Data Security Breach Response

Venerable insurer Lloyd’s of London says a global cyber attack on a major provider of cloud services could carry costs of up to $53 billion, reports Data Breach Today.

That’s a hefty price tag that explains the rising demand for cyber insurance. It also sheds light on why insurers are proceeding extremely carefully. The costs of a major data breach can be significant and difficult to predict.

To help define the level of exposure, Lloyd’s worked with cyber consultant Cyence to produce a new report that outlines the direct economic costs of two types of global cyber attacks and estimates the portion of the loss in each scenario that would covered by insurance. In the case of a cloud services attack, only 17 percent of the loss would be insured, Lloyd’s estimates. In the case of a global attack exploiting a software vulnerability, only 7 percent of the estimated loss of up to $28 billion would be assured.

Analysts estimate the cyber insurance market is worth up to $3.5 billion today and could grow to $7.5 billion by 2020.

Cybersecurity workforce
Copyright: Tawatdchai Muelae / 123RF Stock Photo

Cybersecurity positions are increasingly difficult to fill and the long-term prospects for the industry don’t appear to be getting any brighter, Ericka Chickowski warns at the blog DARKReading. More than 25 percent of organizations take six months or longer to fill priority positions, she reports in “Desperately Seeking Security: 6 Skills Most In Demand.”

By 2022, Chickowski notes, there will be a global shortfall of cybersecurity workers of 1.8 million people, according to the Global Information Security Workforce Study conducted by Frost & Sullivan.

Read more at DARKReading

Yesterday, a massive ransomware attack now known as “Petya” spread across the globe in a similar fashion to the WannaCry cyberattack in May. In an Alert today, Fox Chief Privacy Officer and Partner Mark McCreary breaks down what we know about the attack, how to address it if your organization falls victim to it, and how to minimize the risks of future attacks:

Yesterday’s worldwide cyberattack once again exploited a vulnerability that has been known to experts for many months. These attacks are sure to continue and the best defense is knowledge. Awareness of how malware works and employee training to avoid the human error that may trigger an infection can prevent your organization from becoming a victim.

This latest ransomware variant, referred to as “Petya,” is similar in many respects to the “WannaCry” ransomware that affected hundreds of thousands of computers in mid-May, using the same Eternal Blue exploit to infect computers. The purpose of this Alert is to provide you some information believed or known at this time.

How Is a Computer Infected?

Experts believe the Petya malware is delivered in a Word document attached to an email. Once initiated by opening the Microsoft Word document, an unprotected computer becomes infected and the entire hard drive on that computer is encrypted by the program. This is notably different from WannaCry, which encrypted only files.

Once Petya is initiated, it begins seeking other unprotected computers in the same network to infect. It is not necessary to open the infected Microsoft Word document on each computer. An infection can occur by the malware spreading through a network environment.

To read Mark’s full discussion of the Petya attack, please visit the Fox Rothschild website.

Mark also notes that “I continue to stress to clients that in addition to hardening your IT resources, the absolute best thing your business can do is train employees how to detect and avoid malware and phishing.  In-person, annual privacy and security training is the best way to accomplish this.”

On June 14, Fox Partner Scott Vernick appeared on live-streaming financial news network Cheddar to provide background information on the European Union’s General Data Protection Regulation, which goes into effect on May 25, 2018. To comply with the new privacy rules, companies that provide online services to residents of the EU will be required to obtain documented “hard consent” from customers before processing and storing their data. For many American companies, this is a significant shift.

Scott L. Vernick, Partner, Fox Rothschild LLPScott outlines the high stakes for companies affected by the GDPR, in the form of a fine for failure to comply of four percent of their worldwide annual turnover (i.e., gross revenue). He also discusses the potential impact on EU-based user experience, and notes that companies will need to account for changes to the GDPR allowed within specific member countries.

We invite you to watch Scott’s informative segment.

Yesterday we witnessed new ransomware spread across the world with incredible speed and success, bringing businesses to their knees and home users learning for the first time about ransomware and why computer backups are so important.

With over 123,000 computers infected, experts believe the “WannaCrypt/WannaCry/WCry” attacks have stopped after researchers registered a domain that the software checks before encrypting.  However, nothing is stopping someone from revising the software to not require that check and releasing it into the wild.  In other words, do not expect the infections to stop.

To battle the malicious software, Microsoft took the highly unusual step of issuing updates for versions of Windows that have reached their end of life and otherwise are not supported (e.g., Windows XP, Windows 8, and Windows Server 2003).  WannaCrypt/WannaCry/WCry did not even try to target Windows 10 machines, but that does not mean Windows 10 machines cannot be affected and encrypted by the ransomeware.  The blog describing Microsoft’s efforts can be found here and is worth reading.  Although your business may normally take a wait and see approach to software updates to avoid conflicts with other programs, this is a situation you should fast track that process.

If there is any silver lining here, it is that it may lead to more organizations to focus harder on computer security and efforts to battle malicious attacks similar to WannaCrypt/WannaCry/WCry.  Having seen first hand from clients the panic and feeling of helplessness caused by WannaCrypt/WannaCry/WCry in mere hours, it seems likely that companies are starting to better understand the risk, loss of productivity and costs that can be associated with a ransomware attack.

Below is a screenshot of the WannaCrypt/WannaCry/WCry software on an infected machine.  (Note the financial aid offer in the last line of the “Can I Recover My Files?” paragraph.  The bad guys must have a public relations firm!)

wannacrypt

With tax season in full swing, a different season is impacting businesses across all industries: “phishing season.”

Phishing scams
Copyright: fberti / 123RF Stock Photo

“Phishing” or “spear phishing” refers to cyberattack scams that target certain individuals within an organization with the hope of gaining access to valuable information.

These scams take advantage of the busy tax season, the desire to promptly respond to purported upper management and social engineering employees in order to target and trick only employees with immediate access to sensitive employee data. These scams have spread to a variety of for-profit sectors and even nonprofits and school districts.

Spear phishing attacks are virtual traps set up by criminals who, in this case, send emails to employees that appear to come from actual upper management. Typically, they are well-written and look authentic. Usually, there is some explanation or pressing reason offered for why personal information is required. The targets have increasingly become payroll and human resources personnel with the goal of stealing employees’ W-2 information during tax season.

Roughly 100 businesses with more than 125,000 employees were victims of phishing scams last year. This year has already seen a dramatic increase in phishing scams, as approximately 80 businesses have already been targeted during tax season. These are only the businesses that reported phishing scams, and the real number is certainly dramatically larger.

The IRS has previously stated that tax season is likely partly responsible for this surge in phishing emails. Last year, the IRS issued an alert to payroll and human resources professionals about emails purporting to be from company executives requesting employees’ personal information.

“Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS bulleted some of the requests contained in these fake emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

No organization is immune during phishing season. Last year a large social media provider issued an apology and offered two years of identity theft insurance and monitoring after one of its workers inadvertently released sensitive company payroll information to a criminal. The unidentified employee opened an email that appeared to be from the victim company’s CEO. Although none of the company’s internal systems were breached and no user information was compromised, hundreds of employees had their personal information exposed to the public.

The FBI has also warned the public and has published suggestions to avoid becoming a victim during phishing season, including:

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email — that’s usually phony as well).
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an email. Always enter the URL manually.
  • Don’t be fooled (especially today) by the latest scams.

The Minnesota Department of Revenue recently announced its excellent Stop. Connect. Confirm. program. From the Department of Revenue’s announcement:

When a request for private/sensitive information is made, Stop. Connect. Confirm.

  1. Stop – Stop for a moment before complying with the request and sending that information.
  2. Connect – Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to get confirmation of the sender’s identity. The sender may be a criminal who has disguised his or her identity by spoofing your colleague’s email address.
  3. Confirm – Confirm with the executive requesting the information that the request is legitimate.

Businesses can download and print this poster and display it in their human resources and payroll departments to remind employees to Stop. Connect. Confirm. if a request for employee personal information is made.

If your employer notifies you that your W-2 or other personal information has been compromised:

  • Review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit if your tax return is rejected because of a duplicate Social Security number or if instructed to do so by the Internal Revenue Service.

More of these attacks should be expected as tax season, and phishing season, continue, so organizations should be vigilant about ensuring that all employees are aware about phishing scams.

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott L. Vernick, Partner, Fox Rothschild LLPScott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

To register for the event, please visit the Argyle Forum event page.

A recent District of Nevada ruling could cause issues for consumers in data breach class action cases moving forward.  On June 1, 2015, the court ruled that a consumer class action against Zappos.com Inc. could not proceed because the class did not state “instances of actual identity theft or fraud.”  The suit was brought as a result of a 2012 data breach where Zappos’ customers’ personal information was stolen, including names, passwords, addresses, and phone numbers.  Even though the information was stolen, the court dismissed the case because the class could not prove that they had been materially harmed and had no other standing under Article III.

If a data breach has occurred, but the victims cannot claim any harm besides the fear that a hacker has their information, courts have been willing to grant defendants’ motions to dismiss.  The ruling by the District of Nevada court is the most recent decision in a trend to block consumer class actions relating to data breaches.  Many of these recent rulings have been influenced by the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA.  In Clapper, the Supreme Court held that claims of future injury could only satisfy the Article III standing requirement if the injury was “certainly impending” or if there was a “substantial risk” that the harm was going to occur.  Unfortunately for the consumer class in the Zappos’ case this means that unless their stolen information has been used to harm them, the data breach alone is not enough standing to bring a suit.

However, some district courts have been able to find sufficient standing for data breach victims in spite of the Clapper decision.  In Moyer v. Michaels Stores, a district court in the Northern District of Illinois ruled that data breach victims had standing to sue.  The court relied on Pisciotta v. Old National Bancorp, a Seventh Circuit pre-Clapper decision, which held that the injury requirement could be satisfied by an increased risk of identity theft, even if there was no financial loss.  Moyer further distinguished itself from Clapper by explaining that Clapper dealt with national security issues, and not general consumer data breaches.  Other district courts have distinguished their cases from Clapper by holding that Clapper dealt with harm that was too speculative to quantify, while consumer data breach cases deal with the concrete possibility of identity theft.

Although Clapper set the tone for consumer data breach claims, district courts have been divided because of different interpretations in the ruling.  The Supreme Court recently granted certiorari in another Article III standing case, Spokeo Inc. v. Robins Inc., which deals with a private right of action grounded in a violation of a federal statute.  Although it does not directly deal with consumer data breaches, the decision may lead the Supreme Court to expand the standing requirements generally.  Given society’s increasing use of technology and inclination to store personal information electronically, consumer data breach claims will only increase in the future.  The courts’ standing requirements must adapt to meet the changing needs of individuals and businesses alike.

With 2013 being dubbed as the “Year of the Mega Breach” it comes as no surprise that the Federal Trade Commission (“FTC”), on June 30, 2015 published “Start with Security: A Guide for Businesses” to educate and inform businesses on protecting their data.  The FTC is tasked with protecting consumers from “unfair” and “deceptive” business practices and with data breaches on the rise, it has come to take that job much more seriously.  The lessons in the guide are meant to aid businesses in their practices of protecting data and the FTC cites to real examples of its data breach settlement cases to help companies understand each lesson and the real world consequences that some companies have faced.  Here are the lesson headlines:

  1. 1. Start with security;
  2. 2. Control access to data sensibly;
  3. 3. Require secure passwords and authentication;
  4. 4. Store sensitive personal information securely and protect it during transmission;
  5. 5. Segment networks and monitor anyone trying to get in and out of them;
  6. 6. Secure remote network access;
  7. 7. Apply sound security practices when developing new products that collect personal information;
  8. 8. Ensure that service providers implement reasonable security measures;
  9. 9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and
  10. 10. Secure paper, physical media and devices that contain personal information.

  Katherine McCarron, the Bureau of Consumer Protection attorney, explained that the Bureau “look[s] at a company’s security procedures and determine[s] whether they are reasonable and appropriate in light of all the circumstances” when evaluating an organization’s conduct.  It is likely that this guide will become the FTC’s road map for handling future enforcement actions and will help businesses to remain on the safe side of the data breach fence.

Whether you run a mom and pop shop or a multi-million dollar company, this guide is a must-read for any business that processes personal information.

Start reading here.

https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

After a Cyberattack

This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs.  This post will focus on what a business should not do after a cyberattack.  Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.

Do Not Search Through the Network

Once a cyberattack has been identified, most individuals may feel compelled to immediately examine their network and search through all of their system’s files.  This sudden reaction can cause further damage and may result in a total system failure.  Some hackers rely on the natural inclination to examine a network in order to cause more destruction.  They may install dormant malware that is triggered after an authorized user accesses the network to survey the damage.  If the hackers are monitoring the network after the attack, they may also be able to steal additional information such as passwords and usernames if individuals attempt to log on.

The better option is to immediately suspend all use of the network and commence the action plan.  By limiting network activity, a business may be able to contain the attack and safeguard unaffected systems.  Furthermore, suspending the network will help preserve evidence of the attack for law enforcement officials.  As a last resort, a business should be prepared to shut its entire system down in order to contain the attack if it is still active.

Do Not Release Information to Unconfirmed Parties

After a cyberattack, a business should be very careful to only communicate information to credible sources.  Some hackers will pose as law enforcement officials and send inquiring messages to the business after the attack.  These messages are sent in an attempt to gain information from the business.  The hackers may use this information to launch a second cyberattack on the already damaged network.  All communication should be via the telephone or in person if possible.  It is important that a business designate one individual to communicate on behalf of the business.  This individual should not share information with anyone until he or she has confirmed the identity of the other party.

Do Not Attempt to Retaliate Against Other Networks

If a business is able to determine the source of the cyberattack, it may be tempted to retaliate with cyber warfare against the source.  Not only is this tactic illegal under U.S. and foreign cybersecurity laws, but it may also cause further damage to a business’ system or provoke a second attack.  Additionally, many cyberattacks originate from innocent networks that have previously been hacked.  Retaliation against these networks would only hurt a previous victim and would not impact the hackers.  Remaining calm and following the action plan is always the best course of action after a business has been impacted by a cyberattack.