New Ransomware Campaign Socks Victims with One-Two Punch

Cybercriminals have launched a new campaign that hits victims twice. First, the ransomware demands a ransom to have the victim's data decrypted. Second, when the victim is directed to a PayPal account page to pay the ransom and obtain the decryption key, that PayPal page is fake, and the criminals harvest the victim's PayPal login credentials as soon as the victim lands on it. On top of that, when the victim enters credit card information on the fake page to pay the ransom, the cybercriminals steal the credit card information as well.

The fake PayPal site after http:// is[.]php, which is clearly fake and should be identifiable as a fake web page, but apparently it has duped many victims.

The ransomware campaign was discovered by MalwareHunterTeam. It is unknown whether the victims get the decryption key after the one-two punch, but it seems unlikely with this evil scheme.

CCPA – What is it and What Does Your Business Need to Know?

The California Consumer Privacy Act of 2018 (CCPA) is here and it’s best to start now to learn what this law is, who it applies to, and what you and your business can do to be prepared. This article is a follow-up to our earlier post on the CCPA.

Although the Act was passed in 2018 and signed into law by Gov. Jerry Brown on June 28, 2018, the effective date is January 1, 2020, with a six (6) month delay in enforcement after that date. As we all know well, that date will be here before you know it. Systems take time to program, and lawyers and others need time to analyze and interpret definitions and provisions on behalf of their business clients. Add to that, the regulations to the CCPA still need to be developed, and we are currently in the midst of the California public hearing process, whereby the Attorney General of California has undertaken a series of public hearings to hear and receive public comment about the CCPA.

What we know right now is that the CCPA deadline is coming soon. What is this broad privacy law? Who does it apply to? What protections are included for consumers? How does it affect businesses? What rights do consumers have regarding their personal information? What happens if there is a violation? These are some of the questions we’ll try to answer in the coming weeks, and we’ll begin by explaining the purpose of the CCPA, the types of businesses impacted, and the rights that the CCPA gives to consumers regarding their personal information.

It’s no surprise that the state of California tackled data privacy law in such a big way. News reports from 2018 rank California’s economy as the fifth largest in the world, and science and technology are a big sector of that economy. The CCPA’s stated legislative purposes describe how California’s role as a world leader in technology, the proliferation of personal information shared by consumers with businesses, and the right of privacy of California residents all intersected in the development of this comprehensive law. Cal. Civ. Code Sec. 2.

One of the most critical facts to know is that the CCPA not only applies to consumers, but also applies to for-profit businesses that do business in the state of California. A business is defined as one that collects consumers’ personal information, has more than $25 million in revenue, alone or in combination, and annually buys, receives for the business’s commercial purposes, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices, or derives 50% of its annual revenues from selling consumers’ personal information. Cal. Civ. Code §1798.140. A key fact to note from this definition is that the CCPA applies to any business that “does business in the State of California,” not just businesses residing or incorporated in California.

The CCPA is a consumer-directed law that empowers a consumer to determine how a business can store, retain and use their personal information. The CCPA gives consumers a set of rights about the personal information that businesses collect about them, and it then directs those businesses that possess that personal information as to what they can or must do with it. It’s quite empowering for a consumer to be able to tell a big corporation: I don’t want you to sell my personal information, or I want you to delete my personal information. The rights of consumers and the obligations of businesses are distinct but intertwined in this law: on one side are the rights of consumers, and on the other, the obligations of businesses to comply with the directions of their customers and consumers.

The consumer’s rights are broad and summarized generally:

  • The right to request that a business that collects a consumer’s personal information disclose to that consumer the categories and specific pieces of personal information the business has collected;
  • The right to request that a business delete any personal information about the consumer which the business has collected from the consumer;
  • The right to request that a business that collects personal information about the consumer disclose broad categories of information, including the categories of information it has collected about that consumer, the sources from which the personal information is collected, the business or commercial purpose for collecting or selling the personal information, the categories of third parties with whom the business shares personal information, and the specific pieces of personal information it has collected about that consumer;
  • The right to request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose certain categories of personal information to that consumer;
  • The right to, at any time, direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information – known as the right to opt out.

Cal. Civ. Code §§1798.100, 105, 110, 115, 120.

The challenge for businesses will be to understand the rights of consumers and how to translate those rights and requirements into business operations, processes and practices to ensure compliance with the law. In the coming weeks, we’ll focus on understanding these challenges, as well as many other provisions, including how the CCPA will impact businesses with respect to the personal information of children under the age of 16. It is certainly worth mentioning at the outset that penalties for violations can be up to $7,500 per incident. Doing the math, even a small data breach affecting 1,000 customers could cost a business $7.5 million.

Judge Rules Biometric Identifiers Can’t Be Used to Unlock Phone

A federal magistrate judge in California has ruled that law enforcement personnel may not require suspects to unlock their phones with biometric identifiers like a fingerprint, iris scan or facial recognition, saying the practice is unconstitutional.

The decision followed the request for a search warrant in an extortion case. The prosecutors asked for an order to search digital devices in a residence and to require any individuals present in the residence to unlock the devices using their fingers or other biometric information, including iris or facial recognition.

The prosecutors were investigating an extortion case where the targets of the search warrant were allegedly using Facebook Messenger to threaten a victim with releasing an embarrassing video of the victim if the victim did not pay them. The judge held that there were other methods the prosecutors could use to obtain the information that did not violate the Fifth Amendment, including a subpoena to Facebook or with a warrant based on probable cause.

The judge found that there were sufficient facts to support a warrant to search the property, but not to require the residents to unlock their phones and left the door open for the prosecutors to apply for another warrant.

Do You Have a WISP?

Although the Massachusetts Data Security Regulations went into effect March 1, 2010, I still find that many companies have not implemented a Written Information Security Program (WISP) and don’t know that they are required to do so.

According to the regulations, any companies or persons who store or use personal information of a Massachusetts resident must develop and implement a WISP that outlines the measures the company is taking to protect the personal information of Massachusetts residents. Personal information is defined as a Massachusetts resident’s first and last name or first initial and last name in combination with 1) a Social Security number; 2) a driver’s license number or state-issued identification card number; or 3) financial account number, or credit or debit card number with or without a required security code, access code, personal identification number or password that would permit access to the account.

This basically means that any company or person that has an employee, customer or vendor, or that takes credit cards or debit cards for payment, must have a WISP in place. The law is very broad in its reach, and its purpose is to protect consumers from identity theft and fraud.

The statute has very specific requirements about what has to be included in the WISP, including (this is not an exhaustive list):

  • A designated person to maintain, review and update it
  • A risk assessment
  • Security policies
  • Access controls and termination of access rights
  • A vendor management program, with compliance with the data security regulations included in contracts with vendors that have access to personal information
  • Restrictions on physical access to personal information
  • Monitoring of the program so it stays relevant and up to date with new technology and risks
  • Review of the program at least annually
  • Employee education on the content of the program

Where we find clients struggle with developing and implementing the WISP is after it is approved and in place: companies don’t include it in security education and awareness training (which is required), don’t update it as internal processes change, and don’t review it annually. They forget about it until the Massachusetts Attorney General asks for it, which is common following a reportable data breach.

So check to see if you have a WISP and if not, let’s get one in place. Then determine next steps on how to comply with it, educate your employees on the content, determine which vendor contracts may need to be amended or updated to include the requirement for vendors to certify that they comply with the regulations, and set up a process to review it annually.

We used the Massachusetts regulations as an example because they were the first to be implemented, but other states have followed and will continue to follow, as will other industry-specific requirements, so all companies should review whether a WISP may be an appropriate part of their enterprise-wide privacy and security plan.

Standard CGL Aircraft Exclusion Barred Liability Coverage

A California federal judge held that a standard comprehensive general liability (CGL) aircraft exclusion barred liability coverage for injuries suffered as a result of drone operations. The injuries occurred when a wedding photographer used a drone to capture images at a wedding reception and the drone hit a guest who sustained serious injuries, including loss of sight in one eye. The court determined that the insurance company could recover the costs incurred by the company in defending the wedding photographer because an “aircraft” (as defined by Merriam-Webster’s Collegiate Dictionary) was excluded from the CGL, and therefore, the company was not obligated to defend the photographer against the suit filed by the injured guest.

Generally, CGL policies can provide liability coverage for drone operations by endorsement. However, many CGL policies do not provide property coverage for the drone or its cargo; they provide liability coverage only. On the other hand, a specialty drone policy will generally provide liability coverage for drone operations as well as property coverage for the drone itself.

Many insurance companies that offer these specialized drone policies also offer comprehensive coverage for companies that regularly conduct drone operations. Before your company flies a drone or hires a third party to conduct a drone operation on its behalf, check the scope of your CGL and understand what it does and does not cover in the event of an injury or property damage.

Privacy Tip #173 – Cell Phone Geolocation Data Being Sold

We previously cautioned that telephone companies sell customer data to third parties, including location data. Last year, the telecom industry pledged to stop the practice after pressure by members of Congress.

Earlier this month, Joseph Cox of Motherboard released “I Gave a Bounty Hunter $300. Then He Located Our Phone,” which outlined how he gave an individual (called a bounty hunter) his phone number, and the individual was able to find the “current location of most phones in the United States.” When he did so for Mr. Cox, the bounty hunter was able to locate the phone within a few blocks of its actual location.

According to Mr. Cox, “The bounty hunter did this all without deploying a hacking tool or having any previous knowledge of the phone’s whereabouts. Instead, the tracking tool relies on real-time location data sold to bounty hunters that ultimately originated from the telcos themselves…” The article is fascinating and can be accessed here.

It is better to read it than for me to try to do it justice, but the thing I want to know is whether your location can be tracked if your location-based services are turned off. I would love for someone to send me the answer, as I am a big fan of only using location-based services when absolutely necessary (like when using ride-sharing apps or navigation). This is a tip to consider, particularly after reading the article.

Physician Convicted of HIPAA Violation Receives Probation

According to reports, a Georgia-based physician who previously pleaded guilty to criminal violations of the Health Insurance Portability and Accountability Act (HIPAA) received six months of probation from a Massachusetts federal judge earlier this week.

The physician – a pediatric cardiologist – pleaded guilty in February 2018 to a misdemeanor count of wrongful disclosure of individually identifiable health information in violation of HIPAA, and had faced up to one year of imprisonment. The physician was prosecuted by the Department of Justice (DOJ) in Massachusetts in connection with DOJ’s investigation into Massachusetts-based pharmaceutical company Aegerion for misbranding its prescription drug Juxtapid. As part of its resolution of the Aegerion investigation, Aegerion agreed to enter into a deferred prosecution agreement for criminal violations of HIPAA. According to the DOJ, the physician in this case allowed Aegerion sales representatives to access the confidential medical information of patients who were not diagnosed with a condition treated by Juxtapid in order to identify potential candidates for the drug, in violation of HIPAA’s prohibition on wrongful disclosures of health information.

The resolution of this criminal HIPAA prosecution with a non-custodial sentence is similar to the outcome of another recent criminal HIPAA case brought by DOJ in Massachusetts (see a report on the sentence in that case here, and our previous analysis here). Nonetheless, these cases underscore the significant potential criminal liability for violations of HIPAA, and the importance for health care providers of maintaining appropriate boundaries with pharmaceutical companies and their employees.

California AG’s Office Begins CCPA Rulemaking Process with Series of Public Forums

On January 8, 2019, the California Department of Justice hosted the first in a series of six public forums on the California Consumer Privacy Act (CCPA). The forums offer the public an opportunity for comment in advance of the drafting of regulations by the state Attorney General’s office. These regulations are seen as particularly significant given the rushed legislative process, which resulted in a perceived lack of clarity in several key provisions of the CCPA.

Marriott Confirms Over 5 Million Passport Numbers Stolen in Data Breach

Marriott International Inc. has released new numbers relating to the breach of its Starwood Hotels reservation database, stating that 5 million passport numbers were stolen from the database.

After further investigation, Marriott states that the information of fewer than 383 million guests (as opposed to 500 million) was exposed. The compromised data for these guests includes combinations of names, addresses, telephone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, gender, date of birth and travel information. Of that number, 5.25 million guests’ passport numbers were compromised.

The unauthorized access to the Starwood Hotels reservation database started sometime in 2014 and was discovered on November 19, 2018.

Neiman Marcus Settles Data Breach Litigation for $1.5 Million

Neiman Marcus Group LLC has settled an investigation of its 2013 data breach with 43 states and the District of Columbia for $1.5 million. The data breach involved 370,000 credit cards, where 9,200 of the cards were used in a fraudulent manner.

Illinois Attorney General Lisa Madigan and Connecticut Attorney General George Jepsen led the investigation on behalf of the other AGs. As a result of the settlement, the AGs in all of the states that were involved will not pursue separate claims against Neiman Marcus, and Neiman Marcus has agreed to take steps to beef up its security measures to prevent a breach from occurring again.