C-Suite + Managers Pose Higher Security Risk to Organizations

You executives and managers who are in my age group (that is, you didn’t grow up with mobile devices and computers) listen up. According to several studies, you pose a higher security risk to your organization than the up-and-comers you manage.

According to a new OneLogin survey of 2,000 workers aged 16 to 55+ in the U.S. and U.K., senior managers (42 percent) were twice as likely as their junior counterparts (20 percent) to share a work device with someone outside the organization; 19 percent of senior managers said they share confidential passwords with a family member, compared to 7 percent of junior employees; and senior management reported working from public Wi-Fi networks at double the rate of their junior counterparts (30 percent vs. 15 percent).

There are some logical explanations for this, none of which are comforting or justified. According to OneLogin, part of the explanation is that those of us who did not grow up with technology find it difficult to learn and are intimidated by it. I have no sympathy for those who refuse to try to learn, or who try to get around security measures, because they are intimidated. It’s not that hard, and it is vital to the security of your organization.

The second reason is that executives are trying to perform at a high level and think security measures, like multi-factor authentication or logging into a VPN, take too much time. That reason is also rubbish. The entire purpose of implementing security measures is to protect the user and the organization. Trying to figure out a work-around takes more time and resources than just following sound security practices. Executives and managers should be thinking first and foremost about the consequences of a security incident caused by them.

Here are some tips for organizations to address this issue:

  • Don’t wait for executives and managers to admit they don’t understand how to implement or use technology. Give them one-on-one training/education so you are sure they are using the security measures and are comfortable with them.
  • Provide executives and managers with pointed educational sessions on data security so they are aware of the risks they pose to the organization if they do not adhere to data security practices.
  • Be strong when executives and managers ask for work-arounds. Instead of allowing the work-around, take the time to show them how to use the security measures one-on-one and counsel them, in layman’s terms, on why the measures are so important.
  • Make adherence to security measures part of executives’ and managers’ (for that matter, ALL employees’) performance evaluation. If they don’t follow security measures, that should be documented and considered in compensation and bonus decisions. This will certainly get their attention.
  • Don’t let them get away with it. If they cause an incident, there should be consequences.

As I always say, data security is a team sport. If the captains of our teams aren’t engaged, the plays won’t work and organizations will lose the game.

How Creepy is Your New IoT Device? Check Out This Privacy Guide!

There are billions of Internet of Things (IoT) devices out there in the world and this number will only grow. I’ve written before about smart light bulbs and smart security cameras and it’s no secret that I am fascinated by IoT technology. When I came across the Mozilla *privacy not included guide, I knew I had to share this website.

The guide includes several “smart” products for home and office and provides brief summaries of any relevant and available information related to the privacy of a particular product. The purpose of the guide is to share information regarding the privacy and data collection practices for the 136 smart products listed on the website. Clicking on a particular product on the website will provide a summary of the product’s data collection and privacy policies. Users are also able to rate products along a “creepiness” scale.

The standards that the guide uses include: whether a product uses encryption, automatic security updates, requires strong passwords, whether it has a system to manage vulnerabilities, and whether the privacy policy is accessible. According to the website, a new feature of the guide includes warning labels on certain products that consumers should “think twice about before buying.” Items marked with a yellow triangle icon with an exclamation point include the following: “warning: *privacy not included with this product.” The website includes additional information and answers questions about whether a product can snoop on you, whether an email address is required to sign up, and what personal data the device collects; all important things to know before you connect that smart product that you may be buying.

Show Your IT Professionals Some Love

2020 will go down as one of the most stressful years in my career as a cybersecurity professional. I have been working in this area of law full time since 2003, so that says a lot.

On top of the stress of the spread of the coronavirus, this has been a particularly stressful year assisting clients with security incidents, ransomware extortions, data security in migrating from on premises to work from home, and keeping employees educated and vigilant. Indeed, it has been difficult and exhausting. And I’m just the lawyer.

Your IT professionals have been through HELL this year. They are working beyond capacity, with limited resources, trying to keep organizations safe from highly sophisticated hackers and nation states, including Russia and China. They are doing their very best to find the right tools to keep the bad guys out of networks and systems, at the same time trying to get their users not to click on links, attachments or phishing emails. They are getting attacked from within and without. It is a war for them every day.

Give them some love. A thank you goes a long way. Our IT professionals are losing sleep every night, working long hours, keeping our data safe, and dealing with attacks that you can’t even begin to fathom.

They battle for us in the background, on the front line, and never get any credit for how important their job is to our ability to do our job.

So this holiday season, take a little time and reach out to your IT professionals and say “Thank you.” They deserve a ton of credit and LOVE from all of us.

FAA Fines Drone Pilot $182,000

The Federal Aviation Administration (FAA) issued a $182,000 fine to a drone pilot for multiple (continued) violations of Part 107: at least 26 violations, to be more precise. Between December 2019 and August 2020, the drone pilot flew his drone around Philadelphia in violation of FAA regulations, sometimes violating more than one part of the regulations during a single flight. Before issuing the fine, the FAA sent a warning letter in October 2019. In November 2019, the FAA provided the drone pilot with counseling and education regarding the requirements for safe drone operations.

The drone pilot put a number of videos on YouTube showing screenshots of the ground control station, which displays things like altitude, the drone’s distance from the pilot, the drone’s location on a map, direction of flight, and other information. The FAA was able to use these videos to prosecute this individual.

Part 107 requires operators to obtain an authorization for Class B, C, D, or E2 controlled airspace. All authorizations are done through the FAA’s Drone Zone portal or through LAANC. If there were no authorizations through those means in Philadelphia at the time of the video footage, then the FAA knows that the drone pilot did not fly in accordance with Part 107. Additionally, according to the FAA, the drone pilot also committed the following violations:

  • Drone flights at night, “in heavy fog” and “while it was raining,” “while it was snowing,” and “during strong winds.” (Part 107 prohibits night flying and flying with visibility less than 3 statute miles).
  • Multiple drone flights that were very close to multiple buildings and structures. (Part 107 does not allow you to cause undue hazard to people’s property if a loss of control were to happen for any reason during the drone operation).
  • Some of the flights were over the Philadelphia downtown area over moving vehicles and people. (Part 107 prohibits flying over people and, as noted above, prohibits causing undue hazard to people on the ground).
  • The drone pilot did not have a remote pilot certification.

Overall, the FAA alleges that the pilot violated 12 Part 107 regulations over 26 different flights, with each subsection of Part 107 counted as a separate violation. The lesson here: follow Part 107, know the rules and operate safely. Happy flying.

Privacy Tip #265 – COVID-19 Phone Scams Continue to Victimize

Working from home has shed a new light on robocalls. It is unbelievable how many robocalls I get at home even though I am on the Do Not Call List. It is very easy to monitor these calls. If I recognize the number, I may pick up. If I don’t, I let it ring until it goes to the answering service. If the caller doesn’t leave a message, it is clear that it is a scam. These days, even scammers leave a message. One day last week, a scammer left three separate messages asking me to call back or I would get arrested. This is obvious to me, but to many individuals, these calls sound real and are scary.

The same is true for my mobile telephone. The number of unknown callers to my cell phone has definitely increased during the pandemic, and I use the same technique with calls to my cell phone as I do for a residential line. It is very easy to have someone leave a message and then call them back if they are legitimate. Screening your calls should be automatic for your safety.

A new study by First Orion shows that phone scams using COVID-19 as the subject matter have been highly successful this year.

According to the 2020 Annual Scam Call Report, “[P]hone scammers are getting better at tricking you into giving up your personal information…The survey shows that scammers improved their efficiency in 2020, mainly using the COVID-19 pandemic to steal personal information from millions of victims. The data paints a clear picture of why people are becoming more reluctant to answer their phones if the call is from an unknown number.”

The survey shows that scammers are getting better at scamming people even though they were calling people at the same rate as last year. The survey showed that “[I]n 2020, scammers succeeded in getting people to give up their personal information 270 percent more often than in 2019. More than one in four people reported a loss of personal information or financial loss due to a phone scam in 2020. What’s more, scams targeting Social Security numbers were 550 percent more effective in 2020.”

This result is shocking and disappointing. What’s more, the survey showed that because more people were at home to answer the phone, “[O]ut of all the scam calls that succeeded in getting personal information, 17 percent used the COVID-19 pandemic to get in the door. The next most frequent cover story was fake banks at 12 percent, followed by family threats (10 percent), offering a prize or money (9 percent), and student loan scams (9 percent). The pandemic also showed up in charity fraud. When scammers used fake charities as bait to scam people, 44 percent of them said they were collecting money for pandemic relief.”

Other typical phone scams included auto warranty calls which were the most common scam and actually doubled from 2019. Fake bank or credit card calls were the second most common, and false IRS/tax and insurance calls tied for the third most common.

The moral of this story is to refrain from answering calls from numbers you do not recognize, don’t fall for any of these common scams and don’t give anyone your personal information or money over the phone.

A Hackers’ ‘Shipageddon’ Has Set Sail: Beware of Fake Shipping Messages

As the holiday shopping season comes to an end, consumers should still be aware that hackers are sending fake delivery notifications appearing to come from companies like FedEx and UPS, especially as the last few days of package arrivals pass by. The hackers’ messages prompt consumers to enter personal information, like credit card details, to resolve an issue with package delivery, or immediately launch malware or ransomware upon clicking a link. According to a recent CNBC report on this ‘shipageddon’ launched by hackers, one consumer received an email message appearing to be from UPS informing him that his package could not be delivered. Once he clicked the link provided to solve the issue, his screen started flashing and his computer was encrypted with ransomware demanding 150 bitcoins (or about $66,000). Upon the consumer’s refusal, his computer was wiped clean.

According to the CNBC report, fraudulent delivery messages rose by 440 percent from October to November, based on data from cybersecurity firm Check Point Software Technologies. Overall, fraudulent shipping messages rose 72 percent since November 2019. Don’t fall victim to these scams: at a minimum, before clicking on a provided link or offering up your personal information, make sure that the message includes correct spelling and company logos.

CafePress to Pay $2 Million in Multi-State Data Breach Settlement

On December 18, seven states entered into a settlement agreement with e-retailer CafePress for $2 million stemming from a 2019 data breach that exposed information of approximately 22 million consumers. The breach affected consumers’ personal information, including usernames and passwords, Social Security numbers, and/or Taxpayer Identification numbers.

Of the $2 million, $750,000 will be an immediate payment divided among the states: New Jersey, New York, Connecticut, Indiana, Kentucky, Michigan and Oregon.

According to the settlement agreement, if CafePress improves its data privacy practices, the states have agreed to suspend the balance of the settlement. Those improvements include implementing a comprehensive cybersecurity program that is updated and assessed regularly, a data breach notification plan (including preparation, detection, analysis, containment, eradication and recovery), as well as other safeguards like encryption, segmentation and penetration testing. CafePress must also update its disclosures to consumers including information on account closure and data deletion. The company must also have a third-party risk assessment for the next five years.

Update on the Massachusetts Right to Repair Lawsuit

As I wrote about previously on our blog, the Massachusetts Right to Repair amendment passed in November is up against a lawsuit from auto manufacturers. Now, the Massachusetts Attorney General’s office has responded, stating that the state law does not conflict with any federal statute and that voters already rejected all of the lawsuit’s allegations. The Attorney General’s office further argues that the primary claim of this lawsuit relies on non-binding agency guidance, which is simply not enough to preempt the amendment. The Supreme Court and the First Circuit have established a heavy burden for facial, pre-enforcement challenges. At this point, the Attorney General has agreed not to enforce the law until the litigation has concluded. Massachusetts argues that rejecting the law before it takes effect is subversive to the democratic process. The case is set for a bench trial in June 2021. We’ll follow the case as it makes its way into the new year.

SolarWinds Cyber-Attack: CISA Recommends Disconnecting

On the heels of the concerning security incident experienced by FireEye: during the investigation of its own incident, FireEye discovered that multiple updates issued by SolarWinds, a cybersecurity firm that many governmental and private companies use to monitor networks, were “trojanized,” with malware inserted into the updates between March and May of 2020.

The malware allowed Russian operatives to hack into several governmental agencies, including the Departments of Homeland Security (DHS), State, National Institutes of Health, Commerce (National Telecommunications and Information Administration Office) and Treasury. In addition, it is reported that the Departments of Justice and Defense also were customers of SolarWinds. The DHS’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all government agencies to disconnect and stop using SolarWinds.

This compromising situation is obviously concerning for national security, particularly when CISA’s Director Christopher Krebs was recently summarily dismissed and many other top leaders of the organization have departed when we most need strong leadership from the federal agency in charge of cybersecurity.

Unfortunately, the bad news doesn’t stop there. SolarWinds reported to the Securities and Exchange Commission this week that it believes that approximately 18,000 of its private company customers also could be affected by the malware.

Security experts are warning all private companies to follow the CISA emergency directive to federal agencies and to disconnect and stop using SolarWinds until the details can be sorted out. That is sound guidance for companies that use SolarWinds to mitigate risk until more information is available. It is important that executives and IT personnel be in close contact about whether the company uses SolarWinds, and that they heed the CISA emergency directive to disconnect while the effects of the compromise are being determined.

SolarWinds and Cyber Liability Insurance – What Businesses Need to Know

The SolarWinds cyber-attack is on everyone’s mind this week, given that most experts believe this cyber-attack will have broad impact across both the public and private sectors. For more details about the SolarWinds attack, please read this. The sheer breadth of this attack led me to reflect on the role of cyber-liability insurance for businesses and why it is critical to understand key policy terms, coverage, exclusions, retention amounts and deductibles.

The initial work begins for businesses when they are selecting the appropriate cyber-liability insurance coverage. It is critical to think about the type of business it is and the nature of the data it possesses. Does the business handle protected health information, social security numbers, sensitive personal information, or biometric data? If so, these are some of the highest risk types of data that need protection. It is important to align risk with policy coverage and limits.

While there is no “standard” cyber-liability insurance policy, most policies provide coverage for financial losses as a result of a data breach or other unauthorized access or disclosure of personal or protected health information. Data breaches are not the only way a business can be damaged in a cyber-attack, however. Some insurance companies offer additional endorsements or specific policy provisions and coverage for losses caused by various other means such as social engineering (i.e., a breach caused by phishing), specific coverage for credit card losses, and denial-of-service attacks, such as ransomware. As we have noted many times in this blog, ransomware is probably one of the biggest threats to businesses today. Will the policy pay ransomware costs?

It also is important to determine whether the policy covers costs associated with breach response, including forensic and legal costs. Cyber policies typically cover breach response costs for first-party losses, which are direct financial losses to your business, whereas third-party losses are those claimed by others, e.g., vendors, clients, or customers who claim injury as a result of the data breach. The bottom line is to always check with your broker and read the policy language carefully to determine what is covered. It is important to understand the exclusions in a policy as well.

Coverage and retention amounts also are important, as the cost of a data breach can be very high, depending upon how many people are affected, the type of data breached, the number of regulated entities to be notified, the amount of forensic and legal costs, and whether call center and credit-monitoring services are offered. Sometimes a $50,000 coverage amount for social engineering fraud simply will not be sufficient to cover all of these expenses.

If your business is hit with a cyber-attack, it is important, depending on the circumstances, to understand the obligations in the policy as you notify your broker and the insurance company. Policies typically have notice provisions that apply even if you are still gathering all of the facts. Timing is important, so before retaining experts for remediation, you may need to notify the insurance company of the claim or potential claim. Many policies have a breach response team ready to assist you. If you want to retain your own legal counsel or other experts to assist in your response, you will likely need the insurance company’s approval. Once the breach response experts are in place, they will guide your business through all of the necessary steps with respect to remediation, breach notification to regulators and affected individuals, call center activation, and credit monitoring.
