South Carolina Enacts Insurance Data Security Act

South Carolina Governor Henry McMaster signed the South Carolina Insurance Data Security Act into law on May 3, 2018. The law, parts of which become effective January 1, 2019, requires entities licensed by the Department of Insurance to, “develop, implement and maintain a comprehensive information security program based on the licensee’s Board of Directors, if applicable to require a licensee monitor the security program and make adjustments if necessary, to provide that the licensee must establish an incident response plan, to require a licensee to submit a statement to the Director of the Department of Insurance annually; to establish certain requirements for a licensee in the event of a cybersecurity event; to require a licensee to notify the Director of certain information in the event of a cybersecurity event; to grant the Director the power and authority to examine and investigate a licensee; to provide that documents, materials, or other information in the control or possession of the Department must be treated as confidential documents under certain circumstances; to provide exemptions from the provisions of this Chapter; to provide penalties for violations; and to authorize the Director to promulgate regulations.”

The state’s purpose of the Act is “to establish standards for data security and standards for the investigation of and notification to the director of a cybersecurity event applicable to licensees.” It does not provide a private right of action for violation of the Act.

Significantly, the definition of a cybersecurity event, which requires notification to the Department of Insurance, is broad—“an event resulting in unauthorized access to or the disruption or misuse of an information system or information stored on an information system…” but “does not include the unauthorized acquisition of encrypted nonpublic information…” or “an event with regard to which the licensee has determined that the nonpublic information accessed by an unauthorized person has not been used or released and has been returned or destroyed.”

The definition of non-public information is equally broad, and includes “business-related information of a licensee the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations, or security of a licensee;” and personal information of a consumer including the usual data elements such as Social Security number, account number, driver’s license, etc., but also biometric records, or any health care provider’s information regarding the provision of health care to a consumer, such as the physical, mental or behavioral health of a consumer or his or her family, or the payment for health care provided to a consumer. There does not appear to be any harm standard, which is present in many data breach notification laws. This means that if an entity is a licensee of the South Carolina Department of Insurance, the notification obligations to the Department may be required when notification to a consumer may not be required by the State’s data breach notification law.

More and more states are implementing data security laws that mirror other state laws, such as the Massachusetts Data Security Regulations, and the New York Financial Services Cybersecurity Regulations, but each law has its own nuances, including this one. It is challenging to stay abreast of new state laws, and licensees of the South Carolina Department of Insurance would do well to become familiar with the compliance requirements of this new law, as the time to implement measures for compliance is ticking.

Preventing Emerging Threats Act Introduced

Last week, a group of U.S. Senators introduced a bill titled, “Preventing Emerging Threats Act of 2018,” which would give the U.S. Department of Homeland Security (DHS) and the Department of Justice (DOJ) the ability to take action against unmanned aircraft systems (UAS or drones) that pose an “unacceptable security risk” to public safety. Specifically, DHS and DOJ personnel would be permitted to take action against drones for the “safety, security or protection” of a “covered facility or asset.” “Covered facility or asset,” according to the bill, refers to operations near the U.S. Coast Guard and U.S. Customs and Border Protection; DOJ operations; Federal Bureau of Prisons; National Special Security Events; federal law enforcement investigations; and other mass gatherings. Additionally, the bill allows the DOJ and DHS to “detect, identify, monitor and track [drones] without prior consent, including by means of intercept or other access of a wire communication, an oral communication or an electronic communication used to control the [drone].” Further, the bill would allow the DOJ and DHS to “disrupt control” of the drone, “seize or exercise control” of the drone, as well as confiscate or “use reasonable force to disable, damage or destroy” the drone. The supporters of the bill say that threats posed by malicious drones are too great to ignore. Senator John Hoeven (R – ND) said, “Developing UAS detection and counter-UAS technologies is a key component necessary for us to safely integrate [drones] into our national airspace. This legislation provides the [DHS] and [DOJ] with the tools they need to protect against [drone] threats to our national security, which will help to ensure the safe use of legitimate [drones] so this industry can continue to grow and develop.”

Revised Restrictions on Drone Operations Over DoD Facilities

The Federal Aviation Administration (FAA) has previously used its authority under Title 14 of the Code of Federal Regulations sec. 99.7 (“Special Security Instructions”) to address the potential threat posed by malicious drone operations by creating unmanned aircraft system (UAS or drone) specific airspace restrictions over select, national security-sensitive locations at the request of the U.S. Department of Defense (DoD). This week, the FAA has modified those restrictions to include:

  • Naval Support Activity Monterey, Monterey, California
  • Naval Air Station Kingsville, Kingsville, Texas
  • Naval Support Activity Orlando, Orlando, Florida
  • Naval Support Activity South Potomac, Indian Head, Maryland

Drone flights up to 400 feet within the lateral boundaries of these sites are restricted effective June 1, 2018. This is in an effort to continue to protect sensitive areas and airspace across the country. Up-to-date information on these restrictions and all of the currently covered locations can be found on the FAA’s website.

Privacy Tip #140 – Your Cellphone Location Is Being Sold and Leaked

I have been watching several articles published by ZDNet with interest. First, ZDNet reported that “four of the largest cell giants in the US are selling your real-time location data to a company that you’ve probably never heard about before.” That company is LocationSmart, which touts itself as a data aggregator that has “direct connections” to the carriers in order to obtain locations from cell towers and provide it to law enforcement.

The back story is that a former sheriff used location data he obtained from Securus, a customer of LocationSmart, to conduct unauthorized surveillance without a warrant. The story was picked up by The New York Times and ZDNet, which then reported that our real-time location through our cell phone is being sold to this third-party company, which is then providing it to the police through a web portal. No doubt it is getting paid for the service. So the cell carriers are charging us a monthly fee for cell phone service, then selling our real-time location data to a third party company, which is selling it to law enforcement. I want a refund from my cell phone carrier. Although I do not keep my location-based services turned on, it is well known that the carriers still can track your location, but apps supposedly can’t.

If you are appalled, so is Senator Ron Wyden (D – OR), who sent a letter to the FCC last week demanding that this be investigated, and also to the four cell carriers demanding that they stop selling the data and to provide answers about the allegations.

After ZDNet reported on the sale of the phone location data, a researcher at Carnegie Mellon University started looking into LocationsSmart’s website and found a bug! According to ZDNet, “the real-time location data on millions of cell phone customers across North America had a bug in its website that allowed anyone to see where a person is located—without obtaining their consent.”

According to the researcher, when he went to LocationSmart’s website to “try-before-you-buy,” although the page requested express consent before location data could be used, “due to a very elementary bug in the website, you can just skip that consent part and go straight to the location…[T]here seems to be no security oversight here.” The researcher and ZDNET report that “the bug may have exposed nearly every cell phone customer in the US and Canada, some 200 million customers.” That probably includes me and you.

Senator Wyden issued a statement saying that this bug “represents a clear and present danger, not just to privacy but to the financial and personal security of every American family…The wireless carriers and LocationSmart appear to have allowed nearly any hacker with a basic knowledge of websites to track the location of any American with a cell phone…which poses ‘limitless’ dangers to consumers.”

OK, so this is not really a tip, but more of an OMG. What I want to know from my security colleagues is whether our location can be tracked by cell phone carriers while our cell phone is OFF?

I will update you on the answer to this question next week. I am going to turn my cell phone off now. Stay tuned.

California Consumer Privacy Act Likely to Appear on Ballot in November

Businesses are understandably focused this week on the looming effective date for the European Union’s General Data Protection Regulation (GDPR). For U.S. businesses, however, a proposed law closer to home would raise similar compliance burdens and create potential litigation risks.

This November, voters in California will likely vote on whether to pass a ballot initiative, titled “The Consumer Right to Privacy Act of 2018.” Proponents of the Act, which would broadly expand California residents’ rights to their personal data, announced this month that they submitted 625,000 signatures to the California Secretary of State in support of the measure. Assuming the secretary of state certifies that enough signatures are valid (approximately 366,000 signatures are required to qualify), California voters will be in position to directly pass the Act into law.

The California measure would grant consumers three principal rights: (1) the right to ask companies to identify the personal data they collected on the consumer; (2) the right to demand that personal data not be sold or shared for business purposes; and (3) the right to sue companies that violate the law or that experience data breaches.

The law would apply to companies that do business in California and which: (1) have $50 million or more in annual gross revenue; (b) sell the personal information of 100,000 or more consumers or devices; or (c) derive 50 percent or more of their annual revenue from selling consumers’ personal information.

Among the notable features of the proposed law is its expanded definition of personal information, which includes both traditional identifiers such as name, email, Social Security number, etc., as well as commercial information such as usage data, browsing or search history and purchasing tendencies. Businesses subject to the Act would be required to give consumers the right to opt out of the sale of such personal information and would be barred from discriminating against consumers that opt out.

As noted, the Act would create a private right of action both for violations of the Act and in connection with data breaches. Further, the Act provides that a breach of a consumer’s personal data constitutes an injury-in-fact, with statutory damages available in amounts from $1,000 to $3,000 per violation. This would likely prevent class action defendants from seeking dismissal of claims where plaintiffs could not establish actual harm.

Should the Act pass in November, the law would go into effect immediately, but would provide a nine-month grace period for compliance.

Cyber Fraud Cost $1.4 Billion in 2017

The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) recently released its yearly internet crime report, which states that more than 300,000 consumers reported cyber-fraud and malware attacks in 2017, costing over $1.4 billion. Yes, that is with a “b.”

The threats at the top of the list reported by consumers include phishing, ransomware and whaling, as well as tech support fraud, non-payment scams and extortion. Whaling, which is when criminals pretend to be a senior executive and request wire transfers or the W-2 forms of employees racked up over $875 million in losses. This is real evidence that employee engagement and education are key to the management of this risk.

Sadly, but indicative of reality, senior Americans are the most targeted demographic for cyber fraud, and over 50,000 complaints were lodged by consumers over the age of 60, with an estimated loss to these individuals of almost $350 million. This is more evidence that we all need to help this vulnerable population become educated and engaged about these real risks to their financial well-being.

Cryptocurrency Debit Card Startup Founders Indicted

The U.S. Attorney’s Office in the Southern District of New York has announced that a federal grand jury has returned an indictment against three Florida men who co-founded the cryptocurrency company Centra Tech, Inc. The indictment alleges they defrauded investors of $25 million through conspiracy and securities and wire fraud, and that they lied to investors prior to the Initial Coin Offering.

According to the announcement, the three co-founders allegedly lured investors into buying unregistered securities by falsely advertising that they had hired two executives with superior qualifications and credentials who, by stating they had licensing agreements with major credit card companies, including Mastercard and Visa, and that the company had licenses in 38 states. The announcement also states that the CEO was fictitious.

According to the U.S. Attorney’s Office, the men sought to “capitalize on investor interest in the burgeoning cryptocurrency market.”

Following the arrest of the three men, the FBI seized 91,000 units of Ether, which was culled from investors who participated in the Initial Coin Offering. Although the Ether was worth $25 million at the time of the Initial Coin Offering, it is reported to be worth $60 million now.

Lincare Settles Class Action Data Breach Case with Employees

Lincare Holdings Inc. (Lincare), recently entered into a mediated settlement with its employees regarding a data breach that took place on February 3, 2017. On that date, a cyber-criminal posing as a high-level Lincare executive emailed a human resources employee requesting W-2 data for some of its employees. The human resources employee emailed the information to the “executive,” who was actually a hacker, compromising the information. As a result, Lincare notified the current and former employees affected by the incident about the data breach and provided two years of complimentary credit monitoring.

Several of the employees filed suit against Lincare alleging negligence, breach of fiduciary duty, breach of implied contract, and violation of Florida’s Deceptive and Unfair Trade Practices Act. The parties submitted the matter to mediation, resulted in the settlement.

The settlement includes no admission of liability of Lincare. A settlement fund has been established in the amount of $875,000 to reimburse the class members for out-of-pocket expenses (up to $1,000 each) or incidents (up to $500 each), an offer of enhanced credit and identity monitoring and protection services, and non-monetary relief, which includes the adoption and maintenance of enhanced data security measures. The amount awarded to the plaintiffs’ attorneys for fees was not disclosed in the settlement agreement.

Drones Used as Source to Infiltrate Corporate Networks

Drones are being used more than ever by nefarious actors to spy on networks, intercept data, disrupt communications and hack into servers. In fact, drones are becoming an increasingly more and more prevalent tool for infiltrating corporate networks each day. Few protections exist for businesses to prevent drone intrusions, but before a  business can even mitigate risks posed by drones, the business must first gain situational awareness and determine how many drones are entering their airspace. While businesses invest financial resources to secure their property and protect their employee, customer, and proprietary data from hackers, it is important that they add customized protections to prevent drones from infiltrating your business’s airspace and gaining unauthorized access to data.

When implementing a security program for your business, you should now also consider threats from drones in and around your business’s airspace. As drones are capable of:

  • Identifying and Following Targets: Drones are observing security gaps and detecting and manipulating vulnerable parts of networks.
  • Spying on Operations: Drones are evading security teams, capturing footage and using high-gain microphones to obtain spoken information as well.
  • Surreptitious Exfiltration of Data: Drones are detecting vulnerabilities in air-gapped computers installed with malware. Once a computer is infected, a drone with a camera can be deployed to hover outside a window, near the hardware.
  • Snooping and Infiltrating Networks: Drones are using sniffing devices or transceivers to monitor employees and security movement, and then can hack into wireless activity and intercept and log data.

Drone detection technology can be used to diagnose airspace activity, and therefore, help to secure and protect business operations and data against drone threats. Using detection technology can aid businesses in adjusting ground patrol or security, determining vulnerable areas and analyzing the severity of threats. The idea behind this technology is that the more proactive measures a business takes, the better able it will be to build security measures and strengthen existing security measures and programs.

Privacy Tip #139 – Update on Removing Your Name from Offers of Credit or Insurance and Access to Disclosure Report from NCTUE

Update on Removing Your Name from Offers of Credit or Insurance and Access to Disclosure Report from NCTUE

Last week’s Privacy Tip touched a nerve with many readers, and I received numerous comments and thank you’s from loyal readers who, like me, also had no idea about NCTUE or that they could opt out of receiving all those pre-approval letters in the mail. It is amazing how so many of us, including those of us in the field, didn’t know about these rights.

The response prompted me to update everyone on what happened in the past week after I requested access to my report from the National Consumer Telecom & Utilities Exchange (NCTUE) and tried to permanently opt out from receiving pre-approved offers of credit or insurance.

In response to these two tasks, I received two pieces of snail mail. The first was the disclosure report I requested from NCTUE. The report contained a lot of words to sift through, which prompted some empathy from me for non-lawyers trying to understand the message. Some interesting information it provided included that “The NCTUE is a national, member-owned consumer reporting agency comprised of cable, electricity/power, phone, gas, water and pay TV providers. These members, through its database, exchange information on new-connect requests, defaults account payment history and fraudulent account activity.” I never knew this organization existed in addition to the four consumer reporting agencies or that it had a database on all new-connect requests. It definitely keeps a low profile.

After lots of legalese, on page 3, the disclosure report begins. I was immediately very disturbed because at the top of the page it listed my name, full Social Security number, address and date of birth! I remind you that they sent this document to me in regular mail through the U. S. Postal Service, without even a passing attempt to send minimally necessary information to me and redact my highly sensitive information to protect my privacy! Why do they need to send my full Social Security number and date of birth? I already know it! And what about the fact that they disclosed my full Social Security number to all of their employees involved in processing my request? I was, and am still, appalled.

Needless to say, I am not happy. I am trying to protect my privacy and, in the process, NCTUE increased my risk because of its insecure practices.

For those of you who have been asking me to describe the contents of the disclosure report, it goes on to list my mobile telephone carrier, my monthly charges and payments for the past year for my mobile telephone, and an old cable account, including the monthly amounts paid and that there is a zero balance. This definitely was not worth the risk of NCTUE sending my full Social Security number through the regular mail. I am glad that I now know what is being disclosed for new-connect services, and I guess I am glad I can report to all of you that if you request your disclosure report, NCTUE will send your full Social Security number and date of birth through the unsecured mail.

The second task I performed last week was to request that I no longer receive pre-approval letters for credit or insurance. Although I requested by telephone last week that my name and address be permanently removed from receiving such offers, I received a letter from the OPT-OUT DEPARTMENT stating that my “telephone request to remove your name from lists for firm offers of credit or insurance has been processed. Your name will be removed for five years from the lists the consumer credit reporting companies, Equifax, Experian, Innovis and TransUnion, provide to businesses that send firm offers of credit or insurance. If you would like to remove your name permanently from the firm offer lists that these consumer credit reporting companies provide to businesses, you must submit a written request. To do so, please sign and date this form and return it to the address listed below.” Which I have done and it is back in snail mail to the OPT-OUT DEPARTMENT. Now the credit reporting agencies will not be able to include my name and address, (for which they get paid) to financial institutions or insurance companies. I will keep you posted on whether I receive less mail.

So—if you ask that your name be permanently deleted from lists provided by the credit reporting agencies to the firms they are selling your information to, you have to fill out another report and mail it back to them. The good news is that this piece of mail from the OPT-OUT DEPARTMENT didn’t include any personal information except name and mailing address.