California Attorney General Releases Data Breach Report with Recommendations for Retailers and the Health Care Sector

By Jennifer Daniels


On October 28, 2014, the California Attorney General (“AG”) released its second annual report detailing the security breaches reported to the AG’s office in 2013, and provided recommendations to both the industry and lawmakers to reduce security breaches and the harm caused by them. The AG called out the payment card industry, retailers, and the healthcare industry to make specific improvements.  Here is an outline of the recommendations made in the report:

  • Retailers should:
    • Update point of sale terminals so that they are chip-enabled, and install software necessary to operate this technology: The United States has been slow to adopt chip technology for payment cards.  When the United Kingdom adopted the technology, counterfeit card fraud losses reportedly fell by 34%. The technology reduces fraud tied to face-to-face transactions, which still account for the vast majority of payment card transactions. Retailers will play a significant role in the implementation of chip technology in the U.S., but the incentive is there—not only due to the massive retailer breaches in 2014, but also because, in 2015, the payment card networks will shift liability to retailers for counterfeit fraud resulting from transactions involving a chip card used at a terminal that is not chip-enabled.
    • Implement encryption solutions to devalue payment card data that falls into unauthorized hands: Encryption technology will help to reduce fraud not only in face-to-face transactions, but also in online and mobile transactions. Data should be encrypted by retailers from the point of capture until the completion of transaction authorization. So long as the decryption key is not stolen, the value of stolen encrypted card data is reduced because the data is not readable.
    • Implement tokenization solutions to devalue payment card data that falls into unauthorized hands: Tokenization differs from encryption because, with tokenization, payment card data is replaced with a random number (the “token”) rather than using a mathematically reversible algorithm. Tokenization is effective in securing online and mobile transactions because the data captured by a hacker is not usable. In addition, it limits the amount of cardholder data that is stored in the retailers’ payment environment, which also makes PCI compliance simpler for the retailers.
    • Respond promptly to data breaches and notify affected individuals in the most expedient time possible, without unreasonable delay: The report points to notification delays by companies that sometimes last months.
    • Improve substitute notices regarding payment card breaches: The AG explains that retailers often must use a substitute notice method because retailers do not have access to the home addresses of their customers. The AG recommends that substitute notices be made more conspicuous on retailer websites, and that notices remain available for at least 30 days. Retailers should also update the notice as more information is known about the incident. Also, the notice should tell individuals how to protect themselves, and the advice should differ based on the type of data involved. For example, credit monitoring is very useful for breaches involving SSNs, but the AG indicates that the best response to a breach involving a debit card number is to cancel the card immediately.
  • Retailers and financial institutions should:
    • Work together to protect debit card holders in retailer breaches of unencrypted payment card data: The AG explains in the report that the impact to victims of debit card fraud is particularly severe, and that credit monitoring and online account monitoring are not sufficient protection to the consumer. Rather, the best action is to promptly cancel the card. The AG acknowledges that this course of action may result in additional burdens on the issuing banks, but the AG encourages those involved in the payment card industry to work together to resolve that issue.
  • The healthcare sector should:
    • Consistently use strong encryption to protect medical information on laptops and on other portable devices, and should consider the same for desktop computers: The AG report calls out the healthcare industry for frequently being the victim of lost and stolen mobile devices (including laptops) that contain unencrypted sensitive healthcare information. There are technologies to prevent these breaches, in particular full disk strong encryption. The AG strongly encourages those in the healthcare industry to employ encryption technologies to prevent future breaches.
  • All industries should:
    • Conduct risk assessments at least annually: Organizations handling sensitive personal information should annually review and update their privacy and security practices and policies. Technologies and business practices evolve rapidly, and the industry must respond to the changes. In particular, the AG recommends annual training of employees and service providers who handle sensitive information.
    • Use strong encryption to protect personal information in transit: Many breaches can be prevented by the use of strong encryption of data sent by email, stored on laptops, or stored on portable media.
  • California legislature should:
    • Consider legislation to amend breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers, and require a final breach report to the AG: The AG notes that in responding to breaches, data owners and their vendors have different responsibilities under state breach notice laws. However, their roles are not very clear under those laws. Accordingly, the AG recommends legislation to clarify which entity is responsible for what action in the event that a breach involves both a data owner and its vendor.
    • Consider legislation to provide funding to support system upgrades for small California retailers.

Verizon’s Data Breach Report Reveals The Nine Most Pressing Corporate Security Threats

By Jeffrey Rosenthal

As April comes to a close, it’s time once again for Verizon Enterprise Solutions’ Data Breach Investigations Report to remind us just how important data security is to the corporate world.

Released Wednesday, the report, now in its tenth year, concluded that hackers and cybercriminals have gotten faster at breaching corporate website defenses than companies’ ability to detect attacks—meaning many attacks were already complete before victims could even respond.

Verizon, which received contributions from 50 organizations worldwide, recorded nearly 63,500 “security incidents”—i.e., any attempt to attack a corporate computer system, successful or not—as well as 1,300 confirmed data breaches.  According to Verizon, nine out of ten security incidents in 2013 fell within nine basic categories, as discussed below:

1. Point-Of-Sale Intrusions.

Despite the widespread publicity of the recent Target Corp. breach (resulting in hackers gaining access to the credit card numbers of around 40 million customers), the occurrence of point-of-sale intrusions has actually been trending downward over the last several years, Verizon claims.  But retailers and hotel companies in particular still need to be concerned about this kind of intrusion, as even a single attack can be devastating.

2. Web App Attacks.

Described as the “proverbial punching bag of the Internet,” web application attacks are by far the most common type of breach.  They are accomplished by phishing techniques, installing malware, and correctly guessing security questions, and Verizon insists that better protection for Internet-facing applications starts with stronger passwords and two-factor authentication.

3. Insider And Privilege Misuse.

Common examples of insider misuse include employees using forbidden devices/services to send intellectual property to personal accounts, or sending messages while posing as another employee to get that person fired.  Verizon observed that while many of the people committing these crimes are payment chain personnel and end users, C-suite managers were more to blame in prior years.

4. Physical Theft And Loss.

Corporate assets (phones, laptops etc.) are stolen from offices more often than from homes or vehicles.  The primary cause is simple carelessness.  To counter, Verizon suggests companies back up data, encrypt devices and encourage employees to closely guard devices.

5. Miscellaneous Errors.

Sending an email with sensitive information to the wrong recipient is the most common example of unintentional data disclosure.  Other examples include accidentally posting non-public information to a company’s web server, or mailing documents to the wrong physical address.  While some human error is unavoidable, Verizon says data loss prevention software and tighter processes around postings can reduce occurrences.

6. Crimeware.

Crimeware consists of any illicit activity that does not fall under espionage or point-of-sale.  Most crimeware occurs when users download malicious files.  But it can also happen via “drive-by infections,” whereby a virus is downloaded when a user unknowingly clicks a deceptive pop-up window.  Corporations’ best defense against crimeware is to maintain the most up-to-date browsers and software.

7. Payment Card Skimmers.

This type of attack is mainly directed at ATMs and gas pumps.  Because it requires a skimming device be physically added to a machine, it’s considered a relatively crude manner of intrusion.  According to Verizon, the most-recent development is that, rather than retrieve the skimming device itself, criminals can remotely collect data via wireless means, like Bluetooth.  Although modern ATMs are mostly tamper-free, this is still a concern in certain parts of the world.

8. Denial-Of-Service.

Commonly referred to as DDoS attacks, these threats include attacks aimed at compromising network and system availability to shut down corporate, consumer-facing websites.  Primarily directed at the financial, retail and public sectors, potential motives include extortion, protest, or simple amusement.

9. Cyber-Espionage.

Unauthorized network/system access associated with state-affiliated actors tripled from last year.  Espionage also had the widest variety of “threat actions”—meaning once intruders gain access, they are engaging in multiple types of illegal activities.  About 21% of reported incidents originated from Eastern Europe.

While, at first glance, the increasing volume of cyber attacks may seem disheartening, there is a silver lining here.  Because most attacks tend to follow one of the above nine patterns, companies stand a better chance of resisting intrusions if they take steps to combat the type of attack most common to their industry.  Recognizing your company’s greatest vulnerability and prioritizing the most likely type of cyber attack can mean the difference between preventing the intrusion altogether and becoming the next Target.

Once again: a little knowledge can be a powerful tool when defending against mounting cyber attacks.

A copy of Verizon’s complete 2014 Data Breach Investigations Report is available here, with the Executive Summary available here.

Kentucky Finally Jumps on the Breach Notice Bandwagon, and Adds a Cloud Computing Twist

By Jennifer Daniels

Security Breach Notice

Until last week, Kentucky was one of only four states that had not enacted a security breach notice law. On April 10, 2014, Kentucky adopted HB 232, a law that is pretty standard as it relates to security breach notice obligations. It applies to companies doing business in Kentucky, but includes an exception for information holders that have separate security breach notice obligations under Gramm-Leach-Bliley or HIPAA.  “Personally identifiable information” includes first name or initial and last name, in combination with social security number, driver’s license number, or account number, credit or debit card number, in combination with any required access code. So, Kentucky has not gone so far as to include health information or generic password information as personal information.

Under the statute, notice is triggered by an unauthorized acquisition of unencrypted and un-redacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained in a database regarding multiple individuals that actually causes “or leads the information holder to reasonably believe has caused or will cause” identity theft or fraud against any resident of Kentucky.  So, as with many other state security breach notice laws, businesses suffering a security incident will need to contemplate whether it is reasonable to believe that the incident could lead to identity theft or fraud. Keep in mind, when evaluating a security incident and whether to notify individuals, that if your business determines that the incident will not likely result in identity theft or fraud, it is important to document your decision-making process.  Under the new law, Kentucky does not require notice of a breach within a specified timeframe, but rather requires notice in the most expedient time possible and without unreasonable delay.

Cloud Computing of Student Data

At the end of 2013, Fordham Law School published a study finding that the contracts that schools enter into with service providers are weak in terms of privacy protections for student information shared with such service providers. According to the study, many schools do not contractually prohibit their vendors from selling or using personal information about students for marketing purposes. Schools have begun to use more and more digital learning programs, and without prohibitions on the nonacademic use of the information collected through such programs, there is a concern that such information may be made available to colleges or future employers without the knowledge or consent of the student or the parents.

To address the concerns around the data-mining of student information, Kentucky has now made it illegal for a cloud services provider to process K-12 student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing service, unless the parent consents to such processing. Kentucky HB 252 provides: “A cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose.” The statute defines “student data” as “any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.” The term includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student. Accordingly, the definition is very broad. It is not clear whether a cloud provider would run afoul of the Kentucky statute if it analyzed aggregate, de-identified information for use for marketing purposes, in particular because the act of creating aggregate data is a form of processing. In addition, the definition of a “cloud computing service provider” under the statute is broad, including any person that operates a service that provides an educational institution with account-based access to online computing resources.

Cloud service providers must certify to Kentucky K-12 educational institutions that they will comply with the provisions of HB 252.

Breach by Dermatology Practice Results in Fine and Corrective Action Plan with HHS

By Jennifer Daniels

A dermatology practice called Adult & Pediatric Dermatology, P.C. (“Covered Entity”) reported a security breach as required by the Health Insurance Portability and Accountability Act (“HIPAA”) to the Department of Health and Human Services (“HHS”) on October 7, 2011.  The Covered Entity reported that an unencrypted thumb drive was stolen from the vehicle of a member of its workforce, and that the drive contained the protected health information (“PHI”) of approximately 2,200 individuals.  The thumb drive was never recovered.  The Covered Entity notified the impacted patients of the theft as required by applicable law, and provided notice to HHS in accordance with the breach notification rules under HIPAA / HITECH.

As is often the case, HHS decided to investigate the Covered Entity following notice of the security breach.  The HHS investigation revealed:

  • The Covered Entity did not conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security process until October 2012.
  • The Covered Entity did not fully comply with the requirements of the HIPAA breach notification rules because it did not have written policies and procedures regarding its breach notification process, nor did it train members of its workforce regarding the breach notice requirements until February 2012.
  • On September 14, 2011, the Covered Entity impermissibly disclosed the PHI of 2,200 individuals by permitting an unauthorized individual access to the PHI for a purpose not permitted by the Privacy Rule when it did not reasonably safeguard an unencrypted thumb drive that was stolen from the unattended vehicle of one of its workforce members.

The Covered Entity agreed to pay HHS $150,000 to resolve the investigation, and agreed to enter into and comply with a Corrective Action Plan.

Sometimes, the fine is not as significant as the ongoing cost of the corrective actions required by the regulators.  Here, the agreed-upon Corrective Action Plan gives the Covered Entity one year to conduct a comprehensive risk analysis of its security risks and vulnerabilities that incorporates all of the Covered Entity’s electronic media and systems, and to develop a risk management plan to address and mitigate the risks and vulnerabilities identified.  The risk analysis, risk management plan, and any revised policies and procedures must be forwarded to the HHS Office of Civil Rights (“OCR”) for review and approval within 60 days of the date completed by the Covered Entity.  OCR will review the submission and may require revisions.  Upon approval by OCR, the Covered Entity must train its workforce on the revised policies and procedures within 30 calendar days.  During the time period covered by the Corrective Action Plan, if any workforce member fails to comply with the policies and procedures, the Covered Entity must investigate and report such noncompliance to OCR, including any actions taken by the Covered Entity to mitigate the resulting harm and to prevent recurrence.

Ultimately, the Covered Entity must provide OCR with an Implementation Report describing how the Covered Entity implemented its security management process, and an attestation from an officer of the Covered Entity that any revisions required by OCR were fully implemented and its workforce members were completely trained.  An uncured breach of the Corrective Action Plan can lead to the imposition of Civil Monetary Penalties.