Coming Soon: Two-Factor Authentication for Social Security Website

The Social Security Administration recently announced that beginning June 10, two-factor authentication will be required for all account holders logging in to the “My Social Security” portal.

To comply with this new rule, account holders will be required to provide their username and password, plus either their cell phone number or their email address as the second identification method. After providing the cell phone number or email address, the account holder will be sent a time-sensitive passcode to authenticate his or her identity.

This is the Social Security Administration’s second attempt at implementing two-factor authentication. In 2014, an Obama administration executive order mandated improved security for consumers regarding financial transactions, and remediation for victims of identity theft. Based on this executive order, in July 2016, the Social Security Administration announced the requirement of two-factor authentication for the account holder portal through the transmission of one-time passcodes via SMS text messages to the account holder’s cell phone. This method was widely criticized because many of the account holders were senior citizens who did not have access to a cell phone and therefore lacked the ability to use two-factor authentication for their account.

Deeper Dive: Implementing Basic Security Measures Can Stop Some Network Intrusions and Reduce the Damage From Others

In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed 104 network intrusion attacks that we helped our clients respond to last year. Such incidents typically occur when criminals find a weakness in a company’s internet-facing network, penetrate the network, conduct reconnaissance to find valuable data and export the data before they can be detected and stopped. Our clients were required to notify potentially affected customers or patients in 62 percent of the network intrusion attacks. Forensic investigation costs for the attacks averaged $93,322 and ranged as high as $750,000.

Basic data security measures can make it more difficult for many criminals to succeed with these attacks. Companies should consider taking the following steps:

  • Implement multifactor authentication to remotely access any part of the company’s network or data.
  • Disable remote desktop protocol on internet-facing systems.
  • Segregate subnetworks that contain valuable data from other parts of the network, and require users who need to access such data to use multifactor authentication or one-time passwords to do so.
  • Implement and monitor a software patch management system that requires critical patches to be installed promptly.
  • Require users to use complex passwords and to change them at least every 90 days.
  • Remove administrative rights from normal users and limit the number of accounts with administrative privileges.
  • Implement a web proxy that can block access to untrusted websites.
  • Utilize threat intelligence and endpoint protection tools that use reputational searches and behavioral patterns.
  • Deploy an intrusion detection and prevention system (IDPS) that aggregates logs to a SIEM tool that sends real-time alerts.
  • Hire qualified staff or engage a vendor to monitor SIEM and endpoint protection alerts.
  • Ensure that all internet-facing and core infrastructure systems, as well as systems that store or have access to sensitive data, have logging enabled.
  • Retain the logs for at least a year but preferably longer.
  • Do not allow employees to access personal email accounts from the company’s network.
  • Use security firms to conduct periodic, credentialed vulnerability scans; to help correct vulnerabilities discovered; and to conduct periodic penetration tests on internet-facing applications that contain sensitive data or provide access to internal networks.


Deeper Dive: Incorporating Incident Response Into Disaster Recovery Plans

Incident response and disaster recovery are both essential components of a comprehensive written information security program. However, too often these plans are implemented in a vacuum, without considering the potential synergies and improvements that can be gained when such plans are developed, deployed and tested together.

Incident response and disaster recovery tend to have the same goals, i.e., to provide a game plan that outlines how the organization will respond to and recover from an event. The key difference is often the type of event. Incident response tends to focus on events that impact computer systems and personal information, such as malware or network intrusion. On the other hand, disaster recovery tends to focus on larger, enterprise-wide events, such as earthquakes, hurricanes and terrorism. The fallacy is thinking these categories are mutually exclusive. Consider the impact of ransomware, which according to BakerHostetler’s 2017 Data Security Incident Response Report, is one of the leading causes of security incidents. A ransomware infection has the same shutdown potential as an earthquake or flood, and the response is sometimes the same, i.e., switch to emergency operation mode, restore from backups, etc. But a disaster recovery plan that doesn’t factor in the malicious nature of ransomware may result in critical backups being encrypted or deleted by the malware. Similarly, incident response plans that do not consider the far-reaching impact of ransomware may not address recovery response times, employee messaging and alternative communication methods, which are typically covered in a disaster recovery plan. The solution is to develop both of these plans in tandem.

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and includes provisions relating to fair, lawful, and transparent data processing; data minimization and purpose limitation; data integrity and accuracy; specific data retention periods; increased data security; and accountability associated with the practices of data controllers and processors.

Among the key operational impacts of the GDPR is a new “personal data breach” notification obligation, the first EU-wide requirement to notify supervisory authorities and affected individuals of security incidents. Organizations doing business in the U.S. that are familiar with federal and state security breach notification requirements likely already have the mechanisms in place to comply with this aspect of the GDPR. That said, the GDPR’s approach has a couple of twists, which we discuss further below.

Babies and Baby-making, or Not… Privacy and Security Lessons for the Internet of Things

What do babies, sex toys and wireless headphones have in common? Apparently, the privacy concerns of the Federal Trade Commission (FTC), state AGs and legislatures, class action plaintiffs, and consumer advocacy groups, at least when it comes to the Internet of Things (IoT). The IoT refers to consumer devices that are connected, directly or indirectly, to the internet or to other internet-connected devices.

Today cars, household appliances, so-called wearables like Fitbits, smart TVs, home command centers like Nest, Alexa and Google Home, and even sex toys and toothbrushes are collecting consumer data, often of a sensitive nature, and transmitting it over Wi-Fi, Bluetooth and the internet. The same privacy and data security issues that apply to computers and mobile phones apply to the IoT. Given the potentially sensitive nature of the data involved, the first generation of lawsuits and regulatory actions has involved babies, abortion, movie-viewing at home and vibrators. But these cases are not outliers, and there are lessons to be learned for all companies considering a foray into the IoT. And with the public notoriety these cases are generating has come the interest of the California legislature, which is considering legislation that would, among other things, codify data security obligations and require point-of-sale privacy disclosures and express consent to data collection.

Deeper Dive: Be Prepared for Regulatory Investigations in the Wake of a Security Incident

Your company had a data security event. After an investigation, it was determined that notifications were required, and the incident was made public as a result. Notification letters were mailed and regulators were notified, all in accordance with the law. Your company also enhanced security measures and took other remedial action, so there is nothing more to do – it’s all over, right? Not quite – there is a good likelihood your organization may be subject to a regulatory investigation as a result of the incident.

In 2016, we assisted clients in over 450 data security incidents. Among the trends revealed by our analysis of these incidents, we found that regulators, including state attorneys general, continue to make inquiries in the wake of data security events. In fact, in the incidents we handled, attorneys general made inquiries 29 percent of the time after notifications were made. This is up from 26 percent the prior year.

Deeper Dive: Phishing/Hacking/Malware Attacks Remain Leading Cause of Security Incidents

During 2016, our BakerHostetler privacy and data protection team worked on data security incidents across virtually all industries. For the second year in a row, phishing/hacking/malware attacks have accounted for the largest percentage of incidents handled by our team. Specifically, security incidents arising from phishing/hacking/malware made up 43 percent of all security incidents we handled last year – a 12 percent jump from 2015 – with ransomware attacks (i.e., events where malware prevents or limits users from accessing their system until a ransom is paid) accounting for nearly a quarter of such incidents.

With the adoption of new technologies, the collection and use of larger amounts of data, and the increasing sophistication of cyber-attackers, the risk landscape for companies drastically changes from year to year. Last year saw the first security incident to affect more than 1 billion accounts, as well as a reported increase of more than 500 percent in ransomware attacks. While investing in network security and breach detection technologies is an essential component to building an effective cybersecurity strategy, companies must also take enterprise-wide steps to ensure that everyone, from executives to front-of-house employees, is involved in risk-reducing behaviors. In our 2017 Data Security Incident Response Report, the BakerHostetler incident response team looked back at the more than 450 incidents that we handled in 2016 to identify the top causes of security incidents across industries.

Deeper Dive: Protecting Paper Records

Our third annual BakerHostetler Data Security Incident Response Report analyzes the more than 450 data security incidents we led clients through in 2016, and includes a number of interesting trends relating to the causes of incidents, how companies are identifying and responding to incidents, and the regulatory and litigation trends after an incident is disclosed. Many of the takeaways from the Report focus on the technology side of preparedness and the protection of electronic data. Since our inaugural Report, however, we have been warning companies not to forget that data security incidents can also result from the compromise of paper records. Given the trend across all industries to go “paperless” and the growing awareness of privacy issues within companies, one would expect a decline in the number of incidents involving paper records. Yet, as described in the Report, 13 percent of the incidents that we handled in 2016 involved paper records, and an additional 4 percent involved both paper and electronic records. This represents a 1 percent increase in paper-related incidents since 2015. Notably, the number of incidents involving paper records for the healthcare-related incidents we handled decreased from 25 percent in 2015 to 17 percent in 2016, which means other industries experienced a significant increase in paper-related incidents.

Deeper Dive: Frequency and Severity

All industries are affected by cyberattacks, but how often and to what extent they occur vary greatly by industry type.

Industry Type

As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents and by a wide margin. Specifically, about 35 percent of the incidents we handled last year involved the healthcare industry. This is a marked increase from last year’s report with healthcare – still the leading industry by frequency of incident – representing about 23 percent of incidents we worked on. Why is healthcare affected so frequently? One reason is that stolen electronic medical records are significantly more valuable on the black market than most other stolen personal information such as payment card information or Social Security numbers. Additionally, being the victim of medical-related information theft may take longer to discover and fix than other types of identity theft do, thereby allowing the bad actors more time to monetize the stolen information. While it is hit the most, the healthcare industry is not hit the hardest.

Be Compromise Ready: Go Back to the Basics

We are excited to release our third annual BakerHostetler Data Security Incident Response Report. This report analyzes the more than 450 data security incidents we led clients through in 2016. Companies continued to experience incidents at a record pace, and we expect this will continue through 2017. We have received more calls to our breach hotline in the first three months of 2017 than we did during all of 2015.

Ransomware was the biggest development we saw last year – it was involved in 23% of the network intrusion incidents. Because no one measure can guarantee a successful defense against ransomware, we do not expect this issue to go away.

Our 2016 Report focused on companies being “compromise ready” to detect, respond to and contain incidents faster. That still holds true. In fact, our experience shows that companies should be focused on the basics, such as education and awareness programs, data inventory efforts, risk assessments, and threat information sharing. Most incidents are not the result of a sophisticated, never-before-seen, unpreventable, zero-day attack. Instead, networks are often as fallible as the people who build and maintain them. Both skilled and unskilled attackers are able to access networks, whether the networks have little or “next gen” security.