Almost Entire Ecuadorian Population Affected by Massive Data Breach

The Ecuadorian Ministry of Telecommunications and Information Society has announced an investigation into data analytics company Novaestrat after news broke this week that the company had left an Elasticsearch server exposed on the internet with no password protection, so anyone who found it could read the data.

According to officials, Novaestrat was not supposed to have the data in the first place. The data included nearly 21 million records on Ecuadorians, including 6.7 million children, 7.5 million financial and banking records, and 2.5 million records relating to car ownership.
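The server at the center of this story was open for the most ordinary of reasons: an Elasticsearch node bound to a public interface with no authentication turned on. Before version 8.0, the free (basic license) distribution of Elasticsearch shipped with security off unless the operator enabled it, so a cluster that was reachable was usually also unauthenticated. The script below is an added example, not code from the original post or from Novaestrat; it audits an elasticsearch.yml for that combination and prints the findings, with a weak configuration beside a hardened one. Both configurations are constructed samples, and the flat key: value parser is an assumption (it handles the dotted-key style the file normally uses, not nested YAML blocks).

```python
"""Audit elasticsearch.yml for the 'reachable and unauthenticated' combination.

Added example with constructed sample configs; not the original page's code.
"""
import re

# Constructed sample: the kind of configuration behind an "open server" story.
WEAK_CONFIG = """\
cluster.name: analytics-prod
node.name: node-1
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # REST API answers anyone who connects
"""

# Constructed sample of the hardened equivalent (6.8 / 7.x style settings).
HARDENED_CONFIG = """\
cluster.name: analytics-prod
node.name: node-1
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
"""

_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*:\s*(.*?)\s*$")
_LOOPBACK = {"", "_local_", "localhost", "127.0.0.1", "::1"}


def parse_settings(text):
    """Flat parser for dotted `key: value` lines (assumption: no nested YAML).

    Comments and blank lines are skipped; values are unquoted and lowercased.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]      # drop trailing comments
        match = _LINE.match(line)
        if match:
            settings[match.group(1)] = match.group(2).strip("\"'").lower()
    return settings


def audit_elasticsearch_config(text):
    """Return a list of findings for one elasticsearch.yml; [] means clean."""
    settings = parse_settings(text)
    findings = []

    # network.host may be a single value or a bracketed list; the default
    # (_local_) binds loopback only.  Anything else is reachable off-box.
    host_value = settings.get("network.host", "_local_")
    hosts = [h.strip() for h in host_value.strip("[]").split(",")]
    exposed = any(h not in _LOOPBACK for h in hosts)
    if exposed:
        findings.append("network.host=%s: HTTP API reachable from other hosts"
                        % host_value)

    # Assumption: pre-8.0 basic-license default is security OFF when unset.
    security_on = settings.get("xpack.security.enabled", "false") == "true"
    if not security_on:
        findings.append("xpack.security.enabled is off: no authentication "
                        "on the REST API")
    if exposed and not security_on:
        findings.append("CRITICAL: reachable and unauthenticated; anyone who "
                        "can connect can read every index")

    # With security on, the HTTP layer still needs TLS or credentials and
    # documents cross the wire in clear text.
    if security_on and settings.get("xpack.security.http.ssl.enabled",
                                    "false") != "true":
        findings.append("xpack.security.http.ssl.enabled is off: credentials "
                        "and data sent in clear text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print("%s config:" % label)
        for finding in audit_elasticsearch_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run it against a real elasticsearch.yml by reading the file into audit_elasticsearch_config; an empty list is the only acceptable result for a node that holds personal data. The check is static, so it cannot see a firewall or reverse proxy in front of the node, and it should be paired with a probe from outside the network to confirm port 9200 is not answering.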

According to reports, the Ecuadorian government believes the company obtained the information of almost all of the country’s citizens when it was awarded government contracts during the former political regime between 2015 and 2017.

The government reacted quickly, and following the announcement of the investigation, law enforcement raided Novaestrat’s office, seized computers and arrested Novaestrat’s general manager.

The data breach is the largest in Ecuador's history.

California CCPA Amendment Update: Here’s What Passed

The California legislature passed six amendments to the California Consumer Privacy Act (CCPA) that are on their way to Governor Gavin Newsom’s desk. The Governor has until October 13, 2019, to act on the amendments. With the end of the legislative session on September 13, this means that should the Governor sign all the amendments, the CCPA will take effect on January 1, 2020, as planned, with a few changes.

What do the amendments mean for businesses and consumers? Probably the most significant changes are those with respect to the exclusion of employee information and B2B communications and transactions for one year, until January 1, 2021. Another important change would eliminate the requirement of a toll-free number as one of the two methods for consumers to submit requests for businesses that operate exclusively online. The legislature also made a couple of changes regarding verifiable consumer requests; notably, adding the requirement that if a consumer already has an account with a business, the consumer request must be made through that account, and adding additional language giving the California Attorney General (AG) additional rulemaking authority with respect to verifiable consumer requests.

Why Having a Chief Data Ethics Officer is Worth Consideration

Emerging technology has vastly outpaced corporate governance and strategy, and the use of data in the past has consistently been “grab it” and figure out a way to use it and monetize it later. Today’s consumers are becoming more educated and savvy about how companies are collecting, using and monetizing their data, and are starting to make buying decisions based on privacy considerations, and complaining to regulators and law makers about how the tech industry is using their data without their control or authorization.

Although consumers’ education is slowly deepening, data privacy laws, both internationally and in the U.S., are starting to address consumers’ concerns about the vast amount of individually identifiable data about them that is collected, used and disclosed.

Data ethics is something that big tech companies are starting to look at (rightfully so), because consumers, regulators and lawmakers are requiring them to do so. But tech companies should consider treating data ethics as a fundamental core value of the company's mission, and should determine how it will be addressed in their corporate governance structure. I teach the value of data ethics in both the Executive Masters of Cybersecurity program at Brown University, as well as the Privacy Law class at Roger Williams University School of Law. Young executives and lawyers should be thinking about data ethics for the future.

Companies that are thinking about data ethics in a new way are hiring Chief Data Ethics Officers, sometimes referred to as CXOs. Data science does not traditionally teach data ethics, but with the advent of artificial intelligence, and the biases that may be inherent in AI, the discussion is delving into a new realm and considering how to address whether products come to market, whether biases may have societal implications, and whether the use of data is the “right thing to do.”

Data ethics is important to consider when developing new products and services, and hiring a Chief Data Ethics Officer will help promote a company culture devoted to determining the appropriate collection, use and disclosure of data going forward, instead of the “grab and monetize” attitude of the past. Consumers will appreciate the ethical considerations given to their data, and will make purchasing decisions that take into account the care taken by companies in handling their data.

Privacy Tip #208 – LastPass Patches Bug that Leaks Passwords

I am not a big fan of putting all of one's passwords in one place, but many people use password managers. If you use LastPass (see previous blog posts about LastPass here and here), be aware that a Google Project Zero researcher recently reported a vulnerability in the LastPass browser extension for Chrome and Opera that made it possible for a website to steal credentials. (LastPass subsequently announced that it has addressed the identified vulnerability.)

The bug was in the extension's pop-up mechanism. Because of it, a website could get the extension to offer up the credentials LastPass had last filled in that browser tab, rather than only the credentials saved for the site actually being visited, and without the user having to enter anything.

The attack vector is clickjacking, and the result, in the researcher's words, is that an attacker "can leak the credentials for the previous site logged in for the current tab." A malicious page disguises or overlays the extension's pop-up so that a user who believes they are clicking an ordinary link is actually driving the extension to fill the previous site's credentials into the attacker's page.

Many security experts favor password managers as a way to manage complex passwords. I am always concerned about the risk of storing all passwords in one place and the possibility that they could be compromised in one fell swoop, which has happened before to LastPass. When using a password manager, consider adding the additional security measure of multifactor authentication as well. Keep in mind that multifactor authentication on the manager protects the vault itself; it does not stop a bug like this one, which leaks credentials the unlocked extension is already willing to fill. Turning on multifactor authentication for the individual accounts stored in the manager limits what a leaked password is worth.

School System Victimized by Second Ransomware Attack in Months

The Wolcott school system in Wolcott, Connecticut has been recovering for four months from a ransomware attack that hit its system at the end of the school year. Last week, it was hit with a second attack. According to reports, the cyber criminals behind the recent ransomware attack were holding teacher lesson plans hostage. The school system shut down its computer system again and is devoting resources to combating the recent attack. Needless to say, this situation is chaotic for the school system.

Hackers are criminals and will try to victimize any system they can. It is unknown whether this was a random or coordinated attack when the cybercriminals knew the school system was recovering from the previous attack. Was it retaliation for not paying the ransom? Maybe. Was it a random attack that found another vulnerability to get through? Maybe. I don’t know the answer, but the reality is that municipalities and school systems are being targeted like never before, and paying ransom to the criminals is not the answer to the problem. When criminals get paid for their crime, they are incentivized to continue attacking victims. The problem will not be solved by paying the criminals for their crimes.

Municipalities and school systems are targets because of a lack of resources. Only when adequate resources are provided to implement basic cyber hygiene, employees are given education to combat intrusions, and backup programs are implemented will the root of the problem start to be addressed. Taxpayers do not want their local governments to pay ransom to criminals. But taxpayers must be willing to put adequate resources into protecting the information systems of their local governments or we will never be able to combat this cyber epidemic.

NIST Privacy Framework Draft Released

The National Institute of Standards and Technology (NIST) recently released its draft Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management (Privacy Framework).

What is the NIST Privacy Framework?

First, what is NIST? NIST was founded in 1901 and is now part of the U.S. Department of Commerce. According to the NIST website, it is one of the nation's oldest physical science laboratories, involved in a variety of industries and technologies, from nanomaterials to the smart electric power grid. NIST's Information Technology Laboratory focuses on the priority areas of Cybersecurity, Internet of Things, and Artificial Intelligence. NIST security standards are well known in the cybersecurity field.

The Privacy Framework is a voluntary tool to help organizations and to "foster the development of innovative approaches to protecting individuals' privacy; and increase trust in systems, products, and services." With the release of the Privacy Framework, NIST recognizes that privacy risks and cybersecurity risks are interconnected, and the Privacy Framework provides a flexible tool that can be used to explore that interconnection.

What Can Organizations Do with the NIST Privacy Framework?

In Section 3.0 of the draft Privacy Framework, it states that “the Privacy Framework can assist an organization in its efforts to optimize beneficial uses of data and the development of innovative systems, products, and services while minimizing adverse consequences for individuals. The Privacy Framework can help organizations answer the fundamental question, ‘How are we considering the impacts to individuals as we develop our systems, products, and services?’”

According to the draft, the Privacy Framework can be used for risk management, to strengthen accountability within an organization, and to establish or improve a privacy program. From a practical standpoint, privacy concerns can be incorporated into product development, service delivery, and supply chain management. Organizations may be able to use the Privacy Framework as they seek to mitigate privacy risks in the development of products and services as well as when they store, collect, process, or sell data. Considering the impact to individual privacy in the development of new technology is a key to protecting that privacy.

NIST is accepting public comments on the draft Privacy Framework until 5 p.m. EST on October 24, 2019.

$267 Million Judgment Against Debt Collector for TCPA Violations

On September 10, 2019, U.S. District Judge Yvonne Gonzalez Rogers of the Northern District of California entered a $267 million judgment against a debt collection agency, Rash Curtis & Associates (Rash Curtis), for its violation of the Telephone Consumer Protection Act (TCPA) through over 534,000 unsolicited robocalls. This judgment comes after a May jury trial in which the jury found for the plaintiff, Ignacio Perez, and the class of consumers, based on the finding that Rash Curtis made over 501,000 calls to class members using its Global Connect dialer, 2,600 calls using a VIC dialer and more than 31,000 calls using a TCN dialer. Rash Curtis made 14 unwanted calls to Perez using the Global Connect dialer and an artificial or prerecorded voice. All of these actions are prohibited by the TCPA without prior express written consumer consent.

Each class member will receive $500 per call, totaling $267 million. Perez will receive a separate award of $7,000 for the calls he received in violation of the TCPA. This judgment covers all individuals who received these unsolicited calls between June 17, 2012, and April 2, 2019, but excludes anyone who provided their cell phone numbers in credit applications to a creditor that had opened an account with Rash Curtis in that debtor’s name prior to Rash Curtis placing its first call to that individual.

Municipalities and School Systems: Educate Your Employees

The pace and number of cyber-attacks against municipalities and school systems is staggering, the likes of which we have never seen. Municipalities and school systems are obvious targets for cyber criminals, as it is well known that they lack the resources to implement measures to combat cyber-attacks.

Nearly all of the attacks that we've written about or are following began with an employee clicking on a link or attachment in a phishing email that delivered malicious code known as malware. One form of malware is ransomware, which encrypts files and locks users out of the system until a ransom is paid.

If that employee had not clicked on that link, the attack would not have been successful. Hackers are inherently lazy and will not keep trying to get into a locked door. They will move on and find the next open one.

These incidents will continue to happen because local governments do not have adequate resources, so another step is to arm employees with knowledge and education about how they can be part of the solution by not clicking on malicious links or attachments.

The City of Ridgefield, Connecticut is on the right track. They know how important employees are to protecting data. They are providing their employees with education about data security, including phishing attacks, and testing their employees without their knowledge. This is a good start and way that municipalities can start to prevent these attacks from locking down their system.

Another idea is to put resources into a data backup system so that when an attack occurs, the municipality or school system can restore the data instead of paying a ransom. For backups to serve that purpose, at least one copy must be kept offline or otherwise out of reach of the compromised network, since ransomware routinely encrypts or deletes any backups it can reach, and restoring from the backups should be tested before it is needed.

The reality is that these attacks will continue. Putting measures in place to prevent and restore systems when they happen will diminish the chaos that occurs following a successful attack.

Privacy Tip #207 – Digital Assets

I haven't written about digital assets in a while, and I was reminded of the importance of putting digital assets into your estate plan this week in a conversation with a colleague.

After my experience of serving as the executor of three estates, it became clear to me how important it is to include digital assets into an estate plan. Including these assets and the information needed by heirs and executors to assemble and distribute digital assets in an estate plan can make a dramatic difference in the orderly and efficient administration of an estate.

Discuss your digital assets and the information that is needed for your heirs and executor with your estate planning professional when conducting estate planning.

For First Time Ever, Government Brings HIPAA Enforcement Action Alleging Violations of Right to Access Medical Records

On September 9, 2019, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that it had settled its first ever HIPAA enforcement action arising from alleged violations of the individual right to access health information under HIPAA. OCR entered into a settlement with Bayfront Health St. Petersburg (Bayfront) in response to allegations that it failed to provide a mother with timely access to medical records concerning her unborn child. Under the terms of a resolution agreement, Bayfront agreed to pay $85,000 and enter into a one-year corrective action plan (CAP).

OCR initiated an investigation of Bayfront in response to a 2018 patient complaint. According to OCR's investigation, the patient initially submitted a written request for fetal heart monitor records in October 2017, and subsequently submitted follow-up requests through counsel in January and February of 2018. Bayfront allegedly did not provide a complete set of records to the patient's counsel until August of 2018, and the patient reportedly did not receive the records directly until February 2019. OCR's investigation thus "indicated that Bayfront failed to provide access" to PHI about the patient in a designated record set, in accordance with 45 C.F.R. § 164.524. Bayfront did not admit liability as part of the resolution agreement.

Under the terms of the CAP, Bayfront is obligated to update its written access policies to comply with HIPAA, and provide HHS with access to those policies within 60 days for review and approval. The policies must include provisions addressing HIPAA’s right of access, as well as protocols for training of workforce members and sanctions for non-compliant workforce members. Bayfront will also be obligated to submit an implementation report within 120 days after receiving HHS approval of the policies and procedures, and an annual report that includes training materials on the new HIPAA policies and procedures, as well as attestations of compliance with the CAP’s requirements.

This enforcement action is part of OCR’s new “Right of Access Initiative” that is intended to “vigorously” ensure that patients are able to “receive copies of their medical records promptly and without being overcharged.” Health care providers and other entities subject to HIPAA would therefore be well-advised to review their policies and procedures for providing access to medical records, because potential violations of HIPAA’s right to access are under heightened governmental scrutiny at this time.