FFIEC Members Issue Joint Statement to Financial Institutions on Role of Cyber Insurance as Risk Management Tool

By Norman Roos and Scott Baird on April 23, 2018 Posted in Cybersecurity

On April 10, the Federal Financial Institutions Examination Council (FFIEC) members issued a joint statement discussing cyber insurance and its potential role in the risk management programs of financial institutions. Members of the FFEIC include the Board of Governors of the Federal Reserve System, Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and State Liaison Committee.

Cyber insurance covers losses related to cyber-attacks and data breaches and may include coverage for customer notification, event management, business interruption, cyber extortion, and claims made by financial institutions’ customers, partners, or vendors as a result of cyber incidents. Traditional general liability or basic business interruption insurance coverage may only partially cover cyber risk exposures or may not cover them at all.

The FFIEC does not currently require financial institutions to maintain cyber insurance. However, the joint statement cites the increasing number and sophistication of cyber-attacks faced by financial institutions and suggests that cyber insurance should be evaluated as an effective addition to an institution’s risk management strategy. The joint statement emphasizes that “cyber insurance does not remove the need for a sound control environment. Rather, cyber insurance may be a component of a broader risk management strategy that includes identifying, measuring, mitigating, and monitoring cyber risk exposure.”

The FFIEC recommends that financial institutions considering cyber insurance do the following:

Involve multiple stakeholders, such as legal, enterprise and operational risk management, finance, information technology, and information security management, in the cyber insurance decision.
Perform proper due diligence to understand cyber insurance coverage, triggers, exclusions, and limits.
Evaluate cyber insurance in the annual insurance review and budgeting process.

The full FFIEC joint statement is available here.

Manufacturing Sector Getting Hit with Cyber-Attacks: Portable Oxygen Device Manufacturer Notifies 30,000 Patients of Breach

By Linn Foster Freedman on April 19, 2018 Posted in Cybersecurity

Inogen, which manufactures portable oxygen devices, has alerted the Securities and Exchange Commission in a recent filing that it is notifying 30,000 individuals that their personal information was compromised when a hacker gained access to one of its employees’ email accounts through a phishing scheme.

The incident illustrates how the manufacturing sector is continuing to get hit with cyber-attacks, despite the fact that manufacturing companies view the risk of a data breach as low because they don’t typically collect, use or disclose customer personal information.

In this incident, the compromised employee’s email account contained the Medicare identification numbers, insurance policy information and the medical equipment provided to the individuals by the company.

The manufacturing sector, including device manufacturers, is often surprised at the amount of customer and/or employee personal information it has access to, collects and maintains outside of the usual places like the human resources department. When we assist manufacturers with data mapping, clients find that personal information is located in surprising places, including email accounts that can be compromised by phishing incidents.

This case is a reminder that manufacturers are at risk of a data breach and may wish to consider developing a privacy and security plan for management of the risk of compromise.

HHS Warns Health Care Organizations About SamSam Ransomware

By Linn Foster Freedman on April 19, 2018 Posted in Cybersecurity

The health care industry continues to get hammered by SamSam ransomware attacks, to the point that the Department of Health and Human Services Healthcare Cybersecurity and Communications Integration Center (HCCIC) has issued a report outlining the danger of ongoing SamSam ransomware campaigns, with tips to help organizations detect and block SamSam.

According to the report, since December 2017, there have been ten major SamSam attacks on health care organizations and the government in the U.S. Those affected include AllScripts, whose system was down for days, preventing health care providers from accessing electronic medical records for up to a week, the City of Atlanta, which shut down its IT systems to prevent its spread, Hancock Health, which paid the ransom to recover its data, the Colorado Department of Transportation, and Erie County Medical Center, which took six weeks to recover from the attack, costing the organization several million dollars.

The tips offered by HCCIC include:

Conduct a risk analysis
Train end users to help them detect malicious software
Implement procedures to protect against malicious software and apply detection software
Back up data regularly—3-2-1—3 backups made on 2 different media, with 1 stored offsite
Develop (and I would add test) contingency plans to minimize business disruption
Develop (and I would add test) incident response procedures, including specifically for a ransomware attack
Conduct annual penetration testing
Use rate limiting to block brute force attacks
Restrict the number of users who can login remotely
Restrict access to RDP behind firewalls
Use a VPN or RDP gateway
Set up multi-factor authentication

Frankly, none of these tips are new and are a reminder that health care organizations are still struggling with implementation of basic security measures to protect data. These ransomware attacks continue to exploit the fact that organizations are finding it extremely difficult to train employees and prevent an employee from clicking on a link or attachment that introduces malware or ransomware into the system. Until we can change the entire culture around work flow with email, ransomware will continue to cripple organizations.

This fact was emphasized by Beazley this week in a report on recent data breaches, which indicated that companies using Microsoft Corporation’s cloud based products (also known as Office 365) are seeing a rise in cyber-attacks due to employees providing their credentials to a hacker who has gained access to the employee’s email account . We too have seen a dramatic rise in successful phishing attacks with clients using Office 365.

Beazley recommended that organizations implement two-factor authentication, enforce strong password policies and train employees to spot phishing emails to combat the ever increasing risk of ransomware attacks.

Update on the FAA Reauthorization Bill

By Kathryn Rattigan on April 19, 2018 Posted in Drones

On April 13, 2018, the U.S. House Transportation and Infrastructure Committee (Committee) leadership introduced a five-year Federal Aviation Administration (FAA) reauthorization bill, FAA Reauthorization Act of 2018 (H.R. 4) (the Act). This bipartisan Act focuses on stabilization of the FAA with consistent funding instead of efforts to reform the air traffic control system. The Act also seeks to continue investment in U.S. airports and make reforms to improve U.S. competitiveness and safety in aviation. Specifically, the Act includes proposed funding for the FAA’s operations account ranging from $10.4 billion in fiscal year 2019 to $11.3 billion in fiscal year 2023.

Additionally, according to the Committee leadership, the Act:

Helps the U.S. lead in the aviation industry by putting American jobs, American innovation, and the traveling public first.
Cuts “red tape” so that U.S. manufacturers can get products to market on time, stay competitive globally, and continue to employ millions of Americans.
Encourages American innovation in aviation technologies to promote a stronger American workforce.
Gives the American traveling public a better flight experience.
Helps the national airspace system remain as safe as possible for the American traveler and addresses factors related to recent incidents.

Committee Chairman, Bill Shuster of Pennsylvania, said, “This FAA authorization is the culmination of years of hearings and listening sessions to solicit input from aviation stakeholders, commercial passengers, general aviation pilots and our colleagues. In the truest sense, this legislation represents bipartisan cooperation and compromise to advance the Nation’s aviation interests and safety in the skies.”

EPIC Files Suit to Enforce Transparency Obligations related to U.S. Drone Policy

By Kathryn Rattigan on April 19, 2018 Posted in Drones

Last week, the Electronic Privacy Information Center (EPIC) filed a lawsuit against the Federal Aviation Administration’s (FAA) Drone Advisory Committee (Committee) to enforce the open government obligations of the Committee. The Committee is an industry-led committee that advised the FAA regarding drone policy in the U.S. EPIC claims that for over one year, the Committee has conducted its work “in secret” and “ignored the privacy risks posed by the deployment of drones.” EPIC claims that the Committee violated the Administrative Procedure Act by failing to open its meetings to the public and failing to make its records open to the public. EPIC hopes to force the Committee to disclose its work to the public as a result of this lawsuit. EPIC’s complaint can be viewed here.

Privacy Tip #135 – Cybersecurity Spring Cleaning Tips

By Linn Foster Freedman on April 19, 2018 Posted in Privacy Tips

Here’s a great idea offered by the National Cyber Security Alliance and the Better Business Bureau: while you are doing your spring cleaning, don’t forget to do a digital spring cleaning too—that is, your computer, cellphone and Internet-connected devices.

The tips acknowledge that we all have information contained on our computers, cellphones and mobile devices that should be culled and discarded, just like our closets. While cleaning our closets and our sock drawer, take the time to clean your digital closets too.

Here are the seven tips they offer for digital spring cleaning:

Fortify your online accounts and enable the strongest authentication tools available, such as biometrics, security keys, or a unique one-time code through an app on your mobile device. Usernames and passphrase are not enough to protect key accounts like email, banking and social media
Delete unused apps and keep others current, including the operating system on your mobile devices
Clean up your email: save only those emails you really need and unsubscribe to email you no longer need/want to receive
Check that all software on Internet-connected devices is up to date to reduce risk of infection from malware, or implement automat updates
Permanently delete old files using a program that deletes the data, wipes it from your device and overwrites it by putting random data in place of your information ‒ so it cannot be retrieved
De-packrat your old digital devices you never use. Information still exists on them and could be stolen. Don’t wait: wipe and/or destroy unneeded hard drives as soon as possible. For devices like tape drives and thumb drives, remove any identifying information that may be written on labels before disposal
Review the privacy and security settings on websites (and I would add social platforms) that you use to privacy settings that are consistent with your comfort level.

These are all great tips to follow for cyber hygiene. And since it is still snowing in the Northeast and Midwest, now’s the time to do it while waiting for Spring to arrive!

EU-US Transatlantic Data Flows Subject to Further Legal Challenge

By Kathleen Porter on April 18, 2018 Posted in Enforcement & Litigation, International Privacy Laws

Last week, the High Court of Ireland submitted eleven questions to the Court of Justice for the European Union (CJEU) to consider about the personal data transfer regime between the European Union (EU) and the United States. This referral stems from a new claim by Max Schrems, an Austrian lawyer and privacy activist. Schrems previously challenged the adequacy of the U.S. Safe Harbor data transfer regime to protect EU personal data transferred by technology companies and affiliates in Ireland (including Facebook) to the United States. In 2015, the CJEU struck down the U.S. Safe Harbor as a valid mechanism to transfer data to the US as a result of a referral from the Irish High Court arising from Schrems’ prior lawsuit.

Schrems’ new claim specifically challenged whether EU’s standard contractual clauses (SCCs) adequately protect EU personal data transferred from Facebook’s Irish entity to the United States. Schrems’ concern is that EU personal data transferred by Facebook to the U.S. under the SCCs could be accessed by the National Security Agency as part of the NSA’s mass surveillance programs.

However, the Irish High Court’s eleven question referral to the CJEU was much broader than questioning just the adequacy of SCCs. The CJEU is being asked to consider the adequacy of the Privacy Shield mechanism (adopted in 2016 as a replacement to the EU-U.S. Safe Harbor) as well as SCCs, to address how to resolve conflicts between conflicting country data protection rules and regulations, as well as violations of individual rights caused by surveillance law and the authority of data protection authorities to suspend cross border data transfers, particularly based on concerns about mass surveillance law.

Additionally, in the EU Article 29 Data Protection Working Party’s (WP29) first annual review of the Privacy Shield data transfer mechanism, it called for an appointment of a permanent Privacy Shield ombudsperson in the U.S. among other protective safeguards. The WP29 requested that the U.S. address these safeguards by May 25, 2018, when the GDPR, the EU’s new data protection law comes into effect. To date, the U.S. has not addressed the WP29’s concerns. If anything, US extension to FISA earlier this year may have created more questions, as it is did not include privacy protections for foreigners’ data. While CJEU’s response to the eleven questions is not likely to be issued for months, significantly higher fines for violations of the GDPR are possible beginning on May 25.

Pipeline Companies Targeted by Cyber-Attacks

By Linn Foster Freedman on April 12, 2018 Posted in Cybersecurity

Reports show that U.S. energy companies reported more than 350 cybersecurity incidents to the U.S. Department of Homeland Security between 2011 and 2015. Pipeline companies are included in that statistic.

Last week, Energy Transfer Partners (ETP) notified its oil and gas shippers that its pipeline network system was hacked. According to ETP, the hacking targeted an ETP contractor that manages the ETP system, ETP was not hacked directly. Further, the hacking did not affect the actual pipeline system, but targeted the electronic data interchange system that facilitates transactions regarding oil and gas movement through pipelines.

The incident is presumed to have been focused on gaining pricing information for competitive advantage as opposed to disruption of the pipeline. Nonetheless, it shows the importance of vendor management.

Four other gas networks shut down their communication networks in the last week as a result of cyber-attacks. One natural gas pipeline company disabled its communication system as a precaution after a third-party provider was the target of a cyber-attack. Three others reported communications breakdowns with customers and websites that are hosted by third-party companies. The Department of Homeland Security is investigating.

New Jersey AG Fines Virtua Medical Group $418,000 for Data Breach Caused by Vendor

By Linn Foster Freedman on April 12, 2018 Posted in Health Information Privacy, HIPAA and Health Information

The New Jersey Attorney General’s office announced this week that it has fined Virtua Medical Group, which is comprised of more than 50 medical practices in New Jersey, for failing to protect the privacy of 1,650 patients when their medical information was accessible online.

The information was uploaded to a password-protected FTP website, but during a software upgrade to the server the password protection was removed, which allowed the data to be accessed without a password. The information was also searchable, and 462 patients’ information was indexed by search engines.

Although the misconfiguration of the website was caused by Virtua’s business associate, the New Jersey AG fined the medical group for HIPAA violations because it found that Virtua failed to conduct a risk assessment, a security awareness program had not been implemented for the entire workforce, no procedures had been implemented to facilitate retrieval of copies of the ePHI maintained on the FTP site, no logs had been maintained, and the information was exposed. According to the AG, these constituted violations of both HIPAA and the New Jersey Consumer Fraud Act.

Outcome Health Settles TCPA Class Action Suit

By Linn Foster Freedman on April 12, 2018 Posted in Telephone Consumer Protection Act

Ever notice the flatscreen TVs and tablets in your doctor’s office that run different health-related and wellness stories? Many of them are provided by Outcome Health, which installs free TVs and tablets in doctor’s offices to provide educational material to patients while they are sitting in the waiting room.

The company makes its money by selling ads to pharmaceutical companies, which pop-up during the educational stories. It also offers patients the ability to receive automated daily nutrition tips via text message. One patient agreed to the tips, but then was inundated by them, and she tried to opt-out of the texts over 25 times. She got fed up and sued the company for violation of the Telephone Consumer Protection Act (TCPA).

The company denies violating the TCPA, but settled the case for $2.9 million.

This Blog/Website is made available by the lawyer or law firm publisher for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog site you understand that there is no attorney client relationship between you and the Blog/Website publisher. The Blog/Website should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Any opinions expressed on this Blog/Website are opinions only of the author, expressed at the time the material is written based on information available to the author at that time, and are not opinions of the author's law firm or any of the author's or the law firm's clients. This Blog/Website is not intended to be attorney advertising. To the extent it might be deemed to be attorney advertising, it should not be considered advertising or to be seeking legal work in any jurisdiction in which the author is not admitted to practice law (i.e., jurisdictions other than Connecticut, Massachusetts, and various federal courts).