PHI. Specifically, the OCR has said, “When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA[.] This is true even if the CSP processes or stores only encrypted ePHI and lacks an encryption key for the data. Lacking an encryption key does not exempt a CSP from business associate status and obligations under the HIPAA Rules[.]”

This is huge! Even if a CSP is unable to read or access PHI, the CSP would STILL be considered a business associate. Consider that under many state breach notification laws, encryption that renders data unreadable or indecipherable is a safe harbor in the event of unauthorized access. The position taken by the OCR holds CSPs to a higher standard than those who gain unauthorized access. This has significant ramifications for those CSPs who have explicitly sought to limit their exposure and regulatory compliance obligations by restricting their access to PHI. It seems those efforts may have been in vain. To the extent any CSP stores or maintains PHI on behalf of a covered entity, even if encrypted, that CSP must comply with HIPAA.

All CSPs should take a close look at PHI storage practices and evaluate their potential HIPAA compliance obligations in light of this guidance.



Privacy and Security in the Voting Booth

Could the presidential election be hacked?

With Election Day upon us, concerns about the security of the U.S. election system have reached a fever pitch. But how likely is it that a breach could affect the election? Could hackers really make cries of a “rigged” election come true?

The U.S. government is definitely concerned about hacks meant to influence the election process. In October, the Department of Homeland Security (DHS) and the Office of the Director of National Intelligence issued a joint statement on election security squarely blaming Russia for intrusions into U.S. political organizations such as the Democratic National Committee – hacks meant to affect the election. The statement noted that

[T]he U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like DCLeaks.com and WikiLeaks . . . are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process.

While the joint statement acknowledges that there has been recent scanning and probing of election systems in various states, it also downplays the ability to alter election results, given the “decentralized nature of our election system in this country” and various protections in place, such as ensuring that voting machines are not connected to the internet. In the meantime, emails stolen from the Democratic National Committee continue to leak out, with another 8,000 emails released on Nov. 6, just two days before the election.

Privacy Rights Group Files First Legal Challenge to EU-U.S. Privacy Shield

Digital Rights Ireland, an Irish privacy advocacy group, has filed the first legal challenge to the EU-U.S. Privacy Shield, the Trans-Atlantic agreement reached earlier this year to permit the lawful transfer of personal data from the European Union to the United States. The Privacy Shield was formally adopted on July 12, 2016, by the European Commission, which released an Adequacy Decision concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.” Digital Rights Ireland’s application to the EU General Court seeks annulment of the Commission’s Adequacy Decision. A spokesman for the European Commission stated that it was aware of the application and “is convinced that the Privacy Shield will live up to the requirements set out by the European Court of Justice.”

Very limited information regarding the case is publicly available at this time; the CJEU’s website shows that the application for annulment (concerning an “area of freedom, security and justice”) was filed on Sept. 16, 2016. The U.S. Department of Commerce began accepting applications for self-certification to the Privacy Shield on Aug. 1, 2016.

Although the Article 29 Working Party issued a statement in late July indicating that EU data protection authorities themselves would not challenge the validity of the Privacy Shield for at least a year, many expected some form of legal challenge in the interim. Digital Rights Ireland’s application for annulment is permitted under an EU treaty allowing individuals or companies to seek an annulment of an EU act before the EU Court of Justice or General Court if they can prove direct or individual concern with the act.

Currently more than 600 companies are included on the Department of Commerce’s Privacy Shield List of self-certified entities, with more being added each week.


FCC Wades Back Into Data Privacy and Security for ISPs With Revised Privacy Proposal

Recently, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler circulated to the Commission a revised proposed order to regulate the data privacy and security practices of internet service providers (ISPs) (also known by the Commission as broadband internet access service (BIAS) providers). We previously wrote about the Commission’s initial proposal in this regard, which was criticized by the industry and even the Federal Trade Commission (FTC) as inconsistent with data privacy standards applicable to the rest of the internet (e.g., social media platforms, search engines, etc.). Based on a fact sheet issued by Chairman Wheeler’s office, the revised proposal, which is set to be voted on by the full Commission on Oct. 27, 2016, strives to be more consistent with the FTC approach to privacy and data security, but with special considerations for the telecom industry. The fact sheet previews the revised approach, including requirements for:

  • Clear notification regarding the collection, use and sharing of consumer information, including persistent notice in an online privacy policy.
  • Opt-in consent for any use or sharing of sensitive information, which the proposal defines as including geo-location, children’s information, health information, financial information, Social Security numbers, Web browsing history, app usage history and content of communications – a more expansive definition of sensitive data than under the historical FTC approach, at least so far as usage data is concerned (which will affect the ability to engage in interest-based advertising).
  • An opt out for use and sharing of nonsensitive information.
  • Strong protections for use and sharing of de-identified information.
  • Prohibition of “take-it-or-leave-it” offers requiring consent to data sharing and use that are not necessary to provide the service, as a condition of obtaining the service.
  • Heightened notice requirements for discounts and other incentives in exchange for consumers’ express affirmative consent to the use and sharing of their personal information to the extent not necessary to operate the service, and restrictions on pricing services for those who do not consent, because “[c]onsumers should not be forced to choose between inflated prices and maintaining their privacy.”


New York Department of Financial Services Proposes First Rule of Its Kind for Financial Institutions

In November, we reported on a proposal by the New York Department of Financial Services (NYDFS) for an extensive cybersecurity framework for its regulated financial institutions. Recently, Governor Cuomo announced a proposed rule requiring banks, insurance companies and other financial services institutions regulated by the NYDFS to establish and maintain a strong cybersecurity program. These regulations include several key requirements for these entities, including:

  • Establishment of a cybersecurity program. Institutions would be required to implement policies and procedures to protect against unauthorized use and access to sensitive information. The program should also focus on responsiveness to these incidents and recovery and restoration of business operations.
  • Adoption of a cybersecurity policy. The policies and procedures must address several key areas, including information security, data classification and governance, access controls, customer data privacy, risk assessments and incident response.
  • Designation of a Chief Information Security Officer (CISO). The CISO would be responsible for oversight and implementation of the cybersecurity program and enforcement of cybersecurity policy.
  • Third Party Service Provider oversight. The entity must have policies and procedures ensuring the security of information handled by third parties, including minimum standard cybersecurity practices and periodic assessments of the third party service provider.

Other key requirements of the proposed rule include annual penetration testing; timely destruction of private information, except where retention is necessary; monitoring of authorized users; encryption of nonpublic information in transit and at rest; and a written incident response plan for cybersecurity incidents affecting the confidentiality, integrity or availability of information systems. In addition, regulated entities will be required to provide a yearly report to the NYDFS certifying compliance with the cybersecurity regulations.

Former SEC Commissioner Louis A. Aguilar Describes Corporate Directors’ Cybersecurity Duties

When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in managing cyber risks.

On Sept. 22, 2016, Mr. Aguilar presented his current views in a talk titled “The Role of the Boards of Directors and CISOs in Overseeing Cyber-Risks” at the Security Alliance Advisors’ Annual Leadership Summit. His remarks provide useful guidance to board members and company managers about how to better manage cyber risks.

Mr. Aguilar points out that boards have long managed many types of risks, including credit risk, liquidity risk and operational risk. Cyber risk must become one of the risks that boards manage successfully.

Tales from the Trenches: Lessons Learned from the Ashley Madison Data Breach

In July 2015, the online cheating website Ashley Madison was hacked and data pertaining to its 37 million users were published online. The story made headlines given the sensitive nature of the information exposed, the number of people affected and the sensational details of the hack, which included allegations of fraud, blackmail and extortion. The media outed several politicians and celebrities as paying customers, while some websites indexed the breached data, allowing people to search for email addresses to see if their spouses or significant others had accounts. Between lawsuits, resignations, suicides and countless stories of extortion and divorce, the fallout from the breach has been immense. Nearly one year later, a joint investigation by the Privacy Commissioner of Canada and the Australian Privacy Commissioner (collectively, “the Commission”) has issued a scathing report that provides remarkable insight into the breach and into what qualifies as an appropriate information security framework.

Both the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act (APA) require organizations to protect personal information using appropriate physical, technical and organizational safeguards. However, neither act outlines the specific safeguards that must be in place, instead relying on industry guidelines or widely accepted practices. That is what makes this Joint Report so interesting. Here, the Commission found significant deficiencies in Ashley Madison’s security framework and described in detail the information security practices it found lacking.