FDA Classifies St. Jude Defibrillators as Class 2 Recalls for Cybersecurity Updates

We have previously reported on the ongoing cybersecurity issues with St. Jude defibrillators [view related posts here, here, and here].

On June 29, 2018, the Food and Drug Administration (FDA) classified the required firmware updates to St. Jude defibrillators as Class 2 recalls, which is the medium-severity category of classifications that is applicable to issues where adverse health consequences are considered temporary or reversible.

The manufacturer of the defibrillators is pushing the firmware updates to approximately 740,000 units that are able to accept the update. The communication system to older devices that can’t accept the update will be disabled. Therefore, both the FDA and the manufacturer are recommending that patients with implantable cardioverter defibrillators and cardiac resynchronization therapy defibrillators get the updates during their next doctor’s visit.

Obviously, patients with older units should consult with their physician about next steps if their communication system will be disabled. The manufacturer recommends “a discussion of the risks of cybersecurity vulnerabilities and proven benefits of remote monitoring with patients at their next regularly scheduled visit.”

ReadyTech Settles With FTC Over Claims of Participation in Privacy Shield

Although the U.S. – E.U. Privacy Shield Framework has been intensely criticized by E.U. authorities, the Federal Trade Commission (FTC) continues to enforce violations of it by U.S. companies.

On July 2, 2018, the FTC issued a press release stating that it has settled its complaint against ReadyTech, a California-based online training company for “falsely” claiming that it was in the process of Privacy Shield certification when it was not.

According to the FTC, ReadyTech initiated a Privacy Shield application with the Department of Commerce (DOC) in October 2016, but never finished the application nor received confirmation of certification by the DOC. Nonetheless, ReadyTech held itself out as a company that was in the process of obtaining Privacy Shield certification in marketing materials. The FTC alleged that ReadyTech’s false claim that it was in the process of Privacy Shield certification violated the FTC Act as a deceptive act or practice.

The settlement requires ReadyTech to stop misrepresenting its participation in the Privacy Shield Framework and comply with standard reporting and compliance requirements.

The Consent Agreement will be published in the Federal Register and comments to it may be submitted through August 1, 2018.

This settlement is a strong reminder for companies to determine whether they have applied for Privacy Shield certification, how they are portraying certification in marketing or website materials, and to renew certification on a timely basis.

Millions of Adidas Customers Affected by Data Breach

Adidas has published a customer warning that its U.S. customers could be at risk from a security incident it discovered on June 26, 2018. In the warning, Adidas says that it will reach out to certain customers who purchased goods through its website with more details about the incident. It has been reported that the incident could have affected millions of Adidas customers.

Adidas says it is in the process of undergoing a thorough forensic review, but that the initial analysis indicates that the customer information compromised includes customers’ usernames, encrypted passwords and contact information. Even though it appears that usernames and encrypted passwords were involved, Adidas stated that it is not aware that any credit card or fitness information was compromised.

Nonetheless, those who have purchased items through the Adidas website may wish to consider changing their password for the Adidas platform.

FAA Questionnaire Seeking Input from Drone Operators

A few weeks ago the Federal Aviation Administration (FAA) sent a questionnaire to each person who has registered a commercial drone—that is, for purposes other than recreational or hobby use. The survey also included those registered under government departments and first responders. The FAA’s goal is to collect information on drone flight activities under Part 107 (the Small Unmanned Aircraft System (UAS) Rule) to help the FAA improve the services it delivers to the UAS community at large. The FAA hopes to encourage participation by limiting the questionnaire to about 10 minutes to complete.

The questions include information related to:

  • Number of drones registered
  • Number and types of missions completed in 2017
  • Primary locations where the operator flies
  • Types of waivers requested
  • How operators want to get information from the FAA about drone-related issues
  • How satisfied operators are with the new channels the FAA now uses.

The FAA encourages all drone operators who have yet to complete the survey to do so soon. We will report back on the results of this questionnaire and how it might help shape the FAA’s goals over the next phase of UAS integration into the national airspace.

Drone Regulations Withstand Challenge

The United States government’s ability to police hobbyist drone use was upheld by an appellate court last week. The U.S. Court of Appeals for the D.C. Circuit rejected arguments by John Taylor, a drone hobbyist, who successfully overturned the Federal Aviation Administration’s (FAA) system for registering unmanned aerial systems (UAS or drones) last year. Judge Merrick Garland said, “Because the rule is within the agency’s statutory authority and is neither arbitrary nor capricious, the petition for review is denied.” This decision stems from Congress’ passage of a law in 2012 that gave the FAA authority over drones while also exempting model aircraft flown by hobbyists who already followed certain safety rules instituted by a “nationwide community-based organization.” That led to Taylor’s claim that the FAA can’t set regulations over drone flights by hobbyists. Taylor used the 2012 law to argue successfully that the FAA’s drone registration system was not legal; however, Congress reinstated the registry months later.

Now, this new ruling is a win in the eyes of many companies engaged in the UAS industry that have repeatedly urged regulators to impose additional standards on drone hobbyists’ operations so those companies can more safely implement autonomous delivery systems that are currently being developed. This ruling also supports the FAA’s plan to release a rule that will allow flights over people while also requiring most or all drones to identify themselves with radio beacons.

Wildfire-Plagued Cities Look to Drones

With Independence Day fireworks now coming to an end, many cities in the Western United States are talking about the wildfire liability that comes with the use of fireworks over drought-stricken land. The alternative to fireworks? Well, possibly drones. This year in Aspen, Colorado, the city put on its annual Fourth of July show using drones outfitted with LED lights instead of fireworks. Debbie Braun, President of the Aspen Chamber Resort Association, said, “This year we realized it was a low snow year, so we realized we were going to be at risk. So we started innovating, and that is how we came upon the drone show.” She added, “It [was] a fabulous alternative to fireworks, which we really think is going to be the new norm going forward.” To watch some video from the company that launched this drone show in Aspen, click here.

Privacy Tip #147 – If You Use Timehop Listen Up!

Timehop, an app that allows users to find and claim old photos and posts on social media, has reported a data breach of its cloud computing environment on July 4, 2018, which compromised 20.4 million accounts, 3.8 million of which are in the GDPR zone.

According to an updated posting on its website yesterday, the information that was compromised includes users’ names, addresses, dates of birth, gender, country codes and telephone numbers. Further, access tokens provided to Timehop by its social media providers were also taken, which would allow the intruder to view social media posts without users’ permission.

Therefore, Timehop terminated the tokens and they can no longer be used. Timehop provided a very transparent list of information that was contained in the database so customers can confirm that no financial or Social Security numbers were involved.

Timehop should be commended for its transparency with regard to the amount of information it provided over the past week. It states on its website posting that it is trying to provide as much information as possible during the investigation (which is really difficult), but others have reported that they also were trying to comply with the new 72-hour reporting requirement for GDPR. This is a clear illustration of the difficulty that companies will face with an onerous GDPR notification requirement when all of the facts of the incident aren’t known. It adds confusion to the notification process to consumers when the facts change.

At any rate, if you have downloaded and use Timehop, take a look at Timehop’s website posting about the incident (https://www.timehop.com/security). Following the intrusion, Timehop implemented two-factor authentication and will require users to log in and reauthenticate each service to continue using the app. In addition, user streaks have been frozen and maintained. Since Timehop had users’ telephone numbers, it is also recommending that users “take additional security precautions with your cellular provider to ensure that your number cannot be ported” by adding a PIN to your account.

Missouri Hospital Diverts Patients, Shuts Down EHR due to Ransomware Attack

On July 9, 2018, Cass Regional Medical Center (CRMC) in Harrisonville, Missouri, was hit with a ransomware attack that led to a complete shutdown of its electronic health record (EHR) and the diversion of trauma and stroke patients.

According to CRMC, the attack affected CRMC’s internal communications system and “access to” its EHR. In response, Meditech (CRMC’s EHR vendor) shut down the EHR system until the attack is resolved, although CRMC maintains that there is no indication that patient information has been breached. CRMC has engaged a cyber forensics firm to investigate the attack, and restoration of the EHR is pending the results of that investigation. As of July 10, CRMC estimated that restoration of its systems was 50 percent complete, and its EHR remained offline. As a precautionary measure, CRMC also diverted ambulances carrying trauma and stroke patients to other facilities to assure “optimal care” for such patients.

The attack on CRMC demonstrates the significant risks that ransomware attacks pose to hospitals and health systems, risks that are exacerbated by such organizations’ heavy reliance on EHR systems. The proliferation of ransomware attacks targeting health care organizations (and the valuable data they hold) highlights the need to proactively address data security systems and breach-response procedures, both to reduce the risk of attacks and to enable organizations to respond quickly and (hopefully) limit the damage in the event of an attack.

For more information on ransomware attacks, please see previous Data Privacy and Security Insider posts here.

Second Circuit Upholds Conviction Under the CFAA, Rejecting Argument That the Law Is Unconstitutional

In a recent decision, the federal Court of Appeals for the Second Circuit (which covers New York, Connecticut, and Vermont) affirmed the conviction of an Italian citizen for misdemeanor computer intrusion in violation of the Computer Fraud and Abuse Act of 1986 (CFAA). The decision is noteworthy in that, among other things, the Second Circuit rejected a challenge to the statute as being unconstitutionally vague.

According to the Court’s summary of the underlying facts, the defendant in the case, Fabio Gasperini, was the mastermind behind a computer virus that affected QNAP-brand computers specifically designed for the storage of data. The virus installed malware; once a computer was infected, the attacker installed a “backdoor” account that provided unrestricted access to and control over the computer’s data, and also blocked other hackers from getting onto the computer. The infected computer was then instructed to scan the internet for other computers with the same vulnerability and infect them. In this way, the attacker created a “botnet”—a network of infected computers within the attacker’s control. The virus accomplished many tasks, including copying username and password files from the infected computer to a server, directing the infected computer to click on certain advertisements, and prompting the botnet to launch coordinated attacks on specific websites.

Once the virus was detected, the subsequent investigation revealed that more than 155,000 computers were infected worldwide, with many of them located in the United States. Investigators identified Mr. Gasperini, an Italian citizen, as the creator of the virus and perpetrator of the various attacks. Further, Gasperini was linked to a related “click fraud” scheme, in which the botnet computers clicked on certain advertisements for websites registered in his name which in turn earned him money from an advertising company for each ad viewed on the websites.

A grand jury charged Gasperini with felony crimes of computer intrusion with intent to defraud, for financial gain, and in furtherance of criminal acts; wire fraud; and money laundering. However, after a jury trial, Gasperini was acquitted of all felony charges and convicted only of misdemeanor computer intrusion, a lesser-included crime, in violation of a provision of the CFAA which punishes anyone who “intentionally accesses a computer without authorization…and thereby obtains…information from any protected computer.” 18 U.S.C. § 1030(a)(2)(C).

Gasperini appealed his conviction, arguing that the statute was unconstitutionally vague because it did not define the terms “access,” “authorization,” and “information,” and because the definition of “protected computer” was overbroad. Reviewing the district court’s decision for plain error, the Second Circuit noted that Gasperini had cited no authority from any court holding, or even suggesting, that the statute is unconstitutionally vague. Further, the Court found that there was no due process violation, as the statute adequately provided a person of average intelligence fair notice of what activity was prohibited, and Gasperini’s conduct fell “squarely and unambiguously within the core prohibition of the statute.”

The Court also rejected Gasperini’s contention that certain evidence should have been suppressed at trial, including evidence obtained pursuant to search warrants issued under the Stored Communications Act (SCA) and evidence obtained during searches of his home in Italy by Italian law enforcement officers pursuant to an Italian warrant. The Court found that suppression of evidence is not a remedy available for violation of the SCA. As for the searches done in Italy, Gasperini argued that the Italian officials acted at the behest of American law enforcement officials, thus making them subject to U.S. constitutional requirements for searches. However, the Court found that the U.S. officials did not control or direct the conduct of the Italian investigation, and that a mere request for a search is not sufficient to show control.

As for Gasperini, he was sentenced to a one-year prison term (the maximum allowed). Interestingly, for sentencing purposes, the trial judge found that the government had proven, by a preponderance of the evidence, that Gasperini had committed the felony offenses with which he had been charged. It is unclear from the decision why the jury let him off the hook for the felony charges and only found him guilty of a misdemeanor. Gasperini has already served his one-year sentence and has been deported to Italy.
