Considering E-Discovery in Cloud Contracts

Earlier this year, I predicted that 2016 would be a year of increased focus on e-discovery from cloud-based sources and postulated that many organizations would demand better e-discovery solutions and increased cooperation from cloud providers. Industry experts agreed. So, what can proactive companies do to ensure that their cloud providers are on board for e-discovery purposes? Much can be accomplished before the contract is even signed. For most providers, e-discovery is not their primary concern so their form agreements are unlikely to address with any degree of specificity key components that could make compliance with discovery requests smoother. While there is no one-size fits all answer, trying to get specific commitments incorporated into the provider agreement will go a long way towards streamlining compliance.

Continue Reading

Survey Shows Employees Top Security Risk for Companies

A recent survey conducted by Arlington Research for OneLogin in May 2016 of 1,022 respondents found what most of us already know: employees continue to be a high risk for employers when it comes to security risk.

The survey shows that although companies are investing in ways to protect their data, cyber-attackers are getting access to company data through employees’ digital device practices.

The results of the survey show that 13 percent of U.S. employees allow their colleagues to use their company assigned device, even though the employee using the device does not have the same access control, which negates the company’s ability to assign access controls based on roles of employees in the company.

Further, 9 percent of the respondents allow their spouse/partner to use their company issued device, and 1 percent allow their children to use their work issued device.

On top of that, the survey confirms that employees frequently share their passwords with their colleagues and 12 percent share their passwords to other work applications, even though there are company policies against this behavior. Not surprisingly, the survey showed that almost 50 percent of the respondents were unaware of their company’s policy around sharing passwords.

Finally, the survey comments on how mobile device security is still a risk and is “lax.”

Some suggestions to combat the risks outlined in the survey are:

  • Educate employees on the risks associated with sharing passwords and allowing colleagues and unauthorized individuals access to company data
  • Implement multifactor authentication
  • Consider implementing a BYOD program
  • Develop security policies that are easy to understand and user friendly and give real life examples
  • Train, Educate, Re-Train and Re-Educate your employees—and consider doing live education as computer training is pretty boring
  • Assemble a Data Privacy + Security Team to develop continuous education and awareness for your employees so it is interesting, timely and understandable—the more you reiterate certain behaviors, the more they’ll hear the message and perhaps change their behavior—one time training is easily forgotten

Most employees really do want to follow company policies, but reading company policies are boring. The key is to find a way to keep employees engaged and part of the solution in data protection.

Judge Approves LifeLock’s $68M Proposed Settlement with Class and $10.2M with Lawyers

On Tuesday, September 20, 2016, a federal judge in California granted approval of the $68 million settlement between LifeLock and a class of plaintiffs that alleged it made false statements about the services it provides to consumers that it will alert them of possible identity theft as soon as possible. The judge also approved a fee of and additional $10.2 million for the lawyers. The settlement funds will come from the $100 million settlement LifeLock reached earlier with the Federal Trade Commission (FTC) last year [view related post]. The FTC alleged that LifeLock had failed to establish a comprehensive information security program and “falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions.”

The judge rejected several of the plaintiffs’ claims that the settlement amount was too low and that the consumers should be reimbursed for the actual amounts paid to LifeLock. One named plaintiff immediately appealed the Order approving the settlement saying the settlement funds should not come out of the FTC settlement and that the attorneys’ fees were too high, since the FTC had done most of the work. The attorneys’ fees granted by the judge will not be paid out of the settlement with the FTC.

The settlement was reached through mediation, and the consumers in the class will each get $20.

Employee’s Wife Pleads Guilty to Charges After He Stole Patient Information

The Manhattan District Attorney announced this week that a former employee of Lenox Hill Hospital’s wife plead guilty to grand larceny, identity theft in the first degree, and criminal possession of stolen property after her husband stole over 80 patients’ information while employed at the hospital, gave it to her, and she then used the information to access the patients’ bank accounts and buy hundreds of thousands of dollars of designer merchandise.

According to the DA, the accused’s husband, who worked at the hospital and had access to patients’ names, dates of birth, and Social Security numbers, gave the information to his wife, who used the patients’ credit card accounts and place fraudulent telephone orders. In some cases, she was able to obtain account information directly from the card holders’ customer service representatives since she had authentication information.

The DA further alleged that in one instance, she took over a deceased patients’ account just hours after the patient expired.

All in all, she was able to purchase over $300,000 of luxury merchandise and attempted to purchase over $1 million from Saks Fifth Avenue.

Her husband, the employee of Lenox Hill Hospital was fired and subsequently convicted of attempted grand larceny. The DA praised Lenox Hill Hospital on its assistance with the investigation, shutting down the scheme and bringing it to the DA’s attention.

Sentencing is scheduled for October 13, 2016.

Yuba Sutter Medical Center Hit With Ransomware

Yuba Sutter Medical Center in California (Yuba Sutter) has notified its patients that it has suffered a recent ransomware attack that caused parts of its network to be incapacitated. As a result, patient files were unable to be accessed, and patient treatment was delayed.

The attack occurred on August 3, 2016, and clinical data and health information was encrypted. The data was backed up, and although patient treatment may have been delayed, it does not appear from reports that Yuba Sutter paid a ransom.

Patients affected by the ransomware are being notified of the incident. The compromised data includes names, billing information, insurance details, addresses, and telephone numbers.

Yuba Sutter is recommending that its patients watch for suspicious activity on accounts, to obtain a credit report and place a fraud alert with the credit bureaus.

Integrating Drones into Your Business

Drones are becoming increasingly important for business of all types and sizes. There are already many applications of drones for businesses, but many more will certainly arise over the next few years. To most effectively and efficiently launch drone operations, here are a few tips on integrating drones into your business:

  1. Use Drones to Increase Value. Drones are only as valuable as what they can achieve for your business; before investing in drones, pilots and analysis software, create a clear plan for the advantages that drones can provide your business. For example, if your business is large and complex, drones can provide value to the supply chain, inventory management, data gathering, infrastructure inspections, and modelling and mapping. But if your business is smaller, start small.
  2. Educate your Business. Drones are frequently in the media these days –mostly for the problems they are causing. While there are certainly risks associated with drone operations, and regulatory requirements, drones can certainly be a value-add to your business. Do the research and prepare reports on how drones can help solve your business’s problems and provide your business with third party studies and reports about the same. The more you know about drones and drone operations will only benefit your business.
  3. Include Risk Managers and Legal Team in Drone Decisions. Risk management team members and legal counsel are at your business to help prevent accidents and reduce liability. Meet with your risk managers and legal team when considering how your business can integrate drones to benefit the business.
  4. Compliance and Operational Efficiency Go Hand-in-Hand. Businesses that invest in commercial drone operations must not only use drones to achieve business value but must also comply with Federal Aviation Administration (FAA) regulations and state laws as well. Compliance with regulatory requirements and drone operations should be part of one consistent workflow. Hired pilots should understand and abide by the rules and regulations every time.
  5. Try More than One Drone and More than One Drone Data Software. While drone aircrafts and data collection software are certainly advanced, there are many different types of aircrafts and software available to choose from. Be sure to shop around for the appropriate drone and software for your business. Use your business’s goals to find the right fit.
  6. Don’t Silo Drone Operations. Depending on the complexity of your business ( i.e., the number of departments/divisions, number of jurisdictions in which you operate), there may be a dozen use cases for drones, or even possibly hundreds of flights across the country. Be sure to encourage various departments/divisions in your business to operate on the same set of standards to reduce risks and create transparent drone operations across the business.

Privacy Tip #53 – Valuable Lesson: Don’t Write Down Passwords

I have been doing a lot of live employee training lately. I really enjoy it, and have been told that it is some of the most entertaining training around. The reason why I can get the audience to laugh is because I tell real stories of some ridiculous things people have done that have gotten themselves (or mostly their employers) in deep trouble.

I often advocate that everyone should be using passphrases instead of passwords, including a past Privacy Tip. Passphrases are long enough so they will pass muster with any IT security guy’s complex password requirement. They are easier to remember, and most importantly, since people usually can remember them, THEY DON’T WRITE THEM DOWN. Most people really warm to the idea and like it and try to come up with a good passphrase.

And then I read a recent article that made me shake my head in disappointment.

By now, everyone knows not to write down their passwords, not to put them in their top drawer, and not to paste it on a post-it note on the monitor of your work station. People actually chuckle at this—like anyone would ever do that…

And yet, people, yes, employees, still write down their passwords.

I also harp on why it is so important to encrypt laptops. If the laptop is encrypted and it is lost or stolen, there may be a safe harbor from breach notification. So encryption is important for mobile devices, including laptops.

In this particular case, the employee of U.S. HealthWorks had an encrypted laptop—so the employer was doing the right thing when it came to data security for laptops—but the employee wrote down his password, and then actually kept the paper that the password was written on WITH THE LAPTOP! So when the laptop was stolen on July 18, 2016, not only did the thief get the laptop, but the thief hit the jackpot because s/he got the password right along with the laptop and the key to the encrypted data, making the encryption useless.

Unfortunately for the employer, it had to notify the 1400 patients whose information was contained on the laptop, because although it was encrypted, the password was available to the thief in order to access the data.

So my tip for this week is DON’T WRITE DOWN PASSWORDS! Do it for yourself AND for your employer.

The (Regulated) Rise of the CISO

The proposed New York Department of Financial Services Cybersecurity Requirements for Financial Institutions (the “Regulation”) has many different aspects that are designed to bring about overall improvement in cybersecurity programs. One that has yet to be explored is how the Regulation elevates the role of the Chief Information Security Officer (the “CISO”) beyond the traditional role at many financial services companies. The Regulation has detailed requirements for what must be included in a company’s cybersecurity policy and procedures. While most of the requirements are standard for information security policies, a few place responsibilities for areas of business that are necessary for cybersecurity, but go far beyond cybersecurity within organizations.

One of the requirements is for inclusion of data governance and classification. Data must be appropriately classified and governance rules applied for proper cybersecurity. However, data classification includes many topics, such as licensed data, third party confidential information,  company confidential information, intellectual property and many others. Data governance ensures that data when correctly classified is used in a manner appropriate to the business need, objectives and in compliance with laws and regulations.

The Regulation also requires business continuity and disaster recovery planning and resources be a part of the cybersecurity policy and procedures. In many companies, the executive responsible for these areas and resources is does not report to the CISO. Business continuity and disaster recovery planning also goes far beyond traditional cybersecurity planning, and yet is critical to cybersecurity effectiveness.

Continue Reading

Attorneys Cannot Sue Avvo for Unauthorized Profiles According to Illinois Federal Court

An Illinois federal judge dismissed a proposed class action of lawyers whose business information was published by the online attorney database Avvo without their permission. The lead plaintiff, a Chicago-based personal injury lawyer, claimed that Avvo’s service violates the Illinois Right of Publicity Act.

Avvo is designated to permit users to search for attorneys by location, practice area and other criteria. The company generates revenues by offering attorneys the opportunity to purchase advertising space on competitors’ profiles or to ensure that others lawyers cannot promote on their profile.

In granting Avvo’s motion to dismiss, the Court relied on the First Amendment protection of publishing truthful newsworthy information. The decision compared Avvo’s business model to traditional newspapers that advertise space or a yellow pages directory where businesses can pay for a more prominent listing.

Continue Reading

Hackers Post Athletes’ Medical and Drug Testing Records Online

Hacking group Fancy Bear, reportedly a Russian group, who allegedly hacked into the Democratic National Committee emails which made headlines, has posted U.S. Olympians’ medical and drug testing records online. Although it has been described as a “smear” campaign, the U.S. Olympians, in Olympian style, tweeted and thumbed their noses at the hackers, by saying that the records show that they did everything by the book.

The World Anti-Doping Agency (WADA) announced that the hackers were previously linked to the Russian government, but they disputed that claim and said they were associated with Anonymous.

At any rate, the effect was minimal. WADA said in response to the hacking, “In fact, in each of the situations, the athlete has done everything right in adhering to the global rules for obtaining permission to use a needed medication. The respective International Federations, through the proper process, granted the permission and it was recognized by the IOC [International Olympic Committee] and the USADA…The cyber-bullying of innocent athletes being engaged by these hackers is cowardly and despicable.”