It’s true: utility and power companies really do love drones. With trillions of dollars’ worth of industrial infrastructure aging across the country, worker-safety and terrorism concerns, and climate change putting strain on power grids, manufacturing facilities and oil and gas production, drones offer a cheaper and more effective way of monitoring infrastructure. Drones are being used to spot faults or overgrown foliage on transmission and distribution lines across the U.S. Monitoring hot, dry areas (like Northern California) is becoming increasingly important: one corporation may owe as much as $17.3 billion in liabilities from the 2017 fires in wine country. Drones were also used to restore power lines in Puerto Rico after Hurricane Maria knocked out nearly 80 percent of the island’s electricity.

While fault detection and power restoration are certainly beneficial, there is another set of services drones can provide that is just as significant: operations and maintenance. As drones improve, so will those services. Drones that can only collect video footage or photos are limited to inspections. With machine vision, enhanced sensors, grabbing arms and probes, drones may be able to fix minor faults in wind turbines, clear away foliage and defend assets from bad actors. As 3-D vision and computational photography, cheaper communications networks and lightweight batteries improve and make their way into the market, drones will be able to fly longer, act independently and replace dangerous or tedious human labor.

Research by Bloomberg L.P. also found that in-house drone programs are cheaper than third-party drone inspection as a service. In-house programs carry up-front costs, including the drone itself, the software, the payload, policies and procedures to comply with Federal Aviation Administration (FAA) regulations, and training programs (and perhaps new hires), but their economics are still better than those of a third-party service.

Additionally, drones can be used to detect methane leaks coming from oil and gas pipelines at 1,000 times the accuracy of traditional methods, saving pipeline owners significant money on leaked product and potential fines.

There are pitfalls, of course: FAA regulations require pilots to keep the drone within visual line of sight unless they obtain a waiver, heavy batteries limit flight times (sometimes to only 20 minutes), and buzzing rotors are often a nuisance to passersby. As the technology improves and regulations evolve, these issues will likely be resolved.

The recent tragedy involving gas customers in Massachusetts has everyone focused on their utilities, which makes it a perfect time for scam artists to take advantage of worried customers, both individuals and small businesses.

In one scam that is making headway, a fraudster calls a customer and says that the customer’s water, electricity or gas will be shut off because of an outstanding bill. Even if you don’t believe any past bill is outstanding, the caller makes it urgent and threatening: the utility will be shut off immediately unless you pay right now. These callers can be very convincing and are well trained.

The sure signs of a scam are that the caller asks for your banking information or asks you to pay by gift card, cash reload card, wire transfer or cryptocurrency. Utilities will not request this information over the telephone or force you to pay over the telephone as your only option.

The problem has become so widespread that the Federal Trade Commission has been receiving complaints and has issued a Consumer Information notice about the scam.

The guidance provided by the FTC if you receive a call like this includes:

  • “Concerned that your bill is past due? Contact the utility company directly using the number on your paper bill or on the company’s website. Don’t call any number the caller gave you.
  • Never give banking information over the phone unless you place the call to a number you know is legitimate.
  • Tell the FTC. Your reports help us fight these scams. And report it to the real utility company. If you already paid, tell the payment provider – such as the wire transfer or gift card company. You may not get your money back, but it’s important to tell them about the scam.
  • Find out how you can protect yourself and your business from scams [by visiting ftc.gov].”

Scammers know when to hit vulnerable individuals following a disaster or crisis, like the gas incident in Massachusetts. Be aware of their intent and don’t let scare tactics make you a victim.

We all know that it is important to protect our Social Security number. But some companies still use the last four digits of our Social Security numbers as identifiers or to verify identity. Social Security numbers have been issued since 1936, long before computers, the internet and identity theft were on anyone’s radar screen. Until June 2011, when the Social Security Administration switched to randomized assignment, numbers were assigned geographically: the first three digits (the area number) were tied to the state where the number was applied for, so with a table of area numbers you could tell whether a number was issued in Rhode Island (a low number) or in California (a higher number). The middle two digits are the group number (01-99), which was issued in a fixed, published order, and the last four digits are the serial number, which ran consecutively from 0001 to 9999 within each group. In other words, none of the nine digits was random under the old scheme, which is exactly why the last four cannot stand in as a secret. To date, more than 453.7 million Social Security numbers have been issued by the federal government. For more information on the history of Social Security, see https://www.ssa.gov/history/hfaq.html.

Why might companies think it’s OK to rely on only the last four digits of a Social Security number? Probably because there’s a false sense of security in thinking that with only those four digits there is less chance of identity theft or fraud.

A determined thief, however, can take that pre-filled credit card application out of your trash (the one that already has your name on it) and apply for a credit card in your name that will, of course, go to a new address. It’s easy today to obtain a few key pieces of information such as name, address and perhaps even date of birth (some people post their date of birth on Facebook and other social media sites). Combined with those identifiers, the last four digits can give thieves the keys to the identity kingdom.

Some states have protections in place that limit what companies can do with Social Security numbers. In Rhode Island, companies can’t require you to use the last four digits of your Social Security number to access a website (unless a password or PIN is also required), or print all or part of a Social Security number on materials mailed to an individual. R.I. Gen. Laws § 6-48-8(a)(4)-(5), part of the Consumer Empowerment and Identity Theft Protection Act of 2006.

What can you do to protect your Social Security number from thieves? Don’t use the last four digits as a PIN or in a password. Check your credit with the three major credit reporting bureaus: www.usa.gov/credit-reports explains how to obtain a free credit report from each of them [view related tip]. This will allow you to see whether any accounts have been opened that you didn’t authorize. Create an account with the Social Security Administration at www.ssa.gov/myaccount/ to check that your Social Security and wage information is accurate. And, as we have written before [view related posts], be careful not to respond to emails or phone calls asking for your personal information.

Finally, be vigilant and protect the last four digits of your Social Security number when you receive phone calls, emails or other requests for it. Remember that the Social Security Administration and other government agencies are not going to call you and ask for your Social Security number.

As Hurricane Florence was making landfall, Department of Health and Human Services Secretary Alex Azar issued HIPAA guidance outlining when hospitals in declared emergency areas qualify for a waiver of sanctions and penalties for noncompliance with certain provisions of the HIPAA Privacy Rule.

According to the guidance, “the HIPAA Privacy Rule allows patient information to be shared to assist in disaster relief efforts, and to assist patients in receiving the care they need….while the HIPAA Privacy Rule is not suspended during a public health or other emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004…and section 1145(b) of the Social Security Act.”

The Secretary declared a public health emergency in North Carolina, South Carolina and Virginia as a result of Hurricane Florence and has “waived sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).”

The waiver “only applies:

  • in the emergency area and for the emergency period identified in the public health emergency declaration.
  • to hospitals that have instituted a disaster protocol.
  • for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.”

The guidance reminds covered entities and business associates that “in an emergency situation, covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures. Further, covered entities (and their business associates) must apply the administrative, physical, and technical safeguards of the HIPAA Security Rule to electronic protected health information.”

We all remember Kronos, the banking malware sold on Russian underground forums in 2014 for $7,000. Buyers were promised updates and the development of new modules.

The Kronos developers recently released an updated version (dubbed Osiris), which is currently attacking individuals in Germany, Japan and Poland, with the U.S. in the queue.

This week, Securonix researchers published research indicating that Osiris is distributed through phishing campaigns whose fraudulent emails carry Microsoft Word documents or attachments with macros that, when opened, may exploit a vulnerability in the Microsoft Office Equation Editor component discovered in 2017. Microsoft has issued a patch for the vulnerability. If the patch has not been applied, Osiris can execute arbitrary code that the thieves use to steal data, including while individuals are accessing their online banking accounts.

Once a machine is infected, the malware modifies the Windows registry so that malicious code is injected into the browser; when the user visits his or her bank’s domain, a man-in-the-browser attack is launched. It can then log keystrokes to capture the user’s banking credentials, allowing the thieves to divert funds while posing as the user.
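The two delivery traits described above (a macro project in the attachment and an embedded Equation Editor object) are both visible in the attachment’s structure before anything is opened. The script below is an added example written for this post, not code from the original page or from the Securonix research: it triages an OOXML (.docx/.docm) or RTF attachment for those traits. The sample documents it checks are constructed in memory for illustration; the only external facts it relies on are that Word stores a VBA project as vbaProject.bin and records an embedded Equation Editor object under the ProgID Equation.3 (in RTF, under \objclass).

```python
"""
Triage an e-mail attachment for the two delivery traits the Osiris campaign
relies on: a VBA macro project and an embedded Equation Editor object.
Added example; not taken from the original post or from the Securonix research.
"""
import io
import re
import zipfile

# ProgID under which Word records an embedded legacy Equation Editor object.
EQUATION_PROGID = b'ProgID="Equation.3"'
# RTF keeps the same class name in an \objclass control word.
RTF_EQUATION_RE = re.compile(rb"\\objclass\s*Equation\.3", re.IGNORECASE)
RTF_OBJDATA_RE = re.compile(rb"\\objdata", re.IGNORECASE)


def triage_attachment(data: bytes) -> dict:
    """Return indicator flags for an OOXML (docx/docm) or RTF attachment."""
    result = {"format": "unknown", "has_macros": False,
              "has_equation_object": False, "ole_embeddings": 0}

    if data.startswith(b"PK\x03\x04"):
        result["format"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                # The VBA project lives in vbaProject.bin whatever the file extension
                # says, so a .docm renamed to .docx is still caught here.
                result["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
                result["ole_embeddings"] = sum(
                    1 for n in names if n.lower().startswith("word/embeddings/"))
                # Word declares every embedded OLE object in its XML parts with a ProgID.
                result["has_equation_object"] = any(
                    EQUATION_PROGID in zf.read(n)
                    for n in names if n.startswith("word/") and n.endswith(".xml"))
        except zipfile.BadZipFile:
            result["format"] = "corrupt-ooxml"
    elif data.lstrip().startswith(b"{\\rt"):
        result["format"] = "rtf"
        result["has_equation_object"] = RTF_EQUATION_RE.search(data) is not None
        result["ole_embeddings"] = len(RTF_OBJDATA_RE.findall(data))

    # Either trait alone is enough to pull the file for sandboxing; a macro document
    # that also carries an Equation.3 object matches the lure described in the post.
    result["suspicious"] = result["has_macros"] or result["has_equation_object"]
    return result


def build_ooxml(document_xml: str, macros: bool, embeddings: int) -> bytes:
    """Construct a minimal OOXML container in memory (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        ole_header = b"\xd0\xcf\x11\xe0" + b"\x00" * 28   # compound-file magic, nothing else
        if macros:
            zf.writestr("word/vbaProject.bin", ole_header)
        for i in range(embeddings):
            zf.writestr(f"word/embeddings/oleObject{i + 1}.bin", ole_header)
    return buf.getvalue()


# Constructed samples: a plain report, a macro lure carrying an Equation.3 object, and an RTF lure.
BENIGN_DOCX = build_ooxml(
    "<w:document><w:body><w:p><w:r><w:t>Q3 summary</w:t></w:r></w:p></w:body></w:document>",
    macros=False, embeddings=0)
LURE_DOCM = build_ooxml(
    '<w:document><w:body><w:p><w:r><w:object><o:OLEObject Type="Embed" '
    'ProgID="Equation.3" ShapeID="_x0000_i1025" r:id="rId5"/></w:object></w:r></w:p>'
    "</w:body></w:document>", macros=True, embeddings=1)
LURE_RTF = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Equation.3}"
            b"{\\*\\objdata 0105000002000000}}}")

if __name__ == "__main__":
    for name, blob in [("report.docx", BENIGN_DOCX), ("invoice.docm", LURE_DOCM),
                       ("invoice.rtf", LURE_RTF)]:
        print(name, triage_attachment(blob))
```

This is a first-pass filter for a mail gateway, not a replacement for the patch: real exploit RTFs routinely obfuscate the \objclass control word, so anything flagged (or any RTF with \objdata at all) should be detonated in a sandbox, and the durable fix is keeping Office patched, since Microsoft went on to remove the legacy Equation Editor from Office in January 2018.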

Online banking customers are at risk. Awareness of the malware, good cyber hygiene and vigilance are important as new variants are introduced.

On June 28, 2018, Adidas released a statement announcing that it recently “became aware that an unauthorized party claims to have acquired limited data associated with certain Adidas consumers.” Adidas believed the breach, affecting millions of its customers, was limited to contact information, usernames and encrypted passwords, and did not include stored credit card or fitness information.

Subsequently, on July 3, 2018, a plaintiff, on behalf of himself and all others similarly situated, filed a complaint in the San Diego County Superior Court. The complaint set forth five separate counts: 1) negligence; 2) breach of contract; 3) breach of implied contract; 4) violation of the California Customer Records Act; and 5) unlawful and unfair business practices under the California Business and Professions Code.

The named plaintiff—Christian Duke—alleges that his claims are typical of the class because “[his] information, like that of other members of the class, was misused and/or disclosed by [Adidas] and requires responsive efforts.” As further justification for the class, he also notes that, individually, the putative-class’s damages may be insufficient to warrant the costs of litigation.

With regard to the breach, Duke alleged that Adidas failed to implement appropriate security processes, including that it:

[F]ail[ed] to ensure that the companies with which it shared members’ Personal Information implemented and maintained adequate security measures to safeguard such information, including encryption, implementation of multi-factor authentication, and usage of behavior monitoring technology to detect unusual activity and transfers of data.

Plaintiff further claims that Adidas failed to timely notify those members whose information had been compromised—despite the representations in Adidas’s statement that it was notifying customers within roughly forty-eight hours of being made aware of the breach. The complaint also asks the court to require Adidas to “notify customers of any future data breaches by email within 24 hours of a breach or possible breach.” (Emphasis supplied.) Plaintiff further seeks compensatory damages, statutory damages, and equitable relief, along with fees and costs.

Last Friday, September 7, 2018, Adidas removed the action to the United States District Court for the Southern District of California, where it is now pending before District Judge Larry Alan Burns. It will be interesting to see what challenges Adidas is able to raise, based on the Ninth Circuit’s fairly liberal view of standing in data breach cases. See, e.g., Ree v. Zappos.com, Inc. (In re Zappos.com, Inc.), 888 F.3d 1020, 1027 (9th Cir. 2018) (finding standing where “the information taken in the data breach […] gave hackers the means to commit fraud or identity theft”). It will also be fascinating to see if the court has the opportunity to consider Plaintiff’s claim for more stringent breach notification requirements—a rather unique remedy. We’ll keep an eye on this case as it potentially makes its way through the Southern District of California.

Data breaches continue to plague the health care industry, and July 2018 was the worst month so far this year in the number of data breaches reported to the Office for Civil Rights (OCR). Thirty-three data breaches were reported by covered entities and business associates in July, with the largest one reported by UnityPoint Health, a business associate—a hacking incident that exposed 1,421,107 individuals’ records.

There have been 221 data breaches (incidents affecting 500 or more individuals) reported to the OCR in 2018, which included the exposure of 6,112,867 individuals’ records. This number is 974,688 more records than in all of 2017.

These statistics do not bode well for the health care industry and emphasize that the health care industry continues to be a target that is proving successful for criminals.

As Hurricane Florence bears down on the Carolinas in the next few days, beware of scammers trying to take advantage of the good hearts of those of us who want to help the victims.

We have seen it before, and no doubt we will see it again in the coming weeks as the devastation of the hurricane becomes known. Fraudsters use natural disasters to prey on the good intentions of people who want to contribute to those affected. With Hurricane Florence reported to be one of the worst hurricanes to hit the Carolinas in decades, the Federal Trade Commission (FTC) has issued guidance on wise giving after a hurricane that outlines the risks of hurricane relief charity fraud.

According to the guidance, “the best way to avoid this and other kinds of charity fraud is to go online and do your research to make sure your money goes to a reputable organization.”

To verify a charity for hurricane relief, check one of the organizations that vet charities before you send a check or donate online:

  • Give.org
  • Charitynavigator.org
  • Charitywatch.org
  • Guidestar.org

Many scammers send out authentic-looking materials that impersonate real charities but have a letter missing from the name or otherwise closely resemble the reputable organization. If you want to donate to a well-known, reputable charity, go directly to its website instead of clicking a link in materials sent by email, or send a check directly to its headquarters or local office.
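The “missing letter” and “closely resembles” tricks above can be checked mechanically against a list of charities you already trust. The script below is an added example written for this post (not code from the original page or from the FTC): it pulls the domain out of a sender address or link and classifies it as the real domain, a lookalike (a letter dropped, a digit swapped for a letter, the wrong top-level domain, or the real name buried as a subdomain of something else), or simply unknown. The allow-list is constructed from the four vetting sites named in the post plus one hypothetical charity; the two-label registrable-domain assumption and the homoglyph table are simplifications made for the example.

```python
"""
Flag sender domains that impersonate a known charity (or charity-vetting site) by a
missing letter, a swapped digit, a different TLD, or the real name used as a subdomain.
Added example; not from the original post or the FTC guidance.
"""
import unicodedata

# Constructed allow-list: the four vetting sites named in the post plus one hypothetical
# relief charity used only for illustration.
KNOWN_CHARITY_DOMAINS = [
    "give.org", "charitynavigator.org", "charitywatch.org", "guidestar.org",
    "floodrelief-example.org",   # hypothetical
]

# Digits (and letter pairs, below) that are visually substituted for letters in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_label(label: str) -> str:
    """Fold case, compatibility characters and common homoglyphs before comparing."""
    label = unicodedata.normalize("NFKC", label).lower()
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domain(sender_or_url: str) -> str:
    """Pull the host out of an e-mail address or a URL."""
    s = sender_or_url.strip().lower()
    if "@" in s:
        return s.rsplit("@", 1)[1]
    if "://" in s:
        s = s.split("://", 1)[1]
    return s.split("/", 1)[0].split(":", 1)[0]


def classify_domain(domain: str, known=KNOWN_CHARITY_DOMAINS):
    """Return ("legitimate" | "lookalike" | "unknown", matched known domain or None)."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    # Assumption: two-label registrable domains (name.org). A public-suffix list would be
    # needed to handle names like example.org.uk correctly.
    registrable = ".".join(labels[-2:])
    if registrable in known:
        return "legitimate", registrable
    sld = normalize_label(labels[-2] if len(labels) >= 2 else labels[0])
    for good in known:
        # The real name placed in front of an attacker-controlled registrable domain,
        # e.g. guidestar.org.donate-now.example; the dots enforce label boundaries.
        if ("." + good + ".") in ("." + domain + "."):
            return "lookalike", good
        good_sld = good.split(".")[0]
        limit = 1 if len(good_sld) < 6 else 2   # short names need a tighter bound
        if levenshtein(sld, normalize_label(good_sld)) <= limit:
            return "lookalike", good
    return "unknown", None


# Constructed sample senders, the kind that arrive after a hurricane.
SAMPLE_SENDERS = [
    "donations@charitynavigator.org",             # exact match
    "relief@charitynavigtor.org",                 # missing letter
    "help@charitynavigat0r.org",                  # digit for letter
    "https://guidestar.org.donate-now.example/",  # real name as a subdomain
    "florence-fund@give.com",                     # TLD swap
    "news@acme-widgets.example",                  # unrelated
]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(s, "->", classify_domain(extract_domain(s)))
```

The edit-distance bound is deliberately loose for long names and tight for short ones (a four-letter name like give.org is one edit away from many real words), so treat “lookalike” as a reason to go to the charity’s site by hand rather than as proof of fraud. Domains that use non-Latin confusable characters (Cyrillic “а” for Latin “a”) pass through NFKC untouched; catching those needs a confusables table, which the example leaves out.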

If you are donating to a charity that is not well known, search for it online and see whether people have reported it as a scam or left negative reviews.

Many scammers will call to get you to donate over the telephone, or thank you for a previous donation and ask you to give again. Be very skeptical of these callers and report any scams to the FTC.

The victims of Hurricane Florence will need our support, but don’t get scammed because of your generosity.

Federal Aviation Administration (FAA) Administrator Dan Elwell said last week, “Drones are going to do for aviation what the internet did for information,” and called on the industry to work with the FAA to fully integrate drones into the National Airspace System. Elwell made the statement at the InterDrone conference held last week in Las Vegas, Nevada. He said that, while the FAA wants the technology to take off (literally and figuratively), there are a lot of questions and concerns that need to be addressed first. While the industry wants drone operations over people and at night, Elwell cautioned that it first needs to address national security concerns. Specifically, he said that until the FAA sets remote ID requirements that apply universally to every drone, full integration is not possible. Elwell said, “The fact is that a lot of safety problems require technological solutions. And that means we need buy-in from all of you. The innovators. The inventors. The out-of-the-box thinkers.”

Elwell concluded by saying the FAA is ready to move now and quickly to enable the drone industry to grow; “[w]e’re building flexible, responsive regulatory processes that can keep up with all your creativity while ensuring safety isn’t compromised.”

We reported last week that a spyware maker exposed users’ and victims’ sensitive information [view related post]. Since then, another spyware maker, mSpy, which holds itself out as having over a million users employing its product to “spy” on their partners and children, has reportedly leaked the passwords, call logs, text messages, location data, contacts and notes of the victims whose mobile phones are being monitored.

A security researcher reportedly found a database open on the Internet that allowed anyone, with no authentication, to query mSpy records of customer transactions and mobile phone data.

The exposed information included individuals’ contacts, call logs, text messages, browser history, calendar events, notes, WhatsApp messages, installed applications and Wi-Fi networks used. Millions of records were reportedly available. When mSpy was notified, it took the database offline.
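A database that anyone on the Internet can query without authentication is almost always one that was bound to every network interface and never put behind a login or a firewall. The script below is an added example written for this post (not code from the original page, the researcher’s report or mSpy, and it says nothing about how mSpy’s database was actually deployed): it reads the output of `ss -ltn` and lists the data-store listeners that accept connections from all interfaces, which is the first thing to check on your own hosts. The `ss` output is constructed for illustration, and the port-to-service table assumes default ports.

```python
"""
Audit listening sockets for data stores reachable from every interface, the
configuration that lets an Internet scan find a database with no authentication.
Added example; not from the original post or from the researcher's report.
"""

# Default ports for common data stores (assumption: defaults, not custom ports).
DATA_STORE_PORTS = {
    27017: "mongodb", 9200: "elasticsearch", 5432: "postgresql", 3306: "mysql",
    6379: "redis", 9042: "cassandra", 5984: "couchdb", 11211: "memcached",
}
WILDCARD = {"0.0.0.0", "*", "[::]", "::"}
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}


def parse_listener(line: str):
    """Parse one `ss -ltn` row into (address, port), or None for header/blank lines."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "LISTEN":
        return None
    addr, _, port = fields[3].rpartition(":")   # rpartition keeps IPv6 brackets intact
    if not port.isdigit():
        return None
    return addr, int(port)


def audit_listeners(ss_output: str) -> list:
    """Return one finding per data-store listener, tagged with how far it is exposed."""
    findings = []
    for line in ss_output.splitlines():
        parsed = parse_listener(line)
        if parsed is None:
            continue
        addr, port = parsed
        if port not in DATA_STORE_PORTS:
            continue
        if addr in WILDCARD:
            exposure = "all-interfaces"
        elif addr in LOOPBACK:
            exposure = "loopback"
        else:
            exposure = "specific-interface"
        findings.append({"port": port, "service": DATA_STORE_PORTS[port],
                         "address": addr, "exposure": exposure})
    return findings


def internet_facing(findings: list) -> list:
    """Listeners that need a bind-address change, authentication, or a firewall rule."""
    return [f for f in findings if f["exposure"] == "all-interfaces"]


# Constructed `ss -ltn` output for illustration; not captured from any real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:27017      0.0.0.0:*
LISTEN  0       4096    *:9200               *:*
LISTEN  0       244     [::]:5432            [::]:*
LISTEN  0       511     [::1]:6379           [::]:*
LISTEN  0       128     10.0.0.5:3306        0.0.0.0:*
"""

if __name__ == "__main__":
    for f in internet_facing(audit_listeners(SAMPLE_SS_OUTPUT)):
        print(f"{f['service']} on {f['address']}:{f['port']} accepts connections from every interface")
```

A “specific-interface” result (the MySQL listener on 10.0.0.5 above) is only safe if that address is private and filtered; a listener on a public address belongs in the same bucket as the wildcard ones. The audit also says nothing about whether the service requires credentials, so an exposed listener should be followed by an unauthenticated query from outside the network to confirm the service rejects it.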

According to KrebsOnSecurity, mSpy was previously hacked in May 2015, and customer data was posted to the Dark Web.