TK Data Privacy and Cybersecurity Blog

August 06, 2020

Cyber Coverage Considerations

Posted by Shelley Glazer and Brandon King

Cyber attacks are on the rise; this is especially the case during the COVID-19 pandemic. And the stakes are high; Target’s 2013 data breach, for example, gave rise to $248 million in remediation expenses. Of course, Target’s breach isn’t an isolated incident, just ask Sony, Home Depot, Yahoo!, and the World Health Organization. See WHO reports fivefold increase in cyber attacks, urges vigilance, World Health Organization (“Since the start of the COVID-19 pandemic, WHO has seen a dramatic increase in the number of cyber attacks directed at its staff, and email scams targeting the public at large.”).

So, are you covered by insurance? CGL policies generally don’t cover damages arising from cyber attacks and related data breaches; those policies usually cover damage to tangible property, not intangible property, like electronic data. In fact, recent CGL policies contain exclusions for loss of or damage to electronic data. Business-interruption and E&O policies may provide coverage, and the same is true of commercial-crime policies. Of course, whether any particular policy provides coverage in the event of a cyber attack turns on the policy’s language. However, given the trend towards cyber-specific policies, coverage under traditional policies is becoming less common. See Jes Alexander, Anatomy of a Data Breach—What Cyber Policies Should Cover, 13 J. Tex. Ins. L. 5 (2015) (“Those companies that rely solely upon CGL or other general policies do so at great peril.”). Companies should, as a matter of prudence, engage counsel to ascertain whether and to what extent they are covered in the event of a data breach.

When evaluating a cyber-insurance policy, companies should pay particular attention to whether the policy’s coverage is first party, third party, or both. First-party coverage will deal with the insured’s own losses resulting from a cyber attack, while third-party coverage concerns the insured’s liability to others resulting from breach or cyber event. Given the complex nature of cyber breaches and the often sensitive nature of information at issue, companies should ensure their policies contain both coverage sections (and this is usually the case).

Additionally, many companies confident in the strength of their cybersecurity infrastructure might be unaware that an increasing number of cyber attacks are aimed at third-party vendors. For this reason, companies should engage in a thorough vetting of any particular vendor’s cybersecurity practices, consult with counsel to strength indemnity resulting from a vendor breach and, most importantly, ensure that both the company’s and the vendor’s insurance policies cover losses stemming from a cyber attack.

There are a variety of cyber-related coverages to choose from; some are broad, cyber-liability polices—which address harm resulting from cyber activities (e.g., unauthorized disclosure of private information), as well as cyber infringement, injury or damage to information systems, notification expenses, e-theft, and cyber extortion. Then there’s event-management or breach-remediation coverage, which may cover costs related to managing a data breach (sometimes including a breach of a cloud service or other third party storing your data), such as costs associated with providing notification to compromised individuals, restoring lost data, and hiring legal counsel, public-relations consultants and forensic investigators. Crime-specific policies are also helpful, as they provide coverage for a variety of theft-based cybercrimes that may not be covered by your cyber policy. And what about business-interruption losses caused by a hacker-driven network failure (which would probably not be covered in your typical business-interruption policy)? Consider network-interruption coverage, which covers losses stemming from disruption of business activities caused by cybercriminals; this is often the case with distributed denial-of-service (DDoS) attacks. In sum, there exist myriad coverage options for those looking to ensure protection in the event of a cyber attack.

The current increase in work-from-home practices poses even greater risks of cyber-related breaches. See Danny Palmer, Cybersecurity: Half of employees admit they are cutting corners when working from home, ZDNet, (May 28, 2020 6:41 PM). So, now is the time for companies to consult with their counsel to reevaluate existing policies to determine the extent of coverage arising from a cyber-related event. If they do not have coverage, companies should strongly consider acquiring a cyber-insurance policy.

Posted at 03:35 PM in Cyber Insurance | Permalink | Comments (0)

July 16, 2020

U.S. Companies Lose Benefit of Popular EU-US Privacy Shield Program

Craig.Carpenter_linkedin

Posted by Craig Carpenter

On July 16, 2020, Europe’s top court invalidated the EU-US Privacy Shield program, finding that it did not provide an “essential equivalence” with European data privacy laws (GDPR).

The EU-US Privacy Shield program was a popular way for U.S. companies to comply with the restrictions on cross-border data transfers set forth in GDPR (Article 44). Since the U.S. does not have an adequacy decision under European privacy laws, the Privacy Shield Program was the most efficient way for many U.S.-based companies to lawfully move data to the U.S. from Europe under GDPR.

This decision largely centered on European concerns for U.S. surveillance programs and the ability for private data to end up with public authorities. The Court found that “the requirements of US national security, public interest and law enforcement have primacy [over individual data rights], thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”[1]

The Court also called in to question the efficacy of the “standard data protection clauses” as a means of cross-border data transfer, particularly in countries like the Unites States where public authorities have significant data access. The court stopped short of invalidating the standard clauses as a lawful means of transfer altogether, but the court emphasized the need to consider the practices of the countries in which the standard clauses are used, seemingly inferring that they might not be appropriate in places like the United States.

We do not yet know the U.S. response to this decision; however, without Privacy Shield, U.S. companies will have to rely on a different means of lawful data transfer. Examples include Standard Contractual Clauses discussed in Article 46 (subject to the comments above), Binding Corporate Rules (Articles 46 and 47), explicit consent (Article 49), necessity for performance of a contract (Article 49), exercise or defense of legal claims (Article 49), or the other “derogations for specific situations” identified in Article 49 of GDPR.

[1] CJEU Press Release, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf (July 16, 2020).

Posted at 11:08 AM | Permalink | Comments (0)

July 13, 2020

Cyber Criminals Work From Home Too

Michael.Titens_linkedin Vlad.markovic_linkedin

Posted by Michael Titens and Vlad Markovic - IS Security Manager

Over the last few months, many of us have been adapting to new work environments featuring less reliable wifi, videoconference cameos by our children and pets, and more casual dress codes. At the same time, cyber criminals have been adapting their methods to target us in our new environs. Here are a few of the latest threats:

Videoconference Vulnerabilities.

There has been an increase in phishing e-mails and social engineering attacks, especially related to Zoom and other videoconference credentials. Beware of any email containing links and stating you missed your meeting, need to activate your account again, or that your web conferencing software is vulnerable.
Malicious software can be sent using fake web conferencing invitations. The emails may appear to be coming from a potential client or other contact claiming to be available for a call via one of the popular videoconference services. In many cases, the invitation will contain a malicious Excel file supposedly containing the sender’s schedule.
Cyber criminals are also registering look-alike domains to phish for videoconference credentials. Recommended precautions include only joining meetings from known contact, that you are expecting, and scrutinizing the videoconference link in your invitation – for example, a Zoom link should send you to zoom.us not zoom-meeting [dot] org or any other “strange” site.

Business Email Compromise (BEC) Scams

BEC scams include altering wire transfer and direct deposit instructions and efforts to divert escrow or other payments. Recently, BEC Scams have been incorporating COVID-19 into their fraudulent appeals. Some examples to look out for include:

Using COVID-19 as an excuse to request a fraudulent switch or rescheduling of payments or a change to other business or government plans
- Fraudsters posing as clients requesting that all invoices be changed to a different bank account due to “Corona Virus audits”
- Attempts to exploit federal government stimulus plans and payment options
- Posing as a CEO asking to switch payments “due to the Coronavirus outbreak and quarantine processes and precautions.”
Scammers using claims of positive COVID-19 cases in their area to start an “urgent” email conversation

If you receive a payment or other request that appears to be out of the ordinary, take additional steps (including a confirmation phone call to a person you know on a number you have used before) before making any payment. More generally, it is a good time to review existing relationships that provide for payment or receipt of funds by wire transfer to ensure multi-factor authentication is in place, identify which party is responsible for wire transfer fraud, and clarify insurance coverage for misdirected funds.

Other Malicious Activity

We have seen a spike in emails with malicious attachments that are disguised as invoices, purchase contracts, wire confirmations, and other documents that one would be inclined to open. One example of this type of a threat was a cleverly obfuscated document that stated it was a wire confirmation. In reality it was a new variant of a crypto-locker that at the time was undetectable by most antivirus tools.

The Weakest Link

Our home networks are only as strong as the weakest link. Potential attack vectors include ancillary devices, such as printers, and other devices (like routers) that still use the manufacturer’s default login (e.g., “admin”) and password. To strengthen cyber defense of routers, use strong passwords and select WPA-2 encryption. Also, disable UPnP (universal plug and play) and keep your firmware up to date (some routers can be set to allow for automatic firmware updates).

Other computers on your home network might also be the weakest link. All family members should be reminded to follow sound practices and view with suspicion any unexpected emails, attachments, or links. Also, all computers should be updated with the latest security patches to protect against newly-discovered vulnerabilities.

Based on reports from some large employers, a full-time return to the office may be weeks or months away for many of us. Maintaining good security practices and remaining vigilant will help protect our computers and networks from being compromised.

Posted at 10:06 AM | Permalink | Comments (0)

July 02, 2020

Reducing Cyber Risks Posed by Vendors

Justin.Cohen_linkedin Craig.Carpenter_linkedin Vlad.markovic_linkedin

Posted by Justin Cohen, Craig Carpenter, and Vlad Markovic - IS Security Manager

When we think about cybersecurity, we often focus on our own people and systems. However, our vendors play a critical part of cybersecurity given how often we share data and integrate our IT systems with others. The 2018 Ponemon statistics estimated that over 50% of organizations have experienced a data breach due to a vendor’s security shortcomings. Here are some recent examples of breaches caused by third parties:

- Hanna Anderson (over 10,000 California customers affected due to alleged malware in Salesforce Commerce Cloud’s e-commerce platform)(2019)

- Quest Diagnostics (11.9M records via American Medial Collection Agency)(2019)

- Target (at least 41M customer payment card accounts accessed via HVAC vendor; $18.5M settlement)(2013)

- US Customs and Border Protection (Lost 100,000 records via a subcontractor network)(2019)

- FBI (Lost 3 terabytes of confidential information – including FBI investigation records, millions of department files, personal data, system credentials, and even internal communication records)(2019)

So what should we do first?

Ensure you have a risk assessment and mitigation plan in place for managing vendors. Some may categorize vendors by risk and develop specific policies, procedures, and technical measures to reduce cyber risks for categories of vendors.

Then what?

Ensure proper vetting to understand the risk posed by new and existing vendors. Such vetting can be done in-house through cybersecurity and data privacy questionnaires, or via legal counsel and/or other third parties that assess cyber risks posed by vendors. While initial vetting is critical, routine vendor audits are recommended to ensure that each continues complying with your company’s policies, processes, procedures, and technical measures deployed for purposes of safeguarding their data.

What about their contracts?

Like anything else, if it’s important, put it in writing. Ensure that each vendor contract specifically addresses and allocates the costs and risks associated with that engagement. Common contractual provisions include representations and warranties to abide by your company’s cyber and data privacy policies and procedures. Depending on the circumstances, a warranty regarding compliance with industry standards (e.g. SOC2 or PCI-DSS) with data security audit rights and certifications may be appropriate. Depending on the circumstances, you should also consider including prompt notice provisions when a breach involving your company’s data is suspected. You may also want to allocate the costs of a data breach investigation and remediation in the agreement to avoid unknowns if an incident occurs, including which party should be responsible for the fees and costs associated incident investigation and remediation. If this engagement poses a significant data privacy risk (e.g., your company’s most sensitive data is involved), you should consider requiring that a vendor maintain a certain level of cyber insurance that covers your costs should a breach investigation take place. Finally, specifying the procedures for handling a suspected data privacy or cyber breach in your vendor contracts can save valuable time when an incident occurs.

Posted at 10:55 AM | Permalink | Comments (0)

March 27, 2020

Zoom Bombing: Steps to Prevent Disruption and Potential Data Security Breaches during WFH Virtual Meetings

Posted by Craig Carpenter

In the current environment where many employees are working from home under shelter-in-place or social distancing directives, virtual meetings and video conferencing services have become critical for continued operations. One video conferencing provider in particular, Zoom Video Communications, has become a popular platform for many businesses, schools, and individuals.

However, along with the increase in useful and productive video conferencing, there has also been in uptick in video conference hijacking—what is being referred to these days as “Zoom bombing.”

Zoom bombing occurs when unauthorized or uninvited individuals “gate-crash” Zoom video conferences, often sharing their screens to show disturbing imagery, playing loud and offensive sounds, or other general mayhem. This occurs most frequently due to publicly available Zoom (or other provider) meeting links. While the disruption caused by Zoom bombing can be embarrassing and disturbing, there are also concerns that video conference hijacking could be used for more sophisticated and nefarious purposes such as theft of intellectual property, misappropriation of sensitive or proprietary information, and/or personal data breach.

Fortunately, there are steps video conference users can take to help prevent Zoom bombing and video conference hijacking. Recently, Zoom Video Communications posted a blog post with helpful tips and best practices to secure your meetings on their platform. These tips include:

Be careful when posting your meeting links in a public forum
Avoid using your Personal Meeting ID (PMI) to host public events
As the host, use the host tools to manage the meeting and participants:
- Manage participant screen sharing
- Lock the meeting
- Consider using the virtual waiting room

Additionally, it is important to consider your legal and data security obligations when using Zoom or other video conferencing platforms, including:

Use caution when discussing sensitive or privileged information in a video conference, especially a virtual meeting room that has been publicly posted;
Consider whether the camera will display personal and confidential information on your desk or in the background;
Consider whether you have closed out all screens so that others can’t see what is on your computer if you use screen sharing; and
Consider your obligations regarding recording video conferences and where that recording will be stored.

These tips and suggestions not only apply to Zoom, but could also apply to any video conference platform.

As we all adjust to increased use of video conferencing while working remotely, these guidelines, along with the helpful tips from Zoom, should help users take control of their meetings and prevent unauthorized access and disruption.

For more information from Zoom Video Communications, see: https://blog.zoom.us/wordpress/2020/03/20/keep-the-party-crashers-from-crashing-your-zoom-event/

Posted at 11:07 AM in Data Breach Notification | Permalink | Comments (0)

October 10, 2019

FDA Releases Warning on Cybersecurity Threat to Connected Medical Devices and Healthcare Networks

Posted by Timothy E. Hudson and Madeline Tansey

In a recent press announcement, the U.S. Food and Drug Administration (FDA) released a statement informing healthcare providers, patients, and medical device manufacturers about a set of cybersecurity vulnerabilities that could expose medical devices and hospital networks to serious risks.^[1] This set of vulnerabilities, referred to as “URGENT/11,” consists of a set of 11 network flaws that researchers from the enterprise security firm Armis discovered.^[2] Though the FDA has not yet received any reports of hackers exploiting these vulnerabilities, it has begun efforts to proactively protect the public from the threats URGENT/11 poses to the healthcare system.

The problem dates back to the early 2000s, when software firms began implementing transmission control protocols and internet protocols (“TCP/IPs”), which are sets of rules and procedures that allow devices to connect to wireless networks. Around this time, Interpeak, a Swedish software firm, created its own TCP/IP network protocol called “IPnet” and sold it to a variety of customers that manage operating systems. These customers then incorporated the IPnet software into their operating systems, which enabled them to link medical devices to the internet and central device networks. Unfortunately, this integration occurred years before anyone discovered the flaws within IPnet that leave billions of medical devices susceptible to hacking.^[3]

The implications to the healthcare system of IPnet’s vulnerabilities are much broader—and more severe—than originally thought. According to Armis researchers, URGENT/11 can enable remote users to take down firewall protections and control devices connected to the internet or internal networks.^[4] Medical devices on an operating system that use IPnet are consequently vulnerable to these attacks, including MRI machines, patient monitors, anesthesia machines, and infusion pumps. For example, Becton Dickinson, a major medical device manufacturer, found its Alaris infusion pump was potentially vulnerable to hacker exploitation because it used the IPnet software.^[5] Researchers were able to exploit the infusion pump’s vulnerabilities, which caused it to crash and become unresponsive. This experiment demonstrated the critical nature of the URGENT/11 vulnerabilities and the direct impact on patient safety.

Though IPnet is an old protocol, many medical devices that still use the IPnet software “are critical devices, which go under a much longer period of development and approvals than consumer devices, and have significantly longer life cycles once in use,” said Ben Seri, Vice President of research at Armis. To combat this issue, the FDA has taken steps to disseminate information about which operating systems are affected and has made recommendations to ensure patient safety. Thus far, the agency has identified one or more versions of the following operating systems as vulnerable: VxWorks (by Wind River); Operating System Embedded (by ENEA); INTEGRITY (by GreenHills); ThreadX (by Microsoft); ITRON (by TRON); and ZebOS (by IP Infusion).^[6]

The FDA encourages medical device manufacturers to continue monitoring, reporting, and remediating the cybersecurity vulnerabilities. Medical device end users should contact manufacturers to determine whether their devices are impacted and whether those manufacturers have designed software patches to prevent device exploitation. For example, Armis and Wind River (a manufacturer for software used in medical devices) have worked to develop system patches for VxWorks versions that were released subsequent to version 6.5, such as VxWorks 653 and VxWorks Cert Edition.^[7] Additionally, device users can contact device manufacturers for mitigation techniques, such as the installation of a firewall recommended by Becton Dickinson to block remote attempts to exploit its devices.^[8]

While the FDA, Armis, and the Department of Homeland Security seek to resolve this issue, the FDA will continue to focus on informing those in the healthcare sphere about URGENT/11. As one FDA spokesperson noted, “Awareness is key because without it, industry cannot begin their risk assessment and mitigation activities.”

[1]See U.S. Food & Drug Admin., FDA informs patients, providers and manufacturers about potential cybersecurity vulnerabilities for connected medical devices and health care networks that use certain communication software (Oct. 1, 2019).

[2]Lily Hay Newman, Decades-Old Code Is Putting Millions of Critical Devices at Risk (Oct. 1, 2019).

[3]See Dennis Fisher, URGENT/11 flaws now affect broader range of medical, network devices (Oct. 3, 2019).

[4]See Armis, UPDATE: URGENT/11 affects additional RTOSs – Highlights Risks on Medical Devices (last visited Oct. 8, 2019).

[5]Fisher, supra.

[6]U.S. Food & Drug Admin., supra.

[7]Armis, supra.

[8]Newman, supra.

Posted at 03:34 PM in Regulatory Updates | Permalink | Comments (0)

August 22, 2019

Protect Yourself From Wire Transfer Fraud

Posted by Justin S. Cohen

Cyber criminals are targeting U.S. companies on a daily basis—many seeking to steal funds through fraudulent funds transfers. While the hackers’ methods are technically sophisticated, the plan is simple: a hacker takes control of a business email account, learns how the company moves money (such as through wire transfers), then sends an email to initiate a fraudulent transfer. Trend Micro reported that the average business email compromise (“BEC”) attack in 2016 cost the victim approximately $140,000. The FBI reported that BEC scams accounted for more than $12.5 billion in losses for U.S. companies in 2018, exceeding all expectations. We here at Thompson & Knight have seen an uptick in these attacks and their sophistication and have some suggestions on how companies can protect themselves.

The Problem: Business Email Compromise

Cyber criminals use BECs to steal from companies using fraudulent funds transfers, such as by changing direct deposit instructions, wire transfer instructions, or requesting business checks. A BEC begins with hackers gaining full control of a person’s email account so they can read that person’s emails, delete emails, re-direct emails using rules, and send emails as if they were that person. The hackers focus on the email accounts of C-suite executives, controllers, and those involved in funds transfers (e.g., direct deposit instructions, wire transfers, check writing). The identities of the right people can usually be deduced from a few LinkedIn searches. Hackers track out-of-office message and social media to determine when executives may be away from the office.

Once hackers gain control over a particular email account, they will study the company’s procedures and email traffic, sometimes for months. After learning about the company and how it handles wire transfer requests, they will begin their attack. Typically, they will write emails from the executive’s account requesting rush wire transfers to offshore accounts. Most are careful to make requests that will be acted upon quickly without raising too much suspicion (e.g., by crafting the email with a sense of urgency). These criminals often start small and then increase their activity and the wire transfer amounts until someone spots the theft. Some of these attacks can go on for months. Many target a one-month window to avoid detection.

We have also seen schemes where criminals impersonate suppliers or business partners and send new wire transfer instructions for upcoming payments. In other cases, criminals impersonate employees and send emails requesting changes to payroll direct-deposit instructions. Such criminals may also watch emails during the run-up to a merger or acquisition, then send fraudulent wire transfer instructions near the closing.

Compounding the problem is that when a BEC occurs, (1) the funds are rarely recoverable and (2) many crime and cyber insurance policies do not cover these sorts of losses.

The Solution: Be Aware and Implement Layered Security

Here are a few suggestions to protect your company from these threats:

Update your funds transfer policies to ensure that there are non-email confirmations/multi-factor authentication to confirm wiring/payment instructions for certain incoming and outgoing funds transfers. This can be as simple as requiring a phone call or video chat between people who know one another. Include a plan for handling suspicious funds transfer instructions.

Meet with your financial institutions to ensure everyone has a clear understanding of the protocols in place to handle wire transfers. If the protocol is simply “wire based on email instructions” the financial institution typically will claim no liability.

Review cyber insurance policies to ensure that these types of criminal events are covered, including coverage for the stolen funds.

Implement periodic cybersecurity training for executives and employees, especially those involved in funds transfers. Such training should include periodic test “phishing” emails from your IT department or a security vendor so people become accustomed to spotting suspicious emails.

Use multi-factor authentication for email accounts, especially email accounts like Office 365 that are accessible via the Internet.

Guarding against wire transfer fraud through business email compromise requires a layered approach. Companies should also prepare for a possible incident and ensure that their cybersecurity policy covers not only the cost of responding to an incident, but also the stolen funds.

Posted at 11:21 AM in Cyber Insurance, Data Breach Notification | Permalink | Comments (0)

July 08, 2019

Cybersecurity Training for Your Corporate Board

Posted by Alejandro A. Sánchez-Mújica A.

It seems that not a day goes by without news of significant cyberattacks or breaches. Cybersecurity failures and malware are no longer considered as something that might happen, but something that will happen. Businesses need to have the framework in place to act fast in a worst-case scenario to contain reputational and bottom-line damage.

Corporate boards have become integral to cyberdefense strategies. NYSE Governance Services^[1] recently surveyed nearly 200 directors of public companies representing a variety of industries to discover how they view cybersecurity in the boardroom. More than 80% of respondents said cybersecurity topics are discussed at nearly every meeting – although one in five indicated they are only discussed after an incident happens internally or in the same industry.

Directors are responsible for managing the business affairs of a corporation, and they are subject to fiduciary duties. In carrying out the responsibility of managing the corporation, directors owe fiduciary duties of care (care on an informed basis when taking actions) and loyalty (based on the best interests of the corporation and its stockholders, refraining from transactions motivated by personal interest).

Part of a director’s duty is to oversee the corporation’s operations. There must be procedures in place so that the appropriate information comes to the attention of the board in a timely manner as a matter of ordinary operations, which should include cybersecurity matters and breaches.

Directors should receive cybersecurity training on at least a yearly basis. This training should cover the measures necessary to maintain confidentiality of the matters placed before the board, cybersecurity matters related to the industry’s particular challenges, and best practices for the directors’ access and use of company networks and data.

Additionally, periodic presentations by the corporate executive in charge of information technology should be made before the board. These presentations should at least touch upon:

The latest developments in cybersecurity, including relevant breaches and practices;
Cybersecurity governance policies put in place, including IT systems use, remote work, and employee/contractor training policies;
Data privacy compliance;
Inventory of information assets, including descriptions of areas of potential vulnerabilities (e.g., personal data management, infrastructure);
The company’s cybersecurity insurance coverage; and
Incidents and failures in continuity planning.

Boards should also take the opportunity to ask questions regarding the readiness of the company to mitigate a cyberattack or breach, and should review the steps put in place to mitigate an incident. They should consider:

Who has access to the corporation’s information assets? How are privileges managed?
Which information assets would most likely be a target?
What type of damage would the company incur if the assets were targeted?
Which systems are crucial for business continuity?
What measures are in place to detect an incident?
What incident reporting procedures are in place?
Is there an effective hotline or emergency procedure in place in the event of a cyberattack or threat? Have these been communicated to employees, contractors, and service providers?
What employee, contractor, and service provider training procedures are in place?
What types of audits are run on the IT infrastructure?

Board members can play an instrumental role in monitoring and mitigating cybersecurity risks, serving as a conduit between all the different functions of the business and bringing a wealth of experience in crisis management.

^[1] https://www.nyse.com/publicdocs/VERACODE_Survey_Report.pdf

Posted at 02:39 PM in Data Breach Notification, Regulatory Updates | Permalink | Comments (0)

June 11, 2019

The Weakest Links – Vendors in the Spotlight, Again

Posted by Michael C. Titens

Last week brought news of two more companies reporting the potential compromise of financial and medical information of millions of Americans. The headlines sound familiar, as does the attack vector – compromise of a third-party vendor with access to patient information.

On June 3, Quest Diagnostics Incorporated reported that a breach at one of its vendors, American Medical Collection Agency (AMCA), may have compromised the personal information of approximately 11.9 million of its patients. The compromised information includes credit card numbers, bank account information, Social Security numbers, and unspecified medical information, among other things. Quest stated that it has not yet obtained detailed or complete information from AMCA and has not received a list of the affected individuals, but that according to AMCA, an unauthorized person had access to AMCA’s system for up to seven months.

On June 4, Laboratory Corporation of America Holdings reported that approximately 7.7 million of its patients were affected by the AMCA breach. For LabCorp patients, the compromised information includes credit card numbers and bank account information, but not Social Security numbers or lab test results. LabCorp is also awaiting more detailed information from AMCA but unlike Quest, LabCorp reported that AMCA is notifying some LabCorp patients directly.

News reports have already identified a third victim of this incident, and there could be more to come. According to its website, AMCA is “the leading recovery agency for patient collections,” and its clients include “Laboratories, Hospitals, Physician groups, Billing services and Medical providers all across the country.” AMCA also operates under the “Retrieval Masters” brand and services “Direct Marketers, Telecom, Toll Agencies, and Debt Buyers,” further expanding the scope of potential victims. Quest and LabCorp are both public companies that reported the breach in filings with the Securities and Exchange Commission, but many of AMCA’s other clients are not subject to SEC reporting requirements.

Quest and LabCorp now face the familiar dilemma of responding to a cyber event resulting not from a breach of their own systems, but from a breach at a third-party vendor. Vendor breaches raise different issues than other breaches, including the following:

Understanding what occurred, what information was compromised, and who must be notified: A company that obtains personal data from its customers is generally the party subject to notification and other obligations under applicable state and federal laws, even when the breach occurs in a vendor’s system. However, the ability of that company to obtain the information needed to provide notifications is often limited by the vendor’s ability and willingness to share information about the incident. For example, it was Quest, not AMCA, that received two separate letters from U.S. senators requiring the company to respond within 10-14 days to detailed questions regarding its cybersecurity policies and procedures and this breach in particular.
Compliance with privacy policies: Companies should ensure that they are complying with their privacy policies when they share information with vendors. For example, LabCorp’s privacy policy (as published on its website) states that it may share information with contractors, but Quest’s published policy promises that no information will be shared with vendors unless the patient has authorized Quest to do so. Presumably, Quest obtained patient consent in some other way, such as a consent formed signed when the patient visited the Quest facility.
Insurance coverage: Many cyber insurance policies cover notification costs and other losses only if the breach occurred in the insured’s systems. For losses arising from a vendor’s breach, a company often must rely on contractual indemnification rights, if any. Companies typically require their vendors to have certain levels of insurance coverage, but in many cases a vendor’s insurance policy will not cover the vendor’s contractual indemnification obligations to its customers. Indeed, contractually assumed indemnity is typically subject to a specific coverage exclusion.

Thompson & Knight’s Cybersecurity Practice Group routinely advises clients regarding vendor relationships. Some general suggestions include the following:

Legal review: Ask knowledgeable legal counsel to review contracts with vendors to identify cyber issues and conformity with market terms. Vendor contracts often include provisions regarding data protection requirements, reporting requirements in the event of a breach, insurance coverage, and other matters.
Data segregation: Limit the data shared with a vendor to just the information required for the vendor to fulfill its contract. For example, a medical collection agency might need information relating to the status of a patient’s account, but might not need the patient’s medical information.
Data access: In cases where the vendor has access to computer systems, ensure that the access is restricted to the data the vendor needs to fulfill its contract, and that the vendor does not have rights to move throughout a client’s network.
Monitoring of vendor activity: Where possible, employ tools to monitor vendor activity on your network. Earlier this year, criminals used phishing attacks to gain access to the computer networks of major IT outsourcing firms such as Wipro, and used that access to attack the networks of the IT firms’ customers. In many cases, the customers identified the rogue activity before significant damage could be done.

Comprehensive cybersecurity includes not only the integrity of your system, but also the integrity of any other system which may have access to your system or on which your data may be stored. Heightened diligence should be exercised whenever vendor relationships are established or evaluated.

Posted at 11:18 AM in Data Breach Notification | Permalink | Comments (0)

February 08, 2019

Rethinking Password Management

Posted by Justin Cohen

Hackers have compiled a database of over 2.2 billion records of our login credentials (i.e., usernames/email addresses and passwords) by cobbling together records taken from dozens of data breaches. And they are sharing these stolen credentials through various websites. Out of curiosity, I used the Hasso-Plattner Institut’s online tool to see whether my personal and work email addresses were included in the leaked databases. Guess what? They both were. I then used the “have i been pwned?” password search tool to see if one of my old passwords was exposed. Unsurprisingly, it was. If you have employees who have created online accounts with Facebook, Marriott, eBay, LinkedIn, Yahoo!, Orbitz, Quora, Reddit, or any number of other websites or systems, it’s likely that your employees’ credentials have also been exposed.

The problem we have today is that many people use the same or similar credentials (e.g., email address and password) for their personal websites as they do to log in to their company’s enterprise accounts. While your company’s systems may not have been breached, it is likely that at least some of your employees’ credentials have been. So even if your organization has complex password requirements—and requires users to change those complex passwords often—those requirements don’t prevent hackers from finding users’ credentials on other sites, or using those passwords to guess the password for a user’s enterprise account (since many only use slight variations).

To address this problem, Google has launched a new extension to its Chrome browser to tell you if your password has been exposed. But for many, that may not be enough to address the risk of exposed credentials.

It may be time to start encouraging employees to utilize a password management tool, like Keeper, LastPass, or 1Password. These tools store credentials for various websites, apps, and portals so users don’t have to memorize each one (or, as some unfortunately do, store credentials in documents or spreadsheets). A user of these tools creates one complex passphrase, which gives them access to an encrypted database of their stored credentials. These tools can also test your password strength, and give you a score on your password security. For example, LastPass will give you a lower overall score if you’re using the same or similar password across multiple websites.

For many of us who have used and re-used the same or similar passwords over dozens of websites for years, it may be time to allow the password manager both to create new complex passwords and to store all of those credentials. Many of these tools also allow users to share credentials, and allow emergency access to one’s “vault” of credentials. These features are useful for employees that may need to share access to third-party websites for work. The tools enable users to share credentials with other employees in a more secure manner than email or notes. Plus, once shared, if one user changes the password, the tools enable the updated password to be shared automatically. Some also offer “emergency access” to a user’s vault of credentials, which may help avoid business interruption if an employee becomes ill or leaves the company without providing all of their credentials to work-related websites.

Encouraging your employees to use distinct, complex passwords for each personal website, enterprise system, and work-related website can significantly reduce the risk to your organization posed by these exposed passwords. A password management tool can help your organization promote that type of behavior. And if none of those reasons is particularly persuasive, perhaps you may want to read about what happened when the only person with the password to a company’s Bitcoin wallet worth over $190 million died.

Posted at 11:08 AM in Data Breach Notification | Permalink | Comments (0)