US Companies Create Principles for Cybersecurity Risk Ratings

On June 20, 2017, the U.S. Chamber of Commerce announced that a consortium of more than two dozen of its member companies, including prominent big banks, big-box retailers and technology giants, had released a set of principles designed to promote fair and accurate cybersecurity ratings. The creation of the “Principles for Fair and Accurate Security Ratings” comes in response to the recent emergence of several companies, such as BitSight Technologies, CyberGRX, RiskRecon and SecurityScorecard, that collect and analyze publicly accessible data to develop a rating of a company’s cybersecurity risk posture. The data is typically collected without the target company’s knowledge and comes from a variety of sources, such as:

  • Hackers’ forums and data available on the darknet indicating that a company’s data is for sale or its systems have been compromised.
  • Sinkhole infrastructure that takes over known malicious domains and IP addresses and records infected hosts on a company’s network beaconing to them, along with other signs of viruses, malware, spam-sending software or botnet activity.
  • Port scans that identify the services a company exposes to the Internet.
  • Open-source malware intelligence feeds, intended for defenders to use in strengthening their own cybersecurity defenses, that ratings companies analyze to identify compromised organizations.
  • Scans of a company’s public-facing systems for indications of vulnerabilities, such as out-of-date operating systems or server software, the absence of multifactor authentication on exposed logins and poor patching practices.
  • Public data breach feeds, for indicators of compromise.
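What a ratings vendor sees is, in large part, what an unauthenticated external scan sees, so the cheapest way to anticipate a rating is to run that scan against yourself. The Python script below is an added example, not part of the Chamber’s principles or any ratings vendor’s methodology: it parses nmap’s greppable (-oG) output for a constructed two-host scan and flags the two signals the list above describes, high-risk services open to the Internet and banners that announce end-of-life software. The port list, the end-of-life banner table and the score weights are hypothetical policy choices, not any vendor’s actual model.

```python
"""Self-assessment of externally visible exposure from an nmap -sV -oG scan.

Added example: the sample scan below is constructed (RFC 5737 test addresses),
and the risk tables and score weights are hypothetical policy choices, not the
model of any ratings vendor.
"""
import re
from dataclasses import dataclass

# Constructed `nmap -sV -oG -` output for two hosts; each port entry is
# port/state/protocol/owner/service/rpc-info/version.
SAMPLE_SCAN = """\
# Nmap 7.70 scan initiated (constructed sample)
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.2.15/, 443/open/tcp//https//nginx 1.14.0/\tIgnored State: filtered (997)
Host: 203.0.113.11 (files.example.test)\tStatus: Up
Host: 203.0.113.11 (files.example.test)\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds//, 3389/open/tcp//ms-wbt-server//, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (996)
# Nmap done (constructed sample)
"""

# Hypothetical policy: services that should never face the Internet directly.
HIGH_RISK_PORTS = {
    21: "FTP: clear-text credentials",
    23: "Telnet: clear-text administration",
    139: "NetBIOS session service exposed",
    445: "SMB exposed to the Internet (worm and ransomware entry point)",
    1433: "MSSQL exposed",
    3306: "MySQL exposed",
    3389: "RDP exposed (brute-force and exploit target)",
    5900: "VNC exposed",
    6379: "Redis exposed (often unauthenticated)",
    27017: "MongoDB exposed (often unauthenticated)",
}

# Hypothetical end-of-life banner prefixes; an organization maintains its own.
EOL_BANNERS = {
    "Apache httpd 2.2": "Apache 2.2 branch is end of life",
    "Apache httpd 1.": "Apache 1.x branch is end of life",
    "OpenSSH 5.": "OpenSSH 5.x is unsupported",
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")


@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: str
    reason: str
    severity: int  # 1 low .. 3 high


def parse_greppable(text):
    """Yield (host, port, state, proto, service, version) per port entry."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host = m.group(1)
        for section in m.group(3).split("\t"):
            if not section.startswith("Ports:"):
                continue
            for entry in section[len("Ports:"):].split(","):
                fields = entry.strip().split("/")
                if len(fields) < 7:
                    continue  # malformed entry; skip rather than guess
                port, state, proto, _owner, service, _rpc, version = fields[:7]
                yield host, int(port), state, proto, service, version


def assess(text):
    """Return findings for open TCP services that match either policy table."""
    findings = []
    for host, port, state, proto, service, version in parse_greppable(text):
        if state != "open" or proto != "tcp":
            continue
        if port in HIGH_RISK_PORTS:
            findings.append(Finding(host, port, service, version, HIGH_RISK_PORTS[port], 3))
        for prefix, reason in EOL_BANNERS.items():
            if version.startswith(prefix):
                findings.append(Finding(host, port, service, version, reason, 2))
    return findings


def score(findings):
    """Crude 0-100 exposure score: 100 minus a per-finding penalty, floored at 0."""
    penalty = {3: 15, 2: 8, 1: 3}
    return max(0, 100 - sum(penalty[f.severity] for f in findings))


if __name__ == "__main__":
    found = assess(SAMPLE_SCAN)
    for f in found:
        print(f"{f.host}:{f.port} {f.service or '-'} {f.version or '-'} -> {f.reason}")
    print("exposure score:", score(found))
```

Run it against real `nmap -sV -oG` output of your own external ranges; anything it flags is already visible to every ratings vendor, which is the practical argument for fixing it before disputing a score.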


When is a Chair not a Chair? Big Data Algorithms, Disparate Impact, and Considerations of Modular Programming

The DESI VII Workshop titled “Using Advanced Data Analysis in eDiscovery & Related Disciplines to Identify and Protect Sensitive Information in Large Collections” was held on the Strand Campus of King’s College in London on June 12, 2017. DESI VII was particularly focused on privacy, and presented numerous papers that examined emerging protocols and novel techniques for identifying and protecting sensitive information in large collections of data, with specific references to the following four areas:

  • E-Discovery.
  • EU Privacy Policies and the “right to be forgotten.”
  • Audits and Investigations.
  • Public Access Requests.

As part of the proceedings, a presentation and supporting article titled “When is a Chair not a Chair? Big Data Algorithms, Disparate Impact, and Considerations of Modular Programming” focused on the rapid growth in predictive algorithms based on “real world experience” data. The article and its associated presentation also examined a number of algorithms that worked as intended but, in working, demonstrated the law of unintended (and unwanted) consequences. These unintended consequences had very serious legal, regulatory and public-opinion repercussions, which the workshop then discussed in detail.

Deeper Dive: Clapper Divide Expands In Data Breach Cases

As reported in our 2017 Data Security Incident Response Report, plaintiffs allege potential future harm as a basis for injury in 80 percent of data breach lawsuits. But are allegations of future harm sufficient to meet Article III’s cases-and-controversies requirement, specifically with regard to the injury-in-fact element of standing? Despite the prevalence of these allegations, federal courts remain divided on the answer to this question as it applies in the data breach context.

This divide stems from differing interpretations of the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA, which held that plaintiffs must show that future harm is certainly impending, or that they are at a substantial risk of future harm, to satisfy the injury-in-fact requirement of Article III standing.

This divide continues to grow as the federal circuit courts weigh in on the issue, with some circuits finding standing where others have not. Most recently, the Second Circuit joined the First, Third, and Fourth Circuits in holding that plaintiffs must allege more than the fact that their information was stolen to show an Article III injury. See Whalen v. Michaels Stores, Inc., — F. App’x —, 2017 WL 1556116, at *1-2 (2d Cir. May 2, 2017); see, e.g., Beck v. McDonald, 848 F.3d 262, 274 (4th Cir. 2017).

Washington State Passes Legislation Governing the Use of Biometric Information

Effective July 23, 2017, Washington will join Illinois and Texas as the third U.S. state to impose statutory restrictions on how businesses collect, use, disclose and retain biometric information. House Bill 1493 applies to entities that “enroll a biometric identifier in a database for a commercial purpose” and includes requirements to provide notice to individuals and obtain their affirmative consent, both prior to enrollment and if the business seeks to sell, lease or otherwise disclose the identifier to a third party.

The new law does not prescribe the exact form of notice and consent, making clear those processes are “context-dependent,” and notably, there is no specific requirement that consent must be written. The law contains certain exceptions to the consent requirement with respect to disclosures, such as if disclosure is necessary to provide a service or product requested by the individual or if it is made to a third party that “contractually promises” that the biometric identifier will not be further disclosed or enrolled in a database inconsistent with the law.

Deeper Dive: Vendor Management Crucial for Data Protection

In our 2017 Data Security Incident Response Report, we found that of the 450+ incidents we worked on last year, network attacks that succeeded due to vendor wrongdoing were significantly more common (15 percent) than those due to employee wrongdoing (9 percent). Vendors were also found to be the cause of technical and security failures and lost/stolen devices or records. Indeed, some of the highest-profile breaches to date have been traced back to vendors (e.g., the 2013 Target breach, which began with credentials stolen from a vendor).

Organizational obligations regarding data privacy and security extend not only to the data in a company’s possession, but also to its data in the possession of a third-party service provider or business partner. Outsourcing information processing to a third party, or sharing data with business partners, does not relieve an organization of its privacy and security obligations. For instance, businesses need to scrutinize the security measures of the outsourced providers with which they contract and the providers’ in-place measures – contractual and otherwise – to respond to breaches.

Deeper Dive: Security Is a Big Deal for Big Data

In the rapidly expanding landscape of Internet-based data analytic services, companies across all industries with a significant online presence have faced or will face a data breach resulting from their collection and use of Big Data. As more consumer information is digitized and collected by companies for data analytics, the potential for cyberattacks also increases. While businesses often find Big Data analytics valuable for research and marketing, most organizations do not have the security assets needed to keep such data safe. As can be imagined, large quantities of consolidated data can be extremely tempting for cybercriminals, especially when such data may contain a company’s proprietary information or customers’ personal and/or financial information. Big Data security breaches can result in serious legal consequences and reputational damage for companies, often more severe than those caused by breaches of traditional data.

Big Data Has Big Security Challenges

Big Data has several unique security challenges, of which companies unfamiliar with the complexities of Big Data analytics may not be aware. Variety, volume and velocity are the three primary terms used to characterize Big Data, and each individually contributes to the security challenges native to Big Data analytics and must be considered equally.

The first term, variety, defines the multiple classes or data types captured across a company’s given enterprise. Variety is quickly becoming the single biggest driver of investments in Big Data. At any given time, a company may be collecting and/or storing data from multiple business areas (e.g., customer data, employee personal information, intellectual property) in a variety of formats. To adequately combat threat actors targeting valuable Big Data repositories, companies must fully understand all data types collected and used in their business before engaging in or contracting for a Big Data service. Companies must also balance their desire to rapidly extract and analyze Big Data with the need to adequately secure such data.

Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future.

Less than a month later, the most prominent ransomware attack to date swept the globe and dominated headlines. As we previously reported, on May 12, 2017, thousands of companies were affected by the so-called “WannaCry” ransomware variant, which exploited a known Microsoft Windows vulnerability (for which Microsoft had released a patch in March 2017) and spread rapidly across borders and industries. Despite the apparent sophistication of its origins, reportedly using an exploit revealed in leaked National Security Agency documents, signs have emerged that the perpetrators of the WannaCry outbreak were perhaps less sophisticated than one might expect. Specifically, WannaCry’s authors seem to have included “amateur flaws” in their design, such as a straightforward kill switch, an “unsavvy” payment protocol and a poorly designed ransom function. As a result, WannaCry was halted by a simple domain name registration, and the financial yield for the perpetrators appears to have been surprisingly low.

Substantial Risk of Harm in Data Breach Class Actions Ripe for Supreme Court Review

Early in May, the U.S. Court of Appeals for the Second Circuit in Whalen v. Michaels Stores, Inc., No. 16-260 (L) (2d Cir. May 2, 2017), affirmed the dismissal of a data breach class action brought against Michaels Stores Inc. (Michaels) for failing to sufficiently allege an injury to support standing. This decision is significant because it widens the existing circuit split on what allegations constitute an injury-in-fact, particularly where a plaintiff seeks standing by alleging a substantial risk of harm resulting from a data breach.


Deeper Dive: Forensics

A company’s ability to quickly and efficiently conduct a forensic investigation is critical to limiting the impacts of a data security incident and determining the scope of the incident.

In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed data from the more than 450 incidents we worked on in 2016. A forensic investigation occurred in 34 percent of those incidents – a slight increase from 2015, when 31 percent of the incidents involved a forensic investigation. Healthcare entities used forensic investigations at a higher rate in 2016, most likely because of the rise in ransomware incidents and the OCR guidance related to ransomware. A forensic investigation occurred in 27 percent of the incidents involving healthcare entities in 2016 versus only 13 percent in 2015. The average total cost of a forensic investigation in 2016 was $62,290, with the highest cost in excess of $750,000. The average cost of a network intrusion investigation was $93,322. It took forensic firms an average of 44 days after they were hired to complete their investigations of network intrusion incidents. Investigators found evidence of data exfiltration in 34 percent of the network intrusion incidents. A failure to find evidence of exfiltration does not always mean that data wasn’t stolen: some attackers carefully remove evidence of their activities, and in other cases there is insufficient logging to establish what left the network.

No More Tears: A Few Recommended Steps in Response to WannaCry Ransomware

On May 12, 2017, thousands of companies across the globe saw the first signs of a prolific malware outbreak. The malware, a ransomware variant labeled WannaCry, is capable of encrypting files on a device and moving laterally to encrypt files on associated file shares. The ransom demanded was typically the equivalent of $300 in Bitcoin. Early reports indicate that the ransomware, which may function in 27 different languages, encrypted data on over 75,000 systems in 99 countries. Russia, Ukraine, India and Taiwan appear to have been the hardest hit. The attack resulted in some hospitals canceling operations and appointments because critical patient data could not be accessed.

The WannaCry ransomware gained entry into computer systems by exploiting a vulnerability in certain versions of Microsoft Windows. Microsoft released a patch for the vulnerability in March 2017. Microsoft also published a blog post that guides individuals and businesses through the steps they should take to stay protected from WannaCry. One reason this ransomware has been so prolific is that it is less susceptible to file-based antivirus programs: its initial stage is injected into an already-running process rather than first being written to disk, so there is no file for a signature scan to catch before it executes.
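The worm component that made WannaCry spread, both inside networks and across the Internet, did so over SMB on TCP port 445 using the MS17-010 vulnerability that the March 2017 patch closed; a single host that suddenly contacts many neighbours on 445 is therefore the behavioural signature worth alerting on, independent of any file hash or kill-switch domain, and it is the kind of lateral movement both this post and the “Future of Ransomware-as-a-Service” excerpt above describe. The Python script below is an added example, not code from either post, from Microsoft’s guidance or from WannaCry itself: it runs that fan-out detection over a constructed connection log. The log format, the addresses, the 60-second window and the threshold of 20 distinct destinations are all assumptions chosen for illustration.

```python
"""Detect worm-like SMB fan-out: one source contacting many distinct hosts on
TCP/445 inside a short window.

Added example. The log format, addresses, 60-second window and threshold of 20
distinct destinations are assumptions chosen for illustration; tune them to the
network being monitored (a domain controller, backup server or vulnerability
scanner legitimately talks to many hosts on 445 and needs an allow-list).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-timestamp> <src> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)$")
BASE = datetime(2017, 5, 12, 10, 0, 0)


def build_sample_log():
    """Constructed connection log: benign file-server use, a small admin fan-out
    below threshold, one host sweeping 40 neighbours on 445, and unrelated web
    traffic from that same host."""
    lines = []
    for i in range(5):  # workstation repeatedly using one file server
        lines.append(f"{(BASE + timedelta(seconds=10 * i)).isoformat()} 10.0.0.5 -> 10.0.0.20:445")
    for i, dst in enumerate(("10.0.0.20", "10.0.0.21", "10.0.0.22")):  # admin host, 3 targets
        lines.append(f"{(BASE + timedelta(seconds=5 * i)).isoformat()} 10.0.0.9 -> {dst}:445")
    for i in range(40):  # worm-like sweep: 40 distinct hosts in 40 seconds
        lines.append(f"{(BASE + timedelta(seconds=30 + i)).isoformat()} 10.0.0.77 -> 10.0.1.{i + 1}:445")
    lines.append(f"{BASE.isoformat()} 10.0.0.77 -> 198.51.100.7:443")  # not SMB, ignored
    return "\n".join(lines)


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def detect_smb_fanout(flows, window=timedelta(seconds=60), threshold=20, port=445):
    """Return one alert per source as (src, window_start, distinct_targets),
    raised the first time that source reaches `threshold` distinct destinations
    on `port` within any sliding `window`."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(flows):  # process in time order
        if dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], len(distinct))
    return [(src, start, n) for src, (start, n) in alerts.items()]


if __name__ == "__main__":
    for src, start, n in detect_smb_fanout(parse_flows(build_sample_log())):
        print(f"ALERT {src}: {n} distinct hosts on 445 starting {start.isoformat()}")
```

The alert fires at the twentieth distinct destination, well before the sweep finishes, which is the point: blocking port 445 at the host firewall for the offending source at that moment limits how far a worm gets, whereas a hash-based rule only helps once the sample is already known.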
