Model Rule for Securities Administrators Approved by NASAA

The North American Securities Administrators Association (NASAA) this week approved an information security model rule package aimed at improving the cybersecurity posture of the 17,543 state-registered advisers.

The proposed model would require state-registered investment advisers to establish written cybersecurity policies and procedures designed to safeguard clients’ records and information, and to deliver its privacy policy annually to clients. It provides investment advisers with a design structure for their data security policies and procedures.

The model is meant to help states determine whether they wish to adopt it and to implement it through regulation. It focuses on three areas:

  • Requiring advisers to adopt policies and procedures regarding physical and cybersecurity information security and deliver its privacy policy to clients annually;
  • Amending the existing investment adviser model record keeping requirements rule to require that investment advisers maintain these records; and
  • Amending the existing model rules to include the failure to establish, maintain an enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.

These focused areas, especially the last one, are significant for investment advisers because if an investment adviser fails to adopt information security practices, and should there be a security incident or data breach, this could be investigated and ultimately determined to be an unethical business practice or prohibited conduct that could adversely affect the license of the adviser. According to NASAA, state-registered investment advisers are concentrated in California, Texas, Florida, New York, and Illinois.

According to the model rule, advisers’ policies must cover five areas, including identifying, protecting, detecting, responding, and recovering data. It outlines basic cybersecurity measures, which are important in the context of the type of sensitive client data that investment advisers have. Investment advisers may wish to review the model rule and prepare for the state in which they are licensed to adopt it. Whether or not that happens, the rule sets forth a roadmap of what regulators are concerned about and establishes reasonable data security practices.

Law Firm Domain Names Spoofed to Launch Phishing Scams

It is not unusual for lawyers to send emails to individuals and businesses they are about to sue to engage them before they do file suit to see if a settlement can be discussed or reached. The lawyer will reach out via email with a copy of the proposed Complaint, and tell the individual or business that they are about to be sued, that the Complaint is attached or in a link, and that if the individual does not respond within 7-10 days, the Complaint will be filed.

This is common practice. And apparently hackers and scammers know this, too, and are using it to launch phishing scams. The way it works is that they buy a domain name that looks like a law firm domain name, (usually several names strung together) and send a threatening email from the “law firm” with the attachment or link. When the recipient opens the “Complaint,” the attachment or link is infected with malware that then attacks the recipient’s operating system.

This scam is just another variant of other successful schemes—using enticing and scary messages to try to get people to click on an infected attachment or link. No matter how many times we tell people not to click on attachments or links from unknown sources, curiosity usually gets the best of them. Be aware of these new schemes so you or your employees don’t fall victim to them as well.

New FinCEN Cryptocurrency Guidance Clarifies Applicability of Anti-Money Laundering Regulations to Virtual Currency Business Models

The Financial Crimes Enforcement Network (FinCEN) is the U.S. Treasury Department bureau charged with monitoring financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.

Under FinCEN’s Bank Secrecy Act/Anti-Money Laundering regulations, money transmitters and other money service businesses are required to develop anti-money laundering/countering the financing of terrorism (AML/CFT) policies, including know your customer and suspicious activity reporting (SAR) procedures.

The advent of blockchain and the ensuing crypto currency business boom have posed significant challenges for FinCEN and other financial service regulators. See FinCen Advisory.

In order to help address those challenges, FinCen issued Guidance (FIN-2019-G001) on May 9 regarding the Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (CVC). The Guidance is intended to “remind persons subject to the Bank Secrecy Act (BSA) how FinCEN regulations relating to money services businesses (MSBs) apply to certain business models involving money transmission denominated in value that substitutes for currency, specifically, convertible virtual currencies.”

While the Guidance does not purport to establish any new regulatory requirements, it consolidates current FinCEN regulations, rulings and guidance and gives specific examples as to how the current FinCEN requirements apply to certain current and emerging virtual currency business models.

The Guidance first confirms that money transmission involving virtual currencies, including CVC, are subject to the AML program, recordkeeping, monitoring and reporting requirements ) applicable to money transmitters generally,including SARs and Currency Transaction Reports.

The Guidance then goes on to set forth specific examples of how the BSA regulations apply to common business models involving the transmission of CVC, including: [1]peer-to-peer exchangers; [2] hosted, unhosted and multiple-signature CVC wallet providers; [3] CVC kiosks; [4] DApps ( money transmission services provided through decentralized applications); [5] anonymity-enhanced CVC transactions; [6] CVC payment processors; and [7] internet casinos.

The Guidance concludes with a description of specific business models involving CVC transactions that may qualify for exemption from the definition of money transmission. These business models include CVC trading platforms, Initial Coin Offerings, CVC creators, mining pools and cloud miners.

Fully Executed Contracts are Preferred

We have been involved in several situations lately with security incidents where we ask our clients for the final executed contract with the vendor that we believe caused the incident, but the contract that we receive has not been fully executed by both parties. Without getting into the legal implications of not having a fully executed contract in place between the parties, on a practical level it is always better to have a contract that has been signed by both parties when you are trying to use it to assert that the other party has not met its obligations under the contract or is responsible for costs associated with a security incident.

It is easier to use contractual provisions to request that the other party take responsibility for its actions when the contract has been signed than when it hasn’t. If it is a particularly contentious issue, sometimes we will hear from the other side—“try to enforce it.” We probably can enforce the contract, but it is usually a waste of time and money to have to go to court to do so.

From an operations standpoint, when you are finished negotiating a contract, make sure that it is signed and dated by both parties and that someone is responsible for maintaining the final contract and that it is archived in a way that makes it easily accessible When an issue arises, the first thing we will ask is to see the contract. If it is signed and dated, we can go straight to the contractual provisions and make our argument that the other party is responsible for the security incident and/or the costs associated with it, instead of getting hung up on whether the contract is enforceable.

Privacy Tip #191 – Trying to Protect Your Medical Information—Let’s Ask Questions About Data Security

In the top three of the list of highly sensitive personal data to be concerned about is our medical information. It’s so sensitive because it is so personal. It used to be that our medical information was located in paper charts at our doctor’s office, the hospital, the pharmacy and our health insurer. Now it’s digital and is accessible by any of our medical providers (which is good for our treatment), pharmacies, and wearable technology and ingestible device manufacturers. It’s not just our medical information that is protected by HIPAA, but also our medical information that is not protected by HIPAA, including the genetic information we voluntarily provide to companies like 23andMe, fitbit, and sleep monitors.

Our medical information is being sent by our medical providers to their business associates to have analytics performed, including utilization, predictive analysis of our health condition, aggregating the data to determine better ways to treat us, as well as with medical device companies in order to monitor our health. Although all of this data sharing is designed to make medical treatment more efficient, less costly and more comprehensive, it also means that our medical information is being transmitted digitally more than ever before. Add to that the fact that our non-HIPAA covered medical information can be aggregated with it, and, well, you get the picture. You can tell a whole lot about someone, and find out about their most personal information, if that information is aggregated and then compromised.

Unfortunately, April 2019 was the worst month ever since the Office for Civil Rights (OCR) has required covered entities and business associates to report data breaches (2010) when it comes to reportable data breaches. Last month, 44 data breaches were reported to OCR by covered entities and business associates.

Those data breaches included the compromised medical records of 686,953 people. These were not the largest breaches in history, but they are the most reported in one month since 2010. About two-thirds of the incidents were caused by hacking or IT incidents. This simply didn’t happen back in the day when all of our information was on paper, but medical providers have not implemented robust security measures to keep up with the sophisticated hacking schemes that we are seeing in the industry.

That is disappointing, but not surprising. We have been reporting for years about how the healthcare industry is a target, particularly of ransomware. The two largest breaches reported last month involved a medical billing company and a radiology provider.

So how do we protect our medical information? We probably can’t have any impact on the security practices our medical providers, health insurers, pharmacies and health insurer implement. However, we can put pressure on them by asking questions about data security when we go to a provider, to show that it is a priority and concern. (Although I will admit that when I ask my provider and dentist about data security, they look at me like I am crazy). But think about it—if we all start to ask our providers every time we go to the doctor, hospital or pharmacy about data security, maybe they’ll start talking about it, too, and look into their data security practices. I know it’s a long shot, but if it becomes the “buzz” of the rest of 2019, maybe we can have an impact so April 2019 goes down as the worst month in history. Of course, the OCR is the enforcement agency of HIPAA violations (including data breaches) and investigates these incidents, but we can help put pressure on providers, too, so data security becomes a top priority.

Other things to consider:

  • Shred all paper medical records
  • Be mindful that if any medical records are on a CD or thumbdrive that it is encrypted and destroyed when no longer needed
  • Avoid emailing medical records in an insecure way (use encryption)
  • Consider whether you want to share your medical records with genetic testing companies, health monitoring companies, or fitness apps, and read the privacy policy before you agree to participate
  • Research the privacy and security posture of medical device companies and whether they have had any recalls or reported any data breaches
  • Ask your provider about his/her data security processes and tell them it is a priority for you
  • If you are storing your medical information through apps or your personal email account, encrypt the data at rest
  • If you are given an option when sharing your information to refrain from disclosing it to others, take that option and limit the sharing
  • Consider requesting restrictions on the access and disclosure of your medical information when you present it to the provider
  • Consider requesting an accounting of disclosures from your medical provider so you can see who the provider has shared your information with (understand that under HIPAA the provider does not have to provide an accounting of disclosures if the disclosure was for treatment, payment or operations)
  • Be careful about sharing your medical information on social media sites.

The health care industry is getting attacked because medical records are worth more on the dark web than any other record. As patients, we can do our part to protect our medical information by using good data security practices, and also by pressuring our providers to do more when it comes to data security. Let’s ask questions about data security every time we go to the doctor, hospital or pharmacy to let our medical providers know that our medical information is important to us and that we expect them to protect it. If all patients do this, perhaps the message will get across to the healthcare industry to ramp up data security measures, and April will be behind us and remain as the worst medical information data breach month in history.

The WhatsApp Hack – Practice Good Phone Hygiene and Update Your Apps

WhatsApp, the popular instant messaging app announced a hack and the exposure of a security flaw this week. The flaw injected malware onto users’ phones, potentially exposing their otherwise encrypted data and messages. WhatsApp allows users to instant message and make phone calls throughout the world. The app features described on its website include simple, secure, and reliable messaging and is widely known for encrypting messages between users.

This week’s announcement of the security flaw and resulting malware reportedly targeted specific individuals. WhatsApp has not yet announced how many of its 1.5 billion users were affected, but is recommending that users upgrade to the latest version of the app – version 2.19.134 updated on May 10, 2019.

While you are updating the WhatsApp, it’s a good idea to keep all your apps up to date, change passwords frequently, and do a little phone hygiene and clean up your phone and delete unused and out of date apps.

FBI Flash: Ryuk Ransomware Continues to Attack U.S. Businesses

According to a recent FBI Flash, Ryuk ransomware has hit more than 100 U.S. companies since August 2018, with a “disproportionate impact on logistics companies, technology companies, and small municipalities.”

The Flash, “provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals,” seeks information from companies regarding Ryuk, which retains Hermes code. According to the Flash, once Ryuk is in the system, it deletes all files related to the intrusion, so it is impossible to identify the infection vector. It is able to steal credentials, and “in one case, the ransomware appears to have used unsecured or brute forced Remote Desktop Protocols (RDPs) to gain access. After the attacker has gained access to the victim network, additional network exploitation tools may be downloaded…” and “once executed, Ryuk establishes persistence in the registry, injects into running processes, looks for network connected file systems, and begins encrypting files.”

The attackers in the newest version of Ryuk provide email addresses to contact them to pay the ransomware and do not tell the victim how much ransomware is needed until the victim contacts them via email. Only then do they say how much bitcoin is necessary and provide a specific Bitcoin wallet where the payment is to be made and provides a sample decryption of two files to verify the files still exist.

The FBI says that it “does not encourage paying a ransom to criminal actors.” Instead, the FBI encourages all companies affected by ransomware to contact their local field office to report the event. The FBI is specifically seeking information on Ryuk, including:

  • Recovered executable file
  • Copies of the “read me” file—DO NOT REMOVE the file or decryption may not be possible
  • Live memory (RAM) capture
  • Images of infected systems
  • Malware samples
  • Log files
  • E-mail addresses of the attackers
  • A copy of the ransom note
  • Ransom amount and whether or not the ransom was paid
  • Bitcoin wallets used by the attackers
  • Bitcoin wallets used to pay the ransom (if applicable)
  • Names of any other malware identified on your system
  • Copies of any communications with attackers

If you are a victim of a cyber-attack or ransomware, the FBI can be contacted through its 24/7 Cyber Watch at www.fbi.gov/contact-us/field or CyWatch@fbi.gov or (855)292-3937.

Tech Company Execs Sweat Personal Liability for Privacy Violations

In the Privacy Law classes I teach in the Brown University Executive Masters of Cybersecurity and at Roger Williams University School of Law, we discuss the enforcement authority that the Federal Trade Commission (FTC), the Office for Civil Rights (OCR) and other federal and state agencies have over data privacy and security, including how effective the enforcement has been over the past decade. In the wake of massive data breaches, my classes uniformly are of the opinion that the present enforcement scheme is not a big enough stick to deter big tech companies from collecting, selling and monetizing data.

Recently, members of the FTC have publicly lamented that this is true. What look like large fines against tech companies that have violated consumers’ privacy are often not sufficient to act as deterrents, such as the $5.7 million levied against Musical.ly (or TikTok), which was less than 1% of the parent company’s annual revenue, and therefore inconsequential to company executives.

According to one member of Congress, “for large companies, fines are simply a cost of doing business.” This is consistent with my classes’ conclusion. Facebook is poised to pay a significant fine and has set aside $3-5 billion (yes, that’s with a “b”) to pay for various alleged privacy violations. Many observers have opined that this is a drop in the bucket for Facebook, and is not enough to change behavior.

Perhaps the private right of action in the California Consumer Privacy Act, which takes effect in 2020, will change tech companies thoughts about privacy violations. Congress is looking into how the FTC and other agencies can regulate the big tech companies, and candidates for the Presidency have gotten into the fray, with one declaring that the tech companies should be broken up. The FTC has publicly stated that it is looking into assessing personal fines against company executives as a way to encourage compliance.

No matter how this shakes out—and it will—the present discourse should be enough for tech company execs to be concerned about personal liability. Executives may want to start focusing on the organization’s data privacy and security plan, and making policy decisions on its implementation a top priority.

U.S. Senators Push for Remote Drone I.D.

U.S. Senators Edward J. Markey (D-MA) and John Thune (R-SD) called on the Federal Aviation Administration (FAA) to publish a proposed rule for the remote identification of unmanned aerial systems (UAS or drones). The request was issued through a letter sent to the U.S. Department of Transportation (DOT).

According to the Senators’ letter, remote identification could permit the public, the FAA, law enforcement and others to remotely track and identify drones and their operators during flight, which would assist in addressing unauthorized drone flights in sensitive areas such as airports and large public events. Specifically, the letter states, “In recent months, a series of UAS sightings in safety-sensitive areas have underscored the need to quickly adopt and implement remote identification. Remote identification will enhance safety, security and privacy and serve as a critical tool for law enforcement to respond to and address reports of illegal and unauthorized drone operations.” We will track this issue as it progresses through the FAA and the industry as a whole.

Privacy Tip #190 – Internet of Medical Things (IoMT)

These days, pretty much everyone is aware of potential security incidents and the risks involved with Internet of Things (IoT) devices because security was not built into the device during the manufacturing process, but there is less awareness of the risks associated with the Internet of Medical Things (IoMT).

Just like IoT devices, such as home security systems, TVs, coffee pots, cameras, fitness monitors and baby monitors —all of which are hackable—IoMT devices are those devices and monitors designed and manufactured to be used in the medical industry, such as heart monitors, pacemakers, drug monitoring devices, and radiology systems. All of these monitors and devices are also connected to the Internet, but they may be implanted in our bodies or ingestible. They are able to monitor our medical condition and report back electronically to our physicians or the electronic medical record of a hospital.

Although these IoMT devices are meant to improve our health, they are no different than home security systems, baby monitors, or fish tanks that were designed and manufactured without data security imbedded in them. That means that they are hackable as well. And that means that intruders can not only hack into our homes, but now they also can get into our bodies.

A new survey by Fortinet (see article for FierceHealthcare written by my friend and student Sonia Arista here) “reveals two noteworthy trends regarding the state of security in healthcare as well as what care providers need to do next.”

According to the article, the risk of IoMT is high, and one of the top threats is IP-enabled cameras being used in hospitals. “Compromised cameras could not only be used to obscure malicious onlsite activities or prevent healthcare providers from monitoring patients, but they could also open an entry point into connected cybersystems from which cybercriminals could launch DDos(distributed denial of service) attacks, steal personally identifiable information, initiate a ransomware attack, and more.”

Many physicians are unaware of the security risks of IoMT devices. When considering the use or surgical implanting or ingesting of a device that can be monitored digitally, discuss the security risks with your physician, and do some online research on the data security measures that are taken, and publicly disclosed, by the manufacturer of the device. If you can’t find any information about the data security of the device in a public search, then data security is probably not a high priority for the company. Don’t rely on your physician to have done any such research—do it yourself, and do it before something is implanted in you. The last thing you want is to be notified that the device has to be removed in order to update a security patch, as many patients have had to do with pacemakers.

LexBlog