Years-Long Exposure of Sensitive Client Information Results in $200,000 Settlement with New York Attorney General

In late August, the Attorney General of the State of New York announced a $200,000 settlement with a New York-based non-profit organization that provides services to developmentally disabled individuals and their families, after concluding that the organization had exposed sensitive personal information of its clients on the Internet for almost three years.

The settlement is the result of an investigation initiated in early 2018 in response to a tip that sensitive information of the organization’s clients was available on its website. An investigator subsequently determined that a spreadsheet containing personal information of 3,751 clients – including, without limitation, names, Social Security numbers, diagnosis codes, IQs, and insurance information – had been publicly available online between July 2015 and February 2018. As noted by the Attorney General in the press release announcing the settlement, the organization was obligated under the Health Insurance Portability and Accountability Act (HIPAA) to implement appropriate administrative, technical and physical safeguards to protect that client information. Note that the exposure was not an intrusion: the file was simply reachable by anyone who found the URL, which is exactly the kind of misconfiguration a periodic review of what a public web server actually serves would have caught.

In addition to the monetary penalty, the organization also agreed to (i) perform an assessment of its security risks and vulnerabilities and submit a report with its findings to the Attorney General’s Office within 180 days of the settlement, (ii) review its data security policies and procedures based on the risk assessment, and (iii) notify the Attorney General of any action taken in response to that assessment (or provide an explanation to the Attorney General of why no action is necessary).

The settlement is an important reminder of the enforcement authority that state Attorneys General hold in response to data breaches, authority that can arise under HIPAA or under state law. The Office of the New York Attorney General has been among the most active in the country in exercising that authority (see, e.g., here). All organizations that receive and maintain sensitive personal information of clients or patients, and particularly health care organizations, would therefore be well-advised to make proactive compliance efforts to assess security vulnerabilities and mitigate data security risks, and to bear in mind that data breach enforcement actions are not limited to those taken by the federal Office for Civil Rights under HIPAA.

Schneider Electric USBs Infected with Malware

Schneider Electric recently issued a security notification warning customers that it had mistakenly shipped USB drives infected with malware. Schneider Electric stated in its alert that “Schneider Electric has determined that some USB removable media shipped with [two products] were contaminated with malware during manufacturing by one of our suppliers.”

According to the overview of the Security Notification issued by Schneider Electric, “Schneider Electric is aware that USB removable media shipped with the Conext Combox and Conext Battery Monitor products may have been exposed to malware during manufacturing at a third-party supplier’s facility.” The affected products are identified as the Conext Combox, SKU 865-1058 (all versions), and the Conext Battery Monitor, SKU 865-1080-01 (all versions).

The alert recommends that the USB drives not be used, and further that “users are strongly encouraged to securely discard any USB removable media provided with these products….Users who believe they may have used one of the potentially-affected USB removable media are encouraged to perform a full scan of their system to check for and clean any identified malicious software using any standard anti-malware application program. Users are also encouraged to maintain good endpoint protection including active malware detection and remediation as part of their cybersecurity maintenance program.”

USB and flash drives continue to pose a risk to organizations, and this incident is a supply-chain case: the media arrived infected from the vendor’s own supplier, so the fact that a drive is branded and shrink-wrapped says nothing about whether it is clean. The warning reiterates the importance of assessing the risk of any use of USB or flash drives and of scanning removable media on an isolated machine before it is introduced into an organization’s systems, particularly where those systems are industrial or energy-management devices that may not run endpoint protection at all.

Ohio Passes Law Providing Safe Harbor for Businesses Suffering Data Breach

The Ohio legislature recently passed S.B. 220, which gives businesses that suffer a data breach an affirmative defense against tort claims, including those brought in class action suits.

The law goes into effect on November 2, 2018. In short, it gives a business a safe harbor if the business implements and complies with “a recognized cybersecurity framework.” The law lists the recognized cybersecurity frameworks that qualify for the safe harbor, which are well-known existing frameworks such as:

  • NIST frameworks
  • HIPAA
  • Title V of Gramm-Leach-Bliley Act
  • PCI standards

The Act does not set minimum standards and allows a business to adopt whichever listed framework is appropriate for its size and risk, but the adoption and maintenance of that framework will be scrutinized if the business asserts the affirmative defense, so the framework must actually be implemented and kept current, not merely selected on paper.

The legislation does not automatically provide a safe harbor, as many data breach notification laws do for the adoption of statutorily approved encryption technology; instead, it allows the business to assert the safe harbor as an affirmative defense in the suit. Nor does it create a private right of action for plaintiffs to assert if a business fails to implement a cybersecurity framework and then suffers a data breach.

The purpose of the Act is to “encourage businesses to achieve a higher level of cybersecurity through voluntary action.”

Yahoo! Data Breach Estimated to Cost Successor Company Net $47 Million

Altaba Inc., the successor company of Yahoo Inc., recently noted in a filing with the Securities and Exchange Commission that, after its settlement of consumer and shareholder suits relating to Yahoo’s data breach that affected all 3 billion of its user accounts, it will have paid a net $47 million in expenses.

This estimate is based upon a tentative agreement to resolve pending state and federal class action suits, as well as a shareholder derivative suit, and is on top of a securities class action settlement of $80 million (including $14.4 million in attorneys’ fees) that recently received final approval from the court. That settlement has been touted as the largest securities class action settlement in history involving a data breach.

Choice Hotels Sued for Failing to Provide Information about Accessibility to Users

Choice Hotels International Inc. was recently sued for failing to provide disabled users with information about the accessibility of its rooms and grounds. The suit, referencing the Comfort Inn in Gainesville, Florida, states that the hotel’s online reservation system fails to give users information about accessible features for those using wheelchairs or canes.

According to the suit, the hotel has “failed to make its reservations services fully and equally accessible to individuals with disabilities, thereby denying those individuals the same benefits and privileges afforded to guests without disabilities” which is required under the Americans with Disabilities Act (ADA).

Another area that has seen increased litigation under the ADA is companies’ failure to follow ADA guidelines for making their websites accessible to the visually impaired.

These suits provide an incentive for companies to take a fresh look at their websites to determine whether they comply with the myriad laws that apply to websites, including the ADA.

FAA’s LAANC: Last Stop, Central North U.S.

As of last week, the Federal Aviation Administration’s (FAA) Low Altitude Authorization and Notification Capability (LAANC) is nationwide. We wrote about the FAA’s rollout of LAANC in April, with incremental deployment at air traffic facilities and airports and the final deployment on September 13 (last week). That last deployment covered the Central North region of the U.S. LAANC now spans 288 air traffic control facilities and 470 airports across the country. Drone pilots using LAANC can receive authorization to fly in certain controlled airspace in near real time (as opposed to completing an application through the FAA’s DroneZone and obtaining a waiver for the operation). This is a major step toward the safe and efficient deployment of drones in the national airspace. To learn more about LAANC click here.

Drone Crashes in San Francisco During Building Inspection

While inspecting a cracked window at San Francisco’s tilting Millennium Tower, a drone fell from the sky, just missing pedestrians below. The Millennium Tower’s homeowners association had hired a drone pilot to take photos of the cracked window. During the aerial inspection, the drone lost its GPS satellite signal, and once the signal was lost the drone was no longer under the pilot’s control. It drifted, struck another building across the street from the Millennium Tower, and crashed on the sidewalk below, narrowly missing several pedestrians.

The homeowners association’s attorney said, “We’re trying to evaluate whether the tilting [of the building] has anything to do with [the cracked window] but we’re also looking at all other aspects of it, structural, whether it’s part of the window assembly, the manufacturing process, the installation process.” The hope is that the drone footage (obtained before it crashed) will help experts determine what is causing the window to crack. The pilot had to launch the drone from three different locations because of interference with his GPS and satellite signals. Congested cities are often difficult places to hold a signal because of high-rise buildings like the Millennium Tower, and a loss of positioning can turn into a loss of control. This is something to consider, and to plan a failsafe for, when conducting drone operations in cities.

Why Utility Companies Love Drones

It’s true. Utility and power companies really love using drones. Drones seem to be everywhere now, and with trillions of dollars’ worth of industrial infrastructure aging across the country, worker safety and terrorism concerns, and climate change putting strain on power grids, manufacturing facilities and oil and gas production, drones offer a cheaper and more effective way of monitoring infrastructure. Drones are being used to spot faults or overgrown foliage in transmission and distribution lines across the U.S. Monitoring hot, dry areas (like Northern California) is becoming increasingly important – one corporation may owe as much as $17.3 billion in liabilities from the 2017 fires in wine country. Drones were also used to restore power lines in Puerto Rico after Hurricane Maria cut off nearly 80 percent of the island’s electricity.

And, while threat detection and power-restoration services are certainly beneficial, there is another set of services that drones can provide that is just as significant: operations and maintenance. As drones improve, so will the services they provide. Drones that can only collect video footage or photos are limited to inspections. With machine vision, enhanced sensors, grabbing arms and probes, drones may be able to fix minor faults in wind turbines, clear away foliage and defend assets from bad actors. As advances in 3-D vision and computational photography, cheaper communications networks and lightweight batteries make their way into the market, drones will be able to fly longer, act more independently and replace dangerous or tedious human labor.

Research conducted by Bloomberg L.P. also found that in-house drones are cheaper than third-party drone inspection as a service. Although in-house drones require up-front costs – the drone itself, the software, the payload, policies and procedures to comply with Federal Aviation Administration (FAA) regulations, and training programs (perhaps new hires) – they still have better economics than using a third-party service.

Additionally, drones can be used to detect methane leaks coming from oil and gas pipelines at 1,000 times the accuracy of traditional methods, saving pipeline owners significant money on leaked product and potential fines.

Of course, there are pitfalls – FAA regulations require drone pilots to keep the drone within line of sight, heavy batteries limit flight times (sometimes to only 20 minutes), and buzzing rotors are often considered a nuisance by passersby. As technologies improve and regulations evolve, however, these issues will likely be resolved.

Privacy Tip #157 – Protect Yourself From Utility Scams

The recent tragedy involving gas customers in Massachusetts has everyone focused on their utilities, which makes it a perfect time for scam artists to take advantage of worried customers – both individuals and small businesses.

One scam making the rounds is a telephone call from a fraudster telling the customer that their water, electricity or gas will be shut off due to an outstanding bill. You don’t think any of your past bills are outstanding, but the caller makes it urgent and threatening: pay the outstanding bill now or your utility will be shut off immediately. They can be very convincing and are well rehearsed.

The sure signs of a scam are a caller who requests your banking information, or who asks you to pay by gift card, cash reload card, wire transfer or cryptocurrency. Utilities will not request this information over the telephone or force you to pay over the telephone as your only option.

The issue has become so widespread, that the Federal Trade Commission has been receiving complaints and has issued a Consumer Information notification about the scam.

The guidance provided by the FTC if you receive a call like this includes:

  • “Concerned that your bill is past due? Contact the utility company directly using the number on your paper bill or on the company’s website. Don’t call any number the caller gave you.
  • Never give banking information over the phone unless you place the call to a number you know is legitimate.
  • Tell the FTC. Your reports help us fight these scams. And report it to the real utility company. If you already paid, tell the payment provider – such as the wire transfer or gift card company. You may not get your money back, but it’s important to tell them about the scam.
  • Find out how you can protect yourself and your business from scams [by visiting ftc.gov].”

Scammers know when to hit vulnerable individuals: right after a disaster or crisis, like the gas incident in Massachusetts. Be aware of their intent and protect yourself from becoming a victim of scare tactics.

The Importance of Protecting the Last Four Digits of Your Social Security Number

We all know that it is important to protect our Social Security number. But companies still sometimes use the last four digits of a Social Security number as an identifier or to verify identity. The use of Social Security numbers began in 1936, long before computers, the internet, and identity theft were on anyone’s radar screen. Numbers started out being assigned geographically by region, so with a list of the first three digits (the area number) of assigned Social Security numbers you could tell whether someone was born in Rhode Island (with a low number) or in California (with a higher number). The middle two digits are a group number (01-99) and the last four are a serial number. Before the Social Security Administration switched to randomized assignment in June 2011, group numbers were issued in a fixed order within each area and serial numbers were issued consecutively within each group, so for anyone issued a number before then the whole number is considerably more predictable than it looks. To date, more than 453.7 million Social Security numbers have been issued by the federal government. For more information on the history of Social Security, see https://www.ssa.gov/history/hfaq.html.

Why might companies think it is acceptable to reference only the last four digits of a Social Security number? Probably because of a false sense of security: the belief that with only those four digits exposed, there is less chance of identity theft or fraud. But the last four are the only part of the number that was not derived from where and when it was issued, which makes them the most valuable four digits, not the least.

A determined thief, however, can take that credit card application out of your trash (the one already pre-filled with your name) and apply for a credit card in your name that will, of course, go to a new address. It is easy today to obtain a few key pieces of information such as name, address, and perhaps even date of birth (some people post their date of birth on Facebook and other social media sites). Combined with those identifiers, the last four digits give thieves the keys to the identity kingdom.

Some states have protections in place that limit what companies can do with Social Security numbers. In Rhode Island, companies cannot require you to use the last four digits of your Social Security number to access a website (unless a password or PIN is also required), or print all or part of a Social Security number on materials mailed to an individual. R.I. Gen. Laws § 6-48-8(a)(4)-(5), known as the Consumer Empowerment and Identity Theft Protection Act of 2006.

What can you do to protect your Social Security number from thieves? Some things to consider: do not use the last four digits as your PIN or in passwords, and check your credit with the three major credit reporting bureaus. You can go to www.usa.gov/credit-reports for information on how to obtain a free credit report from each of the three major credit bureaus, or click here [view related tip]. This will let you see whether any new accounts have been opened that you did not authorize. Create an account with Social Security to check that your Social Security and wage information is accurate: www.ssa.gov/myaccount/. Also, as we have written before [view related posts], be careful not to respond to email or phone calls asking for your personal information.

Finally, be vigilant and protect the last four digits of your Social Security number when you receive phone calls, email or other requests for it. Remember that the Social Security Administration and other government agencies are not going to call you and ask for your Social Security number by telephone.
