States Legislate Cybersecurity Requirements for Insurance Companies

Following in the footsteps of the New York Department of Financial Regulation (NYDFS) in enacting cybersecurity requirements for the financial services industry, and in response to massive data breaches in the insurance industry, a wave of states have either enacted or are pursuing legislation aimed at regulating the cybersecurity measures of insurance companies.

In 2017, the National Association of Insurance Commissioners (NAIC) published a model rule that follows many of the NYDFS cybersecurity requirements, and most states are using that model in fashioning legislation for the insurance industry.

South Carolina, Michigan, and Ohio enacted cybersecurity laws applicable to insurance companies in the past year, and Mississippi, Connecticut, and New Hampshire have bills pending in their legislatures. More to come, for sure.

Since some states are not using the model law, there will be some variations from state to state. But basic security measures will be required in most of them, including having a Written Information Security Program (WISP) in place, completing a security risk assessment, and implementing procedures around incident response and breach notification. Just as in other areas of the law, such as breach notification, it will be important to follow the most stringent law if a company does business nationally or in multiple states and to stay current as states adopt new laws regulating cybersecurity.

Another California Consumer Privacy Act of 2018 Amendment—Employees and/or Job Applicants Are Not Consumers

A few weeks ago, I pondered whether the California Consumer Privacy Act of 2018 (CCPA) is still a bit of a work in progress with the introduction of a proposed amendment. Recently, another amendment was proposed by Assembly Member Edwin Chau in the form of Assembly Bill 25.

Assembly Bill 25 would exclude employees and job applicants from the definition of “consumer.” The new amendment states: “Consumer does not include a natural person whose personal information has been collected by a business in the course of a person acting as a job applicant or employee, contractor, or agent, on behalf of the business, to the extent their personal information is used for purposes compatible with the context of that person’s activities for the business as a job applicant, employee, contractor, or agent of the business.”

If this amendment passes, the broad rights granted to consumers under the CCPA would not apply to employees and job applicants of CCPA-covered employers. The CCPA grants consumers (California residents):

  • the right to ask companies to identify the personal data they collected on the consumer and whether a business is collecting or selling/disclosing their personal information;
  • the right to demand that personal data not be sold or shared for business purposes;
  • the right to sue companies that violate the law or that experience data breaches;
  • the right to access and download their personal information in a transferrable way;
  • the right to opt out;
  • the right to request deletion of their personal information; and
  • the right not to be discriminated against.

This proposed amendment would likely mean that CCPA-covered businesses would not have to be concerned with their employees or job applicants asserting any of the consumer rights conferred by the CCPA. CCPA-covered businesses are defined as for-profit businesses that do business in California and meet any of the following three criteria:

  • annual gross revenue in excess of $25 million;
  • annual purchases, receipt or sales of the personal information of 50,000 or more California residents; or
  • companies that derive 50 percent or more of their annual revenue from selling consumers’ personal information.

A key fact to note from this definition is that the CCPA applies to any business that “does business in the State of California” as described above, and not just businesses residing or incorporated in California. This change would most affect CCPA-covered employers as they prepare for CCPA compliance ahead of the law taking effect on January 1, 2020.

Think Like a Hacker

I was with a bunch of CFOs this week talking about cybersecurity and I told them how easy it is for hackers these days. They can infiltrate a company’s system by compromising an O365 account that doesn’t have multi-factor authentication, and according to a Ponemon study, are in the company’s system for over 200 days. They monitor literally everything that is happening in the company, since all companies rely on email communication, and then strike at the perfect time for a fraudulent wire transfer, change the integrity of banking instructions in Word documents, use social engineering to target certain people in the company, and learn exactly who the partners, customers, vendors and trusted individuals are with whom the company does business.

Just think about how much a hacker could figure out about your daily business if they followed your emails for over 200 days—six to seven months. A lot. They know your contacts, who owes you money, to whom you owe money, who you are doing business with, and how much you are paid. What’s really brilliant is that after they commit the perfect fraud on your company, they now have six to seven months’ worth of information to leverage to launch their next attacks on your customers, vendors and contacts. This is called “island hopping.” They have contact information, they know who knows each other and what business is being conducted, and they know what projects you are working on together. Folks, they have lots of time to figure this out, as this is their day job. We have day jobs that do not involve criminal activity. Their day job is to analyze your email traffic to figure out their next scam, and it is so incredibly easy to do if you think about it.

Carbon Black has released its latest Global Incident Response Threat Report, which confirms that hackers are doing just that—leveraging the information that they obtain from the target company to target connected companies along the supply chain. The Carbon Black researchers found that 70 percent of all attacks involve the intruder moving laterally across the network and trying to take over the system. According to Carbon Black, “attackers are fighting back. They have no desire to leave the environment. And they don’t just want to rob you and those along your supply chain…[they] want to ‘own’ your entire system.”

According to the report, hackers are using counter-incident response measures to thwart a company’s response to an incident by destroying logs, turning off anti-virus tools, disabling firewalls and using forensic tools to cover their tracks so the IT folks don’t know they are in the system.

One of the methods the hackers are using is “reverse business email compromise,” which involves the hackers taking over the mail server of the victim. These attacks are currently hitting the financial services industry.

According to Carbon Black, “businesses need to be mindful of companies they’re working closely with and ensure that those companies are doing due diligence around cybersecurity as well,” because the hackers are going after the weakest link in the supply chain.

So, think like a hacker. It’s not as hard as you might think it is. If, as a hacker, you wanted to go after the weakest link in your company or supply chain, who would you target? If that is an easy answer, start asking your weak links questions about their cybersecurity measures.

FAA Set to Approve First Drone Airline License

The Federal Aviation Administration (FAA) is expected to award its first license to operate a drone airline in May. Last year, the FAA determined that large-scale commercial package delivery drone operations would require certain safety and economic certification standards like other licensed U.S. airlines. The FAA has not yet announced which company will receive that certificate, but to date, the only air carrier certificate application for a drone carrier listed on the applicant website has come from Wing Aviation LLC, which is a subsidiary of Google’s parent, Alphabet, Inc. We will watch the FAA’s press releases for more information on this new venture in the drone delivery industry.

Privacy Tip #185 – Scammers Are Getting Bolder and More Insistent

I try to keep my spam filter on the most restrictive setting, which has dramatically decreased the amount of spam I receive in my email box every day. But every once in a while, I receive an email that makes my gut twitch and my eyebrows raise. I got one today from a well-known bank, logo and all, looking very official and authentic. Those of you who know me know that I am “wicked paranoid,” so the frown was deep on my forehead when I read it.

Official looking or not, I do not do business with this bank (not to say that it isn’t a good bank), and of course, I do not conduct any banking business online or through email.

The missive said that the bank was alerting me to the fact that “we detect an issue on your account that needs to be resolved” and included a link to “Resolve here” from the Online Team. I was curious, so I looked at the URL, and it was “security-online @[bank name].com”, which looked pretty legitimate. It could definitely dupe someone else, so I sent it to my IT team and asked them to blacklist it in the event that someone else received it.

But that’s not all. After I deleted the email and sent it to my IT team, I got a telephone call on my cell phone from a Rhode Island number of that bank. I don’t pick up any calls that are from unknown numbers, so I didn’t pick up. As I said before, I don’t do business with this bank. I had just received this bogus email, so my wicked paranoid tendencies kicked into high gear. The caller did not leave a message, so that is an obvious sign that it was not legit. Then one minute later, yes one minute later, the “bank” tried to call again, but this time it was from the same number except for the last digit, which was one digit higher. I didn’t answer this call either, and no message was left. I truly believe it was the hacker. When the email didn’t work, the scammer tried to call me to say how urgent the situation is, and to resolve it through the email.

Hackers are buying domain names that are very similar to real businesses in order to dupe people into believing it is the real business. They are spoofing numbers so the caller ID looks like it is from your area code or actually from the business. When emails don’t work, they call. And it’s always urgent.
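The lookalike-domain and borrowed-name tricks described above can be checked mechanically on inbound mail before a person ever has to squint at a From: line. The following is an added example written for this post, not a tool from the blog or from any vendor it mentions. It assumes a constructed list of trusted domains (`examplebank.com`, `vendor-partner.net`) and classifies a From: header as trusted, a display-name spoof (a trusted address shown in the name while the real address points elsewhere), a lookalike (digit-for-letter swaps, an added hyphen or label, a one- or two-character typo), or unrelated.

```python
"""Lookalike sender-domain check.

Added, defensive example (not the blog's own tool): given a From: header and
the domains an organisation legitimately corresponds with, flag senders whose
domain is a near miss of a trusted one and senders whose display name shows a
trusted address while the actual address is somewhere else.
"""
import re
from email.utils import parseaddr

# Constructed sample list of trusted domains (an assumption for this example).
TRUSTED_DOMAINS = ["examplebank.com", "vendor-partner.net"]

# Digits that are commonly swapped in for the letters they resemble.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain: str) -> str:
    """Fold the tricks a typosquatter relies on so close variants compare equal:
    case, trailing dot, digit look-alikes, 'rn'/'vv' standing in for m/w, hyphens."""
    d = domain.strip().lower().rstrip(".").translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")
    return d.replace("-", "")


def registrable(domain: str) -> str:
    """Last two labels of a domain (a simplification; no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> dict:
    """Return a verdict (trusted, display_name_spoof, lookalike, unrelated,
    malformed) for a From: header plus the trusted domain it resembles."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"verdict": "malformed", "domain": None, "matched": None}
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")

    # 1. The real domain is a trusted one, or a subdomain of it.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return {"verdict": "trusted", "domain": domain, "matched": t}

    # 2. The display name carries an address at a trusted domain while the
    #    actual address does not: the "name" is doing the impersonating.
    for claimed in re.findall(r"[\w.+-]+@([\w.-]+)", display):
        claimed = claimed.lower().rstrip(".")
        for t in trusted:
            if claimed == t or claimed.endswith("." + t):
                return {"verdict": "display_name_spoof", "domain": domain, "matched": t}

    # 3. Near miss of a trusted domain: identical once confusables are folded,
    #    within a small edit distance on the registrable part, or a trusted
    #    name buried inside a longer domain (examplebank-secure.com).
    norm = normalize(domain)
    for t in trusted:
        norm_t = normalize(t)
        sld_t = norm_t.split(".")[0]
        if (norm == norm_t
                or levenshtein(registrable(norm), norm_t) <= max_distance
                or (len(sld_t) >= 6 and sld_t in norm)):
            return {"verdict": "lookalike", "domain": domain, "matched": t}

    return {"verdict": "unrelated", "domain": domain, "matched": None}


if __name__ == "__main__":
    # Constructed sample headers; none correspond to a real message.
    for hdr in [
        '"Example Bank Alerts" <alerts@examplebank.com>',
        '"Online Team" <security-online@examp1ebank.com>',
        '"security-online@examplebank.com" <resolve@mail-updates.example>',
        "<notice@examplebank-secure.com>",
        "<newsletter@unrelated-shop.org>",
    ]:
        print(f"{classify_sender(hdr)['verdict']:20s} {hdr}")
```

A mail gateway or a mailbox rule can route anything classified as `lookalike` or `display_name_spoof` to quarantine or tag it for the recipient; the normalisation is deliberately aggressive (it also folds legitimate hyphens and digits) because the cost of a false positive here is a delayed message, while the cost of a miss is the scenario the post describes.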

Scammers are getting bolder and more insistent. They have the time. This is their day job. They target you and try to scare you. If this had been a bank with which I do business, I would have called the bank or my banker directly to inquire about my account. I would never reply to any email or telephone call from my “bank.” Delete that email and don’t answer that call.

FSB Releases its Directory of Crypto-Assets Regulators—In Anticipation of Upcoming G20 Meeting

The Financial Stability Board issued its Crypto-assets regulators directory on April 5, 2019, in anticipation of this week’s upcoming G20 Meeting. The directory contains a listing of the regulatory and standard-setting bodies in each FSB jurisdiction having responsibility for the supervision of crypto-assets and the enforcement of relevant legal and regulatory requirements. The directory will be provided to the G20 Finance Ministers and Central Bank Governors on April 11.

The purpose of the directory is to “provide information on the relevant regulators and other authorities in FSB jurisdictions and international bodies who are dealing with crypto-asset issues, and the aspects covered by them.” The directory is an outgrowth of the October 2018 FSB report on Crypto-asset markets: Potential channels for future financial stability implications. The report stated that “crypto-assets do not pose a material risk to global financial stability at this time” but that “vigilant monitoring is needed in light of the speed of market developments.” In that regard, consumer and investor protection, anti-money laundering, tax evasion, circumvention of capital controls and illegal security offerings were cited in the report as some of the possible financial system vulnerabilities underlying the need for supervisory vigilance. Those vulnerabilities were also addressed in a July 2018 FSB Crypto-assets report setting forth the metrics that the FSB will use to monitor developments in crypto-asset markets as part of the FSB’s ongoing assessment of vulnerabilities in the financial system.

Established in the wake of the 2008 financial crisis, the Financial Stability Board is an international body that monitors the global financial system and makes recommendations to promote the implementation of effective regulatory, supervisory and other financial sector policies in the interest of financial stability. The FSB is currently chaired by U.S. Federal Reserve Vice Chair Randal Quarles.

New Malware Targets Big Banks and Cryptocurrency Apps

New malware dubbed “Gustuff” targets big banks, fintech companies and cryptocurrency apps, according to the security firm Group IB.

According to Group IB, which discovered Gustuff on hacker forums, the new malware is affecting Android devices and is “a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces.”

The malware is reported to have completely automated features that can steal files and cryptocurrency from user accounts “en masse.” Incredibly evil, it abuses the Android Accessibility Service, which is intended to assist people with disabilities.

According to Group IB, the malware is targeting more than 100 banking apps, including 27 in the United States. “Gustuff infests Android smartphones through SMS with links to malicious Android Package (APK) files…at the server’s command Trojans spread further through the infected device’s contact list or the server database….It is able to autofill fields in legitimate mobile banking apps, cryptocurrency wallets and other apps.”

If you have an Android smartphone, consider reading more about Gustuff here: https://www.group-ib.com/media/gustuff/

Medical Marijuana Delivery App Agrees to Settle TCPA Case for $1.75M

The “Uber of weed” app developed by Eaze Solutions, Inc. (Eaze) provides information to users about the delivery of recreational and medical marijuana throughout California.

Unfortunately, Eaze allegedly violated the Telephone Consumer Protection Act (TCPA) by inundating its users with unsolicited, autodialed text messages about how to buy marijuana. The named plaintiff alleges that she never enrolled in or used Eaze’s services, but was inundated with texts from Eaze offering to sell her marijuana “at all hours of the day,” including at 2:10 a.m. She alleges that Eaze’s growth as the “Uber of weed” happened by “relentlessly bombarding existing and prospective customers with text messages and other digital spam, day after day, en masse, without anyone’s permission.”

Plaintiff alleged that this behavior was a clear violation of the TCPA. The parties have agreed in principle to a proposed settlement of $1.75 million with the approximately 51,000 class members. The settlement includes a proposed payment of around $230 per class member who files a valid claim, attorney’s fees of up to 25 percent (or $437,500) and $2,500 for each of the two named plaintiffs. Eaze has also agreed to revise its marketing practices to comply with the TCPA.

Workplace Privacy

In the Privacy Law class I teach at Roger Williams Law School, we are discussing workplace privacy. Students over the years have been surprised that there are so few laws that govern employees’ privacy in the workplace, and in general believe that workers have an expectation of privacy. The law doesn’t really reflect this assumption.

The expectation of employees’ privacy has changed over the years. Although laws basically allow employers to monitor employees except in changing rooms or bathrooms, employees are starting to question the methods that employers are using to monitor them. Of course, all employees pretty much know that their use of an employer’s computer system can be, and is, monitored. We regularly educate employees during data privacy and security education sessions that the employer knows when they send any data to their private email account, and that employers do a look back over several months of activity when an employee gives notice or is terminated. So don’t think it is a secret if you send company data to your private email account—you will get caught!

On the other hand, there are other tricky areas that employers are facing these days—including telemetric monitoring of drivers (ride sharing), location-based services of drivers (package delivery), wearable technology to prevent workplace injuries (work boots, monitors for carpal tunnel syndrome, and construction vests to prevent back injuries), health monitors for wellness programs, and embedded chips or fingerprints for time cards.

Even more tricky is the report this week that a woman in San Diego has sued a San Diego hospital because the hospital was using hidden cameras in its women’s health center to video operating rooms in order for the employer to detect who was stealing anesthesia drugs during an investigation.

According to the lawsuit, motion-activated cameras were installed on drug carts in three operating rooms between July 17, 2012, and June 30, 2013. The health center says the cameras were installed for an investigation regarding the theft of anesthesia drugs. The lawsuit alleges that the cameras were recording women in the most vulnerable positions, including during C-Sections, hysterectomies, sterilizations, dilatation and curettage for miscarriages, and other procedures, as well as when women were undressing.

When considering the privacy expectations of employees, companies may wish to also consider the privacy expectations of their customers and vendors. Transparency is an important consideration when balancing the expectation of privacy against employee monitoring, as is using the minimum monitoring tools needed to accomplish your goal. Although it is difficult to be transparent during an investigation, collateral damage and risk are important considerations regarding the methods used to accomplish the goal of the investigation. Employees are asserting expectations that are worth listening to, whether laws apply or not, so when establishing employee monitoring programs, using common sense is worthwhile.

UPS and Matternet Team Up for Medical Supply Delivery Program

Last week, UPS formed a new partnership with drone developer Matternet to deliver medical samples via drone. The delivery program will take place in Raleigh, North Carolina at WakeMed’s hospital, with program oversight by the Federal Aviation Administration (FAA) and the North Carolina Department of Transportation (NCDOT).

Currently, medical samples and specimens are transported by courier cars, but the drone delivery system could provide on-demand and same-day delivery, the ability to avoid traffic or accident delays on roadways, increased efficiency, lower costs, and an improved patient experience.

WakeMed President and CEO, Donald Gintzig said, “[We are] committed to innovation, and we believe drone technology has the potential to achieve transformative improvements in health and health care delivery.”

The goal of this program is to determine how drones can be applied to improve transport services at other hospitals and facilities across the country.
