Data Security Breach Response

With tax season in full swing, a different season is impacting businesses across all industries: “phishing season.”


“Phishing” or “spear phishing” refers to cyberattack scams that target certain individuals within an organization with the hope of gaining access to valuable information.

These scams take advantage of the busy tax season and the desire to respond promptly to what appears to be upper management, and use social engineering to target and trick only those employees who have immediate access to sensitive employee data. These scams have spread across for-profit sectors and even to nonprofits and school districts.

Spear phishing attacks are virtual traps set up by criminals who, in this case, send emails to employees that appear to come from actual upper management. Typically, they are well-written and look authentic. Usually, there is some explanation or pressing reason offered for why personal information is required. The targets have increasingly become payroll and human resources personnel with the goal of stealing employees’ W-2 information during tax season.

Roughly 100 businesses with more than 125,000 employees were victims of phishing scams last year. This year has already seen a dramatic increase in phishing scams, as approximately 80 businesses have already been targeted during tax season. These are only the businesses that reported phishing scams, and the real number is certainly dramatically larger.

The IRS has previously stated that tax season is likely partly responsible for this surge in phishing emails. Last year, the IRS issued an alert to payroll and human resources professionals about emails purporting to be from company executives requesting employees’ personal information.

“Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS bulleted some of the requests contained in these fake emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

No organization is immune during phishing season. Last year a large social media provider issued an apology and offered two years of identity theft insurance and monitoring after one of its workers inadvertently released sensitive company payroll information to a criminal. The unidentified employee opened an email that appeared to be from the victim company’s CEO. Although none of the company’s internal systems were breached and no user information was compromised, hundreds of employees had their personal information exposed to the public.

The FBI has also warned the public and has published suggestions to avoid becoming a victim during phishing season, including:

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email — that’s usually phony as well).
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an email. Always enter the URL manually.
  • Don’t be fooled (especially today) by the latest scams.

The Minnesota Department of Revenue recently announced its excellent Stop. Connect. Confirm. program. From the Department of Revenue’s announcement:

When a request for private/sensitive information is made, Stop. Connect. Confirm.

  1. Stop – Stop for a moment before complying with the request and sending that information.
  2. Connect – Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to get confirmation of the sender’s identity. The sender may be a criminal who has disguised his or her identity by spoofing your colleague’s email address.
  3. Confirm – Confirm with the executive requesting the information that the request is legitimate.

Businesses can download and print this poster and display it in their human resources and payroll departments to remind employees to Stop. Connect. Confirm. if a request for employee personal information is made.
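The IRS-quoted requests above and the Stop. Connect. Confirm. steps describe two tells that can also be checked automatically before a message ever reaches payroll: the sender's identity does not match the name it claims (a spoofed or lookalike address, or a Reply-To that redirects the answer), and the body asks for employee data such as W-2s or Social Security numbers. The following Python detector, added here as an illustration and not part of the post, the IRS bulletin or the Minnesota program, applies both tests to a few constructed sample messages. The executive directory, the domain names and the phrase list are assumptions; a real deployment would load them from the organization's own directory.

```python
import re
from email.utils import parseaddr

# Constructed directory of executives whose names are likely to be borrowed
# (assumed values; the post names no organization or individual).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases drawn from the IRS-quoted requests above; matched case-insensitively.
SENSITIVE_PATTERNS = [
    r"\bw-?2\b",
    r"social security number",
    r"\bssn\b",
    r"wage and tax statement",
    r"list of employees",
    r"date of birth",
]


def analyze_message(headers, body):
    """Return the list of reasons this message looks like a W-2 phishing attempt."""
    reasons = []
    display_name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    known = EXECUTIVES.get(display_name.strip().lower())

    # Identity checks: an executive's display name on an address that is not
    # theirs, or a Reply-To that silently redirects the answer elsewhere.
    if known and addr != known:
        reasons.append(f"identity: display name '{display_name}' but sender is {addr}")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"identity: Reply-To {reply_to.lower()} differs from From")

    # Content check: does the message ask for the kind of data the IRS warned about?
    text = (headers.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in SENSITIVE_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append("content: requests " + ", ".join(hits))
    return reasons


def is_suspect(reasons):
    """Flag only when an identity anomaly coincides with a sensitive-data request,
    so a genuine W-2 reminder from the executive's real address is not flagged."""
    has_identity = any(r.startswith("identity:") for r in reasons)
    has_content = any(r.startswith("content:") for r in reasons)
    return has_identity and has_content


# Constructed sample messages (not real traffic); the second borrows the wording
# of the first IRS-quoted request.
SAMPLE_MESSAGES = [
    ({"From": "Jane Doe <jane.doe@example.com>", "Subject": "Q1 budget deck"},
     "Please send me the Q1 budget deck before Friday."),
    ({"From": "Jane Doe <jane.doe@example-corp-mail.com>",
      "Reply-To": "Jane Doe <ceo.jdoe@webmail.example.net>",
      "Subject": "Quick request"},
     "Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all "
     "W-2 of our company staff for a quick review."),
    ({"From": "Jane Doe <jane.doe@example.com>", "Subject": "W-2 timing"},
     "Reminder: payroll will mail W-2 forms by January 31. No action needed."),
]


def triage(messages=SAMPLE_MESSAGES):
    """Map each subject to (suspect?, reasons) so a mail gateway or SOC can act on it."""
    result = {}
    for headers, body in messages:
        reasons = analyze_message(headers, body)
        result[headers["Subject"]] = (is_suspect(reasons), reasons)
    return result


if __name__ == "__main__":
    for subject, (suspect, reasons) in triage().items():
        print(("SUSPECT " if suspect else "ok      ") + subject, reasons)
```

The third sample shows why the two signals are combined rather than used alone: a legitimate executive message that merely mentions W-2 forms produces a content hit but no identity anomaly, and is left alone. Anything flagged is a candidate for the Connect and Confirm steps, not an automatic verdict.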

If your employer notifies you that your W-2 or other personal information has been compromised:

  • Review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit if your tax return is rejected because of a duplicate Social Security number or if instructed to do so by the Internal Revenue Service.

More of these attacks should be expected as tax season, and phishing season, continue, so organizations should be vigilant about ensuring that all employees are aware about phishing scams.

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott L. Vernick, Partner, Fox Rothschild LLP

Scott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

To register for the event, please visit the Argyle Forum event page.

A recent District of Nevada ruling could cause issues for consumers in data breach class action cases moving forward.  On June 1, 2015, the court ruled that a consumer class action against Zappos.com Inc. could not proceed because the class did not state “instances of actual identity theft or fraud.”  The suit was brought as a result of a 2012 data breach where Zappos’ customers’ personal information was stolen, including names, passwords, addresses, and phone numbers.  Even though the information was stolen, the court dismissed the case because the class could not prove that they had been materially harmed and had no other standing under Article III.

If a data breach has occurred, but the victims cannot claim any harm besides the fear that a hacker has their information, courts have been willing to grant defendants’ motions to dismiss.  The ruling by the District of Nevada court is the most recent decision in a trend to block consumer class actions relating to data breaches.  Many of these recent rulings have been influenced by the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA.  In Clapper, the Supreme Court held that claims of future injury could only satisfy the Article III standing requirement if the injury was “certainly impending” or if there was a “substantial risk” that the harm was going to occur.  Unfortunately for the consumer class in the Zappos’ case this means that unless their stolen information has been used to harm them, the data breach alone is not enough standing to bring a suit.

However, some district courts have been able to find sufficient standing for data breach victims in spite of the Clapper decision.  In Moyer v. Michaels Stores, a district court in the Northern District of Illinois ruled that data breach victims had standing to sue.  The court relied on Pisciotta v. Old National Bancorp, a Seventh Circuit pre-Clapper decision, which held that the injury requirement could be satisfied by an increased risk of identity theft, even if there was no financial loss.  Moyer further distinguished itself from Clapper by explaining that Clapper dealt with national security issues, and not general consumer data breaches.  Other district courts have distinguished their cases from Clapper by holding that Clapper dealt with harm that was too speculative to quantify, while consumer data breach cases deal with the concrete possibility of identity theft.

Although Clapper set the tone for consumer data breach claims, district courts have been divided because of different interpretations in the ruling.  The Supreme Court recently granted certiorari in another Article III standing case, Spokeo Inc. v. Robins Inc., which deals with a private right of action grounded in a violation of a federal statute.  Although it does not directly deal with consumer data breaches, the decision may lead the Supreme Court to expand the standing requirements generally.  Given society’s increasing use of technology and inclination to store personal information electronically, consumer data breach claims will only increase in the future.  The courts’ standing requirements must adapt to meet the changing needs of individuals and businesses alike.

With 2013 being dubbed as the “Year of the Mega Breach” it comes as no surprise that the Federal Trade Commission (“FTC”), on June 30, 2015 published “Start with Security: A Guide for Businesses” to educate and inform businesses on protecting their data.  The FTC is tasked with protecting consumers from “unfair” and “deceptive” business practices and with data breaches on the rise, it has come to take that job much more seriously.  The lessons in the guide are meant to aid businesses in their practices of protecting data and the FTC cites to real examples of its data breach settlement cases to help companies understand each lesson and the real world consequences that some companies have faced.  Here are the lesson headlines:

  1. Start with security;
  2. Control access to data sensibly;
  3. Require secure passwords and authentication;
  4. Store sensitive personal information securely and protect it during transmission;
  5. Segment networks and monitor anyone trying to get in and out of them;
  6. Secure remote network access;
  7. Apply sound security practices when developing new products that collect personal information;
  8. Ensure that service providers implement reasonable security measures;
  9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and
  10. Secure paper, physical media and devices that contain personal information.

Katherine McCarron, the Bureau of Consumer Protection attorney, explained that the Bureau “look[s] at a company’s security procedures and determine[s] whether they are reasonable and appropriate in light of all the circumstances” when evaluating an organization’s conduct.  It is likely that this guide will become the FTC’s road map for handling future enforcement actions and will help businesses to remain on the safe side of the data breach fence.

Whether you run a mom and pop shop or a multi-million dollar company, this guide is a must-read for any business that processes personal information.

Start reading here.

https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business

After a Cyberattack

This blog post is the sixth and final entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the individuals and organizations that should be notified once a cyberattack occurs.  This post will focus on what a business should not do after a cyberattack.  Key points include (1) not using the network, (2) not sharing information with unconfirmed parties, and (3) not attempting to retaliate against a different network.

Do Not Search Through the Network

Once a cyberattack has been identified, most individuals may feel compelled to immediately examine their network and search through all of their system’s files.  This sudden reaction can cause further damage and may result in a total system failure.  Some hackers rely on the natural inclination to examine a network in order to cause more destruction.  They may install dormant malware that is triggered after an authorized user accesses the network to survey the damage.  If the hackers are monitoring the network after the attack, they may also be able to steal additional information such as passwords and usernames if individuals attempt to log on.

The better option is to immediately suspend all use of the network and commence the action plan.  By limiting network activity, a business may be able to contain the attack and safeguard unaffected systems.  Furthermore, suspending the network will help preserve evidence of the attack for law enforcement officials.  As a last resort, a business should be prepared to shut its entire system down in order to contain the attack if it is still active.

Do Not Release Information to Unconfirmed Parties

After a cyberattack, a business should be very careful to only communicate information to credible sources.  Some hackers will pose as law enforcement officials and send inquiring messages to the business after the attack.  These messages are sent in an attempt to gain information from the business.  The hackers may use this information to launch a second cyberattack on the already damaged network.  All communication should be via the telephone or in person if possible.  It is important that a business designate one individual to communicate on behalf of the business.  This individual should not share information with anyone until he or she has confirmed the identity of the other party.

Do Not Attempt to Retaliate Against Other Networks

If a business is able to determine the source of the cyberattack, it may be tempted to retaliate with cyber warfare against the source.  Not only is this tactic illegal under U.S. and foreign cybersecurity laws, but it may also cause further damage to a business’ system or provoke a second attack.  Additionally, many cyberattacks originate from innocent networks that have previously been hacked.  Retaliation against these networks would only hurt a previous victim and would not impact the hackers.  Remaining calm and following the action plan is always the best course of action after a business has been impacted by a cyberattack.

Notification

This blog post is the fifth entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the important steps that a business should take to preserve evidence and information once a cyberattack has been identified.  This post will discuss the individuals and organizations that should be notified once a cyberattack occurs.  The four most important groups to contact are (1) individuals within the business, (2) law enforcement officials, (3) the Department of Homeland Security, and (4) other possible victims.

Individuals within the Business

A business’ Response Plan should list the specific employees to be contacted once a business has been attacked.  These employees normally include the senior executives, information technology officers, public affairs officials, and a business’ legal counsel.  Multiple methods of communication for each employee, including cell phone numbers, home phone numbers, and personal email addresses, should be listed in the Response Plan.  These critically important individuals should be contacted at the first sign of a cyber incident.

Law Enforcement Officials

Law enforcement officials should be contacted once a business suspects that its cyber incident is a result of criminal activity.  A business should not hesitate to contact law enforcement even if it fears that its business operations will be disrupted.  Both the FBI and the U.S. Secret Service prioritize their ability to work around a business’ normal operations when conducting an investigation.  These government organizations will work with a business to ensure that sensitive information is not released and that the business’ reputation is not unnecessarily tarnished.  Both groups will help the company release a press statement and decide what information is necessary to disclose to shareholders.  In addition, law enforcement officials are able to receive support from international counterparts in order to track stolen data around the globe.

The Department of Homeland Security

The National Cybersecurity & Communications Integration Center (NCCIC) is a branch of the Department of Homeland Security that provides continuous updates on cyber incidents, cybersecurity information, and recovery efforts.  By alerting the NCCIC to a cyber incident, a business is able to share and receive information that may be beneficial in its recovery efforts.  A business should keep in regular contact with the NCCIC, even if it is not experiencing a cyber incident, in order to stay alert to the latest trends in cyberattacks.

Other Potential Victims

After a business discovers a cyberattack it should alert other businesses in its network because they are potential victims.  Cyberattacks often use network communications between businesses to spread malware and disrupt work flow.  Notifying other businesses may allow them to take preventative measures and insulate themselves from possible attacks.  If a business does not feel comfortable contacting other potential victims it should communicate through law enforcement officials.  Victims may also be able to share information to assist each other in managing the cyber incident and discovering the source of the cyberattack.

The next blog post will discuss what a business should not do after a cyberattack and how a business should begin to recover.

Preservation of Evidence

This blog post is the fourth entry of a six-part series discussing the best practices relating to cyber security.  The previous post discussed the initial steps that a business should take once a cyberattack has been identified.  This post will discuss further steps that a business should take after an attack.

Preservation is critical when responding to a cyberattack: the more evidence a business is able to preserve, the greater the chance that it will be able to determine how its system was hacked.  “Forensic imaging” is a useful way to preserve a system because it produces an exact copy of a computer’s hard disk.  A forensic image will capture all of the deleted files, the system’s files, and any other information that may be necessary for a detailed analysis of the attack.

After the necessary information and evidence of an attack has been preserved, the business should begin to transfer its information onto a clean system.  It is important to ensure that the new data is completely free of any impacted documents when transferring information.  The business should write-protect the transferred data to ensure that it cannot be altered by other corrupted documents.  In order to maintain the authenticity of the documents, access to them should be restricted and a chain of custody should be used.

All personnel involved with the response to the attack should keep detailed records of their actions.  This will not only help when modifying the Response Plan in the future, but may also be useful for law enforcement during its investigation.  Preferably, one employee should be in charge of coordinating and maintaining each individual’s information.  This ensures organization and continuity between employees’ responsibilities.  Important information to record includes (1) a description of all incident-related events, (2) details of all communications regarding the incident, (3) a description of each employee’s duties in response to the attack, (4) a listing of how each network system was impacted by the cyberattack, and (5) the version of software on the network.
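The three preservation ideas in the paragraphs above (an exact image, write-protection, and a chain of custody with a record of every action) fit together naturally in one small tool. The Python script below is an added example, not from the post, that images a source, proves the copy is faithful by comparing SHA-256 hashes, marks the image read-only, and appends a timestamped custody entry for every acquisition and every later verification. It assumes a plain file standing in for the disk; imaging a real device also needs a write blocker and a tool such as dd or a forensic acquisition suite, but the verification and custody logic is the same. All names, paths and sample contents are constructed.

```python
import hashlib
import json
import os
import stat
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large images never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def log_custody(record, person, action):
    """Append one chain-of-custody entry: who did what to the image, and when (UTC)."""
    record["custody"].append({
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "person": person,
        "action": action,
    })


def acquire_image(source, dest_dir, examiner):
    """Copy the source byte-for-byte, prove the copy matches by hash, write-protect it,
    open the custody record and save a manifest beside the image."""
    source, dest_dir = Path(source), Path(dest_dir)
    image = dest_dir / (source.name + ".img")
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    source_hash = sha256_file(source)
    image_hash = sha256_file(image)
    if source_hash != image_hash:
        raise RuntimeError("acquired image does not match source")
    os.chmod(image, stat.S_IRUSR | stat.S_IRGRP)  # write-protect the evidence copy
    record = {"source": str(source), "image": str(image),
              "sha256": image_hash, "custody": []}
    log_custody(record, examiner, "acquired and write-protected image")
    (dest_dir / (image.name + ".manifest.json")).write_text(json.dumps(record, indent=2))
    return record


def verify_image(record, person):
    """Re-hash the image; the check itself becomes a custody event, pass or fail."""
    ok = sha256_file(record["image"]) == record["sha256"]
    log_custody(record, person, "verified hash: " + ("match" if ok else "MISMATCH"))
    return ok


def run_demo():
    """Constructed scenario: a small file stands in for the disk. Returns
    (verification right after acquisition, verification after tampering,
    number of custody entries)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "workstation-07.raw"  # constructed stand-in for a disk
        evidence.write_bytes(b"MBR\x00" * 4096 + b"payroll_2015.xlsx still on disk")
        record = acquire_image(evidence, tmp, examiner="analyst-1")
        before = verify_image(record, "analyst-1")
        # Someone removes the write-protection and alters the image by one byte.
        os.chmod(record["image"], stat.S_IRUSR | stat.S_IWUSR)
        with open(record["image"], "ab") as f:
            f.write(b"\x00")
        after = verify_image(record, "analyst-2")
        return before, after, len(record["custody"])


if __name__ == "__main__":
    print(run_demo())
```

The tampering step in the demo is the reason the hash is recorded at acquisition time and never recomputed from the image alone: a single appended byte is enough to fail verification, and the failed check is itself written into the custody record, which is the trail law enforcement and counsel will later ask for.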

If an attack is continuous, like a worm circulating through the network, a business should attempt to record the attack’s actions.  A business may be able to use network monitoring devices, like a “sniffer,” to intercept and note communications between the cyberattack and the business’ servers.  This type of monitoring is usually lawful if it is done to protect the business’ property or if network users have previously given consent.  However, a business should consult its legal counsel if it plans to engage in this type of monitoring because it may implicate the Wiretap Act or impact the business’ employment agreements.  A business should also ensure that it has enabled logging on an impacted server if it has not previously done so.  Finally, increasing the default size of the log files can help to prevent data loss and defeat the cyberattack.

The following blog post will discuss which individuals and organizations a business should contact after a cyberattack.

Executing a Response Plan

This blog post is the third installment of a six-part series discussing the best practices relating to cyber security.  The first two blog posts discussed the best practices for preparing a business in case of a cyberattack.  This post will discuss the initial steps that a business should take after a cyberattack occurs.

Once an employee discovers a cyber incident, the business should immediately assess the nature and range of the situation.  It is important to determine whether the disruption is a purposeful cyberattack or a system accident.  This determination will assist a business in executing the appropriate Response Plan.  If the incident is a malicious cyberattack, the business may need to disengage its entire system and shut down its technological operations.  If the incident is a product of faulty software, the business may be able to take less extreme measures.

Gathering the correct information as quickly as possible will not only help defend the system from additional attacks, but also provide law enforcement with information to begin its investigation.  The system administrator should survey the network to determine which computer systems were impacted, where the incident originated, and what malware may have been installed on the network.  Additional information concerning which users were logged onto the network and which programs were running on the network is also useful in determining the source of the attack.

During the initial assessment it is important to determine if data was exported from the system.  The data trail may illustrate the possible motive behind the attack and where it could strike next.  If a business can identify other networks that are impacted by the attack it should alert those networks’ administrators.  This may help to weaken the attack and increase the chance of retrieving stolen data.

After the initial assessment is complete, the business may need to employ preventative measures in order to stop the loss of data.  Common approaches to prevent additional attacks include (1) redirecting network traffic, (2) segregating all or part of a network, or (3) filtering all messages and communications on the network.  If a specific user or network terminal is identified as being the root of the attack, it should be blocked and disabled immediately.  In more extreme cases, an entire network may need to be shut down if an attack persists.  A business should store backup copies of critical data if its Response Plan calls for the network to be shut down.  This allows the business to continue some operations from a remote network while its main network is disabled.
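The initial assessment described in the paragraphs above asks three concrete questions of the logs: which systems and users were involved, whether data left the network and where it went, and which host to disable first. The Python script below is an added example, not from the post, that answers those questions over a few constructed log lines in a simple key=value format (an assumption; real products have their own formats). It restricts itself to an incident window, totals outbound bytes per host and destination, marks hosts over a threshold for isolation, and lists accounts that logged on to more than one host, which is a starting point for working out where the incident originated.

```python
import re
from collections import defaultdict

# Constructed sample logs (not real traffic) in "timestamp key=value ..." form.
# Timestamps are ISO 8601 UTC, so they compare correctly as plain strings.
LOGON_LOG = """
2015-06-30T18:02:11Z host=srv-db user=admin event=logon src=10.0.1.5
2015-07-01T02:13:05Z host=ws-07 user=jsmith event=logon src=10.0.5.22
2015-07-01T02:13:40Z host=ws-07 user=svc_backup event=logon src=10.0.5.22
2015-07-01T02:15:02Z host=srv-db user=svc_backup event=logon src=10.0.5.22
2015-07-01T02:30:00Z host=ws-12 user=alee event=logon src=10.0.5.31
2015-07-01T02:31:10Z host=ws-12 user=alee event=logoff src=10.0.5.31
"""

EGRESS_LOG = """
2015-07-01T02:20:11Z host=ws-07 dst=203.0.113.9 bytes_out=734003200
2015-07-01T02:41:55Z host=ws-07 dst=203.0.113.9 bytes_out=52000000
2015-07-01T02:42:30Z host=ws-07 dst=198.51.100.4 bytes_out=120000
2015-07-01T03:05:00Z host=ws-12 dst=198.51.100.4 bytes_out=1500000
"""

# Assumed incident window: the first alert came in early on 1 July.
WINDOW = ("2015-07-01T00:00:00Z", "2015-07-01T06:00:00Z")

KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Yield one dict per non-empty line: {'ts': ..., key: value, ...}."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        record = dict(KV.findall(rest))
        record["ts"] = ts
        yield record


def assess(logon_text, egress_text, window, exfil_threshold=100 * 1024 * 1024):
    """Per host, within the window: who logged on, how much data left, where it
    went, and whether the egress volume alone justifies isolating the host."""
    start, end = window
    hosts = defaultdict(lambda: {"users": set(), "bytes_out": 0, "dst": defaultdict(int)})
    for r in parse(logon_text):
        if r.get("event") == "logon" and start <= r["ts"] <= end:
            hosts[r["host"]]["users"].add(r["user"])
    for r in parse(egress_text):
        if start <= r["ts"] <= end:
            n = int(r["bytes_out"])
            hosts[r["host"]]["bytes_out"] += n
            hosts[r["host"]]["dst"][r["dst"]] += n
    report = {}
    for host, h in hosts.items():
        top = max(h["dst"], key=h["dst"].get) if h["dst"] else None
        report[host] = {
            "users": sorted(h["users"]),
            "bytes_out": h["bytes_out"],
            "top_destination": top,
            "isolate": h["bytes_out"] >= exfil_threshold,
        }
    return report


def isolation_list(report):
    """Hosts to block and disable first, per the post's advice on the root of the attack."""
    return sorted(host for host, info in report.items() if info["isolate"])


def shared_accounts(report):
    """Accounts seen logging on to more than one host in the window: a lead on
    where the incident originated and how it spread."""
    seen = defaultdict(set)
    for host, info in report.items():
        for user in info["users"]:
            seen[user].add(host)
    return {user: sorted(h) for user, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    rep = assess(LOGON_LOG, EGRESS_LOG, WINDOW)
    for host, info in sorted(rep.items()):
        print(host, info)
    print("isolate:", isolation_list(rep))
    print("shared accounts:", shared_accounts(rep))
```

On the constructed data, ws-07 pushed roughly 786 MB to a single external address in the window and is the one host marked for isolation, while the svc_backup account appears on both ws-07 and srv-db, which is exactly the kind of detail the post says to record for law enforcement before anything is shut down. The threshold and window are deliberately parameters: they are judgement calls for the responder, not constants.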

It is important that all steps taken to gather information and diminish damages are recorded accurately.  This information will be useful in law enforcement’s efforts to bring criminal charges and for a business’ insurance claims.

The following blog post will discuss the next steps for a business to take once these initial steps are complete.

On July 20, 2015, in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. 2015), the Seventh Circuit held that the United States District Court for the Northern District of Illinois wrongfully dismissed a class action suit brought against Neiman Marcus after hackers stole their customers’ data and debit card information.  The District Court originally dismissed the plaintiffs’ claims because they had not alleged sufficient injury to establish standing.  The District Court based its ruling on a United States Supreme Court decision, Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013), which held that to establish Article III standing, an injury must be “concrete, particularized, and actual or imminent.”

However, the Seventh Circuit clarified that Clapper “does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.”  Rather, “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” are sufficient to confer standing.

In Remijas, the Seventh Circuit explained that there is a reasonable likelihood that the hackers will use the plaintiffs’ information to commit identity theft or credit card fraud.  “Why else would hackers break into a store’s database and steal consumers’ private information?” – the Seventh Circuit asked.  The Seventh Circuit held that the plaintiffs should not have to wait until the hackers commit these crimes to file suit.

The Seventh Circuit also considered that some of the plaintiffs have already paid for credit monitoring services to protect their data, which it held is a concrete injury.  Neiman Marcus also offered one year of credit monitoring services to its customers affected by the breach, which the Seventh Circuit considered an acknowledgment by the company that there was a likelihood that their customers’ information would be used for fraudulent purposes.

Ultimately, this decision may serve to soften the blow dealt by Clapper to data breach plaintiffs.  Specifically, based on this ruling, plaintiffs who have not incurred any fraudulent charges, but have purchased credit monitoring services, or have spent time and money protecting themselves against potential fraud may argue that they have standing.

PREVENTING A CYBERATTACK (Part 2)

This is the second installment in a six-part discussion on the best practices to prevent a cyberattack.  The first part discussed four critical steps to prepare a business in the case of a cyberattack.  These included: (1) identifying the crucial assets and functions of a business, (2) creating a Response Plan, (3) installing the appropriate technology, and (4) obtaining authority for network monitoring.  This article builds on those steps by suggesting further best practices in order to prevent a cyberattack.

5. Align Business Policies with the Response Plan

When an organization creates a Response Plan in the event of a cyberattack, it must ensure that the plan is cohesive with preexisting business policies within the organization.  In order for the Response Plan to be implemented effectively, it cannot clash with any of the business’ standard operating procedures.  For example, if the Response Plan states that whoever discovers the cyberattack must alert the entire organization, but the organization’s policy prevents an employee from emailing the entire company, there is a problem.  By testing the Response Plan, organizations can locate these potential problems before a credible cyberattack occurs.  Another important practice is to suspend the network access of former employees as soon as they are terminated.  This practice guards against the liability of an angry employee seeking revenge via a cyberattack.

6. Ensure Legal Counsel Understands the Legal Response to Cyber Incidents

Cyberattacks create unique legal situations that may be unfamiliar to a business’ legal counsel.  An organization should rely on its legal counsel for assistance in creating its Response Plan.  Legal counsel’s understanding of its client’s Response Plan can save valuable time and resources in the event of a cyberattack.  Legal counsel can instruct a business on its obligations to report breaches to customers, its ability to terminate employees based on cyber incidents, and the privacy concerns associated with network monitoring.  A business should also ensure that its legal counsel understands the possible legal action that it can take, both in the short term and the long term, in the event of a cyberattack.  Legal counsel that is familiar with cyber security laws will be better equipped to immediately assist clients if a cyberattack occurs.

7. Cultivate Relationships with Cyber Incident Information Centers

Access to a network of cyber intrusion news and information can be a valuable resource for a business in order to keep ahead of the latest threats.  Organizations that collect and disseminate cyber security information exist in every market sector and are commonly referred to as ISACs (Information Sharing and Analysis Centers).  A business that is committed to maintaining a strong cyber security network should subscribe to the appropriate ISACs for its market sector.  This will enable the business to prepare for possible threats and share helpful information. Businesses in niche sectors can rely on government created ISAOs (Information Sharing and Analysis Organizations) for their cyber security information.

8. Establish Connections with the Appropriate Authorities

Businesses should establish a working relationship with local law enforcement and cybercrime units before a cyberattack occurs.  Familiarity between law enforcement and a business will allow for a more accurate and efficient response in the event of a cyberattack.  On the federal level, the Federal Bureau of Investigation and the U.S. Secret Service frequently deal with cyberattacks. Each agency has a department that conducts outreach to private businesses. The departments are the FBI’s Cyber Task Force and the Secret Service’s Electronic Crimes Task Force.  A business should contact these agencies to review its Response Plan and seek support prior to a cyberattack.