Privacy and Data Security
Check out this article I was interviewed for in Database Trends and Applications regarding the challenges of protecting data and ensuring its proper use. Here’s one of several of my quotes included in it:
“Done right, adherence to data compliance benefits your bottom line,” Quinn said. “Regular assessments of your data protection and privacy measures ensure minimal waste of resources while giving you peace of mind.”
I recently contributed to an article sponsored by Selman Breitman LLP and published in the CLM here. The focus of the article was on cyberattack trends and how companies can prepare to respond, or at least what they should be considering. Now is as good as time as any to start preparing your business for the inevitable attack. Make sure you have a plan in place so you know where to start when you become a target!
Here is your friendly reminder to take a few minutes and perform your annual privacy/data security checkup. If you haven’t done one before, now is as good of time as any to start. The more things you check on the better, but here are a few ideas of places to start:
There are other things you can do too, but this will give you a good start on making sure your data is protected.
By the time you realize that you have been the victim of a data breach, it’s too late to take proactive steps to deal with that breach. From that moment, you are left reacting to the facts as the situation unfolds. The breach could have happened months or years ago and the damage has been done. Anything you do now is remediation or preventative steps against future breaches. The problem with this is that it is often hard to fully understand what this could mean for you when a breach does happen. The best you can do at that point is assess the situation and try to avoid similar issues in the future.
We can see this playing out right in news that is breaking about a SolarWinds breach. You can get up to speed on it at ZDNet. The SolarWinds breach is already being identified as one of the most significant breaches because of who and what it targeted. The Wall Street Journal wrote, “One person familiar with the matter said the campaign was a “10” on a scale of one to 10, in terms of its likely severity and national-security implications.” It looks like Russian foreign intelligence may have been behind the breach and that they may have had access to sensitive information for months. Of course, we will continue to get a better picture of what happened and what the damages are, but right now it looks like this breach was well planned ahead of time and planted in the supply chain. In other words, someone got a backdoor into some otherwise trusted security software and then waited for it to be in place before exploiting it. As the government and security professionals scramble to assess the situation, there is not much, if anything, that can be done to reverse the damage.
It is an unfortunate reminder that even when you plan ahead to defend against a breach, you will never be invulnerable. Keep watching this developing story to see how bad things can get and what type of contingencies you may need to be planning for in the future.
If you have been paying any attention to headlines about cyber attacks, you have seen an uptick in stories about ransomware. Just last week, there were stories about Universal Health Services being hit by one and another story about how CCSD had personal information released after refusing to pay in a ransomware attack. While it was already a difficult business decision to decide (even life or death in some situations) whether to pay up when hackers hold your system or information hostage, a new advisory from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) makes it even trickier. (You can read a short summary of it at ZDNet.)
Here’s what you need to know from the new guidance issued by OFAC. First, “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” Translation: If you are involved in any way in paying a ransom, you increase the chance of future ransom demands and you risk violating OFAC rules. This means if you are not the one making the payment, but are merely facilitating the payment (financially, technologically, etc, you could still be violating OFAC’s rules.
Second, under the authority of various laws (including IEEPA and TWEA), “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities” designated by OFAC. “OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.” Translation: There are laws that say you can’t give money to certain individuals on OFAC’s naughty list and if you violate those laws, you can be be hit with fines even if you didn’t know you were breaking those laws. The fact that OFAC is mentioning strict liability in this advisory is fair warning that we can expect to see examples made of someone who unknowingly breaks the law by paying parties to which is payment is prhobiited.
Third, “Under OFAC’s Enforcement Guidelines, OFAC will also consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus. OFAC will also consider a company’s full and timely cooperation with law enforcement both during and after a ransomware attack to be a significant mitigating factor when evaluating a possible enforcement outcome.” Translation: If you do break the rules, you may get a lesser punishment if you contact and work with law enforcement. It’s important to note that it says the cooperation must be self-initiated–which means that if your friendly neighborhood cybersecurity researcher or tech reporter notifies you about an incident involving you, but you don’t do anything until they’ve turned it into a headline, you may not get the full benefit of cooperating with law enforcement.
Finally, “Ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.” Translation: If your data is held hostage by someone on the OFAC naughty list, you can still ask OFAC for permission to pay the ransom, but OFAC will start from a position of saying no. If you know that the party seeking a ransom payment is subject to sanctions and you still want to pay it, you’re probably better off getting permission from OFAC rather than seeking forgiveness later. However, as has always been the case with ransomware payments, this is ultimately a business decision that you and your company will have to make in your own best interest. Now, at least, you have some guidance from OFAC to help you weigh the consequences of making a ransomware payment.
For many of us, the idea of a cyberattack is something we associate with the risk of a data breach, identity theft, financial fraud, etc. One thing we don’t usually consider being a consequence of a cyberattack is death. Unfortunately, it appears that someone may have died, in part, due to a cyberattack on a hospital. You can get more details from this article at ZDNet, but essentially, a woman in need of emergency medical care had to be rerouted to a different hospital because the nearest hospital was in the middle of dealing with a ransomware attack. German police say that if it is found that her death was directly attributable to the delay caused by the ransomware attack, they will turn it into a murder investigation.
Cyberattacks on hospitals are not a new concept. They were making headlines last year. But, even the best planning may not prevent you from having to pay as was the case for one hospital mentioned in these article from Absolute.com and CNBC.
While ransomware attacks on any business can be problematic, the fact that they can create a life or death scenario for hospitals means serious preparation is needed to avoid a crisis. Doctors/medical providers are necessarily concerned about the care of their patients and their own reputations. While a doctor does not absolutely need medical records to be able to treat a patient, there is a great deal of risk involved trying to treat someone without knowing all the facts. There is also a risk that patients will suffer if the doctors wait until the records are available to treat. Time-sensitive health issues further complicate this for doctors. From a patient’s perspective, this causes them concern about whether they are going to get proper treatment, it also causes them stress wondering if they will be able to get timely treatment, and whether they can trust the providers and hospital with their life. All of this means more healthcare costs as hospitals and providers finds way to address the issue.
This should serve as a reminder to all businesses about the importance of cybersecurity. Have you thought about the worst-case scenario if your business gets hit? Do you have a plan in place for dealing with the inevitable cyberattack? If not, there’s no time like the present to create a cybersecurity incident response plan. A small investment now could save you big time down the road and may even save a life.
Last summer, Capital One made headlines when it came to light that a data breach it experienced affected over 106 million customers. This summer, Capital One is in the headlines again for the fine associated with that breach. In a news release issued last week (that I read about in this ZD Net article), the Office of the Comptroller of the Currency assessed an $80 million fine (payable to the U.S. Treasury) and explained that it was
“based on the bank’s failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank’s failure to correct the deficiencies in a timely manner. In taking this action, the OCC positively considered the bank’s customer notification and remediation efforts.”
In other words, Capital One didn’t have proper risk assessment processes in place before it started storing information in the Amazon Web Services cloud. Moreover, Capital One didn’t correct the deficiencies fast enough in the opinion of the OCC. This is a great reminder that agencies tasked with ensuring compliance with financial, privacy, and cybersecurity regulations are still on the job even in the midst of a pandemic.
If you are using the cloud to store customer or client information, or even your own company’s information for that matter, you want to make sure that you have taken all possible steps to secure your data and prevent you or your company from experiencing something similar to what Capital One experienced.
Earlier this year, it was reported that MGM Resorts experienced a data breach last summer that affected some 10.6 million people. Now, ZDNet is reporting that the breach was much larger than originally reported and implicated the data of over 142 million hotel guests. Hackers are trying to sell that data on the dark web. While it is not surprising that hackers are selling the data, it is surprising that is appears to include information from over 14 times the amount of affected individuals reported earlier this year.
What is particularly interesting is that while MGM Resorts claims to have notified all affected parties as required by law, a spokesperson confirmed to ZDNet that it knew about the scope of the breach earlier this year. What does that mean exactly? For one thing, it means that MGM Resorts does not appear to have corrected the reported impact earlier this year even though it publicly acknowledged the breach and knew it was larger than what was being reported. MGM Resorts’ decision about what it disclosed is a business decision for which we on the outside don’t have all the facts. While this could be beneficial for the company’s bottom line by avoiding the added publicity, it could be a disservice for the 142 million guests whose data was breached. Even if it was disclosed to each individual, it is easy for something like that to get lost in the noise of life. With news of breaches surfacing every week, what really makes the difference is when media coverage amplifies that signal so those affected can realize what may have happened.
Two takeaways from this news at this point: if your business experiences a breach, you should think about what you disclose to whom and why and when. There are disclosures that are required and disclosures that just make sense. MGM Resorts made a business decision here and only time will tell whether it was the right decision. You should watch this and see whether they it ends up being the right choice. The other takeaway is that if you have been a guest at any MGM Resorts property in the past, you should take this opportunity to make sure you check on your credit for any unusual activity and change any passwords you may have used relative to MGM Resorts.
The June 2020 issue of Nevada Lawyer includes an article entitled: Doubling Down or Folding on Privacy Concerns: How New Technology in Casinos May Require Policy Changes. Written by Sandra Douglass Morgan, a lawyer and chairwoman of the Nevada Gaming Control Board, and Steve Yeager, also a lawyer and state assemblyman, the article offers some insight to some aspects of privacy in Nevada’s casinos and why the next legislative session may need to address this topic.
You can read the article for specifics, but it gets into what kind of biometric data that casinos may be collecting on its customers, including an example of using AI to identify what kind of clothes a person is wearing to track them throughout a property if they are deemed suspicious characters worth watching. While anyone who knows anything about Vegas knows the casinos are full of eyes-in-the-sky cameras watching our every move, few of us probably give it a whole lot of thought when we head out for a night on the town. More importantly, the article identifies the issue of whether customers are getting proper notice about the incursions into what limited privacy rights they might have when entering a private casino. While the article discusses how some states have addressed the sale of biometric data with legislative action, it does not clearly suggest what the Nevada Legislature should do, if anything, with regard to this topic. However, given that these two particular authors broached the topic, you should expect to see more on this toward the end of year as Nevada prepares for the 2021 legislative session.
Early in 2019, I wrote about a massive data breach called Collection 1 and why it meant you needed to change your password, again. That breach included over 2.6 billion usernames and passwords according to Troy Hunt. Basically, anyone with access to the collection could use it for credential stuffing attacks where they use combinations of the usernames and passwords to try and force their way into various accounts. If your username or password was anywhere in that collection, it was safe to assume you could be compromised and needed to update your passwords.
Yesterday, as reported by ZDNet, it was announced that Europol arrested 5 hackers from the Infinity Black group behind Collection 1 and other collections of hacked data. While there is not a great deal of information about everything they did yet, it appears they would use credentials to gain access to loyalty accounts and sell those to other criminal gangs.
While this news does not undo the damage they caused, it is nice to see law enforcement at work trying to protect you on the web. You can help them out by making sure you are smart about how you use and store your online credentials.