Federal Reserve White Paper on Synthetic Identity Payments Fraud—A Growing Problem in the U.S. That Affects Consumers, Businesses, Financial Institutions, Government Agencies and the Health Care Industry

In the Federal Reserve’s July 11, 2019 White Paper, “Synthetic Identity Fraud in the U.S. Payment System, A Review of Causes and Contributing Factors,” the authors conclude that synthetic identity fraud is a serious and growing problem for the U.S. payments ecosystem that can only be addressed by a collaborative effort among all payments industry stakeholders.

While “cybersecurity” is a high priority for businesses and financial institutions generally and individuals are regularly bombarded by “identity theft” warnings, “synthetic identity theft” is a term that has largely flown under the radar—at least until now. Perhaps one reason for this is that this rapidly growing type of crime, by some accounts the fastest growing financial crime in the U.S. , is often unreported because many victims—children, the elderly or homeless—are less likely to access their credit information to uncover the fraud.

According to the Fed’s report, synthetic identities are created using certain key information, often Social Security numbers (SSNs) stolen from real people. These fictitious identities are then used to defraud financial institutions, government agencies, or individuals.

Synthetic identity payments fraud also takes advantage of gaps in the credit process, making this a potentially lucrative enterprise for criminals and crime rings. The report outlines a 5-Step process demonstrating how synthetic identities are used to commit payment fraud: [1] create an identity using stolen or fabricated personally identifiable information (“PII”); [2] apply for credit using the synthetic identity; [3] repeatedly apply for credit until approved; [4] accelerate a positive credit history; and [5] “bust out” by maxing out the credit line and vanishing!

The increase in PII available to fraudsters on the “darkweb”, including account login credentials, driver licenses, credit card numbers, SSN’s and other PII, appears to be a key factor in the dramatic growth of synthetic identity fraud.

The most alarming example of synthetic identify fraud cited in the report is the 2013 Department of Justice case charging 18 co-conspirators in “ one of the biggest, most complex credit card fraud schemes ever”. In that case, a crime ring spanning 38 states and eight countries used more than 7,000 synthetic identities to fraudulently obtain more than 25,000 credit cards. The total theft exceeded $200 million although there is speculation that the actual loss was closer to $1 billion.

The report estimates that the cost of synthetic identity fraud to U.S. lenders in 2016 was $6 billion.

The report concludes with a call for collaboration. “Like cybercrime, the growing problem of synthetic identity payments fraud cannot be addressed by any government or private sector organization working in isolation. It requires the attention of all payments industry stakeholders to collaborate and work together to understand, detect, mitigate and address synthetic identity fraud in the U.S. payments ecosystem.”

U.S. Cyber Command Issues Warning About Microsoft Outlook Vulnerability

Hackers are targeting U.S. government networks, according to U.S. Cyber Command, which says there is a vulnerability of CVE-2017-1174, which is a two year old flaw in Microsoft Outlook that is being used by attackers to install remote access Trojans and other malware.

U.S. Cyber Command recommends that the vulnerability be patched to prevent exploitation. The known flaw can be exploited by allowing an intruder access to credentials, which is usually accomplished through phishing attacks. Once the attacker has successfully obtained Outlook credentials, the attacker can change the user’s home page to a page the attackers have infected with malicious code that activates when Outlook is opened.

Security researchers believe the attacks are being launched by Iran-backed group APT33, and are in response to the political tensions with Iran. According to the security researchers, APT33 has been using brute force attacks with commonly used passwords.

The cyber tensions between the U.S. and Iran are continuing and do not look like they will stop in the near future. U.S. businesses are being attacked and are caught in the cross-fire, so awareness of the warnings provided by U.S. Cyber Command and U.S.-CERT (Computer Emergency Readiness Team) is important to stay abreast of new threats and vulnerabilities. Since these latest attacks are being launched through brute force attacks, educating employees on these threats, and reinforcing strong passphrases is an obvious first response.

Connecticut Budget Includes Insurance Data Security Law

For those of you who don’t know, a fun fact is that Robinson+Cole one of the oldest law firms in Connecticut, and among our claims to fame is that we represented Mark Twain and Helen Keller. We are quite proud of our history and our reputation, and rightfully so. We are steeped in Connecticut law, and we follow it closely, even when it is buried in the 580-page Connecticut budget bill! Yes, on page 288 of the budget bill is the Connecticut Insurance Data Security Law, which is applicable to our insurance clients.

Section 230 of the Connecticut budget bill is called the “Insurance Data Security Law” and becomes effective October 1, 2019. It requires any insurance licensee, (anyone who is authorized or licensed and subject to the insurance laws) to implement an information security program by October 1, 2020. The requirements include the implementation and maintenance of a written information security program (WISP) based upon a risk assessment as well as administrative, technical and physical safeguards to protect non-public information.

The WISP must include a number of things, including employee training, a record retention program, a risk assessment process, an incident response process, and to “[N]ot less than annually assess the effectiveness of such licensee’s safeguards’ key controls systems and procedures.”

The requirements are similar to the New York Department of Financial Services cybersecurity regulations, and are lengthy and specific. We did not complete a word-for-word analysis, but it looks nearly identical to the New York requirements, including requiring oversight by the Board of Directors.

Pay attention to the details, such as the fact that when there is a cybersecurity event, notification must be made to the Commissioner within three business days. If an insurance licensee notifies an individual under the Connecticut breach notification law, the insurer must notify not only the individuals, but also the Connecticut Attorney General and the Insurance Commissioner, and has a “continuing obligation to update and supplement such information.”

The enforcement provisions allow for the Commissioner to do things like, “suspending, revoking or refusing to reissue or renew any license, certificate of registration or authorization to operate,” … and state that the Commissioner “impose a civil penalty of not more than fifty thousand dollars for each violation of the provision of this section.”

The bill also requires insurance licensees to offer 24 months of credit monitoring to affected individuals in the event of a data breach, which is consistent with the Connecticut data breach notification law.

It is an impactful 20 pages for insurance companies, and we are pouring over the details.

ULC Model State Drone Legislation to be Discussed

The Uniform Law Commission (ULC) is set to meet this week and next in Anchorage, Alaska to discuss and vote on model state legislation concerning drones. The ULC’s proposed legislation is an attempt to recognize the fact that drones can be transformative to search and rescue, inspection and logistics, but that when misused, a drone could violate the rights to privacy and the quiet enjoyment of private property. If enacted by a state, this law would allow judges to weigh how many times and for how long a drone flew over the property, how low it was flying, why it was flying over the property, whether the drone was seen by anyone on the property, and the time of day that the drone was flown, in order to determine whether the drone has caused “substantial interference” with a property owner’s use and enjoyment of his or her property.

The ULC hopes this “test,” which can be performed by the courts, will allow drone flights like those for commercial package or medical supply deliver to move forward in our national airspace while still protecting the property and privacy rights of the people below. We will continue to monitor the progression of this model rule. To read the draft legislation click here.

Privacy Tip #198: Cybersecurity for Tax Professionals

Yesterday, I was honored to again have the opportunity to participate as a speaker at the Internal Revenue Service’s Nationwide Tax Forum 2019 in Washington, D.C. Through a generous grant provided by the American Coalition for Taxpayer Rights to the Pell Center of Salve Regina University, we are able to educate small- and medium-sized tax professional businesses on basic cyber hygiene, recent cyber threats, and the components of a data security program. This is one of my favorite speaking engagements, as the audience laughs at my jokes (well, most of the time, and if it isn’t right before cocktail hour), are eager to learn, and there’s always energy in the room.

The IRS provides a great deal of guidance for tax professionals, and is an important resource to follow via its website. The guidance is easy to understand, relevant and FREE!

We had two great sessions yesterday, and the participants were engaged and committed to implementing data security measures to protect tax payers’ data. One of the things I took away from the audiences is how important encryption technology is for tax professionals. If you are a tax professional, and you are not using encryption technology, look into it and implement it for your clients’ data. Another critical area of attention is data retention. Remember that there are both state and federal laws concerning data retention that tax professionals are required to follow.

Finally, there are civil and criminal penalties that can be assessed for tax professionals if there is an unauthorized disclosure or use of information furnished to a tax professional in connection with an income tax return. (“Criminal penalties” means jail). It also means that you could be responsible for your employees’ actions—which is why employee education is key for tax professionals.

Tax professionals are required to implement a Security Plan. The IRS provides guidance on the core elements of a Security Plan. If you are a tax professional, take advantage of the resources the IRS provides. You might also check out one of the 2019 Tax Forums where Robinson+Cole and CyberScout will be presenting throughout the summer to get some extra tips on data security.

2018 Cyber Incident & Breach Trends Report “All Bad”

The Internet Society’s Online Trust Alliance just released its “2018 Cyber Incident & Breach Trends Report, which says “2018–Some Better, Some Worse, All Bad.”

That’s our experience, too. Here are the highlights from the report, which can be accessed here.

Although the number of data breaches and exposed records decreased, and ransomware and DDoS (distributed denial of service) attacks were down, (that’s the “some better”), “the financial impact to businesses from ransomware increased by 60%, losses from business email compromise (BEC) doubled, cryptojacking incidents…more than tripled” (that’s the “some worse”) and “there continued to be a steady stream of high-profile data breaches” ( that’s the all bad”).

It is estimated that ransomware will cost U.S. businesses $8 billion in 2018, growing to $20 billion in 2021. Those numbers are staggering. The estimates confirm our experience that ransomware attackers are more targeted and vicious, and asking for higher ransom amounts when successful in infiltrating a system.

Supply chain attacks increased dramatically; according to the report, “formjacking” increased by 78% in 2018. Formjacking occurs when attackers “infect a website’s submission form via a third-party supplier or malicious code carried in ads and then either scrape the information or infect the user.” Symantec estimates that in 2018 about 5,000 websites a month contained formjacking code.

BECs increased in 2018 to more than 20,000 incidents, resulting in $2 billion in losses, and which are expected to continue to rise.

The report ends by saying the trends will continue and that 95% of all incidents could have been prevented. It provides an outline of trends, and tips for preparedness and readiness, and emphasizes that data security still comes down to people. We agree that “ongoing employee training is a critical key to success.”

States Struggle with Regulating Risks Associated with College Closures

Based on an unprecedented number of college closures, along with complex demographic challenges showing continued reductions in the number of college-aged students, states are struggling to determine how to best protect both students and college employees. Currently, most states have been reactive, and have only taken action after a college has announced its intention to close, often with little notice to employees and students. On the other hand, requiring a college that is just starting to show signs of financial struggle to publicly announce that position would surely chill student applications, encourage transfers, limit financing, and send employees fleeing for other employment. In turn, this could exasperate the college’s financial condition, all but ensuring closure.

In Massachusetts, where 18 colleges have closed or merged in the past five years, the legislature is looking at several options. Specifically, Massachusetts Governor Charlie Baker has proposed a bill that would require notification of “any known liabilities or risks which may result in imminent closure of the institution or jeopardize the institution’s ability to fulfill its obligations to current and admitted students,” with notice to the Massachusetts Board of Higher Education (MBHE). Because the proposed legislation allows the notification to be confidential, it is intended that colleges could still freely pursue financing, merger, and/or the continued enrollment of students in order to try to turn around its financial condition. When notifying the Board, the school must also put forth a contingency plan for notifying students and assisting with transfer in case closure becomes necessary. The bill also would allow the state to request financial data from schools.  If a school failed to provide the requested data, it could be sanctioned by the Board of Higher Education.

The MBHE has issued proposed regulations consistent with this bill. Two or three hearings to allow for public comment on the regulations will be scheduled in early August.

Oregon’s New IoT Law

Oregon became the latest state to require manufacturers of internet “connected devices” that make, sell or offer to sell the devices in the state to equip the device with “reasonable security features” according to Oregon House Bill 2395 amending ORS 646.607.

According to the law, “[R]easonable security features” means methods to protect a connected device – and any information the connected device stores – from unauthorized access, destruction, use, modification or disclosure that are appropriate for the nature and function of the connected device and for the type of information the connected device may collect, store or transmit.

The law goes on to define a “reasonable security feature” as:

  • (a) A means for authentication from outside a local area network, including:
    • (1) a preprogrammed password that is unique for each connected device; or
    • (2) a requirement that a user generate a new means of authentication before gaining access to the connected device for the first time; or
  • (b) Compliance with requirements of federal law or federal regulations that apply to security measures for connected devices.

Oregon’s law is similar to one in California in that it uses the same “reasonable security features” language, which we wrote about a few months ago, CA Civ. Code § 1798.91.04 (2018). Both of these laws take effect on January 1, 2020.

Why is this important? A preprogrammed unique password, or the requirement that a new user of the device generate a new means of authentication prior to using the device for the first time, ensures that your new smart device won’t have the same default password as everyone else’s device. These features also provide additional security so that your IoT device will be less susceptible to spying or hacking. Given the estimate of the number of IoT devices around the world to be in the billions, and that people value the convenience of the devices but don’t want to sacrifice privacy,  it’s more important than ever that IoT devices have at least “reasonable security features.”

Be Cautious When Collecting and Using Biometric Information

We only have one unique face, two irises and ten fingerprints. We can’t change our biometrics like we can a credit card number. Yet many companies are collecting and using their employees’ and our biometric information for convenience without thinking about the potential consequences.

I recently went into a high-end retailer and the sales clerk opened the fitting room with her fingerprint—her biometric information. Needless to say, I was appalled. There are numerous companies marketing technology that collects biometric information from consumers and employees without understanding or educating customers about the consequences.

One means of addressing possible outcomes is the Illinois Biometric Information Privacy Act (BIPA), which, along with other state laws, regulates the collection and use of biometric information. Numerous employers have been caught in the cross-hairs after implementing biometric collection technology, such as time cards that are activated with a fingerprint to clock in and out, and then have been sued for violating BIPA. BIPA has specific requirements that are clear and not difficult with which to comply. But many global employers don’t know about BIPA and, therefore, are not complying with it.

The same is true for other biometric information, such as facial recognition or iris scanning. Before you fall for a sales pitch by a company offering the streamlined use of technology that collects and uses biometric information, be aware of laws that apply to biometric information, and the fact that they are rapidly changing. Further, consumers are becoming more educated about their biometric information and are more reticent to share it. When deciding whether to collect and use biometric information, determine whether the technology is really worth it.  Before collecting and using biometric information from consumers or employees, assess the risk, determine what laws apply, comply with the laws and be transparent with those consumers and employees. Otherwise, you are likely to get tagged with a class action lawsuit.

Canada’s New Drone Regulations

In Canada, the drone industry has nearly doubled in size every two years over the past decade. With that boom, Canadian regulators have been grappling with many of the same questions that the U.S. Federal Aviation Administration (FAA) has been struggling with as well — how do you safely incorporate drones into the airspace? To address this issue, Canada released, and made effective, regulations amending the Canadian Aviation Regulations for Remotely Piloted Aircraft Systems (Regulations). These new Regulations cover small drones that weigh between 0.55 lbs. and 55 lbs., and that are operated within the operator’s visual-line-of-sight. The operation of a drone over 55 lbs. requires a Special Flight Operations Certificate (SFOC).

How do these new Regulations compare to the regulations effective in the U.S.? For example:

  • All drones must be registered with Transport Canada and marked with a registration number regardless of the operator intent (i.e. commercial and hobbyists both must register);
  • All drones must be flown at an altitude of less than 400 feet;
  • Drones may not be flown over or within a secured perimeter established by a public authority in response to an emergency or “advertised events,” such as outdoor concerts, festivals or sporting events, unless the operator is granted a SFOC;
  • Drone pilots must be at least 14 years old and complete an online knowledge exam, but for advanced operations (i.e. operations within controlled airspace; closer than 30 meters to a bystander; within three (3) nautical miles from an airport), the pilot must be at least 16 years old; and,
  • For certain advanced operations, the drone must meet RPAS (i.e. Remotely Piloted Aircraft Systems) Safety Assurance standards before being flown (i.e. technical requirements).

There are many similarities between the Canadian and U.S. regulatory requirements and restrictions. However, one notable difference between the regulations is that the new Canadian regulations permit flights over people (defined as operations that are less than five (5) meters horizontally and at any altitude) provided that the manufacturer of the drone makes required declarations and that other requirements for “advanced operations” are complied with as well. Additionally, the Canadian regulations do not distinguish between recreational or commercial drone uses, and require operators to demonstrate flight proficiency for advanced operations.

The FAA is working towards a rule for flights over people, but some of these other differences may be far down the road here.

LexBlog