Cloudflare Software Bug Causes Data Leak

Cloudflare, Inc., a provider of performance and security solutions for websites, recently disclosed that a software bug caused it to leak customer data that was then cached by search engines. Uber, Fitbit, and OkCupid sites may have been affected. While the leaked data is believed to contain private information, the extent of that information is unclear. End-user passwords, cookies, and authentication tokens used to log in to multiple website accounts may have been exposed. In an incident report published on its website, Cloudflare emphasized that customer SSL private keys were not leaked.

Tavis Ormandy, a security engineer with Google’s Project Zero, discovered the bug and contacted Cloudflare to report the issue. The bug had affected Cloudflare’s systems since September 2016; however, the greatest impact occurred between February 13 and February 18, 2017. According to Cloudflare’s incident report, its initial mitigation occurred within 47 minutes and the problem was fully resolved in less than seven hours. Cloudflare is working with search engines, including Google, Yahoo, and Bing, to scrub the leaked data from their caches.

NIST Issues Practice Guide for Electric Utilities

On February 16, 2017, the National Cybersecurity Center of Excellence released its draft practice guide for electric utilities, entitled “Situational Awareness for Electric Utilities.”

The guide was developed to provide an example solution that electric utilities can use to alert staff to a potential or actual cyber-attack directed at the electric grid. This will assist the electric utility sector in developing a more comprehensive approach to situational awareness of its environment and enhance the resilience of operations.

The draft Guide can be accessed here: Situational Awareness for Electric Utilities. It is open to public comment until April 17, 2017.

New York Financial Services Cybersecurity Regulations Go Into Effect on March 1

We have previously reported about the upcoming New York Financial Services Cybersecurity Regulations [view related posts here and here]. On February 16, 2017, Governor Andrew M. Cuomo announced that “the first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks will take effect on March 1, 2017.”

The regulation is being touted by New York officials as a “risk based” regulation, which requires financial services companies regulated by the New York State Department of Financial Services (DFS) to comply by implementing a cybersecurity program designed to prevent cyber breaches.

In addition, the regulation requires that the top levels of the company instill a culture of compliance into the organization and be responsible for the cybersecurity program, including certifying compliance to the Superintendent on an annual basis.

The regulation has specific requirements that must be included in the cybersecurity program, including designating a Chief Information Security Officer and appropriate oversight of the program.

The Superintendent of DFS will enforce the regulations. The regulations go into effect on March 1, 2017, and covered entities will be required to annually prepare and submit a Certification of Compliance to the Superintendent starting February 15, 2018.

$5.5 Million Shelled Out to OCR for Alleged HIPAA Violations

Florida Memorial Healthcare Systems has agreed to pay the Office for Civil Rights (OCR) $5.5 million to settle alleged HIPAA violations relating to an incident in April 2012 in which two employees accessed the patient information of 106,000 patients in an unauthorized manner and with criminal intent, including their names, dates of birth, and Social Security numbers.

This penalty matches the largest penalty paid to OCR so far, which was paid by Advocate Health Care. To read more, click here.

Report Summarizes Healthcare Data Breaches in January 2017

Health care data breaches are not slowing. According to a report issued by Protenus, in conjunction with, the summary of healthcare data breaches in 2017 continues where 2016 left off.

In January 2017, there were 31 data breaches reported to the Office for Civil Rights. The breaches resulted in the compromise of 388,307 patient and health plan members’ Personal Health Information (PHI).

The largest breach reported in January was by CoPilot Provider Support Services, which reported a data breach affecting 220,000 from an incident that occurred in October 2015.

The report noted that 40 percent of HIPAA covered entities that self-reported a data breach in January 2017 reported it outside the statutorily mandated “no later than 60 days” window under the HIPAA Breach Notification Rule. Hence the first payout by a health care provider (Presence Health) for a delayed breach notification [view post here]. The report notes that the average time for OCR to receive notification was 174 days, and that it took those organizations an average of 123.5 days to even discover the breach. The data breaches were reported by entities in 21 states.

The biggest culprit for the breaches? Insider incidents—both error and wrongdoing. Another reason to train and monitor employees.

FTC and Ten States Settle with Caribbean Cruise Lines for Robocall Accusations

This week, the Federal Trade Commission (FTC) and ten states settled charges against the Florida-based cruise line Caribbean Cruise Line, Inc. (CCL) for an illegal telemarketing campaign that inundated consumers with billions of unwanted robocalls. In settling these charges, CCL’s owner, Fred Accuardi, and all of his companies are barred from robocalling and illegal telemarketing. The settlement includes a judgment of $1.35 million, which will be suspended if the defendants pay $2,500. If the FTC finds that the defendants have misrepresented their financial condition, the entire judgment will become due.

This robocall campaign ran from October 2011 to July 2012 and averaged about 12-15 million illegal sales calls per day. The calls used a pre-recorded message asking consumers to take a short survey, after which they would receive a free two-day cruise; in reality, the calls were designed to market CCL cruises and up-sell packages.

This settlement comes after collaboration between the FTC and the Attorneys General of Colorado, Florida, Indiana, Kansas, Mississippi, Missouri, North Carolina, Ohio, Washington and the Tennessee Regulatory Authority.

Yahoo Data Breach Update: A Third Notification + Shareholders Sue

Last week, Yahoo issued another warning to some of its customers telling them that their personal information may have been compromised in a data breach. This is the third notification to Yahoo users that their information has been exposed [view related posts here and here].

The discovery was made during the investigation of the massive breach Yahoo reported last September. The notification states, “Based on the ongoing investigation, we believe a forged cookie may have been used in 2015 or 2016 to access your account.” The outside forensic firm has identified user accounts for which forged cookies were used, allowing the hackers to access those accounts without a password.

As if this isn’t enough, Yahoo shareholders filed a shareholders’ derivative suit in Delaware claiming that the company breached its fiduciary duty by failing to alert 1.5 billion users that their information was stolen by hackers. The main plaintiff is the Oklahoma Firefighters Pension and Retirement System. The suit is against Yahoo, the Chairman of the Board, the company’s co-founder and its CEO.

The Yahoo breach is reported to be the largest in history.

W2 Phishing Scam Hits Citizens Memorial Hospital

We continue to see all industries hit with W2 phishing scams, including the health care industry.

Citizens Memorial Hospital, located in Bolivar, Missouri, was hit with the scam when one of its employees believed that an email received from another employee was legitimate, and sent the W2s of its employees from 2016 to a hacker. Usually, the W2s are used by the hackers to then file false tax returns seeking a quick tax refund before the taxpayer files his or her return.

Employees continue to fall victim to the scheme as they do not check the email address to confirm that it is legitimate (by hovering over it), or do not pick up the phone or walk down the hall to confirm that the request is legitimate.

Providing employees with training and tools to combat these schemes will help keep them from becoming victims in the future.

The Defend Trade Secrets Act of 2016: A Year Later by the Numbers

It has been almost a year since the Defend Trade Secrets Act of 2016 (DTSA) took effect. Since Forbes Magazine called the DTSA the “Biggest IP Development in Years,” we thought it might be helpful to take a look at how often litigants have chosen to use the DTSA in federal cases this past year.

Let’s turn to the numbers. Looking at dockets for the First and Second Circuits since May 2016, we located only 31 complaints that included a claim under the DTSA. The vast majority of these cases were filed in the Southern District of New York (16), followed by the Eastern District of New York (6), the District of Connecticut (5), the District of Massachusetts (3), and only one case filed in the Western District of New York.

Approximately 20 of those cases remain pending, meaning a relatively small number of cases are proceeding to the close of discovery and trial as the first year of the DTSA draws to a close. These are the cases we will be monitoring to see whether, in fact, the DTSA is having a big impact on how litigants protect their trade secret data.

DJI Drone Manufacturer Hit with Class Action Lawsuit Over Firmware Update

Last week, a class action lawsuit was filed against drone industry leader DJI Technology, Inc. (DJI) for an allegedly harmful firmware update released in December 2015 that rendered certain commercial drones in its Phantom 2 line unable to record video or take photographs. DJI is accused of ignoring the injury that thousands of Phantom 2 drone owners faced in light of this damaging update. DJI allegedly refused to reimburse them, replace the product or take responsibility for the alleged flaw. The complaint states, “The lost functionality of the Phantom 2 drones occurred because the defective firmware update created and released by defendants, which critically affected the drones’ range extender and Wi-Fi modules, which are component parts of the drones.”

Lead plaintiff Kevin Sives of Pennsylvania says that DJI is responsible for loss of money and property due to the allegedly defective update. He seeks to represent a nationwide class (and a subclass of Pennsylvania residents fitting the same qualifications) of all purchasers of the Phantom 2, Phantom 2 Vision and Phantom 2 Vision + quadcopter drones who downloaded and installed the December 2015 DJI Vision update. Sives’ claims include breach of express warranty, breach of written warranty, breach of implied warranty, breach of the duty of good faith dealing, negligence and, for the proposed subclass of plaintiffs, breach of Pennsylvania’s unfair trade practices and consumer protection law. Sives is seeking general and punitive damages, a court order for DJI to repair or recall the Phantom 2 drones, and attorneys’ fees.