FTC Launches Website to Help Small Businesses with Cyber-Attacks

The Federal Trade Commission (FTC) announced on May 9, 2017, that it has launched a new website that “helps small businesses avoid scams and cyber-attacks.”

The website, www.ftc.gov/SmallBusiness.com, is filled with articles, videos and other information to help small businesses avoid scams and recover from a cyber-attack, as well as security tips to protect networks and customer data.

The website is a collaboration between the FTC and the Small Business Administration. It includes a Small Business Computer Security Basics guide, guidance on employee awareness and training, security of wireless connections and data breach response. It also alerts small businesses to common cyber threats aimed at small businesses, such as malware, ransomware and phishing schemes.

Small businesses do not have the resources of larger organizations to implement the most sophisticated security techniques. Nonetheless, cybersecurity awareness, risk reduction and management are important to their bottom line. Starting somewhere is better than ignoring the risk, so this website is a good way to start the process. It can be accessed here.

Central Payment Co. Settles TCPA Class Action for $6.5 Million

Last week, Georgia federal judge, U.S. District Judge Clay D. Land, approved the final order and judgment to settle class action claims that Central Payment Co. LLC (Central Payment) violated the Telephone Consumer Protection Act (TCPA) for $6.5 million. Lead plaintiff, Fred Heidarpour, claimed that Central Payment violated the TCPA by hiring third parties to ‘cold call’ prospective clients using prerecorded telemarketing calls without the required prior consent. This class action was filed back in August 2015. Discovery in this case revealed that more than 27 million attempted prerecorded calls had been made on behalf of Central Payment during the proposed class period.

Judge Land approved the settlement, and dismissed the case with prejudice, after no objections were received from over 310,000 proposed settlement class members. He found that the settlement was fair, adequate, reasonable and in the best interests of the settlement class. Members of the settlement class have been defined as any individual or entity who, at any time between August 18, 2011, to the date of the settlement agreement, received one or more telemarketing calls from Korthals LLC on behalf of Central Payment. It also includes individuals who received these calls, but were on the national do-not-call registry. All settlement class members will receive equal shares after payments for notice, administration, attorneys’ fees and costs, and plaintiff’s service payments are distributed.

Counsel for plaintiff is permitted to collect a maximum of $2,166,666 in attorneys’ fees along with out-of-pocket expenses of up to $44,000. Heidarpour will be awarded an incentive of $25,000 “in light of the service performed by plaintiff for the class.”

Filmmaker Arrested for Flying Drone over the NFL Draft

A 27-year old resident of Philadelphia, Pennsylvania, Jonathan Kolleh, was arrested and spent 14 hours in a holding cell last week for flying his drone in the vicinity of the National Football League (NFL) Draft. Kolleh began using drones for his filmmaking last year after purchasing a DJI drone. While shooting his latest project, “Straight Outta Philly,” capturing images near the Schuylkill River Boardwalk, a bridge over the river that splits Center City and West Philadelphia and Franklin’s Paine Skatepark near the Philadelphia Museum of Art, he was approached by a police officer. The police officer informed Kolleh that he was not allowed to fly drones ‘at this event’ –he was not aware of any restrictions. The event that Kolleh was unaware of was the NFL Draft held on Benjamin Franklin Parkway in front of the Philadelphia Museum of Art. Drones were banned from inside the fan event held at the draft, but Kolleh was outside the perimeter. Kolleh was questioned by the police officer ( e.g, what is your name, what are you filming, is the drone registered, etc.). After a counter-terrorism unit showed up, Kolleh was eventually handcuffed.

Kolleh was transported to the police station and charged with reckless endangerment. He was eventually released, but he did not receive his drone back however. The good news for Kolleh–when local law enforcement submitted the charged for reckless endangerment to the District Attorney’s office, the charge was rejected so there are no pending charges against Kolleh.

The problem is: The rules are confusing and often change. The Federal Aviation Administration (FAA) issued press releases saying drones couldn’t be used before previous major Philadelphia events, like the Papal visit and the Democratic National Convention. But none were issued before the NFL Draft. And Kolleh was flying over a skate park, not the NFL draft. For now, Kolleh seems to be off the hook but drone-less. The lesson here is to check the FAA’s B4UFly mobile app along with local and state laws, and fly safely so you can steer clear of any issues with the FAA or local law enforcement.

Drone Package Delivery Calls for Drone Traffic Management System

By 2020, it is estimated that 7 million drones will be flying around the country delivering packages, taking photos, inspecting infrastructure or conducting search and rescue missions. However, before that happens, we will need a system in place to avoid collisions –between the drones themselves, building, people, and most importantly, passenger aircraft. The National Aeronautics and Space Administration (NASA), along with the Federal Aviation Administration (FAA) and industry partners, have been researching the requirements needed to establish a drone traffic management system. The hope is to test out those systems this summer.

Unlike the air traffic management system that we currently have, the drone traffic management system won’t rely on human controllers perched in towers; instead, drone operators will use an electronic system to get access to constraint notifications and input flight information. And drone operators will be expected to follow the FAA’s operational rules. Eventually, the system will be autonomous. The research is scheduled to be finished by 2019, which in turn will lead to ideas for this drone traffic management system to be implemented by the FAA no later than 2025. In the end, the FAA will not be creating the entire electronic traffic management system; instead that task will largely be handled by companies that are already developing drone navigation and communication software, or drone manufacturers that want to create their own system. Here are some of the major requirements and challenges to drone traffic management:

  • Tracking the Weather: Small drones are much more susceptible to weather changes because they fly low. As such, drones will need to be properly spaced out just like manned aircraft. But tools have not yet been developed to predict how weather will affect small drones flying around obstacles such as buildings or hills at such low altitude.
  • Making Complete Maps: Many industry leaders see a future where drones will not only be flying in the skies in swarms, but they will be flying completely autonomously, so data about their surroundings will be a key to traffic management. The navigation of a drone will require more than just a basic street map. In addition to locations of physical buildings, navigation systems will also need to pick up dynamic data — information that changes in real time and enables drones to steer clear of dangerous or restricted areas, much like driverless cars are doing now.
  • Dialing Up Directions: Drones currently cannot fly beyond their operators’ visual line of sight unless they get a waiver from the FAA. But NASA is already testing what drones will need if they’re allowed to fly further away–location tracking handled through technology including satellites and cellular networks, which is why telecommunications providers are working with NASA.
  • A Common Language: Drones will need to “talk” to each other and exchange information. NASA, the FAA and the industry will have to figure out the exact types of information that need to pass from one type of drone operating system to another. The systems will also need a common communication protocol and consistent cybersecurity practices. However, many drone manufacturers and software developers, may resist passing potentially proprietary data to competitors.

As this area evolves we will see more challenges, but surely, more solutions as the FAA, NASA and industry leaders push forward to integrate drones into the National Air Space.

Privacy Tip #87 – “Share with Care”

This week (May 8-12, 2017) is Privacy Awareness Week—an annual initiative of the Asia Pacific Privacy Authorities Forum (APPA) that concentrates on sharing information about privacy practices and rules.

The APPA is an interesting group made up of privacy regulators from Australia, British Columbia, Canada, Colombia, Hong Kong, Japan, Korea, Macao, Mexico, New South Wales, New Zealand, The Northern Territory, Peru, Queensland, Singapore, the United States (both the Federal Communications Commission and the Federal Trade Commission are included), and Victoria. It has been in existence since 1992 (way before privacy became such a huge issue with the Internet), and they meet twice a year to “form partnerships and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints.” What a brilliant idea…

This year’s theme for Privacy Awareness Week is “Care When you Share,” and APPA is “encouraging individuals to care about their privacy and better inform themselves of what will or might happen to their personal information before they share it” as well as better educating employees of governmental agencies to understand their responsibilities with others’ personal information and to basically respect it and treat it as their own.

APPA and its members have distributed great resources for Privacy Awareness Week, including posters with the theme “Pause for Privacy,” a Quickguide for CIOs, a guide on “How to Embed and Support a Culture of Privacy,” and guides for the sharing of information between governmental agencies.

So embrace Privacy Awareness Week and “Share with Care.” Pause before you click “I agree.” Think twice before you give your Social Security number to someone or enter all of your personal information into a website form. These are all previous Privacy Tips from this blog, but it is always good to revisit them—especially when the theme of Privacy Awareness Week is “Share with Care.”

OCR Settles With Texas Health System for $2.4 Million for Disclosing PHI to Media In a Press Release

The Office for Civil Rights (OCR) issued a press release today announcing that it has settled alleged HIPAA violations with Memorial Hermann Health System (MHHS) for $2.4 million. According to the Resolution Agreement it has inked with the OCR, MHHS must also implement a corrective action plan, including updating its policies and procedures, training staff and requiring all of the facilities in the system to “attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.”

The OCR commenced its investigation following media accounts reporting that MHHS disclosed a patient’s PHI without the patient’s authorization. The underlying facts are that in September 2015, a patient presented what appeared to be a fraudulent identification card to office staff when seeking medical care. The staff alerted law enforcement about the alleged fraudulent identification card, and the patient was arrested. According to the OCR, the disclosure to law enforcement was permitted under HIPAA. However, senior management then approved a press release about the incident, which included the patient’s name in the title of the press release. The OCR found that this was an impermissible disclosure of the patient’s PHI.

In its press release, the OCR stated “Senior management should have known that disclosing a patient’s name on the title of a press release was a clear HIPAA Privacy violation that would induce a swift OCR response…This case reminds us that organizations can readily cooperate with law enforcement without violating HIPAA, but that they must nevertheless continue to protect patient privacy when making statement to the public and elsewhere.”

This is not the first OCR fine coming from a health care entity’s release of PHI to the media. Shasta Regional Medical Center settled with the OCR in June 2013 for $275,000 when members of the senior management “intentionally” disclosed a patient’s PHI “to multiple media outlets on at least three separate occasions” without the patient’s authorization and shared details about the patient’s medical condition, diagnosis and treatment in an email to its entire workforce.

The facts of the two cases are similar, but today’s fine is a stark reminder to health care entities to be cautious when interacting with the media.

Repeal of FCC Privacy Rules Sparks Concern in U.S. and Europe

The Federal Communications Commission (FCC) privacy rules required providers such as Comcast Corp. and AT&T Inc. to get subscribers’ permission before collecting and sharing their personal data. On April 4, 2017, President Donald Trump signed a congressional resolution rescinding those rules and sparking major concern both in the U.S. and Europe.

Indeed, according to a survey taken shortly after the rollback of the federal privacy rules was announced, some 95 percent of Americans said that they are concerned about businesses’ collection and sale of their personal information without permission.

In Europe, the new concerns over the commitment of the U.S. to privacy come as the EU prepares for its first annual review of the EU-U.S. Privacy Shield cross-border data transfer program in September. The Privacy Shield permits U.S. companies that self-declare their compliance with EU-approved privacy and security standards to legally transfer personal data from the EU to the U.S. Over 2,000 U.S. companies are certified under the Privacy Shield, including Facebook, Google and Microsoft.

While the repeal of the FCC rule does not have a direct effect on the data transfer program because the Privacy Shield does not depend on the FCC rules in any way, it adds further stress to the already strained EU-U.S. Privacy Shield agreement. Indeed, the Privacy Shield is currently at the center of two lawsuits that challenge its efficacy in protecting Europeans from surveillance abuses as well as the independence of a U.S. ombudsperson in charge of handling complaints.

Shortly after the repeal was announced, the European Parliament passed a resolution questioning the U.S.’ commitment to the Privacy Shield and requesting access to documents showing how U.S. authorities are enforcing the Privacy Shield on their end.

The U.S. administration’s decision to repeal the FCC’s data privacy rules is a possible indicator of the direction the U.S. administration is taking with regard to privacy rights. The repeal could suggest that the U.S. is moving towards a new standard of protection for personal privacy.

In the Privacy of Your Home

By now, it’s pretty common knowledge that Alexa has been on a dollhouse shopping spree, and is also helping to solve a murder. Clearly, Alexa cannot be trusted and that’s why she has only limited trigger words, including options such as “Alexa,” “Amazon,” “computer,” and “Echo.” When you speak those words, or other “wake words” that you program yourself, Alexa starts to listen…and record.

Recordings are becoming a normal, but often unexpected, part of our daily routines. Urban legend has it that some smart televisions record your conversations. The same goes for smartphones; supposedly, some of your mobile apps can record every word that falls from your lips. Also questionable. Security cameras? Obviously.

The Nest camera only records and stores footage if you subscribe to an additional service, called Nest Aware. Absent this subscription, the only video clips available are those triggered by sound or motion, and those clips are kept for only three hours. If a customer is interested in storing footage, by subscribing to Nest Aware, clips can be stored for ten or thirty days in the cloud; important clips can even be downloaded. What is less obvious in the terms and conditions, though, is that when switching from free use to the subscription service, the level of monitoring also changes. What was previously triggered by sound or motion is now a continuous recording, which means that thirty days’ worth of conversations and activity are stored in the cloud, securely, but remotely. For some customers, the idea that thirty days of your home life are in the cloud might be an unpleasant surprise, and it could raise real concerns about the privacy you’re actually enjoying.

As a society, it’s safe to say that many of us have willingly given up our privacy for convenience and functionality but how much we’re willing to sacrifice may be an open question. At a minimum, we should be making conscious decisions about whether our devices are storing or streaming.

EFF Report Finds That Student Data is Not Adequately Protected By Ed Tech Companies

On April 13, 2017, the Electronic Frontier Foundation (EFF) published Spying on Students, a report detailing its investigation into school-issued devices and student privacy. EFF found that parents were overwhelmingly not informed about what educational technology (Ed Tech) their students were using. As a result, students and/or parents were the ones burdened with investigating what Ed Tech was used, what privacy policies were governed, and what privacy implications they may carry. Not surprisingly, parents were particularly concerned with what personally identifiable information was being collected and whether that information would be shared or sold.

EFF also analyzed the privacy policies of every Ed Tech app, software, programs or services identified by its survey recipients. Of the 152 Ed Tech services reported, only 118 had privacy policies available online. Few policies addressed deletion of data after periods of inactivity. Less than a third stated that the vendor used encryption or mentioned de-identification or aggregation of user data. Continue Reading

Old Locky Ransomware Resurfacing Using PDFs—Alert Your Employees

We have previously reported on the vicious ransomware Locky and how it victimized companies throughout 2016 [View previous posts here, here, and here].

Although Locky quieted down in late 2016, according to researchers at Cisco Talos, Locky is perking up again in 2017 in a major way. Only this time, instead of using phishing email schemes that used attached Word documents, the attackers are now using PDF files. When the user opens the PDF, the PDF contains an embedded Word document, which the user is asked to open. When the user opens the Word document, the user is told that the document is protected, and that macros need to be enabled to view the document. When the macros are installed by the user, the ransomware is downloaded.

The scary thing about this new delivery method is that most employees now know not to open attachments or click links in emails from unknown individuals. But by using the PDF format, employees may not be as suspicious, and may open the PDF. Then when it looks like the document is protected (which could easily be mistaken as “encrypted”), the user believes s/he is using special precaution and abiding by good security measures. But the user is being duped into downloading the ransomware by thinking s/he is doing the right thing.

This is very frustrating for those of us who are working hard to educate employees on good security practices and protect them and companies from becoming victims.

The hackers will continue to get more and more creative, and keeping up with their creativity is exhausting. In this case, let your employees know about this new campaign, and empower them to ask questions, and to be vigilant and highly suspicious.