Privacy Tip #193 – FBI Issues Warning to Parents about Sextortion

Summer vacation is almost here for school-age children, which means that kids will have more free time to roam the Internet. Unfortunately, according to the FBI, this means that the threat of online predators is high and the FBI is warning parents that it has seen an increase—a whopping 60 percent increase—in the number of sextortion cases that involve minors over the past five years.

Sextortion occurs “when an adult coerces or entices a child to a minor kid under 18 to produce a sexually explicit image of themselves and then transmit that image to them on the Internet,” the Assistant Section Chief of the FBI’s Criminal Division states in an interview with ABC News. In one case, a male predator set up a fake Facebook profile as a female modeling agent, luring under-age girls to respond by saying there were modeling jobs available that could earn them between $500 and $5000 per photo shoot. The impostor set up a line of communication, then asked the girls to send photos or videos of themselves in sexually suggestive positions.  When the predator received the photos, he would then threaten to post them online or hurt the victim if he didn’t receive more photos. View release.

The fallout from sextortion can be devastating to the victim—including shame, humiliation, depression, anxiety and fear. These predators are preying on vulnerable minors and the results can be tragic.

The FBI suggests that parents limit the screen time of their children, talk with them, and monitor with whom they are conversing online. It says that important messages to young people about online behavior are simple ones to discuss with your children. Children need to know and be reminded that:

  • Many people online are not who they say they are.
  • Don’t talk online to people you don’t know.
  • Understand that any content produced on a web-enabled device can be made public.
  • If you are being threatened or coerced online, tell someone. There is help and there is hope.

To report suspected sextortion, call the nearest FBI field office or 1-800-CALL-FBI (225-5324). To make a CyberTipline Report with the National Center for Missing & Exploited Children (NCMEC), visit report.cybertip.org.

OIG Issues Alert to Warn of ‘Free’ Genetic Testing Scams Seeking to Steal Information

On June 3, 2019, the U.S. Department of Health and Human Services Office of Inspector General (OIG) issued a fraud alert to notify consumers about genetic testing fraud schemes (the Alert). According to the OIG, fraudulent actors are using the provision of free genetic testing kits to obtain Medicare information from unwitting consumers, and then using the stolen information for purposes of fraudulent billing and/or identity theft.

In the Alert, OIG advises consumers to protect themselves by:

  • Not accepting mailed genetic testing kits unless ordered by a physician;
  • Closely scrutinizing any request for Medicare information tied to the offer of free genetic testing;
  • Verifying that your physician approves any requests for genetic testing; and
  • Not providing Medicare information to anyone other than a provider’s office.

That the OIG felt compelled to issue the Alert indicates its level of concern with fraudulent scams perpetrated under the guise of free genetic testing. It is not surprising that as genetic testing advances and the options for such testing proliferate, scammers are seeking to take advantage. The Alert therefore provides a welcome reminder to consumers to closely guard Medicare and other personal information. Health care providers and plans would be well-advised to review the Alert and notify their patients about the rising incidence of this scheme.

 

 

Health Care and Manufacturing Industries Still Threatened by WannaCry

Although many thought that WannaCry was in the rear view mirror, a recent report by Artemis, based on client experience, found that health care organizations and manufacturing companies are still being hit with the ransomware that affected hundreds of thousands of machines in 2017.

According to the report, 40 percent of Artemis’ health care clients and 60 percent of its manufacturing clients were hit with at least one WannaCry-related attack in the last six months. The reason for these dismal statistics is that these two industries use legacy systems that aren’t able to be patched, or haven’t been patched for the virus. As a result, the virus is still affecting a large number of machines in these industries.

It is such a widespread problem that Microsoft took the unusual step of releasing limited patches for some legacy systems, and issued a warning to these industries (and others still using legacy systems) to patch quickly or face an attack on a known vulnerability.

According to Artemis, there are 3,500 successful WannaCry attacks per hour worldwide, with more than 145,000 devices in 103 countries potentially compromised.

GozNym Malware Attack Hits Two Law Firms for Over $117K in Losses

Two law firms were among the latest victims of the GozNym malware attack that caused a combined loss of more than $117,000. Law enforcement authorities recently announced the dismantling of a cybercrime network that used this GozNym malware to attempt to steal an estimated $100 million from victims in the United States and around the world. GozNym malware was designed to steal personal and financial information from victims, sometimes starting with phishing emails to the affected companies.

According to a press release issued by the US Attorney’s Office for the Western District of Pennsylvania, an international law enforcement operation brought down the cybercrime network. An indictment names several victims; among them two law firms, a church in Texas, a furniture business in California, a casino in Mississippi, an association dedicated to providing recreation programs and other services to persons with disabilities in Illinois, a distributor of neurosurgical and medical equipment in Germany with a US subsidiary, an electrical safety device provider in Rhode Island, a contracting business in Michigan, a stud farm in Kentucky, a provider of cold pack shipping products in Pennsylvania, a bolt manufacturing company in Pennsylvania, and a Pennsylvania asphalt and paving business.

The two law firms were identified as a law firm in Washington D.C. and the other in Wellesley, Massachusetts. The indictment alleges that the Washington D.C. law firm was the victim of a phishing email that directed the recipient to click on a link in the email. That click led to the malware infecting the computer. As a result of the malware, the individuals listed in the indictment gained unauthorized access to the law firm’s bank account, using credentials captured by GozNym malware, which ultimately resulted in a $76,178.12 loss to the firm.

The Wellesley, Massachusetts law firm’s loss was as a result of an unauthorized electronic funds transfer in the amount of $41,000, which was the result of login credentials being captured by GozNym malware and then used by the individuals named in the indictment to transfer the funds to an account they controlled.

The losses reported in the indictment are unfortunately the tip of the iceberg, as the actual costs that companies face when hit by a cyber-attack are not confined to the theft of the funds. Forensic costs, legal expenses, costs for notification to affected individuals, and credit monitoring costs are all additional costs that companies face when they are the victims of a data breach. In addition, companies must also address regulatory compliance issues in the event that individual state laws trigger breach notification requirements.

Two lessons to learn from GozNym that may help to protect companies from cyber-attacks: train your employees to recognize what a phishing email is and how to avoid the latest scams, and talk to your broker to determine whether your business is protected with appropriate and sufficient cyber liability insurance coverage.

OCR Issues Fact Sheet Listing Circumstances in which Business Associates May Face Direct Liability for HIPAA Violations

In a development that may – understandably – have been overlooked by many heading into Memorial Day weekend, on May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Fact Sheet on Direct Liability of Business Associates under the Health Insurance Portability and Accountability Act (HIPAA).

The Fact Sheet provides an important reminder to covered entities, business associates, and their counselors regarding the circumstances in which OCR may – and may not – take enforcement actions directly against business associates for violations of HIPAA regulations. In the Fact Sheet, OCR explains that in 2009 the Health Information Technology for Economic and Clinical Health (HITECH) Act made business associates “directly liable for compliance with certain requirements” under HIPAA’s regulations, as addressed by OCR in its 2013 Omnibus Rule.

The Fact Sheet then identifies 10 categories of HIPAA violations for which a business associate may be directly liable, including without limitation:

  • Failure to cooperate with HHS investigations;
  • Taking retaliatory actions against individuals for filing a HIPAA complaint;
  • Failure to comply with HIPAA Security Rule requirements;
  • Failure to provide a breach notification to a covered entity or another business associate;
  • Impermissible uses or disclosures of PHI;
  • Failure to fully comply with HIPAA’s right of access to PHI in a readily available form and format;
  • Failure to adhere to the minimum necessary standard;
  • Failure to provide an accounting of disclosures in certain circumstances;
  • Failure to enter into HIPAA-compliant downstream business associate agreements (BAAs); and
  • Failure to take reasonable steps to address a breach or violation of a downstream BAA.

OCR provides the following examples in which direct liability can, and cannot, attach to a business associate. A business associate could be directly liable for failure to provide an individual with an electronic copy of the individual’s electronic Personal Health Information (PHI) upon request where the BAA requires it to do so. But a business associate cannot be held directly liable for violations of the “reasonable, cost-based fee” limitation set forth at 45 C.F.R. § 164.524(c)(4); instead, the covered entity is responsible for ensuring that fees for copying records or providing summaries/explanations of PHI comply with HIPAA, and OCR could take action against the covered entity (but not the business associate) for any such violations.

For counselors of HIPAA-covered entities, the Fact Sheet helpfully also provides references for each category of violation for which a business associate may face direct liability, which is not something OCR has done consistently in prior Fact Sheets. Compliance personnel and other advisors of entities that may be business associates would therefore be well-advised to study the Fact Sheet and underlying sources of OCR authority.

Questions to Consider Asking Your Broker About Cyberliability Coverage

One of the first questions we ask our clients when they call about a security incident is whether they have insurance that may cover the costs associated with investigating the incident, potential forensic analysis, and coverage for a data breach. Sometimes the client will say “Yes, we have cyber coverage.” However, when reviewing the coverage or making a claim, we find that the client does not have the coverage for the incident.

We suggest that clients work with a broker who has experience in this area, as it is rapidly changing with cases being litigated and new schemes that have never been seen before affecting companies.

To help with your conversation with your broker, here are some basic questions (this is not an exhaustive list) to discuss with your broker as you evaluate your cyber-liability insurance needs:

  • Confirm first-party coverage for a security incident/data breach for forensic analysis, legal, costs associated with data breach notification to individuals and regulators, and coverage for fines/penalties and costs associated with an enforcement action;
  • Confirm first-party coverage for ransomware, malware, wire fraud, phishing incident, social engineering, man in the middle scheme, including business interruption coverage;
  • Confirm third-party coverage for security incident/data breach, class action litigation, enforcement actions and individual litigation;
  • Discuss in detail the exclusions in the policy so you understand them and the incidents that the exclusions may be applicable to, including Telephone Consumer Protection Act exclusion, and determine whether to purchase the coverage that is excluded;
  • Discuss your particular industry and coverage that may be specifically applicable to you, including coverage for PCI fines and penalties, HIPAA privacy and security violations, GDPR or CCPA actions; and
  • Specifically discuss crime coverage, a social engineering endorsement, errors and omissions, business interruption, and other coverage you may need to supplement other policies that you have in place.

This is a rapidly changing area, so stay in touch with your broker as new endorsements come out from insurance carriers to respond to new threats. Staying on top of the coverages and exclusions is important to managing potential risk.

Privacy Tip #192 – Combating Robocallers: California AG Hits Scam Telemarketers with $1.5M in Judgments

Like many of you, I don’t answer my cell phone unless the number pops up as someone I know, because a majority of the calls I get are spam or robocalls. It’s so frustrating.

Although these calls are probably a violation of the Telephone Consumer Protection Act (TCPA), the Federal Trade Commission (FTC) – the federal enforcement agency with oversight of TCPA violations – and states’ Attorneys General have limited resources to enforce the millions of illegal robocalls that we all receive daily.

Some progress was made this week against scam telemarketers by California Attorney General Xavier Becerra, who secured $1.5 million in judgments against Consumer Rights Legal Services, which was calling consumers to perpetrate a fraud. According to Becerra, although the name Consumer Rights Legal Services sounds like an organization that will help consumers, the opposite was true—it was offering fake money-recovery services to over 150 investors—most of whom were elderly. These despicable telemarketers were calling elderly individuals and telling them that they could recover money lost from previous investments for a fee of several thousand dollars. In doing so, according to the Attorney General, they were preying on consumers who had already been victims of fraud.

Good for the California AG for protecting consumers from robocalls and fraudulent telemarketers. But what can we do on a daily basis to try to combat robocalls, telemarketers and others who are violating laws by calling us without our express consent?

Because it is such a problem and a nuisance, the FTC has a section of its website devoted to robocalls and what to do about them (www.consumer.ftc.gov). According to the website, the FTC has brought more than “a hundred lawsuits against over 600 companies and individuals responsible for billions of illegal robocalls and other Do Not Call violations.” It suggests that you register on the national Do Not Call list (which I have done, though it doesn’t eliminate all robocalls as those making illegal robocalls are not looking to comply with the Do Not Call list), and report the illegal call to the FTC. It suggests that you hang up when you receive an unwanted robocall. There is a good video on the website that was developed with the AARP that is worthwhile for seniors to watch, as they are particularly vulnerable. There is also new technology offered by telephone providers meant to help block robocalls, which you can sign up for with your carrier.

Knowing that these scammers are targeting seniors, I suggest that you educate the seniors in your life about illegal robocall scams, assist them with registering on the Do Not Call list, sign up for the robocall blocking technology with their service carrier, and tell them to hang up when they get a robocall or telemarketing call.

Model Rule for Securities Administrators Approved by NASAA

The North American Securities Administrators Association (NASAA) this week approved an information security model rule package aimed at improving the cybersecurity posture of the 17,543 state-registered advisers.

The proposed model would require state-registered investment advisers to establish written cybersecurity policies and procedures designed to safeguard clients’ records and information, and to deliver its privacy policy annually to clients. It provides investment advisers with a design structure for their data security policies and procedures.

The model is meant to help states determine whether they wish to adopt it and to implement it through regulation. It focuses on three areas:

  • Requiring advisers to adopt policies and procedures regarding physical and cybersecurity information security and deliver its privacy policy to clients annually;
  • Amending the existing investment adviser model record keeping requirements rule to require that investment advisers maintain these records; and
  • Amending the existing model rules to include the failure to establish, maintain an enforce a required policy or procedure to the list of unethical business practices/prohibited conduct.

These focused areas, especially the last one, are significant for investment advisers because if an investment adviser fails to adopt information security practices, and should there be a security incident or data breach, this could be investigated and ultimately determined to be an unethical business practice or prohibited conduct that could adversely affect the license of the adviser. According to NASAA, state-registered investment advisers are concentrated in California, Texas, Florida, New York, and Illinois.

According to the model rule, advisers’ policies must cover five areas, including identifying, protecting, detecting, responding, and recovering data. It outlines basic cybersecurity measures, which are important in the context of the type of sensitive client data that investment advisers have. Investment advisers may wish to review the model rule and prepare for the state in which they are licensed to adopt it. Whether or not that happens, the rule sets forth a roadmap of what regulators are concerned about and establishes reasonable data security practices.

Law Firm Domain Names Spoofed to Launch Phishing Scams

It is not unusual for lawyers to send emails to individuals and businesses they are about to sue to engage them before they do file suit to see if a settlement can be discussed or reached. The lawyer will reach out via email with a copy of the proposed Complaint, and tell the individual or business that they are about to be sued, that the Complaint is attached or in a link, and that if the individual does not respond within 7-10 days, the Complaint will be filed.

This is common practice. And apparently hackers and scammers know this, too, and are using it to launch phishing scams. The way it works is that they buy a domain name that looks like a law firm domain name, (usually several names strung together) and send a threatening email from the “law firm” with the attachment or link. When the recipient opens the “Complaint,” the attachment or link is infected with malware that then attacks the recipient’s operating system.

This scam is just another variant of other successful schemes—using enticing and scary messages to try to get people to click on an infected attachment or link. No matter how many times we tell people not to click on attachments or links from unknown sources, curiosity usually gets the best of them. Be aware of these new schemes so you or your employees don’t fall victim to them as well.

New FinCEN Cryptocurrency Guidance Clarifies Applicability of Anti-Money Laundering Regulations to Virtual Currency Business Models

The Financial Crimes Enforcement Network (FinCEN) is the U.S. Treasury Department bureau charged with monitoring financial transactions in order to combat domestic and international money laundering, terrorist financing, and other financial crimes.

Under FinCEN’s Bank Secrecy Act/Anti-Money Laundering regulations, money transmitters and other money service businesses are required to develop anti-money laundering/countering the financing of terrorism (AML/CFT) policies, including know your customer and suspicious activity reporting (SAR) procedures.

The advent of blockchain and the ensuing crypto currency business boom have posed significant challenges for FinCEN and other financial service regulators. See FinCen Advisory.

In order to help address those challenges, FinCen issued Guidance (FIN-2019-G001) on May 9 regarding the Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies (CVC). The Guidance is intended to “remind persons subject to the Bank Secrecy Act (BSA) how FinCEN regulations relating to money services businesses (MSBs) apply to certain business models involving money transmission denominated in value that substitutes for currency, specifically, convertible virtual currencies.”

While the Guidance does not purport to establish any new regulatory requirements, it consolidates current FinCEN regulations, rulings and guidance and gives specific examples as to how the current FinCEN requirements apply to certain current and emerging virtual currency business models.

The Guidance first confirms that money transmission involving virtual currencies, including CVC, are subject to the AML program, recordkeeping, monitoring and reporting requirements ) applicable to money transmitters generally,including SARs and Currency Transaction Reports.

The Guidance then goes on to set forth specific examples of how the BSA regulations apply to common business models involving the transmission of CVC, including: [1]peer-to-peer exchangers; [2] hosted, unhosted and multiple-signature CVC wallet providers; [3] CVC kiosks; [4] DApps ( money transmission services provided through decentralized applications); [5] anonymity-enhanced CVC transactions; [6] CVC payment processors; and [7] internet casinos.

The Guidance concludes with a description of specific business models involving CVC transactions that may qualify for exemption from the definition of money transmission. These business models include CVC trading platforms, Initial Coin Offerings, CVC creators, mining pools and cloud miners.

LexBlog