Our third annual BakerHostetler Data Security Incident Response Report analyzes the more than 450 data security incidents we led clients through in 2016, and includes a number of interesting trends relating to the causes of incidents, how companies are identifying and responding to incidents, and the regulatory and litigation trends after an incident is disclosed. Many of the takeaways from the Report focus on the technology side of preparedness and the protection of electronic data. Since our inaugural Report, however, we have been warning companies not to forget that data security incidents can also result from the compromise of paper records. Given the trend across all industries to go “paperless” and the growing awareness of privacy issues within companies, one would expect a decline in the number of incidents involving paper records. Yet, as described in the Report, 13 percent of the incidents that we handled in 2016 involved paper records, and an additional 4 percent involved both paper and electronic records. This represents a 1 percent increase in paper-related incidents since 2015. Notably, the number of incidents involving paper records for the healthcare-related incidents we handled decreased from 25 percent in 2015 to 17 percent in 2016, which means other industries experienced a significant increase in paper-related incidents.
As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents and by a wide margin. Specifically, about 35 percent of the incidents we handled last year involved the healthcare industry. This is a marked increase from last year’s report with healthcare – still the leading industry by frequency of incident – representing about 23 percent of incidents we worked on. Why is healthcare affected so frequently? One reason is that stolen electronic medical records are significantly more valuable on the black market than most other stolen personal information such as payment card information or Social Security numbers. Additionally, being the victim of medical-related information theft may take longer to discover and fix than other types of identity theft do, thereby allowing the bad actors more time to monetize the stolen information. While it is hit the most, the healthcare industry is not hit the hardest.
We are excited to release our third annual BakerHostetler Data Security Incident Response Report. This report analyzes the more than 450 data security incidents we led clients through in 2016. Companies continued to experience incidents at a record pace, and we expect this will continue through 2017. We have received more calls to our breach hotline in the first three months of 2017 than we did during all of 2015.
Ransomware was the biggest development we saw last year – it was involved in 23% of the network intrusion incidents. Because no one measure can guarantee a successful defense against ransomware, we do not expect this issue to go away.
Our 2016 Report focused on companies being “compromise ready” to detect, respond to and contain incidents faster. That still holds true. In fact, our experience shows that companies should be focused on the basics, such as education and awareness programs, data inventory efforts, risk assessments, and threat information sharing. Most incidents are not the result of a sophisticated, never-before-seen, unpreventable, zero-day attack. Instead, networks are often as fallible as the people who build and maintain them. Both skilled and unskilled attackers are able to access networks, whether the networks have little or “next gen” security.
BakerHostetler began publishing its Data Security Incident Response Report in 2015. Although we were the first law firm to do so, inspiration for the report came from similar reports that cybersecurity firms issue. We will be publishing our 2017 Report on April 13, 2017, containing statistics and insights from the 450+ incidents we led clients through in 2016. We think companies can use our report as a “crowdsourced” tool for identifying risks/threats, response metrics and risk mitigation investment priorities. As a preview to the release of our 2017 Report, we thought it would be helpful to provide a similar crowdsourced summary of the 2017 cybersecurity predictions from Mandiant, Stroz Friedberg, Crypsis, Kroll, Protiviti, Wombat and TrendMicro to see what commonalities and trends exist. It didn’t take long to determine that nearly everyone identified ransomware, social engineering and the internet of things (IoT) as high on the list of cybersecurity risks for 2017.
On April 4, 2017, the Massachusetts Attorney General’s office announced that it had settled with a digital advertiser following allegations the company was using geolocation technology to target ads to women visiting reproductive health facilities. Although the company denied that it geofenced clinics in Massachusetts, the AG indicated that such targeting would violate the Massachusetts Consumer Protection Act and has preemptively prohibited geofencing near medical centers in the Commonwealth.
The Assurance of Discontinuance discusses the practice of geofencing, a technique that allows an advertiser to tag an internet-enabled mobile device that then trips a virtual “fence” if the device enters a particular geographic area. Once a device has been flagged, the advertiser “causes third party digital advertisements to display on certain mobile applications the consumer accesses on that mobile device for up to thirty days.”
Breach notification statutes remain one of the most active areas of the law. Seldom does a month go by without a new bill or amendment addressing privacy or data security, and this month is no exception.
The state of Virginia recently expanded its breach notification statute to include income tax information among the types of information that require notification to the Office of the Attorney General. Likely a reaction to the increase in W2 tax fraud discussed in greater detail by my colleague here, this new amendment does not require notification to the individual taxpayers. Instead, affected entities must notify the Virginia attorney general, who in turn must notify the Department of Taxation. Of course, if the incident involves Social Security numbers, which the majority of W2 tax fraud incidents do, then the existing provisions would require notification to affected individuals.
In one of the first Internet of Things (IoT) class action settlements, the maker of a Bluetooth-enabled personal vibrator agreed to settle privacy class claims for $3.75 million.
The We-Vibe product allows a user to connect the product to a smartphone. The user can then control the device from the phone via Bluetooth connection. The We-Vibe also allows different users to communicate with each other through video chats and text messages, and by remotely controlling their partner’s We-Vibe device in real-time. However, consumers must download the company’s mobile application, or “app,” to access these features. The class plaintiffs alleged that the company, through its app, collected a substantial amount of information about its customers and their usage habits without customer knowledge or consent. Such information purportedly included (1) the date and time of each use, (2) the vibration intensity level selected by the user, (3) the vibration mode or pattern selected by the user, and (4) where available, the email address of customers who registered with the app.
On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the “Proposed Rule”). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written procedures “reasonably designed” to ensure cybersecurity.
The Proposed Rule states that the written cybersecurity procedures must provide for the following, to the extent reasonably possible:
- An annual cybersecurity risk assessment;
- Use of secure email, including encryption and digital signatures;
- Authentication for employee access to electronic communications, databases, and media;
- Procedures for authenticating client instructions received via electronic communications; and
- Disclosure to clients of the risks of using electronic communications.
Under the Proposed Rule, the Colorado Securities Commissioner could consider the following factors to determine whether an adviser’s or dealer’s written procedures had been “reasonably designed”:
- Size of the firm;
- Relationships with third parties;
- Policies, procedures, and training of employees;
- Authentication practices;
- Use of electronic communications;
- Automatic locking of devices used to conduct the firm’s electronic security; and
- Process for reporting lost or stolen devices.
Although Colorado’s Proposed Rule is not nearly as expansive or detailed as the cybersecurity regulations recently issued by the New York Department of Financial Services (which took effect March 1), we may be witnessing the beginning of a wave of state-level cybersecurity requirements applicable to entities in the financial services sector.
A public hearing on the Proposed Rule is scheduled for May 2, 2017.
The Federal Communications Commission (FCC) Privacy and Data Security Rule for broadband internet access service (BIAS) providers (the Privacy Rule) is dead. As we discussed here, the new rule that was set to start phased implementation was recently put on hold. We detailed what the Privacy Rule would have required in prior blog posts available here and here.
On Monday night, President Trump signed Senate Joint Resolution 34, effectively nullifying the Privacy Rule. The Privacy Rule was repealed under the Congressional Review Act, which prohibits the FCC from promulgating regulations of similar effect in the future. With this repeal, it is unlikely that anything less than a significantly toned down version of the Privacy Rule will be coming from the FCC anytime soon. This does not mean that the FCC cannot adopt any privacy rules, but any rules adopted would have to be substantially different from the nullified Privacy Rule, and likely would match the Federal Trade Commission (FTC) standards for internet privacy and data security.
On March 17, 2017, the Federal Trade Commission (FTC) announced that it had reached a $500,000 settlement with Upromise, a membership reward service aimed at families saving for college. The FTC had alleged that Upromise violated a 2012 FTC consent order by failing to make required disclosures about its data collection and use practices and not obtaining third-party assessments as agreed. This settlement illustrates not only the FTC’s continued focus on online data privacy and security issues, but also the Commission’s interest in ensuring that companies adhere to the terms of their settlement agreements.
Background and 2012 Order
Upromise offers a loyalty program that is free to join and provides credit toward college savings plans, or toward paying down student loans for members who make eligible purchases from partner businesses.