Protecting Against Wire Fraud and Man in the Middle Schemes

The scammers continue to find easy ways to dupe unsuspecting businesses into sending information or money to them. It used to be that we had to address vast fraud schemes with phishing emails requesting the W-2s of employees. That is child’s play now as most companies are aware of the scheme and don’t fall victim to it.

Similarly, in the past year we have seen a dramatic increase in wire fraud and man-in-the-middle schemes. These schemes usually start with a sophisticated phishing email, which an employee clicks, that looks like it comes from a trusted vendor: the intruder has spoofed the vendor’s signature line and asks the employee to pay an outstanding invoice.

Over the course of the email trail, which can go back and forth several times, the intruder tells the employee that the vendor has changed its bank account and wiring instructions, or is switching from the old paper-check system to ACH, and that the employee should use the wiring instructions in the email when paying the outstanding invoice.

The money is wired per the email instructions to a legitimate bank in another state, into an account the hacker has opened online using someone else’s identity, and by the time the company finds out, the account has been drained. Sometimes the account can be frozen (usually within three days), but it is rare that the company finds out in time to notify the bank and request that the account be frozen.

In this day and age, wiring instructions provided by email should never be trusted. If anyone requests payment to a new bank account or through ACH, major red flags should go up. Any such request should be confirmed through a separate channel, such as a telephone call to a known contact, to properly authenticate it.

The hackers spoof the signature line of a known contact and put their own email address and telephone number in it, so when the employee calls to authenticate the instructions, the hacker is on the other end of the line. Those checking authentication should not email the hacker back through the existing email chain; they should start a new chain to the trusted contact. Likewise, they should not call the telephone number in the signature line, but the telephone number that the employee looks up separately in existing contacts or on the company’s website.

You all know that my mantra these days is for employees to be “wicked paranoid.” Those handling wires in your company should be aware of these schemes, be educated about them to be prepared for them and be wicked paranoid.
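As an added example (not from the original post), here is a defender-side triage check that encodes the rules above: flag any new bank account or switch to ACH, flag sender, reply-to and signature-line details that differ from what is on file, and always return the on-file telephone number for the callback rather than the one in the signature. The vendor master list and the incoming request are constructed sample data.

```python
from dataclasses import dataclass
import re

def _digits(phone: str) -> str:
    # Normalize to digits only so formatting differences do not mask a mismatch.
    return re.sub(r"\D", "", phone)

@dataclass(frozen=True)
class VendorRecord:
    """Vendor details from the accounts-payable master list, looked up independently of the email."""
    name: str
    email_domain: str
    phone: str
    bank_account: str

@dataclass(frozen=True)
class PaymentRequest:
    """Fields extracted from the incoming invoice email (constructed for this example)."""
    claimed_vendor: str
    sender_domain: str
    reply_to_domain: str
    signature_phone: str
    requested_account: str
    switching_to_ach: bool

def triage_payment_request(req: PaymentRequest, vendors: dict) -> tuple:
    """Return (decision, red_flags, callback_phone); the callback phone always
    comes from the on-file record, never from the email signature line."""
    flags = []
    vendor = vendors.get(req.claimed_vendor.strip().lower())
    if vendor is None:
        return "REJECT", ["claimed vendor not in master list"], None
    if req.requested_account[-4:] != vendor.bank_account[-4:]:
        flags.append("payment to a new bank account")
    if req.switching_to_ach:
        flags.append("request to switch from paper check to ACH")
    for label, dom in (("sender", req.sender_domain), ("reply-to", req.reply_to_domain)):
        if dom.strip().lower() != vendor.email_domain.lower():
            flags.append(f"{label} domain {dom!r} differs from on-file {vendor.email_domain!r}")
    if _digits(req.signature_phone) != _digits(vendor.phone):
        flags.append("signature-line phone differs from on-file phone")
    if flags:
        # Hold the payment; verify by calling the number on file, on a new thread.
        return "HOLD_FOR_CALLBACK", flags, vendor.phone
    return "PAY_TO_ON_FILE_ACCOUNT", flags, vendor.phone

# Constructed sample data: one on-file vendor and a lookalike-domain request.
VENDORS = {
    "acme supply": VendorRecord("Acme Supply", "acmesupply.example", "555-010-0100", "123456789012"),
}
SAMPLE_REQUEST = PaymentRequest(
    claimed_vendor="Acme Supply",
    sender_domain="acmesupp1y.example",   # lookalike domain (digit 1 for letter l)
    reply_to_domain="acmesupp1y.example",
    signature_phone="(555) 010-0199",     # number planted in the spoofed signature
    requested_account="998877665544",     # "new" account that is not on file
    switching_to_ach=True,
)
```

Running `triage_payment_request(SAMPLE_REQUEST, VENDORS)` yields a hold with five red flags and the on-file number 555-010-0100 to call back.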

Super Bowl Intel Drone Light Show

Intel won’t disclose exactly how it was able to participate in the Super Bowl LIII halftime show, but it did disclose that it used 150 Intel Shooting Star drones to spell out the words “ONE” and “LOVE” during the musical performance. As Maroon 5 began singing “She Will Be Loved,” Intel initiated its software, directing 150 drones to float up and over the enclosed field. This show beat Intel’s previous indoor world record, set when it used 110 drones for an exhibit at CES 2018. This event was also different from other Intel Shooting Star drone shows: for Lady Gaga’s halftime show at the Super Bowl two years ago, the entire show was pre-recorded and then broadcast during the performance, whereas this year, because the drones were not flown in national airspace, they were flown live. Of course, aside from the need for Federal Aviation Administration (FAA) waivers to fly in “no-drone zones” (i.e., the Super Bowl), there were still safety concerns about malfunction and loss of control during the show. Intel said that it conducted several rehearsals and plenty of planning before the big day to help avoid those mishaps.

While Intel does not disclose its underlying technology, it has disclosed that it uses a wireless-based technology along with transmitters and beacons that can provide a specific enough location for the choreographed drone flight patterns indoors. While Intel did not need special FAA clearance for this event, it did have to file for a Special Temporary Authorization (STA) with the Federal Communications Commission (FCC) to complete the light show.

Technology Boost Helps Protect Super Bowl LIII

The biggest sporting event of the year is now over— and the Patriots, with the help of NFL super duo Tom Brady (the oldest quarterback to ever win the Super Bowl) and Bill Belichick (the oldest head coach to ever win the Super Bowl) took the title—New England’s sixth since 2002.

Over 100 million people watched the game from home and over 70,000 watched it from inside Mercedes-Benz Stadium in Atlanta. However, what many fans may not have realized is that while they were watching the game from the stands, they themselves were being watched.

The U.S. Department of Homeland Security worked alongside approximately 600 other employees, and used a host of technology provided by the city of Atlanta and the federal government, to help keep the stadium safe. Atlanta Police Chief Erika Shields stated, “In addition to what the human talent affords us, we also are relying heavily on technology.” Some of the technology included advanced cargo and vehicle screening technology, magnetometer screening trainers (which use an electromagnetic field to detect metal objects, such as concealed handguns), low-flying helicopters equipped with radiation-sensing technology, and BioWatch screening (a system of sensors used to detect pathogens that are intentionally released into the air).

Echodyne, a start-up company based in Washington state that builds security and critical-infrastructure technology for smart cities, obtained approval through the FCC to test its new anti-drone technology at the Super Bowl. It piloted two anti-drone radars near the stadium that would “alert security personnel of any unidentified drone activity.” Under the direct supervision of the Federal Bureau of Investigation (FBI), these radars could detect and follow unidentified drones (which were banned in the area pursuant to the Federal Aviation Administration’s (FAA) Super Bowl ‘no fly zone’) up to 0.6 miles away. This technology costs around $150,000, far less than its military counterparts. If it works as anticipated, it could help with many of the issues surrounding drone safety in public spaces.

Thankfully, there were no security issues that became publicly known, suggesting that the massive amount of security and technological advancements helped protect the thousands of fans and workers in attendance.

This article was authored by guest blogger Erik Mastriano, a student at Roger Williams University School of Law.

EasyMile Autonomous Vehicle Hits the Roads in Denver

Last week, the EasyMile electric autonomous shuttle debuted on the roads in Denver, Colorado, marking the first autonomous vehicle venture in the state. The EasyMile is a self-driving shuttle that is scheduled to operate for the next 4-6 months connecting passengers from commuter rail stations to the EasyMile office and Park-n-Ride lots. The goal of this venture is to “assess the viability of autonomous services in providing first and last mile connections to and from transit.”

The shuttle will run Monday through Friday between 10 a.m. and 6 p.m., making a complete loop every 15 minutes, at an average speed of 12-15 miles per hour with a total of 12 passengers.

This venture was approved by the National Highway Traffic Safety Administration and the Colorado Autonomous Vehicle Task Force. All of the data collected will be shared between the project’s partners to help advance the technology, and to help lead to wider use of this type of technology.

Privacy Tip #176 – Sharing Your Genetic Information With Private Companies

I had very interesting conversations with both of my classes in the last week over the sharing of genetic information in the context of learning about the Genetic Information Non-Discrimination Act (GINA). GINA generally prohibits employers and insurers from using genetic information to discriminate in employment or insurance underwriting.

People mistakenly believe that GINA protects the privacy of all genetic information. It doesn’t; it applies only in very specific instances. When individuals take a swab from the inside of their mouth and send it to a private company for analysis to determine their ancestry or genetic predisposition, they are sending their DNA to a company that is not regulated like a doctor’s office or hospital. If an individual gets DNA testing at a doctor’s office or hospital, the doctor or hospital can perform the analysis, but is then bound by very specific legal requirements on what it cannot do with the information, including disclosing it to others or selling it.

Before you send that swab to a private company, take a look at its privacy policy so you are fully informed about what it is doing with the information, to whom it is disclosing it, and to whom it is selling it. Try to determine how the company can aggregate your genetic information with other information and whether it can be disclosed to your life insurer, employer or law enforcement.

Here are some interesting articles to consider before you send that swab:

https://apple.news/A6vDj8z7GQFe6psTEYRZGTw

https://www.bloomberg.com/news/articles/2019-02-01/major-dna-testing-company-is-sharing-genetic-data-with-the-fbi

https://www.gsk.com/en-gb/media/press-releases/gsk-and-23andme-sign-agreement-to-leverage-genetic-insights-for-the-development-of-novel-medicines/

And you may wish to discuss this decision with the rest of your family, because when you send your genetic information to these companies, you are in effect sending your entire family’s as well without their consent.

Privacy Concerns Lead OSHA to Rescind its Electronic Filing Requirement

In response to concerns raised by employers and to protect worker privacy, the Occupational Safety and Health Administration (OSHA) recently amended its recordkeeping regulations to eliminate the requirement that larger employers submit certain information electronically. The final rule rescinds the mandate that establishments with 250 or more employees electronically submit information from OSHA Form 300 (Log of Work-Related Injuries and Illnesses) and OSHA Form 301 (Injury and Illness Incident Report) to OSHA each year.

OSHA’s electronic recordkeeping rule, enacted during the Obama administration, required large employers to submit a wide range of sensitive data, including descriptions of workers’ injuries and the body parts affected, that might be traced back to identify particular employees. Employers raised numerous concerns about how the data might be used if it were to become publicly available, whether intentionally, inadvertently, or under the Freedom of Information Act (FOIA), noting that the disclosure of such information would pose a serious breach of employees’ privacy. Many of these concerns were expressed in comments submitted by the E-Recordkeeping Coalition, a group of employers and trade associations. Indeed, data security concerns were validated during a test run of OSHA’s injury tracking application, when the Department of Homeland Security informed OSHA of a possible breach of the system. While that potential security issue has since been resolved, it gave credence to the Coalition’s belief that such a large collection of sensitive data would inevitably encounter malware or incentivize cyber-attacks on the U.S. Department of Labor’s IT system.

As OSHA itself acknowledged, by preventing routine government collection of information that may be quite sensitive, OSHA is avoiding the risk that such information might be publicly disclosed under FOIA or otherwise. While the new rule does not address all of the concerns that have been raised, it will better protect personally identifiable information or data that could be traced back to specific individuals. The final rule does not alter an employer’s duty to maintain OSHA Forms 300 and 301 on-site, and OSHA will continue to obtain these forms as needed through inspections and enforcement actions.

Sammamish, Washington Declares Emergency After Ransomware Attack

I was a speaker at a recent conference of municipalities in a state last week, and during my presentation, I mentioned the various cyber-attacks that have affected cities, towns and educational departments in the U.S. (Atlanta, GA; Farmington, CT; West Haven, CT; Leeds, AL; Yarrow Point, WA; and Leominster, MA to name a few). Little did I know that at that very time, the City of Sammamish, WA was declaring an emergency following a ransomware attack on the City’s computer system.

The emergency was declared so City officials could quickly hire cybersecurity experts without going through standard contracting and procurement processes.

The City’s computers were shut down for most of the day when the attack occurred. Following the attack, the City took down a building permit portal and map services, and residents had to resort to the olden days of having to go to City Hall to access those services while the computers were down.

Municipalities are known targets of cyber-attacks due to limited resources and a perceived lack of cyber readiness and sophistication. These attacks can bring cities and towns to their knees, which is the reason to increase awareness and preparedness.

Girl Scouts Announce Another Cybersecurity Patch

We previously commended the Girl Scouts of the United States for encouraging girls to get involved in STEM, including cybersecurity, by issuing a cybersecurity patch.

The Girl Scouts announced that it has partnered with Hewlett Packard Enterprise (HPE) to develop a new patch that Girl Scouts will be able to obtain if they successfully complete Cyber Squad, a game designed to educate girls aged 9-11 about privacy, security, online activities and cyberbullying. The goal is for the scouts to “navigate online as smart, cautious consumers protecting their identity, their data and their safety.”

Go Girl Scouts and HPE—sounds like a great idea!

TCPA Class Action Filed Against Medspa for Unwanted Text Messages

Last week, Florida skin care spa Medspa Del Mar LLC (Medspa) was hit with a Telephone Consumer Protection Act (TCPA) class action in federal court for allegedly using an automatic dialing system to send unwanted text messages advertising its treatments. The lead plaintiff claims that Medspa invaded her and other class members’ privacy by sending a series of impersonal, generic messages without their express written consent, as required by the TCPA. The complaint includes screenshots of some of these text messages:

“Flash Sale: All Restylane line of fillers $150 off! That includes Restylane-L, Lyft, Refyne and Defyne. Call us… to take advantage of the sale while supplies last.”

The proposed class is defined as all people in the United States who were sent a text message in the past four (4) years that advertised Medspa’s services without the individual’s prior express written consent. The class is seeking relief in the amount of $1,500 in statutory damages for each alleged TCPA violation.

CCPA Part 2 – What Does Your Business Need to Know? Consumer Requests and Notice to Consumers of Personal Information Collected

This week we continue our series of articles on the California Consumer Privacy Act of 2018 (CCPA). We’ve been discussing the broad nature of this privacy law and answering some general questions, such as what is it? Who does it apply to? What protections are included for consumers? How does it affect businesses? What rights do consumers have regarding their personal information? What happens if there is a violation? This series is a follow up to our earlier post on the CCPA.

In Part 1 of this series, we discussed the purpose of the CCPA, the types of businesses impacted, and the rights of consumers regarding their personal information. This week we’ll review consumer requests and businesses’ obligations regarding data collection, the categories and specific pieces of personal information the business has collected, and how the categories of personal information shall be used.

We begin with two questions regarding data collection:

  • What notice does a business need to provide to the consumer to tell a consumer what personal information it collects?
  • What is a business required to do if that consumer makes a verified request to disclose the categories and specific pieces of personal information the business has collected?

First, the CCPA requires businesses to notify a consumer, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section. Cal. Civ. Code §1798.100.

Second, under the CCPA, businesses shall, upon request of the consumer, be required to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. The CCPA states that “a business that receives a verifiable consumer request from a consumer to access personal information shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal information required by this section. The information may be delivered by mail or electronically, and if provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide personal information to a consumer at any time, but shall not be required to provide personal information to a consumer more than twice in a 12-month period.” Section 1798.100 (d).

Section 1798.130 (a) states that to comply with the law, a business shall, in a form that is reasonably accessible to consumers, (1) make available to consumers two or more designated methods for submitting requests for information required to be disclosed, including, at a minimum, a toll-free telephone number and, if the business maintains an Internet web site, a web site address; and (2) disclose and deliver the required information to a consumer free of charge within forty-five (45) days of receiving a verifiable request from the consumer.

Many have suggested during the rule-making process that there should be an easy to follow and standardized process for consumers to make their requests so that it’s clear for both consumers and businesses that a consumer has made the verified request. This would be welcome so that it would make this aspect of compliance simpler for the consumer as well as the business.

When responding to consumers’ requests, businesses will benefit from a clear website privacy policy that explains the types of information collected, a documented process for consumers to make a verified request, a protocol for responding to consumer requests, audit logs of consumer requests and business responses, a dedicated website link, and clear and understandable language in privacy notices. All of these will help businesses respond to consumers and document the business’ response.

As we continue to explore the CCPA and its provisions, we strive to understand the law and translate the rights conferred by the law into business operations, processes and practices to ensure compliance with the law. In the coming weeks, we’ll focus on understanding more of these provisions and the challenges they present.
