With tax season in full swing, a different season is impacting businesses across all industries: “phishing season.”

Phishing scams
Copyright: fberti / 123RF Stock Photo

“Phishing” or “spear phishing” refers to cyberattack scams that target certain individuals within an organization with the hope of gaining access to valuable information.

These scams take advantage of the busy tax season, the desire to promptly respond to purported upper management and social engineering employees in order to target and trick only employees with immediate access to sensitive employee data. These scams have spread to a variety of for-profit sectors and even nonprofits and school districts.

Spear phishing attacks are virtual traps set up by criminals who, in this case, send emails to employees that appear to come from actual upper management. Typically, they are well-written and look authentic. Usually, there is some explanation or pressing reason offered for why personal information is required. The targets have increasingly become payroll and human resources personnel with the goal of stealing employees’ W-2 information during tax season.

Roughly 100 businesses with more than 125,000 employees were victims of phishing scams last year. This year has already seen a dramatic increase in phishing scams, as approximately 80 businesses have already been targeted during tax season. These are only the businesses that reported phishing scams, and the real number is certainly dramatically larger.

The IRS has previously stated that tax season is likely partly responsible for this surge in phishing emails. Last year, the IRS issued an alert to payroll and human resources professionals about emails purporting to be from company executives requesting employees’ personal information.

“Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS bulleted some of the requests contained in these fake emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

No organization is immune during phishing season. Last year a large social media provider issued an apology and offered two years of identity theft insurance and monitoring after one of its workers inadvertently released sensitive company payroll information to a criminal. The unidentified employee opened an email that appeared to be from the victim company’s CEO. Although none of the company’s internal systems were breached and no user information was compromised, hundreds of employees had their personal information exposed to the public.

The FBI has also warned the public and has published suggestions to avoid becoming a victim during phishing season, including:

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email — that’s usually phony as well).
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an email. Always enter the URL manually.
  • Don’t be fooled (especially today) by the latest scams.

The Minnesota Department of Revenue recently announced its excellent Stop. Connect. Confirm. program. From the Department of Revenue’s announcement:

When a request for private/sensitive information is made, Stop. Connect. Confirm.

  1. Stop – Stop for a moment before complying with the request and sending that information.
  2. Connect – Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to get confirmation of the sender’s identity. The sender may be a criminal who has disguised his or her identity by spoofing your colleague’s email address.
  3. Confirm – Confirm with the executive requesting the information that the request is legitimate.

Businesses can download and print this poster and display it in their human resources and payroll departments to remind employees to Stop. Connect. Confirm. if a request for employee personal information is made.

If your employer notifies you that your W-2 or other personal information has been compromised:

  • Review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit if your tax return is rejected because of a duplicate Social Security number or if instructed to do so by the Internal Revenue Service.

More of these attacks should be expected as tax season, and phishing season, continue, so organizations should be vigilant about ensuring that all employees are aware about phishing scams.

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott L. Vernick, Partner, Fox Rothschild LLPScott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

To register for the event, please visit the Argyle Forum event page.

Copyright: hywards / 123RF Stock Photo
Copyright: hywards / 123RF Stock Photo

France’s data protection regulator – the  Commission Nationale de L’Informatique et des Libertés (CNIL) – ordered Alphabet Inc.’s Google in 2015 to comply with the right to be forgotten.

If the ruling is upheld, the approach to personal privacy threatens the equal and competing legitimate freedom of expression and access to information rights of businesses and consumers outside the European Union.

Scott L. Vernick and Jessica Kitain recently authored the Bloomberg BNA Privacy and Security Law Report article “The Right To Be Forgotten – Protection or Hegemony?” We invite you to read the full article.

Reproduced with permission from Privacy and Security Law Report, 15 PVLR 1253, 6/20/2016. Copyright © 2016 by The Bureau of National Affairs, Inc. (800.372.1033) http://www.bna.com

The United States and Canada have teamed up to alert both nations of the threat of ransomware, illustrating the harmful impact of these cyberattacks to individuals and organizations all over the world.

The United States Computer Emergency Readiness Team (US-CERT) within the Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) jointly issued alerts in response to ransomware variants infecting computers in the healthcare industry in the United States, New Zealand and Germany. The alert gives useful information about ransomware, including its main characteristics, its prevalence worldwide, variants that may be developing, and how individuals and businesses can prevent and reduce the prevalence of ransomware.

Ransomware is a type of malware that contaminates a computer system and will restrict a user’s access to said system. Often, a message will appear stating that the files have been encrypted, and the message will demand payment from the victim – usually in the form of virtual currency such as Bitcoin – as a condition to access being restored.

Amounts vary, but typically, the attacker will request $200-400 dollars, according to the US-CERT alert.

Attacks have been rampant in recent weeks with many of them targeting hospitals, and the hackers’ demands haven’t been cheap. Last week, Maryland-based MedStar Health was victimized by what appeared to be a ransomware attack in which the hacker demanded $18,500 in Bitcoin.

Earlier this year, Hollywood Presbyterian Medical Center in California paid a $17,000 ransom in Bitcoin to a hacker after the hospital’s computer systems were seized in a ransomware attack.

These recent attacks were likely ransomware variants, which typically demand more lucrative sums and can damage the entire organization’s files, not just the particular user’s device.  Sometimes, the ransomware can utilize spam emails, but in other cases, ransomware can take advantage of vulnerable web servers.

Systems damaged by ransomware are often infected with other types of malware which attempts to steal other information; one malicious malware, GameOver Zeus, was used to steal banking information and other types of data, according to the US-CERT alert.

One of the biggest impacts of ransomware, as the alert points out, is the lack of any guarantee that the encrypted files will be released, nor does decryption guarantee removal of the malware infection itself. The only thing certain is that the hackers receive the victim’s money and, in some cases, the victim or organization’s banking information.

US-CERT actually discourages organizations from paying the ransom due to the lack of guarantees that files will be released.

The US-CERT alert provides several recommendations for preventative measures individuals and organizations can take, including the following;

  • Have a data backup and recovery plan which can be tested regularly for all critical information; backups should be kept on separate storage devices;
  • Allow only specified programs to run on computers and web servers to prevent unapproved programs from running (known as application whitelisting);
  • Make use of patches to keep software and operating systems current with the latest updates;
  • Maintain current anti-virus software and scan all downloaded software from the internet prior to executing;
  • The “Least Privilege” principle should prevail – restrict users’ access to unnecessary software, systems, applications, and networks through the usage of permissions;
  • Preclude enabling macros from email attachments. Enabling macros allows embedded code to execute malware on the device. Organizations should have blocking software to cut off email messages with suspicious attachments;
  • Do not click on unsolicited Web links in emails.

As usual, report hacking or fraud incidents to the FBI’s Internet Crime Complaint Center (IC3).

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

In my previous post, I reviewed the New York State Department of Financial Services’ (NYDFS) findings and conclusions of survey results of financial institutions and insurers’ programs, costs, and future plans related to cybersecurity.

Anthony J. Albanese – Acting Superintendent of Financial Services – writes in a November 9, 2015 letter to Financial and Banking Information Infrastructure Committee (FBIIC) Members that these conclusions have demonstrated a need for new cybersecurity regulations for financial institutions.

Such “robust regulatory action” would be a coordinated effort between state and federal agencies to create a thorough cybersecurity framework addressing critical concerns as well as covering New York-specific interests.

Potential regulations implemented by the NYDFS would require covered financial entities to meet specific cybersecurity obligations in the following areas:

  • Cybersecurity policies and procedures;
  • Third-party service provider management;
  • Multi-factor authentication (i.e., requiring covered entities to apply such authentication to customer, internal, and privileged access to confidential information as well as any access to internal systems or data from an internal network);
  • Chief Information Security Officer (i.e., covered entities will be required to have a CISO responsible for overseeing and implementing a cybersecurity policy, among other duties);
  • Application security (i.e., covered entities must have and set forth written policies, procedures, and guidelines to ensure the security of all applications utilized by the entity which need to be updated annually by the CISO);
  • Cybersecurity personnel and intelligence (i.e., covered entities will need to hire cybersecurity personnel who can handle certain cyber risks and perform core functions of “identify, protect, detect, respond and recover,” as well as providing mandatory training to such personnel);
  • An audit function; and
  • Notice of cybersecurity incidents.

Some of these proposed requirements are set forth in more detail below.

 

Cybersecurity Policies and Procedures

Covered entities, Albanese writes, would need to implement and maintain written cybersecurity policies and procedures addressing the following areas:

(1) information security;

(2) data governance and classification;

(3) access controls and identity management;

(4) business continuity and disaster recovery planning and resources;

(5) capacity and performance planning;

(6) systems operations and availability concerns;

(7) systems and network security;

(8) systems and application development and quality assurance;

(9) physical security and environmental controls;

(10) customer data privacy;

(11) vendor and third-party service provider management; and

(12) incident response, including by setting clearly defined roles and decision making authority.

 

Third-party Service Provider Management

Albanese wants covered entities to ensure that third-party cybersecurity policies and procedures are implemented. Third-party service providers who hold or have access to sensitive data or systems will need to adhere to certain contractual terms, including the following provisions:

(1) the use of multi-factor authentication to limit access to sensitive data and systems;

(2) the use of encryption to protect sensitive data in transit and at rest;

(3) notice to be provided in the event of a cyber security incident;

(4) the indemnification of the entity in the event of a cyber security incident that results in loss;

(5) the ability of the entity or its agents to perform cyber security audits of the third party vendor; and

(6) representations and warranties by the third party vendors concerning information security.

 

Audits

Annual penetration testing as well as quarterly vulnerability assessments will be a new requirement for covered entities. Such entities will also be responsible for maintenance of an audit trail system that perform the following functions:

(1) logs privileged user access to critical systems;

(2) protects log data stored as part of the audit trail from alteration or tampering;

(3) protects the integrity of hardware from alteration or tampering; and

(4) logs system events, including access and alterations made to audit trail systems.

 

Notice of Cybersecurity Incidents

Covered entities, Albanese writes, will need to immediately notify the NYDFS of any cyber security incident that is reasonably likely to materially affect such entity’s normal operation, including a cybersecurity incident

(1) that triggers certain other notice provisions under New York Law;

(2) of which the entity’s board is notified; or

(3) that involves the compromise of “nonpublic personal health information” and “private information” as defined under New York Law, payment card information or any biometric data.

 

These potential requirements are subject to further review and revision by the NYDFS, and there is no timetable for when these requirements will become the law of the land in New York. It will be interesting to see if and when covered entities begin implementing these requirements in advance of a legal obligation to do so. Will other states’ regulatory agencies enact similar regulations modeled on the NYDFS proposals? Look for developments on this topic in the news and on this website.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

In reaction to two surveys of more than 150 regulated banking organizations and 43 regulated insurers in New York, the state’s Acting Superintendent of Financial Services issued a letter to all Financial and Banking Information Infrastructure Committee (FBIIC) Members addressing the need for potential new cybersecurity regulations in the financial sector.

The New York State Department of Financial Services (NYDFS) expects that the November 9, 2015 letter will trigger more “dialogue, collaboration and, ultimately, regulatory convergence” among New York agencies on “strong” cybersecurity norms for financial institutions.

In the letter, Anthony J. Albanese – Acting Superintendent of Financial Services – discusses the NYDFS’ review of the two surveys which were conducted in 2013 and 2014. The surveys asked about the banks’ and insurers’ programs, costs, and future plans pertaining to cybersecurity. Albanese writes that the findings of those surveys led to some additional actions:

  • The NYDFS expanded its information technology examination procedures to focus more attention on cybersecurity;
  • NYDFS began conducting risk assessments of its financial institutions in late 2014 and early 2014 to compile information about risks and vulnerabilities;
  • In response to a realization of the financial industry’s reliance on third-party service providers for banking and insurance functions, the NYDFS conducted an additional survey of regulated banks in October 2014, specifically pertaining to banks’ management of third-party service providers; and
  • NYDFS published an April 2015 update to its earlier report with the most critical observations.

Those reports and risk assessments as well as the “dozens of discussions” the NYDFS has held with New York financial entities, cybersecurity experts, and other stakeholders have led to several “broad conclusions,” Albanese writes:

  • Financial institutions need to stay “dynamic” to keep pace with ever-changing technological advances and sophisticated cyberthreats;
  • Financial institutions’ third-party service providers must also have sufficient cybersecurity protections as these service providers often have access to an institution’s sensitive data and information technology systems; and
  • Cybersecurity is a “global concern” that affects every industry as evidenced by recent data breaches.

My next post will analyze the proposed regulatory actions and requirements NYDFS is considering for financial institutions and insurers.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

Fox Partner and Chair of the Privacy and Data Security Practice Scott L. Vernick was a guest on Fox Business’ “The O’Reilly Factor” and “After the Bell” on February 17, 2016, to discuss the controversy between Apple and the FBI over device encryption.

A federal court recently ordered Apple to write new software to unlock the iPhone used by one of the shooters in the San Bernardino attacks in December. Apple CEO Tim Cook has vowed to fight the court order.

The Federal Government vs. Apple (The O’Reilly Factor, 02/17/16)

Apple’s Privacy Battle With the Federal Government (After the Bell, 02/17/16)

 

 

 

The White House is building on recent laws addressing cybersecurity in the United States with the release of a new Cybersecurity National Action Plan (“CNAP”). The plan focuses on:

  • improving cybersecurity awareness and protections;
  • additional privacy and security protections for individuals through the creation of a permanent Federal Privacy Council;
  • maintenance of public safety, economic security and national security through a new Commission on Enhancing National Security; and
  • encouraging citizens to take better control of their digital information and security.

CNAP includes a request to Congress to invest over $19 billion for the 2017 Fiscal Year Budget, which is a 35% increase to resources allocated to cybersecurity during FY 2016.

The plan is highlighted by a new Commission on Enhancing National Security (“Commission”). The Commission will be comprised of top technical, strategic, and business advisors in the private sector chosen by bipartisan Congressional leadership.  It will make detailed recommendations to improve cybersecurity awareness both inside and outside the government.  The Commission will also make specific findings about improving national security and empowering citizens to better handle their digital security.  These recommendations and findings must be reported to the President before the end of this year.

The White House looks to make significant improvements in government cybersecurity as part of a $3.1 billion Information Technology Modernization Fund, which will allow agencies to modernize outdated IT infrastructure, networks and systems. A new Federal Chief Information Security Officer will be solely dedicated to developing, managing, and coordinating cybersecurity policies, strategies and operations in the federal government.  The Department of Homeland Security will have new federal civilian cyber defense teams to protect associated networks, systems and data.  The plan also calls for disrupting cyberattacks and improving cyber incident response.

CNAP’s concern for citizens’ privacy and security is reflected in an Executive Order making the Federal Privacy Council permanent. Privacy officials from across the government will help ensure that more strategic and comprehensive federal privacy guidelines are implemented.  The Administration wants citizens to leverage multiple layers of authentication when logging into online accounts instead of just a password. Extra factors like a fingerprint or a single use code via text message are ways to improve online security. The federal government is accelerating adoption of this approach for citizen-to-government digital services, such as tax and health benefit information.  The White House’s new milestones for the 2014 BuySecure Initiative will build upon the already 2.5 million issued Chip-and-PIN payment cards.

Research and development will continue to be a focus with a new Federal Cybersecurity Research and Development Strategic Plan. The strategic plan outlines research and development goals so that U.S. can advance cybersecurity technologies.  CNAP further mentions working with the Linux Foundation’s Core Infrastructure Initiative to maintain and improve internet infrastructure.

——–

Randall J. Collins is a law clerk in Fox Rothschild’s Philadelphia office.

The “new age” of internet and dispersed private data is not so new anymore but that doesn’t mean the law has caught up.  A few years ago, plaintiffs’ cases naming defendants like Google, Apple, and Facebook were at an all-time high but now, plaintiffs firms aren’t interested anymore.  According to a report in The Recorder, a San Francisco based legal newspaper, privacy lawsuits against these three digital behemoths have dropped from upwards of thirty cases in the Northern District of California i 2012 to less than five in 2015.   Although some have succeeded monumentally—with Facebook writing a $20 million check to settle a case over the fact that it was using users’ images without their permission on its “sponsored stories” section—this type of payout is not the majority.  One of the issues is that much of the law in this arena hasn’t developed yet.  Since there is no federal privacy law directly pertaining to the digital realm, many complaints depend on old laws like the Electronic Communications Privacy Act and Stored Communications Act (1986) as well as the Video Privacy Protection Act (1988).  The internet and its capacities was likely not the target of these laws—instead they were meant to prohibit such behavior as tapping a neighbor’s phone or collecting someone’s videotape rental history.

Further, it seems unavoidable now to have personal data somewhere somehow.  Privacy lawsuits attempting to become class actions have a difficulty in succeeding in a similar way that data breach class actions do: the plaintiffs face the challenge of proving concrete harms.  In a case later this year, Spokeo v. Robins, the Supreme Court may change this area of law because it will decide whether an unemployed plaintiff can sue Spokeo for violating the Fair Credits Reporting Act because Spokeo stated that he was wealthy and held a graduate degree.  The issue will turn on proving actual harm.  Companies that deal with private information on a consistent basis should protect themselves by developing privacy policies that, at the very least, may limit their liability.   The reality is that data is everywhere and businesses will constantly be finding creative and profitable ways to use it.

To keep up with the Spokeo v. Robins case, check out the SCOTUSblog here.

http://www.scotusblog.com/case-files/cases/spokeo-inc-v-robins/

New innovations come hand in hand with new privacy issues.  Privacy policies may seem like a last minute add-on to some app developers but they are actually an important aspect of an app.  Data breaches are an imminent risk and a business’s first defense to potential problems is a privacy policy.

Fordham University in New York hosted its Ninth Law and Information Society Symposium last week where policy and technology leaders came together to discuss current privacy pitfalls and solutions.  Joanne McNabb, the California attorney general’s privacy education director and a leader in policies affecting the privacy agreements of companies such as Google and Apple, emphasized in a panel that she “wants to make the case for the unread privacy policy.”  She noted that the policy mainly promotes “governance and accountability [and] it forces an organization to be aware of their data practices to some degree, express them and then therefore to stand behind them.”  The privacy policy still matters because it protects businesses from the risks associated with having a high level of data. It is especially necessary for those businesses that depend solely on private information because they are at a higher risk of breach.

The FTC (Federal Trade Commission) has suggested using an approach called “Privacy By Design” which is a method of imbedding privacy protections into the infrastructure of the app.  This approach removes the concern of implementing privacy policies post-development. Another method of simplifying the privacy policy is the alert prompt that some apps have employed to consistently give consumers notice of when and where their information is used. McNabb and her fellow panelists found this method of “short, timely notices” helpful in closing the gap between the unread privacy policies and the claimed “surprise” of consumers who blame an app for the dissemination of information.

As the industry moves forward, privacy will become an even greater part of the equation. Whether a privacy policy is read is insignificant. The protections it puts in place for all parties involved are crucial. As apps and technologies become more connected to the private preferences of consumers, businesses with a leg up on privacy protections will thrive against the backdrop of those who view privacy as a second tier requirement.

For more information on “Privacy By Design” click here.