Deeper Dive: Phishing/Hacking/Malware Attacks Remain Leading Cause of Security Incidents

During 2016, our BakerHostetler privacy and data protection team worked on data security incidents across virtually all industries. For the second year in a row, phishing/hacking/malware attacks have accounted for the largest percentage of incidents handled by our team. Specifically, security incidents arising from phishing/hacking/malware made up 43 percent of all security incidents we handled last year – a 12 percent jump from 2015 – with ransomware attacks (i.e., events where malware prevents or limits users from accessing their system until a ransom is paid) accounting for nearly a quarter of such incidents.

With the adoption of new technologies, the collection and use of larger amounts of data, and the increasing sophistication of cyber-attackers, the risk landscape for companies changes drastically from year to year. Last year saw the first security incident to affect more than 1 billion accounts, as well as a reported increase of more than 500 percent in ransomware attacks. While investing in network security and breach detection technologies is an essential component of an effective cybersecurity strategy, companies must also take enterprise-wide steps to ensure that everyone, from executives to front-of-house employees, is involved in risk-reducing behaviors. In our 2017 Data Security Incident Response Report, the BakerHostetler incident response team looked back at the more than 450 incidents that we handled in 2016 to identify the top causes of security incidents across industries.

Deeper Dive: Protecting Paper Records

Our third annual BakerHostetler Data Security Incident Response Report analyzes the more than 450 data security incidents we led clients through in 2016, and includes a number of interesting trends relating to the causes of incidents, how companies are identifying and responding to incidents, and the regulatory and litigation trends after an incident is disclosed. Many of the takeaways from the Report focus on the technology side of preparedness and the protection of electronic data. Since our inaugural Report, however, we have been warning companies not to forget that data security incidents can also result from the compromise of paper records. Given the trend across all industries to go “paperless” and the growing awareness of privacy issues within companies, one would expect a decline in the number of incidents involving paper records. Yet, as described in the Report, 13 percent of the incidents that we handled in 2016 involved paper records, and an additional 4 percent involved both paper and electronic records. This represents a 1 percent increase in paper-related incidents since 2015. Notably, the number of incidents involving paper records for the healthcare-related incidents we handled decreased from 25 percent in 2015 to 17 percent in 2016, which means other industries experienced a significant increase in paper-related incidents.

Deeper Dive: Frequency and Severity

All industries are affected by cyberattacks, but how often incidents occur and how severe they are vary greatly by industry type.

Industry Type

As for frequency, the healthcare industry in 2016, for the third year in a row, saw the greatest number of incidents, and by a wide margin. Specifically, about 35 percent of the incidents we handled last year involved the healthcare industry, up from about 23 percent in last year’s report, when healthcare was also the leading industry by frequency of incident. Why is healthcare affected so frequently? One reason is that stolen electronic medical records are significantly more valuable on the black market than most other stolen personal information, such as payment card information or Social Security numbers. Additionally, medical identity theft may take longer to discover and remediate than other types of identity theft, giving the bad actors more time to monetize the stolen information. While it is hit the most, the healthcare industry is not hit the hardest.

Be Compromise Ready: Go Back to the Basics

We are excited to release our third annual BakerHostetler Data Security Incident Response Report. This report analyzes the more than 450 data security incidents we led clients through in 2016. Companies continued to experience incidents at a record pace, and we expect this will continue through 2017. We have received more calls to our breach hotline in the first three months of 2017 than we did during all of 2015.

Ransomware was the biggest development we saw last year – it was involved in 23% of the network intrusion incidents. Because no one measure can guarantee a successful defense against ransomware, we do not expect this issue to go away.

Our 2016 Report focused on companies being “compromise ready” to detect, respond to and contain incidents faster. That still holds true. In fact, our experience shows that companies should be focused on the basics, such as education and awareness programs, data inventory efforts, risk assessments, and threat information sharing. Most incidents are not the result of a sophisticated, never-before-seen, unpreventable, zero-day attack. Instead, networks are often as fallible as the people who build and maintain them. Both skilled and unskilled attackers are able to access networks, whether the networks have little or “next gen” security.

Crowdsourcing Cybersecurity in 2017

BakerHostetler began publishing its Data Security Incident Response Report in 2015. Although we were the first law firm to do so, inspiration for the report came from similar reports that cybersecurity firms issue. We will be publishing our 2017 Report on April 13, 2017, containing statistics and insights from the 450+ incidents we led clients through in 2016. We think companies can use our report as a “crowdsourced” tool for identifying risks/threats, response metrics and risk mitigation investment priorities. As a preview to the release of our 2017 Report, we thought it would be helpful to provide a similar crowdsourced summary of the 2017 cybersecurity predictions from Mandiant, Stroz Friedberg, Crypsis, Kroll, Protiviti, Wombat and TrendMicro to see what commonalities and trends exist. It didn’t take long to determine that nearly everyone identified ransomware, social engineering and the internet of things (IoT) as high on the list of cybersecurity risks for 2017.

Massachusetts AG Settlement Bars Geofencing Near Medical Facilities

On April 4, 2017, the Massachusetts Attorney General’s office announced that it had settled with a digital advertiser following allegations the company was using geolocation technology to target ads to women visiting reproductive health facilities. Although the company denied that it geofenced clinics in Massachusetts, the AG indicated that such targeting would violate the Massachusetts Consumer Protection Act and has preemptively prohibited geofencing near medical centers in the Commonwealth.

The Assurance of Discontinuance discusses the practice of geofencing, a technique that allows an advertiser to tag an internet-enabled mobile device that then trips a virtual “fence” if the device enters a particular geographic area. Once a device has been flagged, the advertiser “causes third party digital advertisements to display on certain mobile applications the consumer accesses on that mobile device for up to thirty days.”
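To make concrete what the Assurance describes, the following is an added example (our own illustration, not the advertiser’s code or anything produced in the Massachusetts matter) of the mechanism: a circular fence around a location, a great-circle distance check on each location ping, and a per-device tag that keeps the device targetable for thirty days after the trip. The coordinates, radius, device identifiers and the `Fence`/`Tagger` names are all assumptions constructed for the example; the only detail taken from the page is the thirty-day window.

```python
"""Added example: a toy geofence tagger reconstructing the mechanism the
Assurance describes. Hypothetical design and constructed sample data; the
fence location below is not a real facility."""
from __future__ import annotations

import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta

EARTH_RADIUS_M = 6_371_000.0
TAG_LIFETIME = timedelta(days=30)   # Assurance: ads served "for up to thirty days"


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Fence:
    """A circular virtual fence: centre point plus radius in metres (assumed shape)."""
    name: str
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


@dataclass
class Tagger:
    """Tracks which devices have tripped a fence and until when they stay targetable."""
    fences: list[Fence]
    tags: dict[str, tuple[str, datetime]] = field(default_factory=dict)  # device -> (fence, expiry)

    def observe(self, device_id: str, lat: float, lon: float, at: datetime) -> str | None:
        """Process one location ping; returns the fence name if the device tripped one."""
        for fence in self.fences:
            if fence.contains(lat, lon):
                # A single ping inside the fence is enough to tag the device for 30 days.
                self.tags[device_id] = (fence.name, at + TAG_LIFETIME)
                return fence.name
        return None

    def should_target(self, device_id: str, at: datetime) -> bool:
        """Ad-serving decision: the device carries a tag that has not yet expired."""
        tag = self.tags.get(device_id)
        return tag is not None and at < tag[1]


def demo() -> dict:
    """Walk two constructed devices past one constructed fence."""
    fences = [Fence("facility-A", 42.3601, -71.0589, 100.0)]   # constructed, not a real site
    tagger = Tagger(fences)
    t0 = datetime(2017, 4, 4, 9, 0)
    tripped = tagger.observe("adid-1234", 42.3605, -71.0589, t0)  # ~44 m from centre: inside
    missed = tagger.observe("adid-5678", 42.3700, -71.0589, t0)   # ~1.1 km away: outside
    return {
        "tripped": tripped,
        "missed": missed,
        "targeted_day_10": tagger.should_target("adid-1234", t0 + timedelta(days=10)),
        "targeted_day_31": tagger.should_target("adid-1234", t0 + timedelta(days=31)),
        "untagged": tagger.should_target("adid-5678", t0 + timedelta(days=1)),
    }


if __name__ == "__main__":
    print(demo())
```

The privacy-relevant point the code makes visible is that the tag is keyed on a persistent device identifier and outlives the visit: one ping inside the fence is enough to mark the device for a month, which is why the settlement treats the fence location itself, not the content of the ad, as the problem.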

Virginia, Tennessee and New Mexico Are the Latest States to Amend Breach Notification Laws

Breach notification statutes remain one of the most active areas of the law. Seldom does a month go by without a new bill or amendment addressing privacy or data security, and this month is no exception.

The state of Virginia recently expanded its breach notification statute to include income tax information among the types of information that require notification to the Office of the Attorney General. Likely a reaction to the increase in W-2 tax fraud (discussed in greater detail by my colleague here), the new amendment does not require notification to the individual taxpayers. Instead, affected entities must notify the Virginia attorney general, who in turn must notify the Department of Taxation. Of course, if the incident involves Social Security numbers, as the majority of W-2 tax fraud incidents do, then the existing provisions would require notification to affected individuals.

IoT Device Maker Settles Class Claims for $3.75 Million

In one of the first Internet of Things (IoT) class action settlements, the maker of a Bluetooth-enabled personal vibrator agreed to settle privacy class claims for $3.75 million.

The We-Vibe product allows a user to connect the product to a smartphone. The user can then control the device from the phone via a Bluetooth connection. The We-Vibe also allows different users to communicate with each other through video chats and text messages, and by remotely controlling their partner’s We-Vibe device in real time. However, consumers must download the company’s mobile application, or “app,” to access these features. The class plaintiffs alleged that the company, through its app, collected a substantial amount of information about its customers and their usage habits without customer knowledge or consent. The information allegedly collected included (1) the date and time of each use, (2) the vibration intensity level selected by the user, (3) the vibration mode or pattern selected by the user, and (4) where available, the email address of customers who registered with the app.

Colorado Proposes Cybersecurity Requirements for Investment Advisers and Broker-Dealers

On March 27, 2017, the Colorado Department of Regulatory Agencies proposed changes to the Colorado Securities Act that would impose new cybersecurity requirements on investment advisers and broker-dealers (the “Proposed Rule”). Among other obligations, the Proposed Rule would require these entities to include cybersecurity as part of their risk assessments, and establish and maintain written procedures “reasonably designed” to ensure cybersecurity.

The Proposed Rule states that the written cybersecurity procedures must provide for the following, to the extent reasonably possible:

  • An annual cybersecurity risk assessment;
  • Use of secure email, including encryption and digital signatures;
  • Authentication for employee access to electronic communications, databases, and media;
  • Procedures for authenticating client instructions received via electronic communications; and
  • Disclosure to clients of the risks of using electronic communications.
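The fourth item, authenticating client instructions that arrive over electronic communications, is the one that most often goes wrong in practice: a convincing email that says “wire the proceeds here” is the classic social-engineering loss. The following is an added example (ours, not the Proposed Rule’s text or any firm’s implementation) of the minimum a verifier for such instructions needs: a keyed MAC over a canonical form of the instruction, a freshness window, and a replay cache keyed on a nonce. It uses a shared-secret HMAC as a stand-in for the rule’s “digital signatures”; swapping in a public-key signature changes only the `sign_instruction`/MAC comparison, not the freshness and replay logic. The key, message fields, five-minute window and class/function names are all assumptions.

```python
"""Added example: verifying an electronically received client instruction.
Hypothetical design; the shared key, message layout and freshness window
are assumptions, not anything from the Colorado Proposed Rule."""
from __future__ import annotations

import hashlib
import hmac
import json
import time

FRESHNESS_WINDOW_S = 300   # reject instructions more than 5 minutes old (assumed policy)


def canonical(instruction: dict) -> bytes:
    """Deterministic serialisation so sender and verifier MAC identical bytes."""
    return json.dumps(instruction, sort_keys=True, separators=(",", ":")).encode()


def sign_instruction(key: bytes, instruction: dict) -> str:
    """Client side: tag the canonical instruction with HMAC-SHA256."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()


class InstructionVerifier:
    """Firm side: accept an instruction only if it is authentic, fresh and unseen."""

    def __init__(self, key: bytes, now=time.time):
        self._key = key
        self._now = now          # injectable clock so the behaviour is testable
        self._seen = {}          # nonce -> instruction timestamp, pruned to the window

    def _evict(self, now: float) -> None:
        # Anything older than the window would fail the freshness check anyway,
        # so the cache only needs to remember nonces inside the window.
        for nonce, ts in list(self._seen.items()):
            if now - ts > FRESHNESS_WINDOW_S:
                del self._seen[nonce]

    def verify(self, instruction: dict, tag: str) -> tuple[bool, str]:
        """Return (accepted, reason). The MAC is checked first so an unauthenticated
        sender learns nothing about the clock or the replay cache."""
        expected = sign_instruction(self._key, instruction)
        if not isinstance(tag, str) or not hmac.compare_digest(expected, tag):
            return False, "bad mac"
        now = self._now()
        ts = instruction.get("ts")
        if not isinstance(ts, (int, float)) or abs(now - ts) > FRESHNESS_WINDOW_S:
            return False, "stale"
        nonce = instruction.get("nonce")
        if not isinstance(nonce, str) or not nonce:
            return False, "missing nonce"
        self._evict(now)
        if nonce in self._seen:
            return False, "replay"
        self._seen[nonce] = ts
        return True, "ok"


def demo() -> dict:
    """Run the four cases a verifier has to get right: accept, replay, tamper, late."""
    key = b"shared-secret-provisioned-out-of-band"   # assumption: one key per client
    clock = [1_491_300_000.0]                        # fake clock for a deterministic run
    verifier = InstructionVerifier(key, now=lambda: clock[0])

    order = {"client": "acct-001", "action": "SELL", "symbol": "XYZ",
             "qty": 100, "ts": clock[0], "nonce": "8f3c2a"}   # constructed sample
    tag = sign_instruction(key, order)

    accepted = verifier.verify(order, tag)[1]                       # genuine, first time
    replayed = verifier.verify(order, tag)[1]                       # same message again
    tampered = verifier.verify({**order, "qty": 1000}, tag)[1]      # body altered in transit

    clock[0] += 600                                  # 10 minutes later, beyond the window
    late_order = {**order, "nonce": "b71e09"}        # validly signed but too old
    late = verifier.verify(late_order, sign_instruction(key, late_order))[1]
    return {"accepted": accepted, "replayed": replayed, "tampered": tampered, "late": late}


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting when writing the “reasonably designed” procedure: the comparison uses `hmac.compare_digest` rather than `==` so the check does not leak timing information, and the timestamp is taken from inside the authenticated message, not from the transport, so an attacker who can delay or re-send a message cannot refresh it.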

Under the Proposed Rule, the Colorado Securities Commissioner could consider the following factors to determine whether an adviser’s or dealer’s written procedures had been “reasonably designed”:

  • Size of the firm;
  • Relationships with third parties;
  • Policies, procedures, and training of employees;
  • Authentication practices;
  • Use of electronic communications;
  • Automatic locking of devices used to conduct the firm’s electronic security; and
  • Process for reporting lost or stolen devices.

Although Colorado’s Proposed Rule is not nearly as expansive or detailed as the cybersecurity regulations recently issued by the New York Department of Financial Services (which took effect March 1), we may be witnessing the beginning of a wave of state-level cybersecurity requirements applicable to entities in the financial services sector.

A public hearing on the Proposed Rule is scheduled for May 2, 2017.

FCC Broadband Privacy Rule Dead and Buried

The Federal Communications Commission (FCC) Privacy and Data Security Rule for broadband internet access service (BIAS) providers (the Privacy Rule) is dead. As we discussed here, the new rule that was set to start phased implementation was recently put on hold. We detailed what the Privacy Rule would have required in prior blog posts available here and here.

On Monday night, President Trump signed Senate Joint Resolution 34, nullifying the Privacy Rule. The resolution was passed under the Congressional Review Act, which also bars the FCC from reissuing a rule in substantially the same form in the future. With this repeal, it is unlikely that anything more than a significantly toned-down version of the Privacy Rule will be coming from the FCC anytime soon. This does not mean that the FCC cannot adopt any privacy rules, but any rules adopted would have to be substantially different from the nullified Privacy Rule, and likely would match the Federal Trade Commission (FTC) standards for internet privacy and data security.