Vevo Hacked through LinkedIn Message

Vevo announced this week that it experienced an intrusion into its servers by the hacking collective OurMine, self-described as a white hat organization that informs individuals and organizations of potential security vulnerabilities.

When OurMine reached out to Vevo to inform it of a vulnerability, a Vevo employee dismissed the claim and told OurMine that they didn’t have anything. As a result, OurMine published the data online before removing it after Vevo acknowledged that it had been compromised. The information included some sensitive information of individuals and companies using Vevo. 3.12 TB of Vevo’s internal files was compromised and posted online.

Vevo said “We can confirm that Vevo experienced a data breach as a result of a phishing scam via LinkedIn. We have addressed the issue and are investigating the extent of exposure.”

Security researchers at Malwarebytes have recently warned of an increase in phishing attacks through LinkedIn. The attackers compromise a user account and then send a link to a malicious document to that LinkedIn user’s connections. Because the connections believe the document comes from someone they know, they open the malware-laden document and infect their systems.

Security researchers are warning users of social media platforms to interact only with those they trust, not to download file attachments sent through social media or click on links that come from an unfamiliar user, and to enable two-factor authentication.

Offshore Cybersecurity Guidelines Issued

DNV GL recently issued a new globally applicable recommended practice (DNVGL-RP-G108) to assist oil and gas operators, system integrators and managers, and vendors in the offshore industry in managing increasing cybersecurity threats. The guidance is designed to help the oil and gas industry improve the security of its operational technology.

A Ponemon Institute study found that over two-thirds of oil and gas companies globally suffered a significant cyber-attack in 2016, a figure that does not include unreported or undetected incidents. According to DNV GL, cyber-attacks in the oil and gas industry (like virtually every other industry) are getting more sophisticated and costly, including malware, ransomware and unauthorized access to system infrastructure. This guidance will assist the industry in preparing for and managing such attacks, including their severity.

Illinois Biometric Case Against Shutterfly Survives

We have been following biometric cases in Illinois, including the case against Shutterfly. Late last week, an Illinois federal judge denied Shutterfly’s motion to dismiss the case, which alleges that Shutterfly violates the Illinois Biometric Information Privacy Act when it collects and stores face geometry scans through facial recognition software.

In allowing the case to proceed, the Judge rejected Shutterfly’s argument that photographs fall outside the statutory definition of a biometric identifier. Shutterfly had argued that the term applies only to retina or iris scans, fingerprints, voiceprints, or scans of hand or face geometry, and that the statute expressly excludes information derived from writing samples, signatures, photographs and tattoos.

The Judge found that if the statute is read so narrowly, it would only include an in-person scan of an individual’s face, which she found to be “problematic,” and if the legislature had wanted to narrow the definition to in person scans, it would have done so. She also noted that such a narrow interpretation would not allow the law to adapt to new technology.

Significantly, the Judge found that the plaintiff did not need to show actual damages in order to have standing to make a claim against Shutterfly. She noted that the plaintiff “credibly alleges an invasion of his privacy,” since he had not voluntarily provided his biometric information to Shutterfly. We will continue to watch the developments in this case.

Supreme Court to Discuss Granting Review in Microsoft E-Mails Case October 6

The U.S. Supreme Court recently indicated that it will consider the federal government’s petition for a writ of certiorari in United States v. Microsoft Corp. at its conference scheduled for October 6, 2017. United States v. Microsoft is a “cutting edge” case that concerns the ability of law enforcement to obtain electronic documents stored abroad via a warrant issued under the Stored Communications Act of 1986 (SCA).

In 2016, a panel of the U.S. Court of Appeals for the Second Circuit unanimously quashed an SCA warrant issued to the Department of Justice that sought the contents of a Microsoft customer’s emails stored on a server in Dublin, Ireland. In January 2017, the Second Circuit subsequently denied a request for an en banc rehearing (see our previous analysis of that decision here). In June 2017, the Office of the Solicitor General (OSG) filed a petition for a writ of certiorari with the Supreme Court requesting reversal of the Second Circuit’s decision (see previous analysis here).

In subsequent briefs filed in support of and in opposition to the petition for certiorari, the OSG and Microsoft duel on three intersecting claims regarding the suitability of this case for Supreme Court review:

  1. Whether Congress, and not the Judiciary, is the proper branch of government to address the acknowledged shortcomings of a law enacted in 1986 used to police 21st-century technological issues such as cloud-computing;
  2. Whether the Second Circuit properly determined that the Supreme Court’s extraterritoriality test supports its finding that the storage of the emails in Ireland, and not the compelled disclosure of the emails that would take place in the United States, was the focus of the SCA and thus the proper consideration in determining that the government sought extraterritorial application of the SCA; and
  3. Whether the legal conflict at issue is a proper vehicle for the Supreme Court to consider when there is currently no circuit split regarding extraterritoriality and the SCA, or whether the issue needs to further “percolate” at the circuit court level before the Supreme Court weighs in.

Of note, the OSG’s reply brief (distributed September 13) emphasizes the harmful effects the Second Circuit’s decision has allegedly had on law enforcement investigations, and also states that eleven district court and magistrate judges have “uniformly rejected” the Second Circuit holding in litigation involving SCA warrants for accounts held by Google and Yahoo!. Interestingly, the OSG also revealed that Google recently reversed its legal stance on SCA warrants and notified the government that it would now comply with such warrants (outside of the Second Circuit), provided that it may also appeal the adverse decisions to which it is a party. This revelation puts holders of Google accounts on notice that Google may accede to a demand for electronic documents stored abroad under an SCA warrant, and reiterates the importance that a Supreme Court decision could have in the instant case. That said, it remains to be seen whether the Supreme Court will in fact take up the petition.

Advanced Weather Data: Vital for the Future of Commercial Drone Operations

Back in December 2016, Amazon executed its first customer delivery by drone in the United Kingdom. Now, as Amazon and other large retailers aim for widespread deployment of drones for the delivery of goods to consumers, it is increasingly clear that advanced weather data is vital for ensuring that these delivery drones can fly weather-sensitive missions safely and efficiently. Weather is just one of the challenges commercial drones will face; birds and other drones will require advanced navigation systems and a great deal of coordination, particularly since the Federal Aviation Administration (FAA) estimates that commercial drones will reach 1.6 million by 2021. Even so, weather data will in many ways dictate the speed and scope of commercial drone deployment. Advanced weather data can be leveraged for commercial drone operations in three phases:

Pre-Flight Planning: Drone operations will require operators to forecast weather with hyper-local precision to determine where the sky will be clear, rainy or snowy, or, even more importantly, where severe weather is happening. With more advanced weather data, drone operations will be safer and more efficient. Additionally, businesses in oil and gas, construction, government, energy, and other weather-sensitive industries can leverage advanced weather data for safe site surveying, better response to disasters in emergencies and protection of their investments.

In-Flight Operations: Weather data impacts a drone’s path direction, flight elevation, mission duration and other in-flight variables. Wind speed is a particularly critical component for smooth drone missions. For example, in significant wind or rain a drone does not operate effectively, especially if it is trying to capture video or photographs; the footage could be unusable with too much wind or rain.

Post-Flight Analysis: Data collected from drone missions paired with weather data can help operators understand how weather impacts certain sites and areas over time. Advanced weather data can help to not only guide commercial drone navigation, but some drones themselves will become microscopic sensors to detect hyper-local, micro-accurate weather patterns down to the minute.

Overall, by analyzing advanced weather data, commercial drone operations will improve and also help to ensure future drone mission success.

Privacy Tip #106 – Online Romance Scams

I haven’t been in the dating scene for decades but I know it sure has changed. Millions of people participate in online dating, and I even know several couples who have found their significant other using online dating platforms. That’s the good news. The bad news is that the Internet is used for bad intentions, so protecting your privacy and practicing safe online behavior when seeking romance is really important.

The FBI reports that romance scams account for the highest financial losses of all internet-facilitated crimes. That statistic really surprised me. FBI’s Internet Crime Complaint Center (IC3) reported that it received 15,000 romance scam complaints in 2016 ― a 20 percent increase over the previous year. Losses suffered by victims exceeded $230 million, but the FBI says that estimate is low, since only about 15 percent of these crimes are even being reported.

The most common states where victims live are California, Texas, Florida, New York, and Pennsylvania. In Texas last year, the IC3 received more than 1,000 complaints from victims reporting more than $16 million in losses related to romance scams.

How are all these people getting scammed?

The victims tend to be older widowed or divorced women whom organized crime figures and scammers target online. The victim may be active on Facebook, and in one case the scammer reached out saying he was a friend of a friend. He started “liking” her posts on her wall, and that turned into emailing back and forth. He posed as a construction executive who was working on a job in a foreign country, so they were unable to meet in person until a later time. Well, that later time never happened, and in the meantime he got into an emergency and asked her to send him money, and since she was in love with him, she sent the money. Lots of it. How embarrassing.

According to the Huffington Post, victims who suffer romance scams are financially and psychologically “so embarrassed that they’re reluctant to come forward even when they realize they’ve been scammed.” It is such a problem that even operates a romance scam database that lists scams and alerts victims.

This week, the U.S. Attorney in the Southern District of New York was successful in prosecuting an online romance scammer who posed as a millionaire and induced people online to give him personal financial information so that he could steal their identities. He stole hundreds of thousands of dollars from his victims. According to prosecutors, he “promised business opportunities and romantic relationships just to steal his victims’ identities and loot their bank accounts, then threatened those who discovered what he was doing.”

His victims were a dozen women in cities including New York, Philadelphia, Chicago, and Atlanta. He met the women on online dating platforms. Prosecutors charged him with bank fraud, aggravated identity theft, and threatening interstate communications. He pleaded guilty to wire fraud and sending threatening communications.

The lesson here is to stay safe online. Be careful what you post to social media sites, because scammers can and will use that information against you. Always use reputable websites, but assume that con artists are trolling even the most reputable dating and social media sites.

If you develop a romantic relationship with someone you meet online, the FBI suggests that you consider the following:

  • Research the person’s photo and profile using online searches to see if the material has been used elsewhere.
  • Go slow and ask lots of questions.
  • Beware if the individual seems too perfect or quickly asks you to leave a dating service or Facebook to go “offline.”
  • Beware if the individual attempts to isolate you from friends and family or requests inappropriate photos or financial information that could later be used to extort you.
  • Beware if the individual promises to meet in person but then always comes up with an excuse why he or she can’t. If you haven’t met the person after a few months, for whatever reason, you have good reason to be suspicious.
  • Never send money to anyone you don’t know personally.

If you suspect an online relationship is a scam, stop all contact immediately. And if you are the victim of a romance scam, file a complaint with the FBI’s Internet Crime Complaint Center.

General Data Protection Regulation (GDPR) Series, Part #3: GDPR Consent and Fair Processing

The General Data Protection Regulation (GDPR) (EU) 2016/679 of 27 April 2016, which comes into force in May 2018, will introduce major changes to the law on the processing of personal data in the European Union. Over the next several months, several European Union law firms we work very closely with will join us in providing you with more information on the GDPR. Different themes will be tackled month by month to help you prepare for the GDPR deadline.

Part 3 of this GDPR Series is brought to you by the German law firm of Graf von Westphalen. Other blog entries in this series will be brought to you by the law firms of Mills & Reeve (UK), FIDAL (France) and VanBenthem & Keulen (Netherlands) as well as Robinson+Cole (United States).

Consent as a lawful basis for data-processing

Every data processing activity requires a lawful basis. Such a lawful basis may be provided directly by law, or by consent granted by the data subject, in both cases according to the statutory requirements set out in Directive 95/46/EC and, importantly, national data protection laws. This general principle remains unchanged under the GDPR; however, the new Regulation provides for new or additional requirements for such consent to be a lawful basis for the processing and transfer of personal data.

IRS Warns of Phishing Email Spoofing IRS and FBI

The Internal Revenue Service (IRS) has issued a warning alerting the public to a new email phishing scam that looks like a joint notice from the IRS and FBI about new tax laws.

The phishing email uses the emblems of both agencies, and asks recipients to download an FBI questionnaire related to “changes of tax laws of the United States.” When recipients click on the link, ransomware infects and encrypts the users’ data.

The email states:

“Owing to changes of Tax laws of the United States of America of June 21, 2017 (Federal tax regulations ref. no. 13-444876476) any business activity of resident or the non-resident citizens of the United States abroad, in particular the belonging of offshore companies, equity participation and offshore capitals, is transferred under the special control of the Federal Bureau of Investigation.”

It then states that the FBI “requires” the recipient to complete a questionnaire, reached through a link that delivers the ransomware.

Apparently so many companies have become victims, that the IRS felt compelled to issue the alert.

Unfortunately, if employees have been warned about phishing emails, this one should have been caught. The grammar and punctuation are a clear giveaway.

The IRS has advised that it does not contact taxpayers about a tax issue by email, and that it will not send an email about a tax delinquency.

This warning reiterates how important employee education and awareness of phishing schemes is.

The Biggest Health Care Data Breaches in 2017

Health Data Management (HDM), using information compiled by Protenus Breach Barometer, published a list this week of the biggest health care data breaches so far in 2017.

The list used data accessible on the Office for Civil Rights website regarding self-reported breaches by health care entities. According to HDM, approximately 200 data breaches affecting more than 500 individuals have been reported to the OCR at the time the list was published.

The data breaches reported to date included compromised records totaling anywhere from a low of 25,000 records in one incident to 500,000 records in the largest one in 2017. The list can be accessed here.

State of Connecticut Provides Guidance on Changes to Education Records of Transgender Students

The Connecticut State Department of Education (DOE) recently published guidance on implementing civil rights protections for transgender students. The guidance, in part, provides information on issues related to requests that a school change a student’s education records to be consistent with their chosen name and gender identity. Notably, the guidance recognized tension that may arise in some circumstances over who is entitled to request a change to a student’s education records.

Under the Family Educational Rights and Privacy Act (FERPA), a student who is 18 years old or older, or the parents/guardians of a student under the age of 18, has a right to request that misleading or inaccurate information in the student’s education record be corrected. The DOE concluded, however, that under civil rights laws a student under the age of 18 may have the right to change their education records even if their parent/guardian disagrees with the change. Recognizing that there is no clear case law on this issue, the DOE recommended that schools consult with legal counsel and counseling staff if such a disagreement arises. Until the disagreement is resolved, however, schools are directed to refer to the student in accordance with the student’s preference.

Guidance was also provided as to the maintenance of education records. The DOE stated that under FERPA, in a circumstance where a student is using a chosen name, that student’s birth name and gender are considered private medical information and, thus, this information may not be disclosed unless the disclosure is permitted by one of FERPA’s exceptions. Any records containing this information must be kept separate from the student’s cumulative record to maintain the student’s privacy.

The DOE also advised schools to develop a process for students and/or their parents/guardians to request that a student’s education records be changed to be consistent with the student’s chosen name and gender identity. The process should not require unique hurdles for requesting these types of changes, and should recognize that a student is not required to legally change their name before correcting their school record. Students and/or their parents/guardians should be advised by the school that if a student does not complete a legal name change, the discrepancy between the student’s education records and his/her college materials, driver’s license and other future documents may create an issue.