A robot for the food delivery market first debuted at George Mason University in January 2019 from Starship Technologies (Starship). Starship did minimal marketing for these new robots for package and food delivery, but students found them, found the app, and then started requesting package and food delivery. It took off from there.

Now, more than a year later, students dress them up for events and make sure the robots can get through sometimes crowded sidewalks. The robot is now seen as simply another pedestrian. While there is a small percentage of people who are suspicious of these robots, the majority view them as a way to make their lives easier.

Following recent releases of robot delivery fleets at Purdue University and the University of Wisconsin, Starship plans to release such robots on more than 100 university campuses over the next two years, and several new job postings seeking operators and support staff in college towns such as Austin, Texas and Tuscaloosa, Alabama have appeared.

Package and food delivery with autonomous robots may be a relatively small market in the near term, but according to industry experts, it’s already attracting a large number of competitors using a wide variety of systems (e.g., FedEx’s SameDay delivery robot). The delivery robot market is expected to grow from $11.9 million in 2018 to $34 million in 2024. Perhaps your next pizza will be delivered by a Starship robot, if you happen to be strolling around a college campus any time soon.

Security researchers are warning companies to be aware of a new resurgence of the Emotet botnet that has been reactivated after a hiatus of five months.

According to the researchers, the Emotet malware steals information and has been used to distribute the banking Trojan Trickbot. Attackers using the Emotet botnet send simple, personalized emails, often with the subject line “RE.” The emails often contain fake invoices, purchase orders, shipping notifications or receipts, and ask the recipient to click on a link or open an attachment. When the link or attachment is opened, Emotet is activated; it hijacks the email account and uses it to forward spam emails containing malicious links and attachments from the legitimate account to that account’s contacts. The recipients, believing the email comes from a trusted source, click on the link or attachment, and the malware spreads exponentially to other email accounts and systems.
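A defender-side triage heuristic for the mail pattern described above, added here as an example and not taken from the researchers' report: it parses two constructed sample messages with Python's standard `email` library and flags a “RE:” subject that carries no threading headers, invoice/order/shipping/receipt wording, and an Office document attachment. The sample messages, addresses and the two-signal quarantine threshold are constructed for illustration.

```python
"""Triage heuristic for Emotet-style reply-chain lures (added example)."""
import email
import re
from email import policy

# Lure wording named in the reporting: fake invoices, purchase orders,
# shipping notifications and receipts.
LURE_WORDS = ("invoice", "purchase order", "shipping", "receipt")
# Word/Excel attachments are the delivery vehicle the reporting warns about.
OFFICE_EXT = (".doc", ".docm", ".xls", ".xlsm")


def triage(raw: bytes) -> dict:
    """Return a score (0-3), the reasons, and a quarantine decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", ""))

    # A hijacked account injects "RE:" mails that were never real replies,
    # so the threading headers a mail client would add are missing.
    if re.match(r"\s*re\s*:", subject, re.I) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        reasons.append("reply-style subject without threading headers")

    text, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename() or "").lower())
        elif part.get_content_type() == "text/plain":
            text += part.get_content()

    if any(w in (subject + " " + text).lower() for w in LURE_WORDS):
        reasons.append("financial/shipping lure wording")
    if any(name.endswith(OFFICE_EXT) for name in attachments):
        reasons.append("Office document attachment")

    # Constructed threshold: two independent signals send it to quarantine.
    return {"score": len(reasons), "reasons": reasons, "quarantine": len(reasons) >= 2}


# Constructed sample: fake invoice "reply" with a macro-enabled Word file.
SUSPICIOUS = b"""From: alice@partner.example
To: bob@corp.example
Subject: RE: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi Bob, please see the attached invoice and confirm the purchase order.
--b1
Content-Type: application/octet-stream; name="Invoice_4471.docm"
Content-Disposition: attachment; filename="Invoice_4471.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

# Constructed sample: a genuine reply carrying an In-Reply-To header.
BENIGN = b"""From: carol@corp.example
To: bob@corp.example
Subject: RE: Lunch on Friday?
In-Reply-To: <20200717.1@corp.example>
Content-Type: text/plain; charset="utf-8"

Sounds good, see you at noon.
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS, BENIGN):
        print(triage(raw))
```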

Emotet is known to spread to other devices on the network and those infected devices are then added to the botnet. As of last week, security researchers confirmed that over 250,000 emails containing Emotet are being sent every day.

According to the researchers, if Emotet is detected, it is important to respond as soon as possible, and to isolate the device and remove the malware. Protection from the infection is focused on employee awareness and asking them to be very cautious about opening any Word documents or Excel spreadsheets, even if they think they are coming from a trusted source.

We have all noticed an increase in email traffic and spam during the pandemic. Protecting devices and networks has been challenging for security personnel with a remote workforce; educating a remote workforce about botnets is even more challenging. However, keeping your employees vigilant about emails and attachments, and engaging them as part of your first line of defense, is critically important to help reduce the spread of Emotet and other malware. As employees, we need to be aware of botnet attacks such as Emotet so we can be responsible and valuable team members in our organization’s data security.

On July 20, 2020, the Connecticut Insurance Department issued a bulletin to licensees reminding them that the Connecticut Insurance Data Security Law (“Act”) becomes effective on October 1, 2020 and providing guidance on compliance.

The Act requires “all persons who are licensed, authorized to operate or registered, or required to be licensed, authorized or registered pursuant to the insurance laws of Connecticut” to “develop, implement and maintain a comprehensive written information security program (“ISP”) that complies with” the Act “not later than October 1, 2020.” The Act generally applies to domestic insurers and health care centers, with some exemptions.

The Act requires the licensee’s ISP to be based upon a risk assessment “and contain safeguards for the protection of nonpublic information and the licensee’s information systems commensurate with the size and complexity of the licensee, its activities, including use of third-party services providers, and the sensitivity of the nonpublic information used by the licensee or in its possession, custody or control.”

The bulletin reminds licensees that unless a licensee is exempted, it must perform due diligence on its third-party service providers and require those providers to implement appropriate administrative, technical and physical measures to protect the information the licensee discloses to them. Although not specified in the bulletin, licensees may wish to consider documenting such measures through security questionnaires and written contractual obligations.

All licensees (except those exempt from the law) must provide written confirmation to the Insurance Commissioner by February 15, 2021, and annually thereafter, certifying that they are in compliance with the Act. Documentation of plans for material improvements, updates or remedial efforts must be maintained by the licensee and be “available for inspection by the Insurance Department.”

The bulletin outlines in detail the obligations of licensees following a cybersecurity attack or event. Similar to the New York Department of Financial Services Cybersecurity Regulations, the Act requires licensees to notify the Insurance Commissioner “as promptly as possible, but in no event later than three (3) business days after the date of the cybersecurity event” if the licensee is domiciled in the State of Connecticut or the licensee believes that the event involves more than 250 residents of the State of Connecticut and notification to individuals is required by state or federal law or the licensee believes that the event has “a reasonable likelihood of materially harming any consumer residing in Connecticut….” The notification will be through the Insurance Commissioner’s website and will be available by October 1, 2020.

The bulletin reminds licensees that the Department has the power to examine and investigate compliance with the Act and to impose penalties for noncompliance. Nonetheless, the bulletin states that because of COVID-19, the Department “intends to exercise appropriate discretion in evaluating the facts and circumstances of a licensee’s compliance…and in the imposition of sanctions for noncompliance.” The bulletin further states that the Department will not impose sanctions against a licensee that fails to file its annual certification of compliance by February 15, 2021, as long as the certificate of compliance is filed by April 15, 2021. However, if a licensee is unable to file the certification on a timely basis due to COVID-19, the licensee “is urged to contact the Insurance Department Market Conduct Division” to explain why it is unable to file by the deadline.

Licensees may wish to consider prioritizing compliance with the Act now and develop and implement their ISP to be ready for both the October 1, 2020 compliance deadline, and the February 15, 2021 certification deadline.

As a follow-up to last week’s post on the importance of due diligence regarding high-risk vendors’ security practices, Blackbaud, a global company providing financial and fundraising technology to not-for-profit entities, notified its customers late last week that it was the victim of a ransomware attack in mid-May. Blackbaud offers a number of products to its customers, including aggregating research data of publicly available information on the wealth of individuals for not-for-profits to assess donors’ giving capacity.

Blackbaud admitted that the ransomware attackers did get access to donor data and were able to remove a copy of a subset of data from Blackbaud’s hosted environment. It has further stated that it paid an undisclosed amount to the ransomware attackers and received a certificate of destruction from the attackers. Blackbaud has stated that no sensitive information, including donors’ Social Security numbers, credit card information or bank account information, was accessed or exfiltrated. According to a company spokesman, “[W]hile this sophisticated ransomware attack happened, we were able to shut it down and have no reason to believe this will result in any public disclosure of any of our customers’ data.”

Nonetheless, multitudes of not-for-profits have received notification of the incident and are struggling with how to respond. The responses have been anything but uniform. In addition, not-for-profit health care entities may have different legal requirements than other not-for-profits because of the Health Information Portability and Accountability Act (HIPAA).

The incident illustrated several things to consider:

  • Do you have a vendor management program in place?
  • Have you vetted or completed due diligence on your vendors’ security practices?
  • Do you have up-to-date and accurate contracts with your vendors, including a Business Associate Agreement, as applicable?
  • Do you have contractual language in place with your vendors concerning appropriate data security measures to protect your data, what happens following a security incident, notification and indemnification?
  • What are your reporting/notification obligations if one of your vendors experiences a data security incident?
  • Who can help navigate these questions?

Mapping the vendors that have access to your employees’ or customers’ data is the first step in a vendor management program. This incident is a reminder that vendors are being attacked just as your organization is. Your company’s data is your responsibility, even when it is in the possession of a vendor, so prioritizing your vendor management program may be worth consideration.

The Federal Aviation Administration (FAA) has been granting drone flight waivers for certain restricted flights to help during the COVID-19 pandemic, but the FAA says that it is unlikely the waivers will extend beyond current stay-at-home restrictions. Thus far, the FAA has been granting waivers for companies using drones to deliver food and supplies in certain parts of the country in order to enable people to stay home while still being able to get the things they need. These approvals have been granted under the Part 107 (Small Unmanned Aerial Systems (UAS) Rule), Special Government Interest Approval (e.g., a public safety aircraft), Part 137 Certification (i.e., agricultural aircraft operations) and Part 135 Certification (i.e., package delivery and beyond visual line of sight). As we look ahead, whether the FAA will continue to grant waivers as readily as they are in the current landscape is unknown.

Several autonomous vehicle developers stopped their on-road testing to keep staff at home during the COVID-19 pandemic, but others pivoted to COVID-19 relief, not only to be useful but to gain experience. Some companies and developers in this space have taken this opportunity to deploy self-driving cars and driverless bots to help deliver goods both on the frontlines and to residents during the stay-at-home orders across the country, including pharmaceutical deliveries for those affected by the virus and quarantined at home. Additionally, many of these cars and bots have been used to deliver food, water, supplies and equipment to staff at temporary health care facilities, which has assisted in reducing contact among workers on the front lines. Others have used driverless vehicles to deliver food from food banks to senior centers and groceries to those individuals who are at higher risk. In this time of need, the autonomous driving vehicle industry has leveraged its existing capabilities to assist the community. Now, the industry, with more experience under its belt and real-life testing of its capabilities, may be able to make some headway in receiving more approvals and exemptions from the Department of Transportation in the future.

The National Highway Traffic Safety Administration (NHTSA) said in a recent report, “The development of advanced automated vehicle safety technologies including fully self-driving cars, may prove to be the greatest personal transportation revolution since the popularization of the personal automobile nearly a century ago.” However, the automobile and transportation industry is still struggling with how this revolution will take place and what it means for one of the key components – the electrical grid. Vehicle-grid integration will present an opportunity to more efficiently plan and operate infrastructure broadly.

To address this big issue, leaders in the industry formed the Vehicle Grid Innovation Council (VGIC). One of the items for discussion is allowing more rate flexibility for electric vehicles. For example, electric vehicle owners could pay less if they charge their vehicles during low power-usage times. The group also will discuss automated vehicles using the grid; automated vehicles present an even greater challenge than manned ones. Manned electric vehicles have a driver to plug them in, but autonomous ones will not. This means wireless charging. While this has been in the works for several years, the system is far from perfected. Currently, the prototyped system can charge an all-electric vehicle in one to two hours, while a plug-in hybrid could be charged in less than an hour. A wireless charging system would include a plate that the vehicle drives over to charge. However, to increase safety, autonomous vehicles may be better served by overhead charging plates. On the flip side, there are also companies working on charging robots that would seek out electric vehicles and charge them before moving on to the next “customer.” For the moment, all we know is that these new technologies will mean a big change in the way we transport goods and people, and in the way we operate our electrical grid.

This week, I received a breach notification letter from a large financial institution stating that my personal information, including my name, Social Security number, account name and number, contact information, date of birth, and asset information may have been compromised. UGH—that is highly sensitive information. Unfortunately, this is not the first time my personal information has been compromised. Even more unfortunate is the fact that this incident apparently occurred four years ago.

The letter advised me that I can sign up for credit monitoring and identity restoration services, which I will do.

And that’s my point this week. Data breaches are becoming more common. Although this incident was not a hacking incident, hackers are becoming more sophisticated and bolder. It is almost inevitable that our personal information will be compromised if it has not been already. It is important that when we receive these letters advising us that our information has been compromised that we do what we can to protect ourselves, including signing up for credit monitoring and placing a credit freeze on accounts if that is appropriate. Here is more information about how to protect yourself in the event you, too, receive a breach notification letter [view related post].

Last week, authorities from the United States, United Kingdom and Canada accused a well-known hacker group tied to the Russian government, APT29, a/k/a Cozy Bear, of using malware to exploit security vulnerabilities in order to steal COVID-19 vaccine research from companies in these countries that are working to develop a vaccine. This followed a Federal Bureau of Investigation warning that Chinese hackers were targeting research organizations to gain access to research related to a COVID-19 vaccine, treatments and testing.

Earlier this week, the U.S. Department of Justice (DOJ) announced an indictment against two Chinese nationals believed to be associated with China’s Ministry of State Security for stealing or trying to steal terabytes of data from companies located in eleven countries, including companies located in Massachusetts, Maryland and California that were researching COVID-19 vaccines and antiviral drugs.

In addition to targeting COVID-19 research facilities, according to the DOJ press release, the alleged hackers, Li Xiaoyu and Dong Jiazhi, targeted and successfully hacked “hundreds of victim companies, governments, non-governmental organizations, and individual dissidents, clergy and democratic and human rights activists in the United States and abroad…” The hackers worked for their own personal gain, but also to benefit the Chinese Ministry of State Security “or other Chinese government agencies.”

The victim companies were not identified by name, but were listed as “high tech manufacturing; medical device, civil, and industrial engineering; business, educational and gaming software; solar energy; pharmaceuticals; defense.” The DOJ further stated that “[I]n at least one instance, the hackers sought to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the Internet.”

In announcing the indictment, Assistant Attorney General for National Security John C. Demers said, “China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research.”

The COVID-19 pandemic has certainly forced companies to innovate and explore new ways of working across their workforce and client base. Some have decided to dive headfirst into implementing collaboration technologies such as Microsoft Teams. After all, it’s part of the Microsoft stack, so in theory such a decision doesn’t require a significant financial investment. This is true, but it does require setting aside time to discuss a governance plan and what role this new technology will play in your company. This involves defining the people, processes and structure behind your Microsoft Teams setup.

Next, we’ll share three initial steps your company can take to ensure a successful Microsoft Teams journey.

Clearly Define Roles

A successful Microsoft Teams governance plan begins with deciding who will be allowed to create new teams. For example, should all creation requests funnel through a centralized business unit and vetting process, or should users be able to create a team at will? A major deciding factor in this decision is likely to be the amount of resources available, or lack thereof. In either case, creating a document that explains when a new team should be created is a good place to start.

Create a Naming Convention

To ensure a data swamp doesn’t occur, it’s important to establish a clearly defined naming convention. At a minimum, this will include a glossary of standard terms and abbreviations. Using abbreviations when appropriate can help shorten team names and make things look cleaner. This will translate into increased findability of content and fewer needle-in-a-haystack searches.

Establish Policies & External Access Requirements

Another way to ensure a data swamp doesn’t occur is to establish policies within Microsoft Teams. One policy you have the ability to create is an archive policy. This policy allows you to archive content that is no longer useful (after a certain number of days or years, when a project is complete, when a case is closed, etc.). Users can still access a “read only” copy, which preserves the integrity of the content.

Another policy consideration is whether to allow external access to Microsoft Teams. Of course, external access is an excellent way to share and collaborate with clients and partners outside the organization, but it also presents several security concerns that will need to be considered.

These three steps are only the tip of the iceberg but should provide a solid foundation from which to start. In the coming weeks and months, it will be interesting to see how companies decide to use Microsoft Teams and other collaboration tools during this unprecedented time.