Category Archives: Compliance

New EU Privacy Law Could Bankrupt Your Company

The European Union has passed a new privacy law called the General Data Protection Regulation and it goes into effect in May of 2018.

For companies that do not do business or have customers in Europe, this regulation may not affect you.  However, if you have customers in Europe, even if you do not have offices in Europe, you are still bound by the regulation.

There are a number of things about the regulation that are very different than the way U.S. companies treat your data and mine.

What is unclear is whether multi-national companies will operate differently in different countries.

For example, under GDPR, a company has to get express permission to collect, store, use and transfer data that it has about you.  Will Facebook, for example, have a different user agreement for customers in Europe than in the United States?  This is still unclear, but given their appetite for stealing our data, it would not surprise me if they did treat the two groups of users differently.

On the other hand, for smaller companies who do not make a lot of money from your data, it may be easier to treat everyone uniformly.

Other requirements of the regulation include –

  • Companies must report breaches within 72 hours of becoming aware of them.  In the U.S., things are much looser.  You must report breaches sorta, kinda, reasonably quickly.  In many states what that means is undefined.  In other states it might be 30 to 90 days.  It is not 72 hours in any state for a general business.  Effective January 1, 2018, defense contractors will have to report breaches to the DoD within 72 hours, and financial institutions in New York will have the same reporting requirement, with a bunch of exceptions, but those two groups represent a tiny percentage of the total population of businesses.
  • The definition of personal data is far broader than any definition in the U.S.  For example, the Internet address (IP address) you are using is considered personal data.  So is your genetic data.
  • Probably the biggest change is the potential fines.  The EU could fine a company up to 20 million Euros or 4 percent of their annual global revenue, WHICHEVER IS GREATER.  For a large company, that could be billions of dollars.  For a small company, the fine alone could bankrupt the company.

In addition, there are a number of other conditions that the law requires.

There are plenty of businesses in the United States that have European customers and many of them will be totally unprepared for the changes that come about in less than a year.

Obviously, the place for all businesses to start is to inventory what data the company collects, where it is stored, what it is used for, how long it is kept and who it is shared with.  That, by itself, is a huge challenge for most businesses.  This does not just apply to “corporate”.  If some department collects data and doesn’t have the proper consent, the company could be fined.  If that department shares the data with a third party and that was not disclosed, again the company could be fined.

This would include data that is stored on laptops, in the cloud and on home PCs.  Most companies will not be able to figure that part out.

If you share data with a third party – a vendor or supplier, for example – you have to be able to prove that they are following the rules as well.

For British citizens, even though Great Britain is leaving the E.U., the government says that they are going to implement the same law.

For businesses that are subject to this law and who have not already started planning for this, there is not a lot of time to get caught up.  There is a lot of work to be done.

Information for this post came from the BBC.

More Healthcare Breaches, Record Fines and Other Issues

Another day, another healthcare ransomware attack.  Erie County Medical Center and Terrace View Long Term Care in Buffalo, New York have been dealing with a ransomware attack for about 10 days now.  On April 9th, a Sunday, the computers got hit by what they are only calling a virus, but according to someone I talked to today, it is, in fact, a ransomware attack.  They have not paid the ransom and do not intend to, but from April 9th to the 15th, all systems were down.  They hoped to have the patient data part of their systems operational by the 15th, at which point they would need to start entering the backlog of patient data and any data that was lost.

According to local media, the email system is also supposed to be up by that time.

After that is complete, they planned on working to restore systems such as payroll.

According to the person I talked to this morning, as of today, they are still working on recovering.

I am sure that they will complete a lessons learned exercise once people get some sleep, but from the outside, a couple of questions are obvious.  Their disaster recovery plan seems to be lacking if they are still recovering 10 days later.  We don’t know if their business continuity plan is sufficient.  They didn’t have to close the hospital, which is good, but what is the impact on patient care and staff workload?  Finally, how did this ransomware spread so widely in the organization that it is taking them more than 10 days to recover?

As a side note, the Beazley cyber insurance company says that ransomware attacks that were reported to them quadrupled in 2016 and they expect that to double again in 2017.  Half of the attacks were in healthcare.

The FDA is now shifting its focus to medical devices, like the ones from St. Jude over which the FDA slammed the firm last month.

As if that wasn’t enough to worry about, the Health and Human Services Office for Civil Rights levied more fines in 2016 than in any other year against organizations that were breached.  They announced 12 settlements averaging $2 million in 2016 and three more in the first two months of 2017, PLUS a fourth case that had a fine of $3.2 million.

Some of these cases required the appointment of an external monitor or babysitter, indicating that OCR didn’t trust those organizations to fix the problems without oversight.

This handful of cases, while significant, represents a fractional percentage of the roughly 17,000 cases a year that are filed with OCR.

In addition, OCR is finishing up a series of desk audits of covered entities and is about to start on auditing business associates.

While it is unclear what will happen under the Trump administration, OCR is funded mainly by the fines they levy, so it may well be the case that things run as they have for the last few years.  Stay tuned.

Putting all of this together should be a red flag to anyone in healthcare that they need to get very serious about cyber security.  It is not likely to get any better or easier any time soon.

Information for this post came from Disruptive Views and hrdailyadvisor.

The General Counsel’s Job Just Got Harder

After Yahoo announced its mega breaches and its General Counsel was fired, this article is not much of a surprise.

John Reed Stark, head of his own consulting firm, formerly Chief of the SEC’s Office of Internet Enforcement and a former law professor at Georgetown Law, and David Fontaine, CEO of the billion dollar risk mitigation firm Kroll, Yale Law graduate and partner at the law firm of Miller, Cassidy, Larroca and Lewin, wrote a great piece recently.

The basic premise is that the General Counsel is going to be the fall guy when there is a breach, so he or she might want to get ahead of that freight train and plan for dealing with it, like any other risk such as financial reporting, sexual harassment and insider trading.

I highly recommend that CEOs, CFOs and Board Members read the entire article because a summation is not going to do it justice, but they bring up three key points. First a little background.

If, after reading the article, you are more confused than when you started, please contact me.

From the Yahoo Board after action report:

Based on its investigation, the Independent Committee concluded that the Company’s information security team had contemporaneous knowledge of the 2014 compromise of user accounts, as well as incidents by the same attacker involving cookie forging in 2015 and 2016. In late 2014, senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool. The Company took certain remedial actions, notifying 26 specifically targeted users and consulting with law enforcement. While significant additional security measures were implemented in response to those incidents, it appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company’s information security team. …

Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it. As a result, the 2014 Security Incident was not properly investigated and analyzed at the time, and the Company was not adequately advised with respect to the legal and business risks associated with the 2014 Security Incident.

Here are the three recommendations:

#1 – The GC has emerged as the most logical and effective quarterback of data breach response.

We agree with this completely, with a few caveats.  Most GCs are not cyber security gurus.  The GC needs to bring in both internal and external cyber security experts in order to make the right decisions about the risk.  While Fortune 500 firms have access to great cyber security teams, sometimes it is hard to be a prophet in your own land and outside expertise may be helpful.

In addition, based on precedent, to get the maximum benefit of attorney-client privilege, engaging outside counsel may be mandatory.

#2 – Yahoo’s actions not only signal the evolution of a new standard of care for GCs when it comes to cybersecurity but also signal a vast expansion of GC oversight.

The article goes into great detail of what the GC should ensure is being done proactively.

Our takeaway is this.  It is only a matter of time before the lawsuits are successful and the cost to companies of inaction becomes dramatically more than the cost of action.  One strategy is to hide behind a boulder and hope the avalanche misses you, but based on experience here in Colorado, the avalanche usually wins.

Be prepared or be buried by the breach avalanche.

#3 – Cybersecurity presents every bit, if not more risk than financial reporting failure, and should receive the same level of oversight and audit.

I could not say this better myself and in fact, have been saying just this for years.

Cyber, for most companies, whether private or public, is a much more likely risk than financial reporting failure and one that the public understands much better.  If Target made errors in its financial reporting, most consumers would just shrug and move on.  Compromise 50 million consumer credit cards and it takes years for Target to recover its reputation.

Information for this post came from LinkedIn.

Banks and Consumers Differ on How Secure Their Data Is

According to a study by the mega-consulting firm Capgemini, only 21% of banking and insurance executives were highly confident in their ability to detect a breach, never mind defend against one.  On the other hand, 83% of consumers trust their banks’ and insurance companies’ ability to protect their data.  So 4 out of 5 consumers think their bank has security handled, but only 1 out of 5 banking executives think so.

One out of four banks say that they have been hacked but only 3 percent of consumers think their bank has been hacked.  That is a pretty big gap.

In Europe, the general data protection regulation (GDPR) goes into effect next year.  At that point, banks will have 72 hours to disclose any breach.  That might change perception dramatically.

Almost half of consumers won’t use the online services that banks and insurance companies offer due to security fears.

Almost three-quarters of consumers would switch banks in the event of a data breach.

While reality might differ from how these people answered the survey, the fact that 47% of consumers say they won’t use low cost (to the banks and insurance companies) online services and 74% of them say they would switch providers if there was a breach should be a concern to service providers.

At least in Europe, service providers will soon have a lot less leeway to sweep breaches under the rug.  That means that they might want to consider “upping” their ability to both detect and defend from cyber attacks.

For U.S. entities, while they may not have the same “force of law” that GDPR will provide, at least some hackers seem to enjoy “outing” companies that they have breached.  Sometimes that is preceded by attempting to extort money from the companies that they have breached, but sometimes the hackers are on a mission and just want to hurt the companies – that is the motivation for the hack in the first place.

U.S. entities that think that the soon to be in force GDPR regulations won’t affect them may be wrong.  According to the regulation, any bank (or other business) worldwide that does business in the E.U. falls under this regulation.  That means that a U.S. based bank, for example, that has a branch in Munich or Paris, would need to disclose any breach within 72 hours.

At least for multinationals, the bar regarding cyber security is going to be raised next year.  A lot!

Under GDPR, the worst case maximum fine a company could face is 4% of their annual global turnover (AKA global revenue) or 20,000,000 Euros, WHICHEVER IS GREATER.  That should be a strong incentive for anyone who falls under the rule of GDPR.  Let’s say that the authorities want to be nice and only fine a company 1% of their global revenue (remember this is revenue, not profit) or maybe 1,000,000 Euros.  Sounds like a bargain, huh?

Given that most institutions have a long way to go to truly secure their enterprises, now would be a jolly good time to start that project.  May 2018, when GDPR goes into effect, is only 15 months away.

Information for this post came from Info Security Magazine.

Trump Senior Staff Using Same Hackable Private Email as Hillary

I generally stay away from politics in this blog, but this item is an interesting intersection of security and politics. And, it is pretty unique.  Most non-public sector businesses don’t have to worry about this.  While they may or may not let employees use their business email for personal reasons, there are no laws or regulations governing that.  Which makes this situation unique.  And very interesting. Sooooo…..

Politicians are an interesting breed.

After Trump spent months on the campaign trail saying that Hillary Clinton was a criminal for using a private email server, that she risked state secrets and that she should be locked up, Newsweek is reporting that Kellyanne Conway, Jared Kushner, Sean Spicer and Steve Bannon have active email accounts on the private RNC email server.

This is the same email system that George W. Bush used and on which he misplaced 22 million emails.  You may remember that Trump also complained about some 30,000 emails on Hillary’s private email server that were deleted.

Politicians can talk out of one side of their mouth to complain about what an opponent does and then do it themselves.

Now that it has come to light, the staffers are no longer using those accounts.

But, just like Trump complained about Hillary, we have no idea what the senior Trump staff may have used that server for.

We do believe that Bush used that very same server to evade transparency rules.

We have not yet heard from the White House that, while they may no longer be using the RNC email server, they are not using any other private email servers.

These are the same kind of servers that Trump complained on the campaign trail were not secure.  And, at least until yesterday, they, themselves, were using them.

Of course we have no idea what they used those email accounts for – or didn’t.  The law does NOT prohibit them from using private email accounts for non-government business.  It does require them to forward any government business email that is received on a private account to the government within 20 days.

A former Obama White House official said that they were trained on the issue of using private emails from day 1 and a former Obama administration lawyer said that they did an enormous amount of training on compliance.

That being said, we likely will never know what is on these servers – those accounts were likely wiped within an inch of their life.

Part of the problem is that some White House staff work part time or in an unpaid capacity for the RNC.  As soon as that happens, mischief is almost certain to follow.

Since FBI Director Comey said that Hillary Clinton’s use of a personal email server was “extremely careless”, I assume he will come out as publicly and as vocally about the Trump team’s use of similar servers.

The RNC said that those email accounts were only used for email distribution lists.  Who knows.  That is certainly possible.  Or not.

Stay tuned.

We definitely live in interesting times.

Information for this post came from Newsweek.

Symantec Issues More Unvalidated SSL Certificates

Symantec, who is already on probation for issuing inappropriate SSL certificates, issued more than a hundred additional “illegit” certificates.

SSL certificates – more technically TLS certificates – are the bits of technology required to make those “secure” web sites work.

Certificates are issued by certificate authorities (CAs) – organizations who have supposedly set up processes and controls to only issue certificates to, for example, the real owners of web sites, among many other rules.

There is a CA oversight board that actually has the authority to shut down CAs who do not follow the rules, but that almost never happens because it would put those companies out of business.

In this most recent case, Symantec was found to have issued at least 108 bogus certificates.  9 of the certificates were issued without the knowledge of the web site owner; the rest were issued without proper validation.

Some of these bogus certificates were revoked quickly, but some were not.

Even after the certificates are revoked, there are many situations where the bogus certificates might still work in a browser.

This is the reason that there are many rules for CAs to follow.  Only, they don’t always do that.  It is highly unlikely that anything will happen to Symantec as a result of this second bogus certificate issue.  Last year, Symantec issued bogus certificates for Google, among other sites.  Those certificates would allow a hacker, for example, to create a fake Gmail site and attract visitors to it.  Anyone who visited the fake site and logged in would have his or her Gmail credentials compromised and give the attacker the ability to read all of his or her mail.

The Symantec owned CAs in question are Symantec Trust Network, GeoTrust and Thawte.

After Symantec’s mistake last year, Google required Symantec to log all certificates it issues in a “transparency log” – just so that researchers can check on them.  Whether all of the bogus certificates were caught or not is probably subject to debate.  Google and the other major browser vendors that run the CA oversight board can dictate to the CAs what they have to do because the browsers have to accept the CA’s master key.  If Google or another browser vendor were to stop accepting Symantec’s master key – as they have done for the Chinese CA WoSign – then all of the certificates that it issues will generate an error message when a user tries to initiate an HTTPS session using that browser.

Given that Symantec issues so many certificates, it could fall into the “too big to fail” category, making it hard for the CA oversight board (technically the CA/Browser Forum) to shut them down.

My suggestion is to use a different CA – there are lots of them.  Sending a message with your checkbook is always a prudent practice.

Information for this post came from Ars Technica.
