Yesterday, a massive ransomware attack now known as “Petya” spread across the globe in a similar fashion to the WannaCry cyberattack in May. In an Alert today, Fox Chief Privacy Officer and Partner Mark McCreary breaks down what we know about the attack, how to address it if your organization falls victim to it, and how to minimize the risks of future attacks:

Yesterday’s worldwide cyberattack once again exploited a vulnerability that has been known to experts for many months. These attacks are sure to continue and the best defense is knowledge. Awareness of how malware works and employee training to avoid the human error that may trigger an infection can prevent your organization from becoming a victim.

This latest ransomware variant, referred to as “Petya,” is similar in many respects to the “WannaCry” ransomware that affected hundreds of thousands of computers in mid-May, using the same Eternal Blue exploit to infect computers. The purpose of this Alert is to provide you some information believed or known at this time.

How Is a Computer Infected?

Experts believe the Petya malware is delivered in a Word document attached to an email. Once initiated by opening the Microsoft Word document, an unprotected computer becomes infected and the entire hard drive on that computer is encrypted by the program. This is notably different from WannaCry, which encrypted only files.

Once Petya is initiated, it begins seeking other unprotected computers in the same network to infect. It is not necessary to open the infected Microsoft Word document on each computer. An infection can occur by the malware spreading through a network environment.

To read Mark’s full discussion of the Petya attack, please visit the Fox Rothschild website.

Mark also notes that “I continue to stress to clients that in addition to hardening your IT resources, the absolute best thing your business can do is train employees how to detect and avoid malware and phishing.  In-person, annual privacy and security training is the best way to accomplish this.”

Eric Bixler has posted on the Fox Rothschild Physician Law Blog an excellent summary of the changes coming to Medicare cards as a result of the Medicare Access and CHIP Reauthorization Act of 2015.  Briefly, Centers for Medicare and Medicaid Services (“CMS”) must remove Social Security Numbers (“SSNs”) from all Medicare cards. Therefore, starting April 1, 2018, CMS will begin mailing new cards with a randomly assigned Medicare Beneficiary Identifier (“MBI”) to replace the existing use of SSNs.  You can read the entire blog post here.

The SSN removal initiative represents a major step in the right direction for preventing identity theft of particularly vulnerable populations.  Medicare provides health insurance for Americans aged 65 and older, and in some cases to younger individuals with select disabilities.  Americans are told to avoid carrying their social security card to protect their identity in the event their wallet or purse is stolen, yet many Medicare beneficiaries still carry their Medicare card, which contains their SSN.  CMS stated that people age 65 or older are increasingly the victims of identity theft, as incidents among seniors increased to 2.6 million from 2.1 million between 2012 and 2014.  Yet the change took over a decade of formal CMS research and discussions with other government agencies to materialize, in part due to CMS’ estimates of the prohibitive costs associated with the undertaking.  In 2013, CMS estimated that the costs of two separate SSN removal approaches were approximately $255 million and $317 million, including the cost of efforts to develop, test and implement modifications that would have to be made to the agency’s IT systems – see United States Government Accountability Office report, dated September 2013)

We previously blogged (here and here) about the theft of 7,000 student SSNs at Purdue University and a hack that put 75,000 SSNs at risk at the University of Wisconsin.  In addition, the Fox Rothschild HIPAA & Health Information Technology Blog discussed (here) the nearly $7 million fine imposed on a health plan for including Medicare health insurance claim numbers in plain sight on mailings addressed to individuals.

On June 14, Fox Partner Scott Vernick appeared on live-streaming financial news network Cheddar to provide background information on the European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018. To comply with the new privacy rules, companies that provide online services to residents of the EU will be required to obtain documented “hard consent” from customers before processing and storing their data. For many American companies, this is a significant shift.

Scott L. Vernick, Partner, Fox Rothschild LLPScott outlines the high stakes for companies affected by the GDPR, in the form of a fine for failure to comply of four percent of their worldwide annual turnover (i.e., gross revenue). He also discusses the potential impact on EU-based user experience, and notes that companies will need to account for changes to the GDPR allowed within specific member countries.

We invite you to watch Scott’s informative segment.

On July 23, 2017, Washington State will become the third state (after Illinois and Texas) to statutorily restrict the collection, storage and use of biometric data for commercial purposes. The Washington legislature explained its goal in enacting Washington’s new biometrics law:

The legislature intends to require a business that collects and can attribute biometric data to a specific uniquely identified individual to disclose how it uses that biometric data, and provide notice to and obtain consent from an individual before enrolling or changing the use of that individual’s biometric identifiers in a database.

— Washington Laws of 2017, ch. 299 § 1.  (See complete text of the new law here).

Washington’s new biometrics act governs three key aspects of commercial use of biometric data:

  1. collection, including notice and consent,
  2. storage, including protection and length of time, and
  3. use, including dissemination and permitted purposes.

The law focuses on “biometric identifiers,” which it defines as

data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual.

— Id. § 3(1).

The law excludes all photos, video or audio recordings, or information “collected, used, or stored for health care treatment, payment or operations” subject to HIPAA from the definition of “biometric identifiers.” Id.  It also expressly excludes biometric information collected for security purposes (id. § 3(4)), and does not apply to financial institutions subject to the Gramm-Leach-Bliley Act.  Id. § 5(1).  Importantly, the law applies only to biometric identifiers that are “enrolled in” a commercial database, which it explains means capturing a biometric identifier, converting it to a reference template that cannot be reconstructed into the original output image, and storing it in a database that links the biometric identifier to a specific individual.  Id. §§ 2, 3(5).

Statutory Ambiguity Creates Confusion

Biometric data
Copyright: altomedia / 123RF Stock Photo

Unfortunately, ambiguous statutory language, combined with rapidly-advancing technology, virtually guarantees confusion in each of the three key aspects of the new law.

Regarding collection, the new law states that a company may not “enroll a biometric identifier in a database for a commercial purpose” unless it: (1) provides notice, (2) obtains consent, or (3) “provid[es] a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.”  Id. § 2(1).  Confusingly, the law does not specify what type of “notice” is required, except that it must be “given through a procedure reasonably designed to be readily available to affected individuals,” and its adequacy will be “context-dependent.”  Id. § 2(2).

If consent is obtained, a business may sell, lease or disclose biometric data to others for commercial use.  Id. § 2(3).  Absent consent, a business may not disclose biometric data to others except in very limited circumstances listed in the statute, including in litigation, if necessary to provide a service requested by the individual or as authorized by other law. Id. However, the new law may ultimately be read by courts or regulators as including a “one disclosure” exception because it says disclosure is allowed to any third party “who contractually promises that the biometric identifier will not be further disclosed and will not be enrolled in a database for a commercial purpose” inconsistent with the new law.  Id.

The new law also governs the storage of biometric identifiers.  Any business holding biometric data “must take reasonable care to guard against unauthorized access to and acquisition of biometric identifiers that are in the possession or control of the person.”  Id. § 2(4)(a).  Moreover, businesses are barred from retaining biometric data for any longer than “reasonably necessary” to provide services, prevent fraud, or comply with a court order.  Id. § 2(4)(b).  Here too the law fails to provide certainty, e.g., it sets no bright-line time limits on retention after customer relationships end, or how to apply these rules to ongoing but intermittent customer relationships.

The Washington legislature also barred companies that collect biometric identifiers for using them for any other purpose “materially inconsistent” with the original purpose they were collected for unless they first obtain consent.  Id. § 2(5).  Confusingly, even though notice alone is enough to authorize the original collection, it is not sufficient by itself to authorize a new use.

Interestingly, the new Washington law makes a violation of its collection, storage or use requirements a violation of the Washington Consumer Protection Act (the state analog to Section 5 of the FTC Act).  Id. § 4(1).  However, it specifically excludes any private right of action under the statute and provides for enforcement solely by the Washington State Attorney General, leaving Illinois’s Biometric Information Privacy Act as the only state biometrics law authorizing private enforcement.  Id. § 4(2).

Washington’s new law was not without controversy.  Several state legislators criticized it as imprecise and pushed to more specifically detail the activities it regulates; proponents argued that its broad language was necessary to allow flexibility for future technological advances. Ultimately, the bill passed with less than unanimous approval and was signed into law by Washington’s governor in mid-May.  It takes effect on July 23, 2017.  A similar, but not identical, Washington law takes effect the same day governing the collection, storage and use of biometric identifiers by state agencies.  (See Washington Laws of 2017, ch. 306 here).

Yesterday we witnessed new ransomware spread across the world with incredible speed and success, bringing businesses to their knees and home users learning for the first time about ransomware and why computer backups are so important.

With over 123,000 computers infected, experts believe the “WannaCrypt/WannaCry/WCry” attacks have stopped after researchers registered a domain that the software checks before encrypting.  However, nothing is stopping someone from revising the software to not require that check and releasing it into the wild.  In other words, do not expect the infections to stop.

To battle the malicious software, Microsoft took the highly unusual step of issuing updates for versions of Windows that have reached their end of life and otherwise are not supported (e.g., Windows XP, Windows 8, and Windows Server 2003).  WannaCrypt/WannaCry/WCry did not even try to target Windows 10 machines, but that does not mean Windows 10 machines cannot be affected and encrypted by the ransomeware.  The blog describing Microsoft’s efforts can be found here and is worth reading.  Although your business may normally take a wait and see approach to software updates to avoid conflicts with other programs, this is a situation you should fast track that process.

If there is any silver lining here, it is that it may lead to more organizations to focus harder on computer security and efforts to battle malicious attacks similar to WannaCrypt/WannaCry/WCry.  Having seen first hand from clients the panic and feeling of helplessness caused by WannaCrypt/WannaCry/WCry in mere hours, it seems likely that companies are starting to better understand the risk, loss of productivity and costs that can be associated with a ransomware attack.

Below is a screenshot of the WannaCrypt/WannaCry/WCry software on an infected machine.  (Note the financial aid offer in the last line of the “Can I Recover My Files?” paragraph.  The bad guys must have a public relations firm!)

wannacrypt

In one of the best examples we have ever seen that it pays to be HIPAA compliant (and can cost A LOT when you are not), the U.S. Department of Health and Human Services, Office for Civil Rights, issued the following press release about the above settlement.  This is worth a quick read and some soul searching if your company has not been meeting its HIPAA requirements.

FOR IMMEDIATE RELEASE
April 24, 2017
Contact: HHS Press Office
202-690-6343
media@hhs.gov

$2.5 million settlement shows that not understanding HIPAA requirements creates risk

The U.S. Department of Health and Human Services, Office for Civil Rights (OCR), has announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement based on the impermissible disclosure of unsecured electronic protected health information (ePHI). CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan. This settlement is the first involving a wireless health services provider, as CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.

In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft. Additionally, CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. Further, the Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.”

The Resolution Agreement and Corrective Action Plan may be found on the OCR website at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/cardionet

HHS has gathered tips and information to help protect and secure health information when using mobile devices:  https://www.healthit.gov/providers-professionals/your-mobile-device-and-health-information-privacy-and-security

To learn more about non-discrimination and health information privacy laws, your civil rights, and privacy rights in health care and human service settings, and to find information on filing a complaint, visit us at http://www.hhs.gov/hipaa/index.html

With tax season in full swing, a different season is impacting businesses across all industries: “phishing season.”

Phishing scams
Copyright: fberti / 123RF Stock Photo

“Phishing” or “spear phishing” refers to cyberattack scams that target certain individuals within an organization with the hope of gaining access to valuable information.

These scams take advantage of the busy tax season, the desire to promptly respond to purported upper management and social engineering employees in order to target and trick only employees with immediate access to sensitive employee data. These scams have spread to a variety of for-profit sectors and even nonprofits and school districts.

Spear phishing attacks are virtual traps set up by criminals who, in this case, send emails to employees that appear to come from actual upper management. Typically, they are well-written and look authentic. Usually, there is some explanation or pressing reason offered for why personal information is required. The targets have increasingly become payroll and human resources personnel with the goal of stealing employees’ W-2 information during tax season.

Roughly 100 businesses with more than 125,000 employees were victims of phishing scams last year. This year has already seen a dramatic increase in phishing scams, as approximately 80 businesses have already been targeted during tax season. These are only the businesses that reported phishing scams, and the real number is certainly dramatically larger.

The IRS has previously stated that tax season is likely partly responsible for this surge in phishing emails. Last year, the IRS issued an alert to payroll and human resources professionals about emails purporting to be from company executives requesting employees’ personal information.

“Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS bulleted some of the requests contained in these fake emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

No organization is immune during phishing season. Last year a large social media provider issued an apology and offered two years of identity theft insurance and monitoring after one of its workers inadvertently released sensitive company payroll information to a criminal. The unidentified employee opened an email that appeared to be from the victim company’s CEO. Although none of the company’s internal systems were breached and no user information was compromised, hundreds of employees had their personal information exposed to the public.

The FBI has also warned the public and has published suggestions to avoid becoming a victim during phishing season, including:

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email — that’s usually phony as well).
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an email. Always enter the URL manually.
  • Don’t be fooled (especially today) by the latest scams.

The Minnesota Department of Revenue recently announced its excellent Stop. Connect. Confirm. program. From the Department of Revenue’s announcement:

When a request for private/sensitive information is made, Stop. Connect. Confirm.

  1. Stop – Stop for a moment before complying with the request and sending that information.
  2. Connect – Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to get confirmation of the sender’s identity. The sender may be a criminal who has disguised his or her identity by spoofing your colleague’s email address.
  3. Confirm – Confirm with the executive requesting the information that the request is legitimate.

Businesses can download and print this poster and display it in their human resources and payroll departments to remind employees to Stop. Connect. Confirm. if a request for employee personal information is made.

If your employer notifies you that your W-2 or other personal information has been compromised:

  • Review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit if your tax return is rejected because of a duplicate Social Security number or if instructed to do so by the Internal Revenue Service.

More of these attacks should be expected as tax season, and phishing season, continue, so organizations should be vigilant about ensuring that all employees are aware about phishing scams.

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott L. Vernick, Partner, Fox Rothschild LLPScott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

To register for the event, please visit the Argyle Forum event page.

Copyright: hywards / 123RF Stock Photo
Copyright: hywards / 123RF Stock Photo

France’s data protection regulator – the  Commission Nationale de L’Informatique et des Libertés (CNIL) – ordered Alphabet Inc.’s Google in 2015 to comply with the right to be forgotten.

If the ruling is upheld, the approach to personal privacy threatens the equal and competing legitimate freedom of expression and access to information rights of businesses and consumers outside the European Union.

Scott L. Vernick and Jessica Kitain recently authored the Bloomberg BNA Privacy and Security Law Report article “The Right To Be Forgotten – Protection or Hegemony?” We invite you to read the full article.

Reproduced with permission from Privacy and Security Law Report, 15 PVLR 1253, 6/20/2016. Copyright © 2016 by The Bureau of National Affairs, Inc. (800.372.1033) http://www.bna.com

The United States and Canada have teamed up to alert both nations of the threat of ransomware, illustrating the harmful impact of these cyberattacks to individuals and organizations all over the world.

The United States Computer Emergency Readiness Team (US-CERT) within the Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) jointly issued alerts in response to ransomware variants infecting computers in the healthcare industry in the United States, New Zealand and Germany. The alert gives useful information about ransomware, including its main characteristics, its prevalence worldwide, variants that may be developing, and how individuals and businesses can prevent and reduce the prevalence of ransomware.

Ransomware is a type of malware that contaminates a computer system and will restrict a user’s access to said system. Often, a message will appear stating that the files have been encrypted, and the message will demand payment from the victim – usually in the form of virtual currency such as Bitcoin – as a condition to access being restored.

Amounts vary, but typically, the attacker will request $200-400 dollars, according to the US-CERT alert.

Attacks have been rampant in recent weeks with many of them targeting hospitals, and the hackers’ demands haven’t been cheap. Last week, Maryland-based MedStar Health was victimized by what appeared to be a ransomware attack in which the hacker demanded $18,500 in Bitcoin.

Earlier this year, Hollywood Presbyterian Medical Center in California paid a $17,000 ransom in Bitcoin to a hacker after the hospital’s computer systems were seized in a ransomware attack.

These recent attacks were likely ransomware variants, which typically demand more lucrative sums and can damage the entire organization’s files, not just the particular user’s device.  Sometimes, the ransomware can utilize spam emails, but in other cases, ransomware can take advantage of vulnerable web servers.

Systems damaged by ransomware are often infected with other types of malware which attempts to steal other information; one malicious malware, GameOver Zeus, was used to steal banking information and other types of data, according to the US-CERT alert.

One of the biggest impacts of ransomware, as the alert points out, is the lack of any guarantee that the encrypted files will be released, nor does decryption guarantee removal of the malware infection itself. The only thing certain is that the hackers receive the victim’s money and, in some cases, the victim or organization’s banking information.

US-CERT actually discourages organizations from paying the ransom due to the lack of guarantees that files will be released.

The US-CERT alert provides several recommendations for preventative measures individuals and organizations can take, including the following;

  • Have a data backup and recovery plan which can be tested regularly for all critical information; backups should be kept on separate storage devices;
  • Allow only specified programs to run on computers and web servers to prevent unapproved programs from running (known as application whitelisting);
  • Make use of patches to keep software and operating systems current with the latest updates;
  • Maintain current anti-virus software and scan all downloaded software from the internet prior to executing;
  • The “Least Privilege” principle should prevail – restrict users’ access to unnecessary software, systems, applications, and networks through the usage of permissions;
  • Preclude enabling macros from email attachments. Enabling macros allows embedded code to execute malware on the device. Organizations should have blocking software to cut off email messages with suspicious attachments;
  • Do not click on unsolicited Web links in emails.

As usual, report hacking or fraud incidents to the FBI’s Internet Crime Complaint Center (IC3).

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.