Industry Groups Push for Modifications to California Consumer Privacy Act

As previously detailed, the California Consumer Privacy Act of 2018 was hastily passed by the California legislature as a compromise designed to avoid a more far-reaching ballot initiative. Recognizing the need to clarify various drafting errors, the drafters are currently working on Senate Bill 1121, intended to clarify certain provisions of the Act and to make other technical corrections.

Advocates for the business community have seized on this opportunity to push for more significant changes to the Act. In a letter to the bill’s sponsor, Senator Bill Dodd, dated August 6, 2018, dozens of business groups from the advertising, technology, retail, health, and banking sectors recommend substantive changes to the Act that go well beyond the “technical” corrections phase contemplated by the Senate Bill 1121.

The changes advocated by the industry groups include: (1) delaying implementation of the Act (currently set for January 1, 2020) until 12 months after the Attorney General’s office completes its rulemaking process; (2) narrowing the definition of “personal information” to exclude de-identified and aggregate consumer information and to align with the notion of that is reasonably linkable to a particular person; and (3) clarifying the definition of a “consumer” subject to the Act to exclude employees of a business and those involved in business-to-business transactions. Consumer advocacy groups have pushed back in a response letter dated August 13, arguing that the proposals from the industry groups would fundamentally weaken the protections of the Act.

While changes to the Act are inevitable, the most interesting battle will likely occur over the definition of “personal information” and whether the legislature will heed the call from the technology advertising sector to exclude data used for ad targeting, such as cookies, IP addresses and web tracking information.

FBI Releases Article on IoT Risks

The Federal Bureau of Investigation (FBI) released a Public Service Announcement on August 2, 2018 entitled “Cyber Actors Use Internet of Things Devices as Proxies for Anonymity and Pursuit of Malicious Cyber Activities,” which outlines how cyber criminals search for and compromise vulnerable IoT devices “for use as proxies or intermediaries for Internet requests to route malicious traffic for cyber-attacks and computer network exploitation.”

The smart devices most commonly targeted by cyber criminals include: routers, wireless radio links, time clocks, audio/video streaming devices, Raspberry Pis, IP cameras, DVRs, satellite antenna equipment, smart garage door openers, and network attached storage devices.

According to the article, these devices are used as proxy servers and allow the criminal to use them anonymously for malicious activity. If the cyber criminal uses the victim’s legitimate IP address, it allows the criminal access to business websites that block malicious IP addresses, thereby making it difficult for a business to distinguish the malicious actor from a legitimate user.

“By using the compromised IoT device, the threat actor can use it as a proxy to:

  • Send spam e-mails;
  • Maintain anonymity;
  • Obfuscate network traffic;
  • Mask Internet browsing;
  • Generate click-fraud activities;
  • Buy, sell, and trade illegal images and goods;
  • Conduct credential stuffing attacks, which occurs when cyber actors use an automated script to test stolen passwords from other data breach incidents on unrelated web-sites; and
  • Sell or lease IoT botnets to other cyber actors for financial gain.”

The article suggests that malicious actors target devices that have weak authentication, don’t have up-to-date patching, or that they compromise with brute force attacks. It also provides tips on protection and defense against these risks.

OCR Issues Guidance on Disposing Electronic Data and Media

In its July newsletter on cybersecurity, the Office for Civil Rights (OCR) released “Guidance on Disposing of Electronic Devices and Media,” which outlines the requirements health care providers and business associates have regarding the security of electronic data and media under the HIPAA Security Rule.

The newsletter reminds health care providers and business associates that they are required to have policies and procedures in place addressing the disposal and re-use of hardware and electronic media, and in that process consider the following guidelines:

  • “Determine and document the appropriate methods to dispose of hardware, software, and the data itself.
  • Ensure that ePHI is properly destroyed and cannot be recreated.
  • Ensure that ePHI previously stored on hardware or electronic media is securely removed such that it cannot be accessed and reused.
  • Identify removable media and their use (tapes, CDs/DVDs, and USB thumb drives).
  • Ensure that ePHI is removed from reusable media before they are used to record new information.”

OCR refers to its “Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” which sets forth permissible methods of disposal, and which are important to protect an organization from a data breach.

Department of Homeland Security Says the U.S. Isn’t Ready for the Growing Threat of Drones

Secretary of Homeland Security, Kirstjen M. Nielsen, wrote in an op-ed piece in the Washington Post, that the Department of Homeland Security (DHS) has been worrying about the dangers of drones for years; so much so, that DHS has sought legal authority in the past (and continues to do so) to protect the U.S. and its citizens from corrupted drones. After the attack on Venezuelan President, Nicolas Maduro [view related post], Nielsen tweeted a link to this op-ed piece that had been published earlier this summer.

Nielsen said that the technology is outpacing the U.S.’s ability to respond to drone threats,  writing that, “Without congressional action, the U.S. government will remain unable to identity, track and mitigate weaponized or dangerous drones in our skies.” Currently, DHS and the Department of Justice (DOJ) have limited capabilities when it comes to rogue drones. DHS and DOJ largely lack updated tools to monitor and mitigate inbound threats in the national airspace. She added in her op-ed, “DHS should be able to access signals being transmitted between a nefarious drone and its ground controller to accurately geolocate both quickly. This could allow authorities to take control of the device or stop its operator on the ground to prevent a potential attack. Yet, current legal constraints prohibit us from doing so and from addressing other drone-threat scenarios, such as drone configured to operate without a human operator, which will require a separate set of solutions.”

Nielsen urges the legislature, “[L]et’s make sure [drones] don’t become an everyday threat.”

New Milestone in U.S. Drone Delivery

Last week, in Blacksburg, Virginia, two-year old, Jack Smith—made history. Only six minutes after a technician from Alphabet Inc.’s Wing clicked the “Confirm Order” button on a smartphone app, a drone operated by the company flew from a simulated store about a mile away, hovered over Jack’s lawn and lowered the popsicle he had ordered (with the help of his mom). The Smith family was part of a Federal Aviation Administration (FAA) approved test that allowed flights over congested areas where people live and flew beyond the visual line of sight of the operator. It was the first and most realistic public demonstration in the U.S. that consumers may someday soon get near-instant purchases sent to their homes by drones.

This demonstration was conducted under the FAA’s Drone Integration Pilot Program, which began last May. Of course, widespread deliveries by drones are likely still years away due to a range of issues and concerns about the low-level air traffic control system in our national airspace.

Privacy Tip #152 – Device Self-Defense

If you have bought a new cell phone recently, you have seen that the technology of the newest smart phones is far more advanced than in the past, and have features that most people don’t understand or use.

When I conduct employee education for companies on data privacy and security, I devote a portion of the session to teaching employees about their smart phones, because most people don’t understand even the basic components of their phones, let alone how to activate appropriate privacy or security settings on them.

I recently engaged a salesperson at a well-known technology retail store in a conversation about their responsibility to teach consumers the basics of privacy and security settings and the capabilities of phones when they sell consumers these mini-computers. I was met with a nod and “Yes, we should,” which is a good customer relations response, but the problem continues that people buy millions and millions of devices and have no concept of the risk they pose.

Why is it important that employees understand how powerful the microphone on their phone is, or that when they click “I agree” when they download an app that they are allowing that company full access to everything that is said in that person’s personal and professional life? For that very reason—the confidentiality of personal and business information is lost when the microphone is on and capturing all information at all times. This is a basic capability of a smart phone that, surprisingly, most people don’t understand.

The Electronic Frontier Foundation (EFF) has great resources for consumers to learn about technology (like cell phones) they are buying from the technology giants, understand their capabilities, and use settings and other strategies to enhance privacy and security, since the manufacturers are not providing basic training on the risks associated with the technology.

The EFF offers “Surveillance Self-Defense—Tips, Tools and How-Tos for Safer Online Communications,” and other popular guides, including “Creating Strong Passwords,” “Assessing Your Risks,” “Protecting Yourself on Social Networks,” “How to: Use Signal on IOS and Android,” and “How to: Enable Two-Factor Authentication,” and “How Strong Encryption Can Help Avoid Online Surveillance.”

The guides are easy to understand and super helpful for both individuals and companies that are providing privacy and security awareness campaigns to employees.

FBI Issues Private Warning to Banks about Unlimited ATM Cash-outs

On August 10, 2018, the Federal Bureau of Investigation (FBI) issued a private warning to banks that cybercriminals are planning to “conduct a global Automated Teller Machine (ATM) cash-out scheme in the coming days, likely associated with an unknown card issuer breach and commonly referred to as an ‘unlimited operation.’”

A typical unlimited operation uses a phishing campaign to insert malware into the financial institution or payment card processor’s system so the cybercriminals have access to customers’ accounts, which allows the criminals to then steal large amounts of money through ATMs.

After the cybercriminals get into the financial institution or payment card processor’s system, they alter customer accounts so there are no limits on the account for ATM withdrawal, sometimes altering the balance, and then removing any fraud detection systems the financial institution or card processor put in place to prevent large amounts of cash from being withdrawn through the ATM or that a customer can only withdraw money from their account through an ATM on so many occasions in one day. This allows the criminals to withdraw large amounts from accounts have altered to look like there is more money in them than is actually in the balance, and so the accounts can be wiped out in one ATM transaction. Then the criminals create fraudulent cards based on the legitimate ATM cards and simultaneously withdraw large amounts from ATMs around the country, usually on a holiday weekend.

The FBI provides these considerations for banks and card processors:

  • review present security measures, including implementing strong password requirements and two-factor authentication using a physical or digital token when possible for local administrators and business critical roles
  • implement separation of duties or dual authentication procedures for account balance or withdrawal increases above a specified threshold
  • implement application whitelisting to block the execution of malware
  • Monitor, audit and limit administrator and business critical accounts with the authority to modify the account attributes
  • Monitor for the presence of remote network protocols and administrative tools used to pivot back into the network and conduct post-exploitation of a network, such as Powershell, cobalt strike and TeamViewer
  • Monitor for encrypted traffic (SSL or TLS) traveling over non-standard ports
  • Monitor for network traffic to regions wherein you would not expect to see outbound connections from the financial institution or card processor

With the three-day Labor Day weekend right in front of us, banks would do well to pay attention to the FBI warning.

Using Drones For Business? Don’t Forget About Insurance

The use of drones use has grown rapidly in recent years, especially in the commercial sector, where the Federal Aviation Administration projects that the number of units in the commercial small drone fleet will exceed 420,000 units by 2021. As businesses continue to incorporate drones into their everyday operations, they also will want to set up compliance programs early on that take into account federal, state, and local regulations; identify best practices for drones; and ensure that the business has the appropriate insurance to mitigate the risks associated with drone use.

Businesses and the individual drone operators who recognize that their use of drones leaves them exposed to potential claims or actions for liability stemming from their drone use will be better prepared for unexpected contingencies. This includes potential claims for personal and property injuries from malfunctioning or errant drones; claims of invasion of privacy for drones flying over properties while recording footage; and nuisance and trespass claims.

TCM Bank Website Flaw Compromises About 10,000 Customers’ Data

TCM Bank, a subsidiary of ICBA Bancard Inc., notified some 10,000 credit card applicants in the past week that their names, addresses, dates of birth, and Social Security numbers were compromised between March 2017 and the middle of July 2018.

TCM assists approximately 750 community and smaller banks with issuing credit cards to account holders. According to TCM, a website configuration that was mismanaged by a third-party vendor, exposing the data.

TCM refused to name the third-party vendor responsible for managing its website and presumably responsible for the compromise, but stated that the issue was corrected, and that it is requiring the vendor to evaluate procedures and technology to “detect and prevent similar issues going forward.”

This incident is a reminder of the importance of a vendor management program, including website hosts, and having contractual measures in place in the event of a security incident caused by a vendor, subcontractor, or other third-party.

First Known Drone Attack in Venezuela

Last weekend, in Venezuela, the Venezuelan President, Nicolas Maduro, was attacked by two armed drones carrying explosives that were detonated while Maduro was delivering a speech on live television during a military ceremony. Although Maduro was not struck by the explosives, his administrative officials called it an assassination attempt. This drone attack was the most recent of assassination attempts against Maduro, who was declared the winner of the election in May of this year, meaning that his term will not end until 2025. During the drone attack, the video feed was interrupted, but Maduro continued to talk as other voices in the background were heard yelling for people to leave the area. A spokesperson for the U.S. State Department said its Caracas embassy issued a security alert, but did not respond to Maduro’s allegation of a plot by the opposing political party in Venezuela.

Drone incidents involving heads of state date back to September 2013, when German Chancellor Angela Merkel was disrupted during a public appearance by a drone which was a publicity stunt by an opposing political party. Of course, in that instance, the drone was not equipped with weaponry of any kind.

As the threat of drone terrorism attacks becomes more prevalent, anti-drone technology will likely become increasingly important not only for government officials, but also for critical infrastructure and highly-attended events and gatherings.

LexBlog