The Importance of Protecting the Last Four Digits of Your Social Security Number

We all know that it is important to protect our social security number. But sometimes companies still try to use the last four digits of our social security numbers as identifiers or to verify identity in some way. The use of social security numbers began in 1936 long before computers, the internet, and identity theft were on anyone’s radar screen. They started out being assigned geographically by region. So if you had a list of all the first three numbers of assigned social security numbers, you could tell whether someone was born in Rhode Island (with a low number) or in California (with a higher number). The middle two numbers represent a group number (01-99) so the middle two digits and the last four digits are random. To date, more than 453.7 million social security numbers have been issued by the federal government. For more information on the history of social security, see https://www.ssa.gov/history/hfaq.html.

Why might companies think that it’s ok to only reference the last four digits of a social security number? Probably because there’s a false sense of security in thinking that with only those last four, there’s less of a chance of identity theft or fraud.

A determined thief, however, can take that credit card application out of your trash (the one that is already pre-filled out with your name on it) and apply for a credit card in your name that will of course, go to a new address. It’s pretty easy today to obtain just a few key pieces of information such as name, address, perhaps even date of birth, (some people put their date of birth on Facebook and other social media sites). When combined with other key identifiers, thieves can use the last four to get keys to the identity kingdom.

Some states have protections in place that limit what companies can do with respect to social security numbers. In Rhode Island, companies actually can’t require you to use the last four digits of your social security number to access an internet website (unless also using a password or PIN number) or print all or part of a social security number on materials mailed to an individual. R.I. Gen. Laws § 6-48-8 (a) (4)-(5), known as the Consumer Empowerment and Identity Theft Protection Act of 2006.

What can you do to protect your social security number from thieves? Some things to consider are to not use the last four as your PIN# or in passwords, check your credit with the four credit reporting bureaus. You can go to www.usa.gov/credit-reports and get information on how to obtain a free credit report from each of the three major credit bureaus or click here [view related tip]. This will allow you to see if any new accounts have been opened that you didn’t authorize. Create an account with social security to check that your social security and wage information is accurate. www.ssa.gov/myaccount/. Also, as we have written before [view related posts], be careful not to respond to email or phone calls asking for your personal information.

Finally, be vigilant and protect the last four digits of your social security number when receiving phone calls, email or other requests for your social security number. Remember that the social security administration or other government agencies are not going to call you and ask for your social security number by telephone.

HHS Issues Limited Waiver Following Hurricane Florence

As Hurricane Florence was making landfall, Department of Health and Human Services Secretary Alex Azar issued HIPAA guidance that outlined when hospitals in declared state of emergency areas can qualify for a waiver of certain provisions of the HIPAA Privacy Rule, including fines and penalties.

According to the guidance, “the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need….while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004…and section 1145(b) of the Social Security Act.”

The Secretary declared a public health emergency in North Carolina, South Carolina and Virginia as a result of Hurricane Florence and has “waived sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver “only applies:

  • in the emergency area and for the emergency period identified in the public health emergency declaration.
  • to hospitals that have instituted a disaster protocol.
  • for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.”

The guidance reminds covered entities and business associates that “in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”

Vicious Kronos Variant Osiris Malware Recently Released and Proving Dangerous

We all remember Kronos—the malicious malware that was sold by Russian underground forums in 2014 for $7,000. If you bought it, you were promised updates and development of new modules.

The Kronos developers recently released a new update (dubbed Osiris), which is presently attacking individuals in Germany, Japan, and Poland, with the U.S. in the queue.

This week, Securonix researchers published research indicating that Osiris uses phishing campaigns and fraudulent emails that contain Microsoft Word documents or attachments with macros that when dropped or opened, may exploit a vulnerability in Microsoft Office Equation Editor Component, which was discovered in 2017. Microsoft has issued a patch to address the vulnerability. If the patch has not been implemented, Osiris can introduce arbitrary code that can be used by the thieves to steal data, including when individuals are accessing their online banking account.

If infected, the malware modifies the Windows registry to inject malicious code into browsers, so when an individual visits his or her bank domain, a man-in-browser attack is launched. It can then introduce keylogging in order to obtain the user’s bank credentials, thereby allowing the thieves to divert funds posing as the user.

Online banking customers are at risk, and being aware of the malware, as well as utilizing good cyber hygiene and vigilance is important as new variants are introduced into the environment.

Adidas Removes Putative Class Action Suit Arising Out of the Data Breach Announced Earlier this Year

On June 28, 2018, Adidas released a statement announcing that it recently “became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers.” Adidas believed the breach was limited to contact information, usernames and encrypted passwords, and not any stored credit card or fitness information, relating to millions of its customers.

Subsequently, on July 3, 2018, a plaintiff, on behalf of himself and all others similarly situated, filed a complaint in the San Diego County Superior Court. The complaint set forth five separate counts: 1) negligence; 2) breach of contract; 3) breach of implied contract; 4) violation of the California Customer Records Act; and 5) unlawful and unfair business practices under the California Business and Professions Code.

The named plaintiff—Christian Duke—alleges that his claims are typical of the class because “[his] information, like that of other members of the class, was misused and/or disclosed by [Adidas] and requires responsive efforts.” As further justification for the class, he also notes that, individually, the putative-class’s damages may be insufficient to warrant the costs of litigation.

With regard to the breach, Duke alleged that Adidas failed to implement appropriate security processes, including that it:

[F]ail[ed] to ensure that the companies with which it shared members’ Personal Information implemented and maintained adequate security measures to safeguard such information, including encryption, implementation of multi-factor authentication, and usage of behavior monitoring technology to detect unusual activity and transfers of data.

Plaintiff further claims that Adidas failed to timely notify those members whose information had been compromised—despite the representations in Adidas’s statement that it was notifying customers within roughly forty-eight hours of being made aware of the breach. The complaint also asks the court to require Adidas to “notify customers of any future data breaches by email within 24 hours of a breach or possible breach.” (Emphasis supplied.) Plaintiff further seeks compensatory damages, statutory damages, and equitable relief, along with fees and costs.

Last Friday, September 7, 2018, Adidas removed the action to the United States District Court for the Southern District of California, where it is now pending before District Judge Larry Alan Burns. It will be interesting to see what challenges Adidas is able to raise, based on the Ninth Circuit’s fairly liberal view of standing in data breach cases. See, e.g., Ree v. Zappos.com, Inc. (In re Zappos.com, Inc.), 888 F.3d 1020, 1027 (9th Cir. 2018) (finding standing where “the information taken in the data breach […] gave hackers the means to commit fraud or identity theft”). It will also be fascinating to see if the court has the opportunity to consider Plaintiff’s claim for more stringent breach notification requirements—a rather unique remedy. We’ll keep an eye on this case as it potentially makes its way through the Southern District of California.

July Worst Month in 2018 for Health Care Data Breaches Reported to OCR

Data breaches continue to plague the health care industry, and July 2018 was the worst month so far this year in the number of data breaches reported to the Office for Civil Rights (OCR). Thirty-three data breaches were reported by covered entities and business associates in July, with the largest one reported by UnityPoint Health, a business associate—a hacking incident that exposed 1,421,107 individuals’ records.

There have been 221 data breaches (of incidents that included more than 500 records) reported to the OCR in 2018, which included the exposure of 6,112,867 individuals’ records. This number is 974,688 more records than in all of 2017.

These statistics do not bode well for the health care industry and emphasize that the health care industry continues to be a target that is proving successful for criminals.

Privacy Tip #156 – Don’t Get Scammed for Trying to Help Hurricane Victims

As Hurricane Florence bears down on the Carolinas in the next few days, beware of scammers trying to take advantage of the good hearts of those of us who want to help the victims.

We have seen it before, and no doubt it will happen again in the next few weeks as the devastation of the hurricane becomes known. Fraudsters use natural disasters to prey on the good intentions of individuals who want to contribute to those left behind by disasters, including hurricanes. As Hurricane Florence is reported to be one of the worst hurricanes to land in the Carolinas in decades, the Federal Trade Commission (FTC) has issued guidance on wise giving after a hurricane that outlines the risks of hurricane relief charity fraud.

According to the guidance, “the best way to avoid this and other kinds of charity fraud is to go online and do your research to make sure your money goes to a reputable organization.”

To verify a charity for hurricane relief, there are several organizations that have vetted organizations that you can check before you send your check or donate online:

  • Give.org
  • Charitynavigator.org
  • Charitywatch.org
  • Guidestar.org

Many of the scammers send out authentic looking materials that impersonate real charities, but may have a missing letter in the name or closely resemble the reputable organization. If you want to donate to a well-known, reputable charitable organization, go directly to its website instead of clicking on a link in the materials sent via email, or send a check directly to its headquarters or local office.

If you are donating to a charity that is not well known, search the charity online and see if people have said it is a scam or have negative reviews.

Many scammers will call you to try to get you to donate over the telephone, or thank you for a previous donation and ask you to donate again. Be very skeptical of these callers and report any scams to the FTC.

The victims of Hurricane Florence will need our support, but don’t get scammed because of your generosity.

“Drones are the Next Internet” Says the FAA

Federal Aviation Administration (FAA) administrator, Dan Elwell, said last week, “Drones are going to do for aviation what the internet did for information,” and called on the industry to work with the FAA to fully integrate drones into the National Airspace System. Elwell made this statement at the InterDrone conference held last week in Las Vegas, Nevada. Elwell said that, while the FAA wants the technology to take off (literally and figuratively), there are a lot of questions and concerns that need to be addressed first. While people want drone operations over people and at night, Elwell cautioned that the industry first needs to address national security concerns. Specifically, Elwell said that until the FAA sets remote ID requirements that will be universally applied to every drone, full integration is not possible. Elwell said, “The fact is that a lot of safety problems require technological solutions. And that means we need buy-in from all of you. The innovators. The inventors. The out-of-the-box thinkers.”

Elwell concluded by saying the FAA is ready to move now and quickly to enable the drone industry to grow; “[w]e’re building flexible, responsive regulatory processes that can keep up with all your creativity while ensuring safety isn’t compromised.”

Millions of Sensitive Records Leaked by Another Spyware Maker

We reported last week that a spyware maker compromised users’ and victims’ sensitive information [view related post]. Since that time, another spyware maker, mSpy, which holds itself out as having over a million users employing its product to “spy” on their partners and children, has reportedly leaked the passwords, call logs, text messages, location data, contacts and notes of victims whose mobile phones are being spied on by others.

Apparently, a security researcher found an open database on the Internet that allows anyone to query mSpy records for customer transactions and mobile phone data with no authentication.

Some of the information that could be accessed includes an individual’s contacts, call logs, text messages, browser history, events, notes, WhatsApp, installed applications and Wi-Fi networks used. It is being reported that there were millions of records available. When mSpy was notified of the vulnerability, it took the files offline.

According to KrebsOnSecurity, MSpy was previously hacked in May 2015, and customer data was posted to the Dark Web.

New York Department of Financial Services Cybersecurity Regulation 18-month Compliance Deadline Arrives

On September 4, 2018, the third stage of compliance deadlines under the New York Department of Financial Services’ (DFS) expansive cybersecurity regulation went into effect. This deadline, scheduled for implementation 18 months after the regulation (23 NYCRR 500) initially went into effect in March 2017 triggers Covered Entities’ obligations under the regulation to:

  1. Maintain systems that include audit trails that can detect and respond to security incidents; (b) establish procedures (Section 500.06);
  2. Include in their cybersecurity program written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house applications and to evaluate the security of externally developed applications (Section 500.08);
  3. Establish policies and procedures for the periodic disposal of nonpublic information no longer necessary for business operations or for other legitimate business purposes (Section 500.13);
  4. Implement risk-based policies, procedures and controls designed for training and monitoring authorized users of systems (Section 500.14(a)); and
  5. Based on the company’s risk assessment, implement controls, including encryption, to protect nonpublic information both in transit over external networks and at rest (Section 500.15).

As noted in Section 500.15, the requirement to implement encryption for nonpublic data both in transit and at rest is dependent on the company’s risk assessment. The regulation requires that each Covered Entity develop its cybersecurity program around. To the extent the company determines that encryption is not feasible, the regulation permits Covered Entities to implement alternative controls reviewed and approved by the Company’s Chief Information Security Officer.

Under the regulation, Covered Entities are required to certify compliance on an annual basis, with the next scheduled certification deadline set for February 15, 2019. The final deadline under the regulation is scheduled for implementation on March 1, 2019, and will require Covered Entities to implement a Third-Party Service Provider Security Policy as mandated under Section 500.11 of the regulation.

U.S. Cities Vulnerable to Cyberattacks—Recommendations for Preparedness

Not to be super scary, but the reality is that we live in a scary cyber world. A new report published by the Intelligence and National Security Alliance outlines the findings of a cyber exercise based on a hypothetical cyber-attack on Baltimore’s power companies. The exercise was orchestrated and played out by federal and state agency employees, operators of critical infrastructure facilities, nonprofit organizations, and cybersecurity and infrastructure-protection experts.

It is encouraging that such exercises are taking place to address vulnerabilities and develop preparedness. The exercise showed how unprepared cities are to such an attack, and the report provides recommendations of how to prepare for them.

According to the report, cities are heavily reliant on computer networks and information systems in the areas of energy, transportation and communication, all of which are vulnerable to a cyber-attack “with wide-ranging ramifications for public safety, commerce, and national security.”

The observations and recommendations following the exercise include:

  • State governors should appoint a unified incident commander to coordinate the response to the attack.
  • Create a single hub where meetings are held and information is disseminated.
  • State and federal agencies must work together and roles must be clearly defined so each person and agency knows what their role is in the response and there are no conflicts.
  • Safe-harbor provisions need to be clarified so organizations are indemnified for actions taken in emergency situations.
  • Regular exercises should be conducted to “explore the real-world applicability of policy guidance contained in relevant executive orders and presidential policy directives and test the mechanisms for coordinating incident response and recovery among all relevant stakeholders.”
  • There is a need for better information sharing between public and private sectors and among the different branches of government.
  • All infrastructure needs to be continually monitored to detect weaknesses.

The Intelligence and National Security Alliance will release a white paper regarding cyberthreats and weaknesses and recommendations in the future.

In the meantime, it has provided a clear path for state and federal agencies and leaders to plan and implement the recommendations.

LexBlog