Ubiquiti Notifies Customers of Breach

Ubiquiti, a manufacturer of products used for networks such as routers, webcams and mesh networks, announced this week that an unauthorized access to its systems hosted by a third-party cloud provider may have compromised customers’ name, email address and “the one-way encrypted password to your account” as well as address and telephone number if that also had been provided.

Ubiquiti did not identify the name of the third-party cloud provider. It is urging customers to change their passwords and to enable multi-factor authentication.

Changing the default passwords on networking equipment such as routers and webcams is good cybersecurity hygiene, and even more important following a data breach of the manufacturer of these products.

Activist Hackers Claim They Archived Parler Content Leading Up to Riots

Users of the Parler social media platform who participated in the riots last week at the U.S. Capitol are reportedly uneasy following the announcement that several activist hackers archived posts as they were happening in real time during the riots, and that they will release the posts publicly to assist law enforcement with investigations. Another activist hacker is reported to have said that she archived material as it was being posted to show how the platform was used to plan the attack and for communication by participants during the assault.

Parler is reported to have been a popular mode of communication during the months leading up to the election last fall after Facebook and Twitter began reviewing and labeling content that was false or misleading.

One of the activist hackers alleges that she archived 30 terabytes (equal to 30,000 gigabytes) of publicly-available posts of the events leading up to and during the riots so they would be preserved before the platform was taken down, which occurred on Monday.

Some of the archived data includes legally obtained GPS data attached to posts made by those participating in the riot. The GPS data show that Parler users were posting videos and pictures while they were inside the Capitol, including both chambers of Congress and the offices of some politicians.

FTC Warns of COVID-19 Scam Targeted at Small Businesses

The Federal Trade Commission (FTC) is warning small businesses that they are being targeted by scammers through a new coronavirus-related scam. The scam “starts with an email that claims to come from the ‘Small Business Administration Office of Disaster Assistance.’ It says you’re eligible for a loan of up to $250,000 and asks for personal information like birth date and Social Security number.”

Unfortunately, many small businesses have been dramatically affected by the coronavirus and are seeking assistance to help keep their employees employed and keep their doors open for business. However, governmental agencies will never send an email advising you that you are eligible for a loan and will never ask for your Social Security number over email. Such material is sent through the mail and on official applications and letterhead.

In addition, governmental agencies will not call to advise you that you have been accepted for relief or ask you for your personal information over the phone. These are scams intended to get you to tell them your Social Security number so the caller can open up credit card or other accounts in your name without your knowledge.

The same is true for scam websites offering assistance with small business loans. If you need to apply for a loan, go to a trusted entity that you have done business with before. Scammers are using the coronavirus, the need for relief, and the government’s Disaster Loan program to fraudulently obtain funds from unwary small business owners. Be wary of these scams and websites and report any fraud to the FTC.

Privacy Tip #267 – Fertility Tracking App Settles with FTC

Flo Health, Inc., (Flo) which offers a fertility-tracking app (Flo Period & Ovulation Tracker) used by more than 100 million customers, has agreed to settle with the Federal Trade Commission (FTC) to dismiss the FTC’s claims that Flo shared the health information of its users with data analytics firms despite promising users that it would keep the information private.

According to the FTC’s press release, the FTC alleged that “Flo promised to keep users’ health data private and only use it to provide the app’s services to users. In fact, … Flo disclosed health data from millions of users … to third parties that provided marketing and analytics services to the app, including … Facebook, … Google … and Flurry.”

The Complaint further alleged that Flo disclosed the user’s sensitive information, such as pregnancy, to third parties and did not limit how third parties could use the data.

The settlement requires Flo to review its privacy practices, obtain consent from its users before sharing their health information, notify users of the unauthorized disclosure of their information, and have any third parties that received the information destroy it. It also prohibits Flo from misrepresenting the purposes for which it collects, uses and discloses user data.

In addition, the FTC issued guidance on health apps, including tips on how to select and use health apps and reduce privacy risks. The guidance is available from the FTC.

SolarWinds Cyber-Attack Has Significant Implications for Developers and Contractors

ICYMI, on Wednesday, January 6, 2021, the United States Department of Justice (DOJ) issued an update about what it termed “a major incident under the Federal Information Security Modernization Act”: the global SolarWinds cyberattack that had compromised its email system. (SolarWinds is a software provider. In December 2020, SolarWinds revealed that cybercriminals had injected malware into its Orion® Platform software, a platform used for centralized IT monitoring and management. In doing so, the cybercriminals were able to attack subsequent users of the software, i.e., SolarWinds’ clients, including multiple federal agencies and technology contractors.) The DOJ’s update advised that after removing the malware, it determined that 3 percent of the DOJ’s O365 mailboxes were potentially accessed, although there was no indication that any classified systems were impacted. This update was covered by Robinson+Cole’s Data Privacy + Cybersecurity Insider.

Cyber-crime continues to permeate all industries, including real estate development and construction. The SolarWinds incident could just as easily have occurred with a construction management company or general contractor using the construction industry’s various project management software programs. Digital attacks can intercept sensitive information, divert funds and hold hostage a company’s computer systems. Robinson+Cole’s Construction Group is available to discuss the value of adding data privacy and cybersecurity protocols to design and construction agreements, and its Data Privacy + Security Team is available to assist businesses in determining their current risks and liability exposure as well as the benefits of having cyber-liability insurance coverage.

This post was authored by Virginia Trunkes and is also being shared on our Construction Law Zone blog. If you’re interested in getting updates on current developments and recent trends in all areas of construction law, we invite you to subscribe to the blog.

Everalbum Settles with FTC over Facial Recognition Technology in its Ever App

The Federal Trade Commission (FTC) announced its settlement with Everalbum Inc. (Everalbum) for its Ever app, a photo and video storage app, due to its alleged deception of consumers related to the app’s use of facial recognition technology and its retention practices around deactivated accounts.

Pursuant to the settlement agreement, Everalbum must delete models and algorithms that it developed using users’ uploaded photos and videos and obtain express consent from its users prior to applying facial recognition to a photo. FTC Commissioner Rohit Chopra said that facial recognition technology is “fundamentally flawed and reinforces harmful biases.” As regulation and enforcement around this technology increase, the FTC is seeking to restrict the use of such software.

The Ever app (which is defunct as of August 2020) permitted users to upload their photos and videos to a cloud-based storage platform. The app then used facial recognition technology to automatically sort users’ photos and videos for its “tag a friend” feature. However, according to the FTC’s allegations, Everalbum’s use of facial recognition was NOT limited to its app’s friend feature; between September 2017 and August 2019, it allegedly combined facial images from its users’ accounts with facial images from publicly available datasets. The combined data was then used to develop Everalbum’s facial recognition technology. This technology (since it is no longer used in the Ever app) is now marketed through Paravision, a company that provides services related to building security, payments and travel. A Paravision representative said that the FTC settlement reflects “changes that have already taken place” as it continues to utilize the technology in a more ethical manner. The new Paravision model also does not use any of the Ever app’s user data previously collected from consumers.

This settlement raises more questions (than answers) about how to handle and use the data used to train facial recognition software. This settlement also highlights the potential for an increase in consumer class actions over the use of facial recognition technology, especially as consumers become more aware of the use of this technology, how it works and the perhaps uncontemplated uses by the companies with which many consumers are freely sharing their data.

Further Fall-Out from Russian Hacking of SolarWinds

U.S. intelligence agencies, including the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed that Russia was behind the SolarWinds hack. It is reported that the FBI is investigating whether Russia hacked into JetBrains’ TeamCity DevOps tool to originally plant its malware in SolarWinds Orion, causing a cascade of downstream opportunities for Russia to access numerous governmental agencies’ systems, as well as thousands of private company systems.

In the fall-out, the Department of Justice, which includes the FBI, the Drug Enforcement Administration and the U.S. Marshals Service, announced this week that 3 percent of its employees’ emails were compromised as a result of the SolarWinds hack. This is very concerning and shows the magnitude and seriousness of the incident.

In more disturbing news, Microsoft has confirmed that the hackers behind the SolarWinds incident were able to access its systems and that some of its source code was viewed by the hackers. Notably, Microsoft confirmed that the code was not modified and that the Russians did not access its products or services, including customer information.

Cybersecurity firms, including Palo Alto Networks and SentinelOne, are offering free tools that companies can use to identify the SUNBURST malware variant and determine whether they have been affected.

We will continue to see significant fall-out from this devastating incident. If your company has not assessed its risk of being affected by the SolarWinds hack, you may wish to consider devoting time and resources to help make that determination now.

Cyber Intelligence Facility in Port of Los Angeles to Thwart Maritime Threats

The maritime industry is an enticing target for hackers. The Port of Los Angeles (the Port) alone facilitated about $276 billion in trade last year, and the International Chamber of Shipping estimated that the total value of world shipping was around $14 trillion in 2019. The Port has plans to construct a multi-million-dollar cyber intelligence facility as a hub for information sharing between the public and private sectors to thwart the increasing attacks on the maritime and logistics industries. This facility, the Cyber Resilience Center, is one of the first of its type to be built in the United States.

The Port’s Executive Director, Gene Seroka, said, “What we’ve noticed over time is that the potential penetrations and cyber threats have grown each and every year,” including incidents like the 2017 NotPetya attacks that affected shipping lines, the 2018 ransomware targeting of the Port of Long Beach, and the October 2020 ransomware attack on CMA CGM S.A., a French transportation and container shipping company. Seroka said that as the threats became more evident, the Port “needed to find a way to bring the private sector into this space as well.”

The Cyber Resilience Center is expected to go live by the end of 2021. Participants in this information exchange will be able to share information anonymously through the platform, which will standardize data from different companies’ cybersecurity tools. The Port’s Chief Information Officer will lead the project, which will operate alongside the Port’s cybersecurity operations center.

Seroka said that he hopes the Cyber Resilience Center will be a model for other large ports across the United States since information-sharing is such a vital defensive tool. As the shipping industry becomes even more digitized, cyber threats will require facilities such as ports to prioritize set data standards, business rules and open architecture for facilitating information sharing in a secure, protected manner.

Proposed New Breach Notification Rule for the Banking Industry

The Office of the Comptroller of the Currency, Treasury (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) recently announced a “Notice of Proposed Rulemaking for the Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” This new rule would require a banking organization to provide prompt notification to its primary federal regulator of any “computer-security incident” that rises to the level of a “notification incident” no later than 36 hours after the banking organization believes in good faith that a notification incident has occurred. According to the information released jointly by the agencies, they anticipate that a banking organization would take a reasonable amount of time to determine that it has experienced a notification incident. Notification would be required only after that determination was made.

The proposed rule defines both a “computer-security incident” and a “notification incident.” Notification incidents trigger the notice to federal regulators. Some examples of notification incidents include large-scale outages, denial-of-service attacks that disrupt service for more than four hours, widespread system outages caused by the service providers of the organization’s core banking platform, hacking and malware that cause widespread outages, system failures that result in the activation of a disaster recovery plan, and a ransomware attack that encrypts a core banking system or backup data.

In their notice, the agencies state that it is important that the primary federal regulator of a banking organization be notified as soon as possible of a significant computer-security incident that could jeopardize the viability of the operations of an individual banking organization, result in customers being unable to access their deposit and other accounts, or impact the stability of the financial sector.

The proposed rule would apply to the following banking organizations: national banks, federal savings associations, and federal branches and agencies; U.S. bank holding companies and savings and loan holding companies, state member banks, and the U.S. operations of foreign banking organizations; and all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.

The agencies are seeking public comment on all aspects of the proposal including 16 specific questions related to the proposal. Comments must be received within 90 days of publication of the proposed rules in the Federal Register.

Canon Hit with Data Breach Class Action Suit by Former and Current Employees

Canon U.S.A. Inc. (Canon) was hit with a class action lawsuit in the U.S. District Court for the Eastern District of New York this week for the ransomware attack that exposed current and former employees’ personal information in November 2020. The plaintiffs reside in Ohio, New York, Florida and Illinois, and allege that Canon was negligent in protecting employee data and violated state trade practice laws by failing to guard against such an attack. The plaintiffs further allege that Canon failed to notify the affected individuals in a timely manner.

The attack on Canon occurred in August 2020 and affected current and former employees from 2005 to 2020, as well as their beneficiaries and dependents. The information affected included Social Security numbers, driver’s license numbers, financial account numbers, electronic signatures, and dates of birth. The plaintiffs are seeking certification of a nationwide class.