Privacy Tip #245 – Another Breach Notification Letter

This week, I received a breach notification letter from a large financial institution stating that my personal information, including my name, Social Security number, account name and number, contact information, date of birth, and asset information may have been compromised. UGH—that is highly sensitive information. Unfortunately, this is not the first time my personal information has been compromised. Even more unfortunate is the fact that this incident apparently occurred four years ago.

The letter advised me that I can sign up for credit monitoring and identity restoration services, which I will do.

And that’s my point this week. Data breaches are becoming more common. Although this incident was not a hacking incident, hackers are becoming more sophisticated and bolder. It is almost inevitable that our personal information will be compromised if it has not been already. It is important that when we receive these letters advising us that our information has been compromised that we do what we can to protect ourselves, including signing up for credit monitoring and placing a credit freeze on accounts if that is appropriate. Here is more information about how to protect yourself in the event you, too, receive a breach notification letter [view related post].

Chinese and Russian Hackers Targeting COVID-19 Vaccine Makers in U.S. Crosshairs

Last week, authorities from the United States, United Kingdom and Canada accused a well-known hacker group tied to the Russian government, APT29 a/k/a Cozy Bear of using malware to exploit security vulnerabilities to enable it to steal COVID-19 vaccine research from companies located in these countries working to develop a vaccine. This was after a Federal Bureau of Investigation warning that Chinese hackers were targeting research organizations to gain access to research related to a COVID-19 vaccine, treatments and testing.

Earlier this week, the U.S. Department of Justice (DOJ) announced an indictment against two Chinese nationals believed to be associated with China’s Ministry of State Security for stealing or trying to steal terabytes of data from companies located in eleven countries, including companies located in Massachusetts, Maryland and California that were researching COVID-19 vaccines and antiviral drugs.

In addition to targeting COVID-19 research facilities, according to the DOJ press release, the alleged hackers, LI Xiaoyu and Dong Jiazhi targeted and successfully hacked “hundreds of victim companies, governments, non-governmental organizations, and individual dissidents, clergy and democratic and human rights activists in the United States and abroad…” The hackers worked for their own personal gain, but also to benefit the Chinese Ministry of State Security “or other Chinese government agencies.”

The victim companies were not identified by name, but were listed as “high tech manufacturing; medical device, civil, and industrial engineering; business, educational and gaming software; solar energy; pharmaceuticals; defense.” The DOJ further stated that “[I]n at least one instance, the hackers sought to extort cryptocurrency from a victim entity, by threatening to release the victim’s stolen source code on the Internet.”

In announcing the indictment, Assistant Attorney General for National Security John C. Demers said, “China has now taken its place, alongside Russia, Iran and North Korea, in that shameful club of nations that provide a safe haven for cyber criminals in exchange for those criminals being ‘on call’ to work for the benefit of the state, here to feed the Chinese Communist party’s insatiable hunger for American and other non-Chinese companies’ hard-earned intellectual property, including COVID-19 research.”

Three Keys to Avoid Microsoft Teams Data Swamp

The COVID-19 pandemic has certainly forced companies to innovate and explore new ways of working across its workforce and client base. Some have decided to dive head first into implementing collaboration technologies such as Microsoft Teams. Afterall, it’s part of the Microsoft stack, so in theory such a decision doesn’t require a significant financial investment. This is true, but it does require time to be set aside to discuss a governance plan and what role this new technology will play in your company. This involves defining the people, processes and structure behind your Microsoft Teams setup.

Next, we’ll share three initial steps your company can take to ensure a successful Microsoft Teams journey.

Clearly Define Roles

A successful Microsoft Teams governance plan begins with deciding who will be allowed to create new teams. For example, should all creation requests funnel though a centralized business unit and vetting process or should users be able to create a team at will? It’s likely that a major deciding factor in this decision will be the amount resources available or lack thereof. In either case, create a document explaining when a new team should be created is a good place to start.

Create a Naming Convention

To ensure a data swamp doesn’t occur, it’s important to establish a clearly defined naming convention. At a minimum, this will include a glossary of standard terms and abbreviations. Using abbreviations when appropriate can help shorten team names and make things look cleaner. This will translate into increased findability of content and reduce those needles in a haystack search adventures.

Establish Polices & External Access Requirements

Another way to ensure data swamp doesn’t occur is to establish policies within Microsoft Teams. One policy that you have the ability create is an archive policy. This policy allows you to archive content that is no longer useful (after certain number of days, years, when project is complete, case is closed, etc.) Users can still access a “read only” copy, while still preserving the integrity of the content.

Another policy consideration is whether to allow external access to Microsoft Teams or not. Of course, external access is an excellent way to share and collaboration with clients and partners outside the organization, but it also presents several security concerns that will need to be considered.

These three steps are only the tip of the iceberg but should provide a solid foundation from which to start. In the coming weeks and months, it will be interesting to see how companies decide to use Microsoft Teams and other collaboration tools during this unprecedented time.

What Does 2020 Have in Store for CCPA Enforcement and Litigation?

While the California Consumer Privacy Act (CCPA) went into effect on January 1st of this year, the California Attorney General submitted the final draft of proposed regulations only last month. With the CCPA’s inclusion of a private right of action for California residents to seek actual or statutory damages if their personal information has been “subject to an unauthorized access and exfiltration, theft or disclosure” due to a business’s failure to “implement and maintain reasonable security procedures,” there is added exposure in California consumer class actions if a business suffers a data breach, especially because the CCPA allows for statutory damages without having to prove actual harm. The CCPA sets the statutory limit between $100 and $750 per consumer per incident. The amount awarded is based on “any one or more of the relevant circumstances presented by any of the parties to the case, including, but not limited to, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.”

Now, with the Attorney General’s enforcement in effect as of July 1, the second half of 2020 could reveal much more about the Attorney General’s CCPA enforcement strategy. Additionally, the strategy of private litigants, who have been able to file CCPA claims since January 1, may also be instructive on what to expect for enforcement by the state.

While COVID-19 has certainly halted much litigation (or perhaps moved it to the digital world), the migration to remote work has actually led to several CCPA actions, as threat actors have exploited this unsteady transition and immense strain on information technology departments, which, for the first time, are dealing with a large group of employees working from home. So far this year, April was the most active month for new CCPA litigation, with over a dozen complaints being filed in both state and federal courts, mostly in California (no surprise), but also in Florida, New York, and Washington.

To date, the CCPA has yet to be interpreted in court. However, some of the recent case filings indicate that plaintiffs are attempting to interpret the CCPA’s private right of action very broadly.

It would seem that the limitations on the CCPA’s private right of action are clear. Section 1798.150(a)(1) of the CCPA states: “Any [California resident] consumer whose nonencrypted and nonredacted personal information…is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action.” Civil actions maybe be instituted for actual or statutory damages, injunctive relief and other relief the court deems proper.

The civil private right of action applies only if personal information has been the subject of a data breach and the statute makes clear that the “cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.” Nonetheless, many litigants are attempting to bring actions for statutory damages related to a violation (i.e., failure to comply) of the CCPA without including any allegations related to the limited private right of action for a loss related to a data breach.

Furthermore, the CCPA expressly precludes consumers from using it as “the basis for a private right of action under any other law.” Section 1798.155 of the CCPA provides the Attorney General with broad enforcement authority over all CCPA violations, which means that there is no need for enforcement via any other consumer protection law. However, plaintiffs in many of the recent pleadings filed attempt to use the CCPA as a means of indicating violation of other consumer protection laws.

Overall, there have been 50 consumer class actions alleging some type of CCPA violation filed in the first six months of the year. And in the second half of 2020? Well, there is no indication of it slowing down. Because the Attorney General’s enforcement powers just took effect, the next six months will likely see more private litigant activity and state enforcement, even though the CCPA regulations are not yet effective; the Attorney General may bring an action under the CCPA for CCPA violations that occurred any time after January 1 by relying on the statute rather than the regulations. Therefore, if a business has been hit with a consumer class action, it could see an enforcement action down the road as well.

Currently, with the CCPA’s onerous requirements and the heightened possibility of email compromises and data security incidents due to the remote work situation, the liability risk for failing to comply with the CCPA could be very significant for businesses. Businesses that are vigilant in their CCPA compliance may be in a position to avoid the ominous threat of CCPA enforcement.

Benefit Vendors’ Security Practices

Most employers use vendors to assist with managing various employee benefits, including payroll, health and dental benefits, pharmacy, cost-reduction strategies, retirement, analysis and wellness programs.

When using these vendors, the personal information of employees is provided to the vendor in data dumps. Usually that means that the vendors receive employees’ names, addresses, dates of birth, financial information, salary information, benefit elections, beneficiaries and other dependents, and oftentimes, full Social Security numbers.

Because benefit vendors are receiving high-risk data, they are considered high-risk vendors and companies may wish to consider completing security questionnaires or other due diligence regarding the vendors’ security practices.

Case in point is the recent successful credential hack of Benefit Recovery Specialists (BRS). BRS provides billing and collection services for health care entities. It is reported that more than 274,000 individuals are being notified by BRS that their data may have been compromised as a result of a malware incident that was discovered on servers on April 30, 2020.

According to BRS, a hacker successfully accessed an employee’s credentials to hack into the network for approximately 10 days. During that time, 274,000 individuals’ names, dates of birth, provider names, procedure codes, and dates of service, as well as some Social Security numbers, may have been accessed or compromised.

Although not confirmed, this sounds like a phishing incident. To avoid such a compromise, take care to assess the security practices of vendors and third-party service providers when transmitting high risk employee, customer or patient information to them. The integrity of a business’ security is only as good as that one employee who clicks on a phishing email.

Reinventing Supply Chains to Reach Patients in Remote Areas

Greater access to medicines and other health commodities (as well as timely delivery of test results) in remote areas could improve health outcomes and potentially save lives. To broaden this access, the USAID Global Health Supply Chain Program-Procurement and Supply Management (GHSC-PSM) project, with the U.S. President’s Emergency Plan for AIDS Relief (PEPFAR) funding, launched a new approach to achieve the last-mile delivery in Malawi in Southeastern Africa using unmanned aerial systems (UAS or drones) for bi-directional delivery of medicines, lab samples and test results.

This project began over a year ago and is now making regular bi-directional deliveries to and from eight health facilities in this area. The drone lands autonomously with local health staff present to collect medicines and test results and then load the samples for the return flight. Prior to the use of drones for these tasks, the roundtrip transport took up to eight weeks, and some samples never even made it back to the health facilities, getting lost in transit entirely.

The drone delivery project is achieving faster and more reliable delivery of patient diagnostic samples and results for HIV, early infant diagnosis and tuberculosis. Since the project launched, the drone has traveled over 4,291 miles during 184 flights, and carried medicines, medical supplies, lab samples and test results to and from eight different locations. This project is pioneering in medical supply and lab test delivery because it:

  • Extends the outer reaches of the formal supply chain by collecting and delivering to previously unserved or underserved last-mile health facilities;
  • Successfully integrates the use of drones into the existing supply chain and distribution channels;
  • Optimizes the use of drones;
  • Demonstrates the relevance of sustained use drone over several months;
  • Demonstrates the sustainability of using drones for public health programs;
  • Builds local capacity by hiring and training locals to be part of the flight operations team; and
  • Advances transparent information sharing for local and global actors interested in developing similar drone programs.

Ultimately, this project will contribute a body knowledge on the health impacts, costs and operational considerations of UAS programs for consideration by national and global actors.

Privacy Tip #244 – Beware of Scammers Posing as Utility Company Employees

The coronavirus pandemic has caused millions of people to lose their jobs and many are struggling to make ends meet, including paying their utility bills. With economic turmoil comes scammers ready to take advantage of heightened anxiety and to prey on individuals when they are the most vulnerable.

Recently, scammers have been posing as employees and representatives from utility companies, telling individuals that if they don’t pay their utility bills, their power will be terminated. By threatening to turn off power, they scare people into giving them credit card or other financial information over the telephone.

It has been such a problem that the Federal Trade Commission (FTC) issued a warning to consumers this week.

The FTC provides tips on how to respond when someone posing as a caller from the utility contacts you:

  • “Thank the caller for the information. Then firmly tell them you will contact the utility company directly using the number on your bill or on the company’s website.
  • Even if the caller insists you have a past due bill or your services will be shut off, never give banking information over the phone unless you place the call to a number you know is legitimate.
  • Utility companies don’t demand banking information by email or phone. And they won’t force you to pay by phone as your only option.
  • If the caller demands payment by gift card, cash reload card, wiring money or cryptocurrency, it is a scam. Legitimate companies don’t demand payment by gift cards (like iTunes or Amazon), cash reload cards (like MoneyPak, Vanilla, or Reloadit), or cryptocurrency (like Bitcoin).
  • Tell your friends and loved ones about the scam so they can protect themselves. If you got this scam call, others in your community probably did to. We know when people hear about scams, they’re much more likely to avoid them.

Tell the FTC. Your reports help the FTC and our law enforcement partners stop scammers.”

SEC Issues Warning for Advisors and Broker-Dealers on Increased Ransomware Attacks

On July 10, 2020, the Securities and Exchange Commission, through its Office of Compliance Inspections and Examinations (OCIE), issued a warning to advisors and broker-dealers to “immediately” review their cybersecurity controls to prevent and respond to an increase in phishing campaigns and ransomware attacks.

The Risk Alert advises that the OCIE has “observed an apparent increase in sophistication of ransomware attacks on SEC registrants, which include broker-dealers, investment advisors, and investment companies….OCIE has observed ransomware attacks impacting service providers to registrants” and referred SEC registrants and other financial services providers to the Department of Homeland Security Infrastructure Security Agency’s (CISA) guidance published on June 30, 2020 warning of recent ransomware attacks.

OCIE encouraged SEC registrants and providers to share the CISA guidance with their vendors that have access to, collect and maintain client assets and records for SEC registrants.

The OCIE Alert provides “observations to assist market participants in their consideration of how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks. We have observed registrants utilizing the following measures:”

  • Incident response and resiliency policies, procedures and plans
  • Operational resiliency
  • Awareness and training programs
  • Vulnerability scanning and patch management
  • Access management
  • Perimeter security

All of these observations are basic cyber hygiene and are a timely reminder in the wake of a continued rise in ransomware attacks.

Health Care Providers Continue to Be Hit with Ransomware and Phishing

It doesn’t matter in which  state you are located, how many patients you treat, what kind of medicine you practice or how many employees you have, if you are a health care provider, you are being targeted and hackers are successful in victimizing you.

That’s my take on the recent Becker’s Health IT article that lists 66 healthcare providers around the country that have suffered a cyber-attack in the form of malware, ransomware or a phishing attack in the first six months of 2020. Although we know that health care providers are being targeted, the list of incidents is sobering.

The only thing that the 66 companies have in common is that they are healthcare providers and the attacks were successful. The list confirms the stark reality of the risk healthcare providers face from cyber-attacks.

Amazon Offers a “Quickstart Package” for Compliance with DOD’s CMMC

Amazon has announced that it has developed and is offering a “CMMC Quickstart Package” to help contractors comply with the Department of Defense’s (DOD) Cybersecurity Maturity Model Certification (CMMC) required for contractors to enter into contracts with DOD.

According to an Amazon spokesman, Amazon Web Services (AWS) will be releasing a responsibility guide that “lists the CMMC requirements and, based on our shared responsibility model, outlines practices and processes that are either the customer’s responsibility, an AWS responsibility, or a shared responsibility.” In addition, AWS will issue a “CMMC compliance document template” that companies can use to assist them in seeking certification.

AWS’s stated goal “is to help companies reduce the level of effort and cost for CMMC compliance by leveraging their existing investment in other compliance program authorizations.”

Despite some confusion over the timing and details around DOD’s CMMC program, all indications are that DOD is moving forward with the program, and defense contractors are gearing up to be ready for it.