Small and Mid-Sized Businesses Continue to Be Targeted by Cybercriminals

A recent Ponemon Institute study finds that small and mid-sized businesses continue to be targeted by cybercriminals, and are struggling to direct an appropriate amount of resources to combat the attacks.

The Ponemon study finds that 76 percent of the 592 companies surveyed had experienced a cyber-attack in the previous year, up from 70 percent last year. Phishing and social engineering attacks and scams were the most common form of attack, reported by 57 percent of the companies, while 44 percent of those surveyed said the attack came through a malicious website that a user accessed. I attended a meeting of Chief Information Security Officers this week and was shocked at one statistic that was discussed—that a large company filters 97 percent of the email that is directed at its employees every day. That means that only 3 percent of all email that is addressed to users in a company is legitimate business.

A recent Accenture report shows that 43 percent of all cyber-attacks are aimed at small businesses, but only 14 percent of them are prepared to respond. Business insurance company Hiscox estimates that the average cost of a cyber-attack for small companies is $200,000, and that 60 percent of those companies go out of business within six months of the attack.

These statistics confirm what we all know: cyber-attackers are targeting the lowest-hanging fruit—small to mid-sized businesses, and municipalities and other governmental entities that are known to have limited resources to invest in cybersecurity defensive tools. Small and mid-sized businesses that cannot devote sufficient resources to protecting their systems and data may wish to consider other ways to limit risk, including prohibiting employees from accessing websites or emails for personal reasons during working hours. This may sound draconian, but employees are putting companies at risk by surfing the web while at work and clicking on malicious emails that promise free merchandise. Stopping risky digital behavior is no different from prohibiting other forms of risky behavior in the working environment—we’ve just never thought of it this way before.

Up to this point, employers have allowed employees to access their personal phones, emails and websites during working hours. This has contributed to the crisis we now face, with companies often being attacked as a result of their employees’ behavior. No matter how much money is devoted to securing the perimeter, firewalls, spam filters or blacklisting, employees still cause a large majority of security incidents and breaches because they visit malicious websites or are duped into clicking on a malicious email. We have to figure out how employees can do their jobs while also protecting their employers.

NSA Warns of Hackers Attacking VPN Service Applications

The National Security Agency issued an advisory last week to warn companies and users that nation-state actors are actively exploiting vulnerabilities in several virtual private network (VPN) products to obtain access to the devices that run them. The hackers are leveraging vulnerabilities in older versions of these VPN products, and if successful, the attackers can remotely execute code on the device, retrieve files from it, and intercept the network traffic that the VPN was supposed to protect.

The purpose of a VPN is to give remote users an encrypted tunnel from their computer into the company network, so that traffic crossing the Internet cannot be read or altered along the way. The flaws being exploited are in older versions for which the vendors have already issued fixes; the attacks succeed against companies and users that have not applied those fixes. One caveat a practitioner should keep in mind: because these flaws can expose the files and traffic on the VPN device, including stored credentials and keys, patching alone does not evict an attacker who has already taken that material. Credentials and keys on a device that ran a vulnerable version should be reset after the update.

The advisory urges companies and users to apply the patches that the VPN vendors have issued. The advisory illustrates the importance of staying current with patching of all applications, and this one is vitally important: a VPN device sits at the network edge and is reachable from the Internet by design, so an unpatched one is an open door.

Privacy Tip #212 – National Cybersecurity Awareness Month: “Own IT”

Everyone should be aware that October is National Cybersecurity Awareness Month. TechNewsWorld is urging all users to “Own IT,” which “means staying safe on social media, updating privacy settings, and keeping tabs on apps. Simply put, users need to take better ownership of their data and their online presence as part of daily safe cyber practices.”

One of the problems the authors see, and with which I agree, is that “people tend to share too much on social media…[u]sers need to limit what they’re sharing and do a better job of protecting sensitive data and information.”

Some solid suggestions for “owning it” include:

  • Be vigilant about privacy and know how your data are collected and used (this means READ the privacy policy when you download an app and make an informed decision about whether you want to download it or not)
  • Use long and strong passphrases
  • Update software regularly
  • Implement multifactor authentication
  • Place a fraud alert through the credit bureaus
  • Keep privacy settings up to date, and reset them when you download a new application or patch
  • Only download apps from an official app store
  • Refrain from divulging or displaying personal information on social media that “could be used in any nefarious way,” including birth dates, detailed information about upcoming events, plans or vacations, or personal information about your residence.

“Think from the perspective of what a malicious actor would do with the information you’ve posted.”

I couldn’t agree more. For National Cybersecurity Awareness Month, focus on your cyber hygiene and Own IT.

CCPA News: Amendments Signed into Law by the California Governor and Draft Regulations Released by the State’s Attorney General

Last week was a busy week for the California Consumer Privacy Act (CCPA), as Attorney General Xavier Becerra released draft regulations on October 10 and Governor Newsom signed several pending CCPA amendments into law on October 11. The CCPA amendments clarified several important issues, including:

  • employee information and business-to-business (B2B) communications are exempt from the CCPA until January 1, 2021;
  • the definition of personal information includes information that is “reasonably” capable of being associated with a particular consumer or household, as opposed to “capable” of being associated with a consumer or household; and
  • the elimination of the requirement of a toll-free number for customer contact if a business operates exclusively online and has a direct relationship with a consumer.

The draft regulations focus on consumer notices, business processes, verification of consumer requests and financial incentives. Specifically, the regulations address four notices required under the CCPA: (1) notice to consumers at or before the collection of personal information; (2) notice of the right to opt out of the sale of personal information; (3) notice relating to financial incentives; and (4) notice through a website privacy policy.

One theme regarding consumer notices that is obvious throughout the draft regulations is that consumer notices must be designed and presented to consumers so they are easy to read and understand by an average consumer. The draft regulations require the use of plain, straightforward language, a format that draws the consumer’s attention to the notice, and that the notice be in the language(s) in which the business provides consumer contracts. They also require businesses that sell personal information to provide a button or link on their websites and apps through which California users can opt out of the sale of their personal information.

With respect to business processes, the draft regulations establish the following:

  • Details regarding the content of a website privacy policy
  • Methods for businesses to provide for consumers to submit requests
  • Require businesses to develop a process to respond to consumer requests
  • Rules regarding how businesses can seek additional time to respond to consumer requests, including deletion requests
  • Training requirements
  • Record-keeping guidance so businesses can demonstrate compliance with the CCPA
  • Procedures regarding verifiable consumer requests and deletion requests
  • Rules regarding password-protected accounts so consumers may use their existing password authentication processes if the business implements reasonable security measures to detect fraud
  • Businesses to comply with the opt-in requirements regarding the sale of the personal information of minors under 13 years of age, and minors between the ages of 13 and 16
  • Discriminatory practices and financial incentive offerings
  • Guidance regarding how to calculate the value of consumers’ data in designing financial incentives and the requirement that the business publicly disclose the estimated value of the consumer’s data and the method by which the amount was calculated.

The Attorney General stated that the law is designed to protect more than $12 billion worth of personal information used for advertising every year. The total all-in projected cost of compliance with the regulations over the next decade ranges from $467 million to $16.4 billion, including legal, operational, technical and business costs as well as special contingencies such as potential fines or penalties. He has indicated that he’ll be amending the draft regulations to conform with the recent amendments to the law. The deadline for the public to submit comments on the draft regulations is December 6 at 5 p.m. Four public hearings are scheduled in Sacramento, Los Angeles, San Francisco, and Fresno, California between December 2 and December 5. Final Regulations will be issued after the comment period.

Enforcement of the Regulations by the Attorney General will begin on July 1, 2020, and include civil penalties of up to $7,500 per violation.

The CCPA also provides California residents with the right to sue companies for data breaches of their personal information if the company fails to use reasonable security measures to protect that information. Residents can seek damages of between $100 and $750 per consumer per incident under the law. This limited private right of action for a data breach is the first of its kind in the nation. The law allows consumers to sue following a data breach without having to prove they suffered actual harm or damages.

FBI Warns of Sharp Increase in Ransomware Attacks in Certain Sectors

The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) recently issued a public service announcement warning private companies about the increasing number of ransomware attacks affecting private industry. According to the warning, “Although state and local governments have been particularly visible targets for ransomware attacks, ransomware actors have also targeted health care organizations, industrial companies, and the transportation sector.”

The ransomware attacks are initiated through “large scale or targeted phishing campaigns and exploiting software and Remote Desktop Protocol (RDP) vulnerabilities to get a foothold on their victims’ systems before encrypting their systems.”

The FBI is urging companies not to pay the ransom, and to contact the FBI in the event of an attack so it can use the information, along with information provided by other victims, to track the ransomware attackers, find them and hold them accountable, in order to prevent future attacks.

The FBI also recommends that companies:

  • Regularly back up data and verify its integrity
  • Focus on awareness and training
  • Patch the operating system, software, and firmware on devices
  • Enable anti-malware auto-update and perform regular scans
  • Implement the least privilege for file, directory, and network share permissions
  • Disable macro scripts from Office files transmitted via email
  • Implement software restriction policies and controls
  • Employ best practices for use of RDP
  • Implement application whitelisting
  • Implement physical and logical separation of networks and data for different org units
  • Require user interaction for end-user apps communicating with uncategorized online assets

Ransomware is extremely disruptive to business operations, so preparing for such incidents is mission critical, including deploying an incident response team and testing incident response plans.

Dental Practice Pays $10,000 Fine to OCR for Disclosing PHI on Social Media

Elite Dental Associates (Elite), located in Dallas, Texas has agreed to settle alleged HIPAA violations with the Office for Civil Rights (OCR) for $10,000.

The OCR alleged that it received a complaint from a patient in June of 2016 that Elite had disclosed the patient’s last name and details of the patient’s health condition on social media. After an investigation, the OCR “found that Elite had impermissibly disclosed the protected health information (PHI) of multiple patients in response to patient reviews on the Elite Yelp review page.”

The OCR further alleged that “Elite did not have a policy and procedure regarding disclosures of PHI to ensure that its social media interactions protect the PHI of its patients or a Notice of Privacy Practices that complies with the HIPAA Privacy Rule.”

According to the OCR, it “accepted a substantially reduced settlement amount in consideration of Elite’s size, financial circumstances, and cooperation with OCR’s investigation.”

In its press release, the OCR stated, “Social media is not the place for providers to discuss a patient’s care. Doctors and dentists must think carefully about patient privacy before responding to online reviews.”

The Settlement Agreement and Corrective Action Plan also requires Elite to be monitored for two years and to implement appropriate HIPAA-compliant policies and procedures.

From California to Nevada: Another State Privacy Law That You Need to Know

While we’ve discussed the California Consumer Privacy Act (CCPA) at length, Nevada was busy amending its internet privacy law and in the process beat California’s deadline for the effective date by three months. Nevada’s SB 220 is effective as of October 1, 2019.

This law allows consumers to submit verified requests directing a covered operator not to sell their personal information, and prohibits the operator from selling that information once such a request is received. Covered operators must start accepting these requests from individuals now. Key provisions to note include:

  • SB 220 amends existing state law that requires an operator of an Internet website or online service that collects certain items of personally identifiable information about consumers in Nevada to make available a notice containing certain information relating to the privacy of covered information collected by the operator.
  • SB 220 revises the definition of the term “operator” to exempt certain financial institutions and entities that are subject to Gramm-Leach-Bliley Act, entities covered by the Health Insurance Portability and Accountability Act, and certain persons who manufacture, service or repair motor vehicles.
  • One of the most important provisions to note is that SB 220 requires an operator to establish a designated request address through which a consumer may submit a verified request directing the operator not to sell any covered information collected about the consumer. This consumer opt-out right is similar to opt-out rights that we’ve discussed previously regarding the CCPA.
  • “Sale” means the exchange of covered information for monetary consideration by the operator to a person for that person to then license or sell the covered information to additional persons.

The new law prohibits an operator who has received an opt-out request from a consumer from selling any covered information collected about the consumer. The law does not provide a private right of action to consumers; however, the Nevada Attorney General is authorized to seek a temporary or permanent injunction or seek to impose a civil penalty not to exceed $5,000 for each violation if the Attorney General has reason to believe that an operator, either directly or indirectly, has violated this law.

What’s next? Determine if your business needs to comply with this Nevada law. Generally speaking, businesses and other entities that operate a website and collect and maintain covered information about consumers who reside in Nevada and who use that website may need to review and update their website privacy policies; create processes for consumers to exercise their opt-out rights regarding the sale of their personal information; maintain a designated address for consumers to submit opt-out requests; and establish a process to respond to consumers within sixty (60) days of receipt of the opt-out request.

U.S. Supreme Court Declines to Hear Case on Whether Commercial Websites and Mobile Apps Are Subject to Title III of the Americans with Disabilities Act (the “ADA”)

The ADA was enacted in 1990 to prohibit discrimination against persons with disabilities. It did not include express rules about access to websites and mobile apps. But that hasn’t stopped a flood of lawsuits against companies based on claims that their websites or mobile apps are not accessible to people with disabilities, such as visual or hearing impairments or limited manual dexterity.

According to UsableNet, a technology and accessibility company, nearly 2,000 ADA-related lawsuits are expected to be filed by the end of 2019. UsableNet claims almost half of the top 500 retailers have been sued in just the last two years.

In one such case, the pizza chain Domino’s was sued in federal District Court in California by a blind man who wasn’t able to order pizza on Domino’s website and mobile app. Domino’s claimed applicable law didn’t require it to make its website accessible to people with visual impairments because websites and mobile apps generally didn’t exist in 1990 when the ADA was enacted. The plaintiff argued the ADA should apply so long as the business has physical locations in the US and is soliciting customers over the Internet. The District Court agreed with the plaintiff.

On appeal, the Ninth Circuit held that the ADA and California law applied to Domino’s website and mobile app, which were inaccessible to persons with visual disabilities. The Ninth Circuit then ordered the case to be sent back to the District Court for further rulings, but before that could happen, Domino’s filed a petition for a writ of certiorari with the United States Supreme Court, asking it to review whether its website is required to comply with the ADA or a comparable California state law.

To the disappointment of companies and the U.S. Chamber of Commerce, the Supreme Court recently decided not to review the Ninth Circuit decision. This means the Ninth Circuit court decision will stand, and the case will return to the District Court to determine whether and perhaps how Domino’s makes its website and mobile app accessible to all of its prospective customers.

The Supreme Court’s decision is difficult for companies, as there are no federal regulations or rules describing the steps they must take to comply. In 2017, the Justice Department withdrew its compliance guidance on this topic. Companies are typically left to negotiate a settlement regarding the applicable standards with the applicable plaintiff and court. Often that settlement requires compliance with the Web Content Accessibility Guidelines (WCAG), the international standards in digital accessibility for business websites that are set by the World Wide Web Consortium (W3C). Hopefully, the District Court in California can provide more guidance to companies to comply with the ADA and California law. Or perhaps, Domino’s will appeal again.

The case is known as Domino’s Pizza v. Guillermo Robles, No. 18-1539.

Department of Defense Subcontractors: Cybersecurity Compliance is Top Priority

The Office of the Under Secretary of Defense for Acquisition and Sustainment has been on a fast track mission to shore up the cybersecurity measures of defense contractors and the supply chain to the Department of Defense (DOD). It is in the process of developing a Cybersecurity Maturity Model Certification (CMMC) requirement for those vendors.

Many DOD vendors and subcontractors are small businesses, and could be left behind if they don’t focus on and invest in cybersecurity readiness.

It is the goal of the DOD to release CMMC Rev 1.0 in January 2020, and there have been public announcements that the DOD will be auditing existing contractors immediately to determine compliance with the requirements.

For those looking to get into the defense contractor industry, and who don’t already have a contract, it is anticipated that CMMC will be included in all Requests for Information starting in June of 2020, and in all Requests for Proposals in the fall of 2020.

In order to be certified, a company has to be assessed by an accredited third party; no self-certification will be permitted. The CMMC model has 18 domains, and certification will be provided based upon the level requested, which depends on the work being performed for the DOD. The levels start with basic cyber hygiene and get more sophisticated from there. The level required of a contractor will depend on the risk posed by the work being performed and the sensitivity of the data shared and disclosed.

January is coming quickly, so DOD contractors should become familiar with CMMC and get ready to be audited. We are hearing that DOD is serious about getting audits started quickly and that they won’t have much tolerance if their contractors aren’t ready. This could have a huge impact on small contractors who are not prepared for the roll out of CMMC.

UPS Receives FAA Approval for Drone Deliveries

The Federal Aviation Administration (FAA) has granted UPS Flight Forward, Inc. (UPS) a Part 135 air carrier and operator certification for unmanned aircraft systems (UAS or drone) delivery. The certification was granted through the FAA’s UAS Integration Pilot Program and will allow UPS to perform revenue-generating package-delivery activities using drones. As a Part 135 operator, UPS will not have pre-set limits on the size or scope of its operations. Operationally, this allows UPS to fly an unlimited number of drones with an unlimited number of remote operators in command, and also permits the drone and cargo to exceed the 55-pound limit set by the Small UAS Part 107 Rule. Additionally, UPS is permitted to operate beyond visual line of sight and at night without further authorization.

Moving forward, UPS has a long-term plan for:

  • Expansion of its drone delivery service to new hospitals and medical campuses;
  • Build-out of ground-based detect-and-avoid technology to enable safe drone operation and expansion of its delivery service;
  • Construction of a centralized operations control center;
  • Regular and frequent beyond-visual-line-of-sight operations; and,
  • Partnering with drone manufacturers to design and build new drones with different types of cargo capacities.

David Abney, CEO of UPS, said, “[UPS] will soon announce other steps to build out our [drone delivery service] infrastructure, expand services for healthcare customers and put drone to new uses in the future.”