TK Data Privacy and Cybersecurity Blog

Posted by Michael Titens

Ransomware attackers are concentrating their efforts on hospitals and other health care providers according to a warning issued by the FBI and other government agencies on October 28.  Attackers know that prolonged computer shutdowns in hospitals can be catastrophic and that hospital administrators may have few viable alternatives to making a ransom payment, making hospitals desirable targets.  Numerous hospitals have already been hit, leading to postponed procedures and at least one patient death reported by the Washington Post. 

Ransomware is not new but attackers have adapted their methods to increase the pressure on victims.  In addition to blocking access to computer system and encrypting data, modern ransomware attackers also attempt to encrypt data backups, making it far more difficult for a victim to recover its files without paying the ransom.  Furthermore, researchers have found that in nearly half of all ransomware attacks, attackers exfiltrate data from a victim’s network, including personal information of customers and employees.  The attackers then threaten to release the data publicly on “walls of shame” unless the ransom is paid.  Delays in payment result in partial data releases and threats to release more.  As a result, even when a victim can rebuild its network and recover its files without agreeing to attacker demands, the threat of public data disclosure often compels the victim to pay the ransom.

Ransomware responders have adapted to this new environment.  In addition to restoring a victim’s network, some forensics firms and cyber insurance providers assist with ransom negotiations and, if necessary, facilitate ransom payments. With more cyber insurance policies providing coverage for ransom payments, cost is less of an impediment to payment.  And as ransom payments become more routine, attackers expand their criminal activities.

Counteracting this trend, and increasing the risks for ransomware victims, U.S. government agencies issued advisories last month warning that ransomware payments to certain attackers could violate U.S. sanctions laws.  The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued its advisory “to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities.”  OFAC has already imposed sanctions on organizations and individuals located in Russia, North Korea, and Iran and plans to continue adding other cyber actors to its list of specially designated nationals.  Under U.S. sanctions law, making or facilitating payments, directly or indirectly, with specially designated nationals is prohibited.  A party making such a payment, as well as others involved in the process such as forensics firms and insurance providers, can be held civilly liable even if they did not know they were dealing with a sanctioned group or individual at the time the payment was made.

As part of its strategy to deter ransom payments, the government is also targeting other potential participants in a ransomware transaction.  The OFAC warning specifically identifies financial institutions, cyber insurance carriers, and incident response firms that facilitate ransom payments as potential violators of U.S. sanctions laws.  Furthermore, at the same time OFAC issued its warning, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an advisory to banks and other financial intermediaries that they should file Suspicious Activity Reports and comply with related regulations whenever they participate in any aspect of a ransom transaction.  Not only ransomware victims, but also the firms they choose to assist them in responding to an attack, must now reevaluate the costs and benefits of making a ransom payment, particularly where the attacker’s identity is unknown or the attacker is suspected to have already been designated by OFAC for sanctions.

The new guidance bolsters law enforcement’s view that victims should promptly report cyber incidents to the proper authorities (typically the FBI or Secret Service) and should not make ransomware payments.  According to the OFAC advisory, “OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.”

While we anticipate that victims will still give serious consideration to making ransom payments, reasonable compliance procedures of forensics firms and financial intermediaries, including a possible requirement to involve law enforcement, may complicate any response.  Furthermore, cyber insurance carriers may be reluctant to provide coverage for certain ransom payments.  We have even heard that some insurance carriers may attempt to deny coverage for notification, legal, and other expenses related to a ransomware attack perpetrated by a sanctioned group.

So what can a business do in light of these increasing costs and risks associated with ransomware?  Companies should take steps to minimize the likelihood and impact of any potential attack.  For example, phishing e-mails are one of the most common attack vectors for ransomware.  Network users should be trained to identify and avoid malicious e-mail and in particular, malicious e-mail attachments such as those masquerading as Google Docs or .pdf attachments.  Also, businesses should maintain off-line back-ups of their network data and should consider segmenting their networks to restrict the ability of an intruder to move laterally within the network.  Other suggestions can be found in the recent advisory from the Cybersecurity and Infrastructure Agency and in this update from our friends at Stroz Friedberg.

Ransomware remains a threat to businesses large and small.  Recent attacks in the healthcare industry illustrate the potentially dire consequences of a network disruption.  For advice and assistance preparing for, or responding to, a ransomware attack, please contact any member of the Thompson & Knight cybersecurity team.

Posted by Stephen Stein

Proposition 24, the California Privacy Rights Act (or “CPRA”), was passed by California voters on November 3.

Both modifying and enhancing aspects of the California Consumer Privacy Protection Act (“CCPA”) which became effective January 1 of 2020, the CPRA provisions will go into effect on January 1, 2023.

Why a new Act passed so soon after CCPA? Proponents felt that in many respects CCPA did not go far enough toward protecting personal data.  Proponents successfully argued that the state should adopt privacy protections comparable to those found in the European General Data Protection Regulation (“GDPR”).

What’s New?  Key provisions of the CPRA include:

• New Enforcement Agency: CPRA creates the California Privacy Protection Agency (beginning July 2023) which will take over responsibility from the state attorney general for enforcement of privacy obligations. In theory, this will allow greater resources to be dedicated to privacy enforcement.
• Liability for Violations by Service Providers: Collectors of Data who share a resident’s data will be responsible for compliance by any service providers with whom they share data.
• CCPA Clarifications: CPRA would clarify some of the issues raised with CCPA, including, (i) confirming that loyalty and discount programs would not be prohibited under CPRA, (ii) extending the moratorium on B2B and employee data, and (iii) removing “devices” from the determination of the thresholds of when a business would be subject to CPRA.
• Sensitive Personal Information: Consistent with GDPR, sensitive personal information is now defined and subject to more rigorous security requirements.
• New Consumer Rights: Consumers will have the right to update personal information already collected by companies.

Why Should I Care?

• As with the CCPA, companies that collect data on California residents (including via a website accessible to a California resident) will be subject to the law.
• California has been the bellwether state for a number of laws in the past. California privacy law, including the CPRA, can be expected to influence other states considering privacy legislation.
• Texas is among those states considering consumer data privacy legislation (see the September 2020 Report of the Texas Privacy Protection Advisory Council here. While aiming to meet public expectations concerning data privacy, the Legislature is also likely to seek to avoid some of the costly results of the CCRA and the GDPR. Progress on these matters may, however, be delayed by limitations on the scope of what the Legislature will undertake in a session constrained by COVID-19.

Posted by Craig Carpenter

On July 16, 2020, Europe’s top court invalidated the EU-US Privacy Shield program, finding that it did not provide an “essential equivalence” with European data privacy laws (GDPR).

The EU-US Privacy Shield program was a popular way for U.S. companies to comply with the restrictions on cross-border data transfers set forth in GDPR (Article 44). Since the U.S. does not have an adequacy decision under European privacy laws, the Privacy Shield Program was the most efficient way for many U.S.-based companies to lawfully move data to the U.S. from Europe under GDPR.

This decision largely centered on European concerns for U.S. surveillance programs and the ability for private data to end up with public authorities. The Court found that “the requirements of US national security, public interest and law enforcement have primacy [over individual data rights], thus condoning interference with the fundamental rights of persons whose data are transferred to that third country.”[1]

The Court also called in to question the efficacy of the “standard data protection clauses” as a means of cross-border data transfer, particularly in countries like the Unites States where public authorities have significant data access. The court stopped short of invalidating the standard clauses as a lawful means of transfer altogether, but the court emphasized the need to consider the practices of the countries in which the standard clauses are used, seemingly inferring that they might not be appropriate in places like the United States.

We do not yet know the U.S. response to this decision; however, without Privacy Shield, U.S. companies will have to rely on a different means of lawful data transfer. Examples include Standard Contractual Clauses discussed in Article 46 (subject to the comments above), Binding Corporate Rules (Articles 46 and 47), explicit consent (Article 49), necessity for performance of a contract (Article 49), exercise or defense of legal claims (Article 49), or the other “derogations for specific situations” identified in Article 49 of GDPR.

[1] CJEU Press Release, available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf (July 16, 2020).

Posted by Michael Titens and Vlad Markovic - IS Security Manager

Over the last few months, many of us have been adapting to new work environments featuring less reliable wifi, videoconference cameos by our children and pets, and more casual dress codes.  At the same time, cyber criminals have been adapting their methods to target us in our new environs.  Here are a few of the latest threats:

Videoconference Vulnerabilities.

• There has been an increase in phishing e-mails and social engineering attacks, especially related to Zoom and other videoconference credentials.  Beware of any email containing links and stating you missed your meeting, need to activate your account again, or that your web conferencing software is vulnerable. 
• Malicious software can be sent using fake web conferencing invitations.  The emails may appear to be coming from a potential client or other contact claiming to be available for a call via one of the popular videoconference services.  In many cases, the invitation will contain a malicious Excel file supposedly containing the sender’s schedule.
• Cyber criminals are also registering look-alike domains to phish for videoconference credentials. Recommended precautions include only joining meetings from known contact, that you are expecting, and scrutinizing the videoconference link in your invitation – for example, a Zoom link should send you to zoom.us not zoom-meeting [dot] org or any other “strange” site.

Business Email Compromise (BEC) Scams

BEC scams include altering wire transfer and direct deposit instructions and efforts to divert escrow or other payments.  Recently, BEC Scams have been incorporating COVID-19 into their fraudulent appeals.  Some examples to look out for include:

• Using COVID-19 as an excuse to request a fraudulent switch or rescheduling of payments or a change to other business or government plans
  • Fraudsters posing as clients requesting that all invoices be changed to a different bank account due to “Corona Virus audits”
  • Attempts to exploit federal government stimulus plans and payment options
  • Posing as a CEO asking to switch payments “due to the Coronavirus outbreak and quarantine processes and precautions.”
• Scammers using claims of positive COVID-19 cases in their area to start an “urgent” email conversation

If you receive a payment or other request that appears to be out of the ordinary, take additional steps (including a confirmation phone call to a person you know on a number you have used before) before making any payment.  More generally, it is a good time to review existing relationships that provide for payment or receipt of funds by wire transfer to ensure multi-factor authentication is in place, identify which party is responsible for wire transfer fraud, and clarify insurance coverage for misdirected funds.

Other Malicious Activity

We have seen a spike in emails with malicious attachments that are disguised as invoices, purchase contracts, wire confirmations, and other documents that one would be inclined to open. One example of this type of a threat was a cleverly obfuscated document that stated it was a wire confirmation. In reality it was a new variant of a crypto-locker that at the time was undetectable by most antivirus tools.

The Weakest Link

Our home networks are only as strong as the weakest link.  Potential attack vectors include ancillary devices, such as printers, and other devices (like routers) that still use the manufacturer’s default login (e.g., “admin”) and password.  To strengthen cyber defense of routers, use strong passwords and select WPA-2 encryption.  Also, disable UPnP (universal plug and play) and keep your firmware up to date (some routers can be set to allow for automatic firmware updates).

Other computers on your home network might also be the weakest link.  All family members should be reminded to follow sound practices and view with suspicion any unexpected emails, attachments, or links.  Also, all computers should be updated with the latest security patches to protect against newly-discovered vulnerabilities.

Based on reports from some large employers, a full-time return to the office may be weeks or months away for many of us.  Maintaining good security practices and remaining vigilant will help protect our computers and networks from being compromised.

Posted by Justin Cohen, Craig Carpenter, and Vlad Markovic - IS Security Manager

When we think about cybersecurity, we often focus on our own people and systems. However, our vendors play a critical part of cybersecurity given how often we share data and integrate our IT systems with others. The 2018 Ponemon statistics estimated that over 50% of organizations have experienced a data breach due to a vendor’s security shortcomings. Here are some recent examples of breaches caused by third parties:

-        Hanna Anderson (over 10,000 California customers affected due to alleged malware in Salesforce Commerce Cloud’s e-commerce platform)(2019)

-         Quest Diagnostics (11.9M records via American Medial Collection Agency)(2019)

-         Target (at least 41M customer payment card accounts accessed via HVAC vendor; $18.5M settlement)(2013)

-         US Customs and Border Protection (Lost 100,000 records via a subcontractor network)(2019)

-         FBI (Lost 3 terabytes of confidential information – including FBI investigation records, millions of department files, personal data, system credentials, and even internal communication records)(2019)

So what should we do first?

Ensure you have a risk assessment and mitigation plan in place for managing vendors. Some may categorize vendors by risk and develop specific policies, procedures, and technical measures to reduce cyber risks for categories of vendors.

Then what?

Ensure proper vetting to understand the risk posed by new and existing vendors. Such vetting can be done in-house through cybersecurity and data privacy questionnaires, or via legal counsel and/or other third parties that assess cyber risks posed by vendors. While initial vetting is critical, routine vendor audits are recommended to ensure that each continues complying with your company’s policies, processes, procedures, and technical measures deployed for purposes of safeguarding their data.

What about their contracts?

Like anything else, if it’s important, put it in writing. Ensure that each vendor contract specifically addresses and allocates the costs and risks associated with that engagement. Common contractual provisions include representations and warranties to abide by your company’s cyber and data privacy policies and procedures. Depending on the circumstances, a warranty regarding compliance with industry standards (e.g. SOC2 or PCI-DSS) with data security audit rights and certifications may be appropriate. Depending on the circumstances, you should also consider including prompt notice provisions when a breach involving your company’s data is suspected. You may also want to allocate the costs of a data breach investigation and remediation in the agreement to avoid unknowns if an incident occurs, including which party should be responsible for the fees and costs associated incident investigation and remediation. If this engagement poses a significant data privacy risk (e.g., your company’s most sensitive data is involved), you should consider requiring that a vendor maintain a certain level of cyber insurance that covers your costs should a breach investigation take place. Finally, specifying the procedures for handling a suspected data privacy or cyber breach in your vendor contracts can save valuable time when an incident occurs.