Privacy Tip #217 – Law Enforcement Warns of Juice-Jacking Scam

If, like me, you travel a lot, listen up—the Los Angeles District Attorney’s Office has issued an advisory as part of its fraud education campaign warning travelers not to use free USB charging stations offered in airports, hotels and other public places. 

According to the warning, “juice jacking” occurs when hackers have loaded malware into the free USB charging stations or plugs connected to a public charging station, so that when a traveler plugs in their phone, the phone is infected with malware, allowing the hacker to lock the phone, hold it as hostage for ransom, or forward sensitive information to the hacker.

Plugging your phone into an unknown device is not the best cyber hygiene in the first place, particularly when the charging station is in a public place easily accessible by hackers. Take the advice of the L.A. District Attorney’s Office and think twice before plugging into a public charging station.

Beware of PureLocker Ransomware

Security researchers Intezer and IBM X-Force have identified a new ransomware that is seriously vicious. It’s PureLocker—named because it is programmed in PureBasic language, which is apparently unusual.

The scary thing about this ransomware being written in the PureBasic programming language is that it can target different platforms and is transferable between different operating systems, including Windows, Linux and OS X.

Currently, ransomware attacks are being launched against servers for cryptocurrency ransom. Although it is unknown how many victims have been attacked by PureLocker, the researchers have confirmed that the ransomware campaign is active, with PureLocker being offered to attackers as a service, and is being used by known cyber criminals.

It is believed that PureLocker is being launched through phishing campaigns. Big surprise there.

Consumer-Facing DNA Testing Company Suffers Data Breach

Last week, Veritas Genetics, a consumer-facing DNA testing company, suffered a security breach affecting customer information in its database. Veritas offers whole-genome sequencing to consumers for $599. The security incident affected its customer portal, which Veritas said does not contain genetic data, DNA test results or health records. How did that information remain protected from the unauthorized access to the customer portal? Veritas segregates its genomic data on separate systems for this exact reason. However, Veritas did not indicate what information was affected, only that a handful of customers were affected, and that once it discovered the unauthorized access, it fixed the issue and launched an investigation. The forensic investigation is ongoing and Veritas said it will notify those affected in accordance with applicable laws.

As of July 2019, Veritas said it had sequenced 5,000 genomes, with a goal of more than 15,000 by 2021. We will keep you updated on any new reports about this security incident.

To Extend or Not to Extend Consumer Rights to All

Microsoft announced this week that it would extend the consumer rights currently given to California consumers through the California Consumer Privacy Act to all consumers—no matter where they reside.

I applaud this move (especially because I don’t reside in CA). But why should my personal information be protected differently than those who live in California?

Many global companies are making the same choice, deciding to treat everyone’s personal information the same. It appears many states will follow California in affording similar privacy rights to consumers, and it sometimes is easier to implement the same policies and procedures for all consumers than for just those in specific states. And it does not appear that we will have a national privacy law any time soon. So what is a business to do?

For global companies, a one-size-fits-all solution makes sense from an efficiency and operational point of view. For others, baby steps make sense.

The point with CCPA compliance is that it is not one-size-fits-all. Each business needs to determine what makes sense for it in terms of risk and the cost and efficiency of operations. For some, it makes sense to extend the technological and compliance obligations to all consumers. But for others, the cost of doing so, as well as the number of people it affects, is prohibitive.

Businesses have to determine what makes sense for them for CCPA compliance. They need to determine whether CCPA applies, how it applies, and how they will comply. It might make sense to implement a global compliance program or a baby-step one. Either way, compliance is required by January 1, 2020, so now is the time to figure out which way to go.

Privacy Tip #216 – Another Caution about Biometric Data

Biometric information is unique to each of us, including our fingerprints, voice, face, iris, and DNA. We can’t replace our biometric data like we can a credit card. If it is compromised, it is compromised forever. It is uber sensitive.

Yet, many people give it away without a second thought. Luckily, there are privacy advocates who are watching out to protect us. Last week, the Electronic Privacy Information Center (EPIC), which I am a huge fan of, requested that the Federal Trade Commission investigate HireVue Inc. because it allegedly uses facial recognition technology, biometric data and “secret” algorithms to determine the “employability” of candidates.

According to EPIC, “Because these algorithms are secret—even to HireVue itself, in some cases—it is impossible for job candidates to know how their personal data is being used or to consent to such uses…HireVue’s intrusive collection and secret analysis of biometric data thus causes substantial privacy harms to job candidates.”

EPIC is requesting that the FTC stop HireVue’s scoring of job applicants and change the company’s business practices. It also is requesting that HireVue make its algorithm public for evaluation.

Think twice before allowing recruiting or other services to collect and use your biometric information.

Managed Service Providers Hit with Ransomware Attacks

Cyber liability insurance provider Beazley Insurance Company has analyzed its internal breach response data and determined that in its experience, there has been a thirty-seven percent (37%) increase in ransomware attacks this most recent quarter from the last quarter of 2019. Twenty-five percent (25%) of those incidents were against managed service providers (MSPs).

An MSP assists small- to medium-sized businesses with IT infrastructure and services, either on site periodically or virtually. MSPs provide services to numerous clients, and support clients remotely to provide the services in a cost-effective way. Often, MSPs are small businesses as well, and don’t have the resources to combat persistent cyber-attacks. Hackers know that these MSPs are supporting numerous clients, and target MSPs to gain access to multiple organizations. If the MSP gets hit with a ransomware attack, the result may be that not only is the MSP’s own system down, but it cannot provide ongoing cybersecurity services for its clients, including patching and other critical security measures. Furthermore, when an MSP is the victim of ransomware, its customers may not have access to their own data, and MSPs may request that their customers assist with paying the ransom in order to regain access to their data.

Unfortunately, when an MSP suffers a cyber attack or security intrusion, the incident may also be a reportable data breach, which then could be the responsibility of the customer. Security incidents are difficult to respond to in your own system, let alone trying to coordinate with an MSP in the middle of a crisis.

All in all, when your MSP is the victim of a security incident or a data breach, it often becomes your problem, too. Here are some tips to consider when outsourcing your IT function to an MSP:

  • Complete data security due diligence on the MSP.
  • Confirm that the MSP has cyber liability insurance.
  • Negotiate, and require the MSP to sign, a contract that includes provisions such as the following (this list is not exhaustive, but may be helpful):
    • Prompt notification of any security incident that affects the confidentiality, security or integrity of your data, together with cooperation and coordination in the response;
    • Indemnification and reimbursement for all costs associated with a security incident or data breach, including first- and third-party claims;
    • No limitation of liability for a security incident, ransomware attack or data breach;
    • Encryption of sensitive data both at rest and in transit;
    • Compliance with all applicable state and federal laws relating to data privacy and security; and
    • Termination in the event of a security incident or data breach, with provisions for an orderly transition to a new provider.
  • Confirm that the MSP has contingency operations and disaster recovery processes in place in the event of a security incident, ransomware attack or data breach, and that it has tested them.

These are just some examples of things to consider when choosing an MSP. The key takeaway is not to choose your MSP based on cost alone. You get what you pay for, and picking the cheapest MSP may not serve you well in the long run. Understand that MSPs are being targeted, which means your data are at risk. Talk to your MSP about how it is protecting its own system and your data, satisfy yourself that the MSP is the right choice for you, and document obligations and responsibilities in a written contract to protect yourself in the event of an incident. Many companies simply sign the contract given to them by the MSP, but these form contracts often lack the provisions you may need to protect you in the event of an incident. The contract with your MSP is a high-risk contract, and therefore needs special attention.

Stalemate in Use of DNA Profiles from Consumer Databases Meant to Help Crack Cold Cases

More than a year ago, in April 2018, police announced that they had used a new investigative technique to arrest a man known as the Golden State Killer. For the first time, the police submitted DNA from a crime scene to a consumer DNA database, where the information in that database about distant relatives helped them to identify the suspect. Since that announcement, DNA databases have been used to help solve more than 50 rape cases and homicides in 29 different states. However, this year, GEDmatch, the consumer DNA database that helped police crack the Golden State Killer case, changed its privacy policy to restrict law enforcement searches. GEDmatch’s revised terms set forth specific details of how investigators were using the website and excluded all users from law enforcement searches unless they specifically opt in. This dropped the number of profiles available to investigators from more than 1 million to zero overnight. While some users do opt in to allow their data to be accessed by investigators, cases remain a bit more difficult to solve now.

This drop in accessible data has caused law enforcement agencies to start campaigns to persuade the public to opt in and share their DNA profiles from consumer websites with law enforcement for investigative purposes. Rightfully, many members of the public are reluctant to share this information for fear that their DNA profiles will be used for other purposes or sold to marketing or health care companies. Nevertheless, law enforcement continues to urge the public to allow access to these data for the greater good. So far, about 180,000 users have opted in. But before you choose to release your DNA profile, be sure to do your due diligence and learn more about what it might mean for the future privacy and security of your data.

HHS Increases Civil Monetary Penalties under HIPAA

In accordance with the Inflation Adjustment Act, the Department of Health and Human Services (HHS) has updated its regulations to reflect required annual inflation-related increases to civil monetary penalties, including those for certain violations of HIPAA’s “administrative simplification” provisions. The final regulations became effective on November 5, 2019, the date they were published in the Federal Register.

Administrative simplification generally includes HIPAA’s privacy and security requirements, including rules as to how health plan data are exchanged, and the affected penalties are included in the Code of Federal Regulations at 45 C.F.R. § 160.404(b).

Under the new rules, penalties for pre-February 18, 2009 violations of HIPAA’s administrative simplification provisions have increased to $159 per violation, with a $39,936 cap per calendar year.

Penalties for violations occurring on or after February 18, 2009, where it is established that the covered entity or business associate did not know and could not reasonably have known of the violation, are now a minimum of $117 and a maximum of $58,490. If it is established that the violation was due to reasonable cause and not willful neglect, the minimum per violation increases to $1,170, with the maximum remaining at $58,490. If it is established that the violation was due to willful neglect but was corrected during the 30-day period running from the date the entity knew or should have known the violation had occurred, the penalties per violation are a minimum of $11,698 and a maximum of $58,490. If the violation was due to willful neglect and not corrected during the 30-day time period, the penalties per violation are $58,490 (minimum) and $1,754,698 (maximum). For all of these situations, the calendar year cap is $1,754,698.

The annual inflation adjustment for each applicable civil monetary penalty is determined using the percent increase in the Consumer Price Index for all Urban Consumers (CPI–U) for the month of October of the year in which the amount of each civil penalty was most recently established or modified (in this case, 2018). The cost-of-living adjustment multiplier HHS used in calculating the 2019 increases was 1.02522, based on the CPI–U for the month of October 2018.

CCPA Amendment Details to Consider

In delving deeply into the California Consumer Privacy Act (CCPA), the Amendments recently signed by the California Governor, and the proposed Regulations issued by the California Attorney General, we thought it would be helpful to point out some details that are important to consider for compliance which are not obvious in the CCPA discussions we have been following. This week, we focus on the Amendment relating to employee information.

Although one of the recent Amendments delayed the requirement for employers to comply with the CCPA requirements for employee information until January 1, 2021, the exemption does not apply to Section 1798.100(b), which states: “A business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.” This means that businesses with California resident employees, job applicants, owners, officers, contractors, directors, or medical staff members must still provide notice to those California residents that the business is collecting personal information at or before the point of collection, and inform those individuals of the categories of personal information to be collected, why it is being collected, and how it is going to be used.

Many people think the employee information exemption applies to all CCPA compliance for one year, but, in fact, it is limited.

The other point to consider is that the employee information exemption also does not apply to the private right of action that CCPA affords to consumers when their personal information is breached. This is a very important piece of CCPA that still applies in the event that there is a data breach of employee information. We hope these details are helpful, and we will provide further details for consideration in the weeks ahead.

Cybersecurity Considerations for Drones

The Federal Aviation Administration (FAA) estimates that by 2023 there will be more than 835,000 commercial drones in the United States. As the use of drones for many commercial purposes (such as aerial inspections, utility projects, monitoring real estate and construction activities) increases, more and more organizations will consider how to integrate these devices into existing networks and systems. However, these organizations must also consider how to limit the cybersecurity and privacy risks associated with the data collected by the drones.

Drones operate by using software or firmware. Drone operators use computers and mobile devices to run drone applications. Drones store data (on the drone itself in many cases) and often communicate via wireless connections to ground stations and operators below. What are the risks? Well, hackers are already exploiting drone software and firmware vulnerabilities to take over the drone and gain access to the connected system and network (and the data stored on the drone). Malware is often embedded in drone software and can compromise not only the data collected on the drone, but the systems that the drone, software or connected devices are linked to.

For tips and considerations related to the cybersecurity of drones and drone data and software, check out the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Best Practices for Operating Commercial Unmanned Aircraft Systems here.