SEC Report Cautions Companies to Consider Cyber Threats with Internal Controls

The Securities and Exchange Commission (SEC) this week issued an investigative report that outlined cyber incidents that nine public companies had experienced, causing fraudulent losses totaling more than $100 million. The conclusion of the report is that public companies “should consider cyber threats when implementing internal controls.”

The investigations focused on business email compromises where intruders posed as company executives or vendors and used emails (usually through phishing and spear phishing campaigns) to trick employees into sending large amounts of money to bank accounts controlled by the fraudsters. According to the report, these campaigns lasted months on end, and the funds were largely not recoverable. The report cited an FBI statistic that business email compromise has cost U.S. companies more than $5 billion since 2013.

The companies were from different industries, including technology, machinery, real estate, energy, financial and consumer goods. This is instructive: victim companies are in every industry, and no industry is immune. SEC Chairman Jay Clayton stated “Cyber frauds are a pervasive, significant, and growing threat to all companies including our public companies. Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats.”

Although none of the companies were fined as a result of the security incidents, the SEC stated “…our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations.”

Anthem Settles with OCR for $16M for 2015 Data Breach

The Department of Health and Human Services Office for Civil Rights (OCR) announced this week that it has settled the largest health care data breach for the largest enforcement fine in history. OCR settled the massive data breach Anthem suffered in 2015 for $16 million—a substantially larger fine than any others assessed by OCR for HIPAA violations. The data breach included the names, birth dates, and Social Security numbers of nearly 80 million individuals. The data breach was caused when hackers spear-phished an Anthem employee and were able to access the system and the individuals’ health and personal information.

Following Anthem’s notification of the data breach, which is required by regulation, the OCR commenced an investigation and alleged that Anthem violated HIPAA when it failed to run risk analyses, lacked procedures to regularly review activity on its system, failed to detect or respond to security incidents, and failed to have appropriate access controls in place. According to the OCR, “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people’s private information.” Anthem denies liability in the agreement with OCR.

According to the OCR, in addition to the payment of the fine, Anthem will take “substantial” measures to assess and monitor its cyber risks.

This settlement follows Anthem’s settlement with consumers in June 2017 for $115 million.

Office 365 Migration

Many companies are migrating their email systems to Microsoft Office 365 (O365). The majority of security incidents in which we have been engaged over the past six months involve a hacker successfully phishing an employee of the company (most of the time an executive) and then spoofing the Office 365 credentials box, so the victim enters his or her user name and password into the hacker’s spoofed O365 pop-up, giving the hacker full access to the email box.

Once the hacker gets into the email box, he places forwarding rules in the email box so all emails that the victim receives are forwarded to his email account. That way, he can monitor the existing email account, and gain access to all new emails sent to the executive to try to figure out how to either implement a wire fraud scheme, a man-in-the-middle scheme, or steal personal information of the victim or others if such information is flowing through the email traffic.

When the executive or the IT department discovers the incident, usually a forensic firm is hired to review the situation and try to figure out when the hacker was able to get into the system, what data was available, and if any information was exfiltrated.

Almost every forensic analysis we have been involved in with an O365 incident comes to the same conclusion: the incident could have been prevented if multi-factor authentication had been utilized up front when migrating to O365. Following each O365 incident, the recommendation by the security experts is to implement multi-factor authentication. Learn from these other companies that have been victims of such schemes.

In addition, when the forensic firm requested the O365 logs, in only a few cases were we able to access the logs to determine the date the intruder first accessed the system. This is because, when companies implement O365, the audit logging function is apparently turned off by default, and the company has to turn logging on manually. Most companies have no idea that this is the case; they assume that logging is on by default and that the logs are or would be available for a security incident. This is not the case, so learn from these companies and turn the logging function on when migrating to O365.
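The two O365 lessons above (turn audit logging on, and look for the forwarding rules an intruder leaves behind) as an added PowerShell example. This is not code from the original post; it assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and placeholder domain and mailbox names. Enforcing multi-factor authentication itself is configured in Azure AD (Conditional Access or Security Defaults) rather than in Exchange, so it is not shown here.

```powershell
# Added example (not from the original post): audit-logging and forwarding-rule
# checks for an Exchange Online / Office 365 tenant. Requires the
# ExchangeOnlineManagement module and Exchange administrator rights.
# Domain names and mailbox identities are whatever the tenant returns.

# Connect to Exchange Online (interactive sign-in, works with MFA).
Connect-ExchangeOnline

# 1. Verify that unified audit log ingestion is enabled; turn it on if not.
#    Without it, Search-UnifiedAuditLog has nothing to return after an incident.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit log ingestion is OFF - enabling it now.'
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host 'Unified audit log ingestion is already enabled.'
}

# 2. Make sure per-mailbox auditing is on for every user mailbox, so that
#    MailboxLogin / New-InboxRule events are actually recorded.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.AuditEnabled } |
    ForEach-Object {
        Write-Host "Enabling mailbox auditing for $($_.UserPrincipalName)"
        Set-Mailbox -Identity $_.UserPrincipalName -AuditEnabled $true
    }

# 3. Hunt for the forwarding pattern described above: inbox rules (or
#    mailbox-level forwarding) that send mail to an address outside the tenant.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { $_.ToString().ToLower() }

function Get-ExternalSmtp {
    # Get-InboxRule reports recipients as e.g. '"Jane" [SMTP:jane@example.com]'.
    # Return the SMTP address when it belongs to a domain the tenant does not own.
    param([string[]] $Recipients)
    foreach ($r in $Recipients) {
        if ($r -match 'SMTP:([^\]\s]+)') {
            $addr = $Matches[1]
            if ($internalDomains -notcontains $addr.Split('@')[-1].ToLower()) { $addr }
        }
    }
}

$findings = @()
foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    # Mailbox-level forwarding, set by an admin or through a compromised session.
    if ($mbx.ForwardingSmtpAddress) {
        $fwd = ($mbx.ForwardingSmtpAddress -replace '^smtp:', '')
        if ($internalDomains -notcontains $fwd.Split('@')[-1].ToLower()) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'MailboxForwarding'
                Rule = '-'; Target = $fwd
                DeletesCopy = -not $mbx.DeliverToMailboxAndForward
            }
        }
    }
    # Inbox rules created by the user, or by whoever holds the user's password.
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $recips  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in (Get-ExternalSmtp -Recipients $recips)) {
            $findings += [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'
                Rule = $rule.Name; Target = $t
                DeletesCopy = [bool]$rule.DeleteMessage
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 4. If auditing was already on, pull the last 30 days of rule changes and
#    logins to establish when the intruder first got in.
$end   = Get-Date
$start = $end.AddDays(-30)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 5000 `
    -Operations New-InboxRule, Set-InboxRule, UserLoggedIn |
    Select-Object CreationDate, UserIds, Operations |
    Sort-Object CreationDate |
    Format-Table -AutoSize
```

A rule that forwards externally and also deletes the local copy (DeletesCopy = True) is the classic sign that someone is reading the executive’s mail without the executive noticing; step 4 only returns events from the point at which ingestion was enabled, which is why step 1 belongs in the migration checklist rather than in the incident response.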

New Pennsylvania Law Imposes Fine for Using Drones to Spy

On October 12, 2018, Pennsylvania approved a new law that imposes criminal penalties on individuals who use a drone to spy on others. The law takes effect in 60 days.

Under this law, the state may impose a fine of up to $300 on any individual who uses a drone to invade another person’s privacy or puts another person in fear of being physically harmed by the drone. The law also imposes a more serious penalty for an individual who uses a drone to deliver contraband to an inmate in prison—a prison sentence up to 10 years and a fine of up to $25,000. The law also prohibits municipalities from regulating drones, which will alleviate some of the patchwork drone law we currently have across the United States. Pennsylvania Governor Tom Wolf said, “With the rise in popularity of drones with video cameras, this is a commonsense step to prevent the use of drones to invade someone’s privacy. Drones should not be a tool to spy on someone in their yard or through their window.”

There are exceptions for law enforcement officials, first responders, and utility company employees, as well as some government employees, if they are using drones in furtherance of their official duties and responsibilities.

Privacy Tip #161 – FTC Launches “Data Spotlight”

The Federal Trade Commission (FTC) announced yesterday that it will release, on a quarterly basis instead of annually, an aggregated report of all of the consumer complaints lodged by individuals. The goal is to provide more up-to-date information about what consumers are experiencing so others can learn from them and protect themselves from becoming a victim.

The FTC also launched its Consumer Protection Data Spotlight, which it says will “take a deep dive into the data to illuminate important stories we are hearing from consumers.” This can be very helpful to consumers in learning about scams, how others have become victims, and to be vigilant against the same or similar scams.

The first Data Spotlight explains how scammers are asking to be paid not only with Bitcoin, but also with gift cards, including iTunes and Google Play cards. According to the Data Spotlight, the reports by consumers that scammers demanded payment in the form of cards increased 270 percent since 2015. The reason they want these cards is that they are difficult to reverse once they are issued and they can be used anonymously.

The FTC states, “The FTC’s advice is simple: if someone tells you to pay with a gift card, don’t do it. Gift cards are for gifts, not for payments.” Sound advice from the FTC.

Facebook Acknowledges Breach of Sensitive Data for Nearly 30 Million Users

As we previously noted, Facebook originally announced a breach late last month, in which hackers took advantage of a code vulnerability in the website’s “View As” feature to access users’ data. However, on October 12, 2018, Facebook stepped back the number of affected accounts from 50 million to roughly 30 million, and it acknowledged that hackers were able to view varying levels of information for different accounts.

Consumers Mixed on Retailers’ Use of Facial Recognition Technology

Many consumers are unaware that retailers use facial recognition technology in retail stores to monitor shoppers and prevent shoplifting. Consumers see cameras in retail stores and assume it is to monitor for shoplifting and theft, but many are unaware that facial recognition technology is used so their actual identity can be determined while they are shopping in the store.

The Brookings Institution recently released a survey of 2,000 adults asking about their feelings relating to the use of facial recognition technology in retail stores, airports, schools and stadiums. Fifty percent of the respondents said they were “unfavorable” to the use of facial recognition technology in retail stores to prevent theft, and only 27 percent were favorable. Interestingly, the results differ depending on the respondents’ gender and age, and the region in which they live. As to retail stores using facial recognition technology, 51 percent of women were unfavorable to its use, compared to 49 percent of men. Even more interesting, 58 percent of those aged 18-34 were unfavorable, compared to 50 percent of those aged 35-54 and 40 percent of those over 55.

With regard to schools, men were 38 percent and women 37 percent unfavorable to the use of facial recognition technology, and again, those in the 18-34 age bracket were 44 percent unfavorable, compared to 38 percent of those aged 35-54 and 28 percent of those over the age of 55.

When it comes to airports, 46 percent of women were unfavorable to the use of facial recognition technology, compared to 42 percent of men, and in stadiums, 46 percent of women were unfavorable and 40 percent of men were unfavorable to the use of facial recognition technology.

Those living in the West were by far the most likely to object to the use of facial recognition technology in all four categories.

The results are very interesting, and some of them make logical sense, but above all they are helpful in taking the temperature of consumers on emerging technology in everyday life.

Website ADA Lawsuits

One of our clients told us this week that he loves to read the blog and Insider, but that he would really appreciate it if we would point out some hot compliance tips so when he scans the Insider he can see hot button topics that he should be aware of that he might not otherwise know about in the privacy and security world.

We thought it was a great idea, so here is the inaugural hot compliance topic.

Section 5 of the Federal Trade Commission Act requires all consumer facing websites to include a Privacy Policy or Statement of Privacy Practices to provide consumers with information about how the company collects, maintains and uses consumers’ information provided through the website.

We frequently complete website documents for companies, and we update them based upon new risks and litigation that crops up. For instance, several years ago, there was a rash of lawsuits around the Telephone Consumer Protection Act (TCPA), and many companies updated their websites to reflect language in response to that rash of litigation (among other compliance measures).

In the last year or so, there is a new rash of class action litigation relevant to websites, alleging that websites are not compliant with the Americans with Disabilities Act (ADA), including by failing to allow appropriate access for the visually impaired and, most recently, by failing to provide appropriate access for the physically impaired.

The Department of Justice has published ADA guidelines that are helpful in determining what measures companies should take for their websites to be ADA compliant. The guidance can be accessed here.

Plaintiffs’ attorneys are searching publicly available websites to determine whether they are ADA compliant, and if they aren’t, filing suit against them. As a result, now may be a good time to review your website documents and update them as necessary.

Privacy Tip #160 – In the Near Future: Taking Control of Your Data

I often hear people say that they have no control of their data, that their data is being monetized by big companies, that they don’t know what those companies are doing with their data, that they are frustrated when they receive notification that their data has been compromised, and they didn’t even know that company had their data in the first place.

Unfortunately, many people throw up their hands and give up trying to control their data, who has it and who is monetizing it. Their attitude is that the train has left the station already and the cows are out of the barn.

Enter Sir Tim Berners-Lee (who you might remember has been credited with creating the web 28 years ago). Berners-Lee is as frustrated as others, and has started a new open source project with the goal to put the control of individuals’ data back in the hands of the individual.

The project is called Solid (https://medium.com/@timberners_lee/one-small-step-for-the-web). According to Berners-Lee, his goal for Solid is to change “the current model where users have to hand over personal data to digital giants in exchange for perceived value. As we’ve all discovered, this hasn’t been in our best interests. Solid is how we evolve the web in order to restore balance—by giving every one of us complete control over data, personal or not, in a revolutionary way.”

He further states that Solid is “guided by the principle of ‘personal empowerment through data’ which we believe is fundamental to the success of the next era of the Web. We believe data should empower each of us…and you will have far more personal agency over data—you decide which apps can access it.”

Right now, it is just a framework, but the goal is that eventually Solid will be part of the “fabric of the web.” Rock on.

Privacy attitudes are changing. Technology is evolving, laws are changing, and when you think about it, the digital world is still in its infancy. Solid is a unique platform that is worth watching.

FTC Settles with Four Companies over Privacy Shield Certification

In the wake of the determination by the European Commission that the EU-US Safe Harbor Framework was insufficient to protect EU citizens’ personal information, the Privacy Shield Framework was implemented by the Department of Commerce.

Companies that apply for Privacy Shield certification are required to file an application, which requires them to attest to certain things they are doing to protect the personal data of individuals before personal information of EU citizens is transferred to the U.S.

Although the Department of Commerce administers the Privacy Shield Framework, the Federal Trade Commission (FTC) enforces it. The FTC recently settled with four companies that it alleged falsely claimed to participate in Privacy Shield.

According to the FTC, IDMission, LLC, mResource LLC d/b/a Loop Works, LLC, SmartStart Employment Screening, Inc. and VenPath, Inc. falsely claimed that they were Privacy Shield certified. The allegations included that the companies listed participation in the Privacy Shield Framework on their websites and they either failed to complete their applications and certification, or failed to renew their certification.

The settlements require the companies to stop misrepresenting Privacy Shield status on their websites and comply with FTC reporting requirements.

These settlements are an important reminder to companies participating in the Privacy Shield Framework to monitor the status of their certification and not allow it to lapse, as well as keeping their websites accurate about certification. The FTC has been open about the fact that it continuously monitors company websites about Privacy Shield Certification.
