Former SEC Commissioner Louis A. Aguilar Describes Corporate Directors’ Cybersecurity Duties

When Louis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in managing cyber risks.

On Sept. 22, 2016, Mr. Aguilar presented his current views in a talk titled “The Role of the Boards of Directors and CISOs in Overseeing Cyber-Risks” at the Security Alliance Advisors’ Annual Leadership Summit. A copy of Mr. Aguilar’s presentation is available here. His remarks provide useful guidance to board members and company managers about how to better manage cyber risks.

Mr. Aguilar points out that boards have long managed many types of risks, including credit risk, liquidity risk and operational risk. Cyber risk must become one of the risks that boards manage successfully.

Tales from the Trenches: Lessons Learned from the Ashley Madison Data Breach

In July 2015, the online cheating website Ashley Madison was hacked and data pertaining to its 37 million users were published online. The story made headlines given the sensitive nature of the information exposed, the number of people affected and the sensational details of the hack, which included allegations of fraud, blackmail and extortion. The media outed several politicians and celebrities as paying customers, while some websites indexed the breached data, allowing people to search for email addresses to see if their spouses or significant others had accounts. Between lawsuits, resignations, suicides and countless stories of extortion and divorce, the fallout from the breach has been immense. Nearly one year later, a joint investigation by the Privacy Commissioner of Canada and the Australian Privacy Commissioner (collectively, “the Commission”) has issued a scathing report that provides remarkable insight into the breach and what qualifies as an appropriate information security framework.

Both the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the Australian Privacy Act (APA) require organizations to protect personal information using appropriate physical, technical and organizational safeguards. However, neither act outlines the specific safeguards that must be in place, instead relying on industry guidelines or widely accepted practices. That is what makes this Joint Report so interesting. Here, the Commission found significant deficiencies with Ashley Madison’s security framework and described in detail the information security practices it found lacking.

Latest Data Breach Settlement Illustrates Need for Companies to Prioritize Cybersecurity

On Aug. 5, 2016, the New York attorney general, Eric Schneiderman, announced a $100,000 settlement with an e-retailer following an investigation of a data breach that resulted in the potential exposure of more than 25,000 credit card numbers and other personal information.

According to the investigation, on Aug. 7, 2014, in an all-too-common scenario, an attacker infiltrated the e-retailer’s website. Nearly one year later, the e-retailer’s merchant bank notified it that fraudulent charges were appearing on customers’ credit card accounts. The e-retailer then hired a cybersecurity firm to conduct a forensic investigation, and the malware was discovered and removed from the e-retailer’s website.

The e-retailer, however, failed to take the next step, which should have been notification to affected customers. According to the attorney general’s office, the e-retailer never provided notice to its customers or law enforcement about the breach, in violation of New York General Business Law (GBL) § 899-aa, which requires that notice be provided to affected individuals and various government agencies, in the most expedient time possible and without unreasonable delay.

A Closer Look at the OCR’s Guidance on Ransomware

In the wake of several high-profile ransomware infections targeting hospitals and health care organizations, the Department of Health and Human Services Office for Civil Rights (OCR) has issued guidance on the growing threat of ransomware.

Ransomware is a type of malware that denies access to systems and data. It uses strong cryptography to encrypt files to prevent access without a decryption key. To receive the decryption key and restore access, the entity must pay a ransom, typically in the form of a cryptocurrency such as Bitcoin. While this type of malware has been around for years, it has recently made headlines in the healthcare industry, most notably after Hollywood Presbyterian Medical Center was forced to use pen and paper when its computer systems were held hostage by ransomware back in February. Like an infectious disease, ransomware has spread throughout the healthcare industry, causing havoc and potentially jeopardizing patient care.

Given the publicity and the potential for harm, it should come as no surprise that the OCR has issued guidance in this area. As the regulatory agency that enforces HIPAA, when the OCR speaks, healthcare organizations should take heed.

OCR to Increase Efforts to Investigate Breaches Affecting Fewer Than 500 Individuals

The Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency tasked with investigating data breaches involving protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

The mere mention of an OCR investigation can strike fear into the hearts of HIPAA privacy officers and health care executives everywhere. Data breaches have been occurring with disturbingly high frequency in the health care industry. If a covered entity experiences a data breach involving more than 500 affected individuals, a regulatory investigation by the OCR is virtually guaranteed.

On August 18, 2016, the OCR announced that it was increasing efforts to investigate smaller breaches, such as those involving fewer than 500 individuals. While the OCR has always had the authority to investigate smaller breaches, it has traditionally done so only when it had resources to spare. This new initiative announced by the OCR represents a concerted effort to investigate the root causes of breaches affecting fewer than 500 individuals.

Even with this new initiative, the OCR is unlikely to investigate every breach; there are simply too many to handle. Instead, each regional office will prioritize its investigations based on:

  • The size of the breach;
  • Whether it involves the theft of or improper disposal of unencrypted PHI;
  • Whether it involves unwanted intrusions to IT systems (for example, by hacking);
  • The amount, nature and sensitivity of the PHI involved; or
  • Instances where numerous breach reports from a particular covered entity or business associate raise similar issues.

The key takeaway from this announcement by the OCR is to treat every breach as if it will result in an OCR investigation. Do not become complacent, especially when dealing with smaller or routine incidents, because you never know when the OCR will come knocking.

Unanimous FTC Finds LabMD’s Data Security Practices Violated Section 5 of the FTC Act

On July 29, 2016, a unanimous Federal Trade Commission (“FTC” or “Commission”) issued its Opinion and Final Order reversing the decision of an administrative law judge (“ALJ”) and holding that LabMD engaged in “unfair” practices in violation of Section 5 of the FTC Act because it failed to provide reasonable and appropriate security for personal information stored on its computer network. The FTC’s conclusion is significant because companies may face enforcement action for inadequate data security in connection with incidents in which there is no evidence that consumer information was accessed by unauthorized persons who likely intended to misuse the information.

Background

As we previously reported, the FTC first began investigating LabMD’s data security practices in 2010, when Tiversa Holding Company, a cybersecurity consulting firm, informed the FTC that sensitive personal information held by LabMD may have been publicly disclosed on a peer-to-peer (“P2P”) file-sharing network. On Aug. 28, 2013, the FTC brought the administrative action against LabMD under Section 5 of the FTC Act, alleging, in part, that LabMD failed to provide reasonable and appropriate data security for personal information stored on its computer network and that its failure caused or was likely to cause substantial consumer injury, including identity theft, medical identity theft, and the disclosure of sensitive, private medical information. Section 5(n) of the FTC Act prohibits unfair acts or practices if: (1) the act or practice causes or is likely to cause substantial injury to consumers, (2) which is not reasonably avoidable by consumers themselves, and (3) not outweighed by countervailing benefits to consumers or to competition.

On Nov. 13, 2015, the ALJ concluded that the FTC failed to prove the substantial injury prong of the three-part test, holding that “[t]o impose liability for unfair conduct … , where there is no proof of actual injury to any consumer, based only on an unspecified and theoretical ‘risk’ of a future data breach and identity theft injury, would require unacceptable speculation and would vitiate the statutory requirement of ‘likely’ substantial consumer injury.” Counsel for the FTC appealed to the full Commission.

Automotive Industry Organization Releases Recommended Cybersecurity Best Practices

Auto-ISAC is not alone in its efforts to address potential cybersecurity risks imposed by connected vehicles. As we have previously discussed, in 2015 legislators introduced the SPY Car Act, which requires automakers to meet certain vehicle data security standards to combat potential hacking threats. The U.S. Department of Transportation (DOT) notes that it has been researching and testing vehicle communications for over a decade. In addition, through the Intelligent Transportation Systems Joint Program Office, the DOT has worked to fund almost $25 million in cyber security research between 2012 and 2014. The National Highway Traffic Safety Administration (NHTSA) also published information relating to its comprehensive approach to vehicle cybersecurity.

The Best Practices continue these efforts by promoting a self-regulation framework within the industry for vehicle cybersecurity. The Best Practices outlined by Auto-ISAC include:

Privacy Shield to Open for Business August 1

After more than two years of negotiations, on July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield (the “Privacy Shield”) framework as a valid mechanism for transfers of personal data from the EU to the U.S. Touting the Privacy Shield as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses,” the European Commission released an Adequacy Decision, along with accompanying Annexes, concluding that “the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the Union to self-certified organisations in the United States.”

Business Associates in the Crosshairs: Catholic Health Care Services Settles for $650,000 for Failure to Safeguard PHI

Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to enter into a $650,000 resolution agreement and a two-year corrective action plan (CAP) with the Office for Civil Rights (OCR). CHCS provides management and information technology services as a business associate to six nursing homes. The OCR settlement follows a finding that CHCS violated the HIPAA Security Rule, which requires business associates to conduct enterprise-wide security risk analyses and to prepare corresponding risk management plans.

OCR initiated its investigation upon notification by CHCS of the theft of an employee’s unencrypted company iPhone containing Social Security numbers, diagnosis and treatment information, medications, and names of family members and legal guardians. This resulted in separate notifications from each of the six nursing homes regarding a breach of e-PHI, which, according to OCR, affected some 412 individuals.

$90 Million Cyber Thefts From Banks Using SWIFT Network Raise Security Issues

In February 2016, attackers stole $81 million from the Bangladesh central bank’s account at the New York Federal Reserve Bank by hacking into the Bangladesh bank’s computer network and sending fraudulent messages through the Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment network. In January 2015, attackers netted $9 million in funds from an Ecuadorian bank through fraudulent SWIFT messages. Information about the attacks and documents from a lawsuit related to the theft from the Ecuadorian bank reveal the challenging data security issues banks face when they use the SWIFT network.

How SWIFT operates. SWIFT, founded in 1973,[1] is a cooperative owned by 3,000 financial institutions from around the world.[2] SWIFT’s message platform is used by more than 11,000 banks[3] in 200 countries.[4] Those banks sent approximately 25 million SWIFT messages per day in April 2016.[5] To use the SWIFT network, a person or business that wants to transfer funds internationally, referred to as the “sender,” asks an “originator bank” to send a SWIFT message to a bank in another country directing the “receiving bank” to pay funds to a “beneficiary bank” for the account of the person or entity to receive the funds, the “beneficiary.”[6] Each bank using the SWIFT network is assigned an eight-character identification code, and a SWIFT message can be sent only from a SWIFT terminal at the originator bank; the SWIFT terminal authenticates to the SWIFT network using smart-card technology.[7] Receiving banks verify that each payment message contains the originator bank’s code and was sent from the originator bank’s SWIFT terminal.[8]