Security Posts (57)
The use of third parties is nothing new — companies have worked with suppliers, outsourcers, licensees, agents, and the like for years. What has changed, however, is the frequency and scale of third-party use and the regulatory focus on how organizations are managing third parties to address the inherent risks.
Kristian Park, partner and leader of the Contract Risk and Compliance practice of Deloitte LLP in the United Kingdom, discusses the escalation in third-party risk and the ways organizations should be mitigating it — but often aren’t.
Q: Why is third-party risk escalating?
A: A few factors are in play. First, volume. During the recession, we saw many organizations push more of their business out to third parties in an effort to reduce internal costs across the extended enterprise. Higher volume, of course, can mean higher risk. Second: scrutiny. Regulators have become more focused on how companies are managing outsourcing and third-party risk in general, and the fines for violations have reached hundreds of millions of dollars. With those fines has come a third escalating factor: reputational impact. When millions of consumers are personally affected by a third-party system failure or security breach, or when a well-known company is heavily fined or repeatedly called out with regulatory MRAs (matters requiring attention), the reputation of the involved organizations can suffer. The free-flowing nature of information also plays a role here: decades ago, a disruption in a local country would likely have stayed local; today it can quickly become a global issue. As a result of the escalating risk — and the escalating fallout when risk becomes reality — boards are paying more attention and asking more questions. The fact that in most cases, even in leading global organizations, it’s rare for someone in the organization to have an overarching view of who the company is doing business with or the risks these third parties impose on the business is a tremendous concern. Today, like never before, boards are considering third-party risk a top strategic risk. However, that hasn’t yet translated into clear accountability for third-party risk oversight, either from a single owner or a function. The Chief Procurement Officer has frequently been asked to lead this role, but that can lead to skewed emphasis on supply, rather than a broader enterprise-wide view considering alliance relationships, distribution partners, and the like.
Q: What’s been the traditional approach to managing third-party risk and where is there room for improvement?
A: Third-party risk has typically been addressed in a siloed fashion, with individuals in the organization looking at specific risks, usually within the supply chain. For example, in the banking sector, the focus might be on the IT department and the data protection issues and risks of sharing data with third parties. In the consumer products sector, the focus might be on risks to product quality and safety, with an eye to both protecting end users and safeguarding the company’s reputation. While organizations have been right to be proactive in managing risks to certain functions or aspects of the business, many haven’t pulled back from this narrow view to examine the broader business exposure — the holistic view that’s essential to understanding overall risk exposure resulting from third parties and managing it enterprise-wide. It’s interesting to see how different levels of management within the organization have differing perspectives. For example, Chief Procurement Officers will often tell me third-party risk is being managed and is under control. Managers below them will likely say they’re not 100% sure, but they know that certain risk areas are covered. Leaders above, such as others in the C-suite and the board, are usually much less optimistic and perceive third-party risk as a serious problem that’s not being properly addressed.
Q: What are leading companies doing to manage third-party risk?
A: Many companies are on a journey, and while some are further down the path toward robust third-party risk management, there are many that have not yet arrived. The first step is often the biggest stumbling block — getting visibility into who the company is doing business with. Once companies have some visibility, they start to think about how to manage the risk associated with these third parties they’ve identified, concentrating their efforts on those that pose the highest risk. It’s more of a proportional response rather than a holistic one. A thorough approach typically includes a framework and defined process for assessing third-party risk, such as a questionnaire that goes out to third parties and a means to score potential risks based on their responses. There would be strong governance in place to define next steps once a risk is identified, including guidance not only for remediating it but also deciding if it should be accepted and how to properly manage it if it is. There would be clear ownership of third-party risk, and people in the organization with a risk management background. We see organizations who have taken many of these steps, but what typically holds them back from fully implementing them enterprise-wide are technology limitations. As a result, we see even very large global companies trying to manage this with spreadsheets. It’s not that the technology solutions don’t exist; it’s the effort and cost required to deploy them that’s holding many companies back.
In 2014, it became official: There now are more active mobile devices in the world than people, according to data compiled by GSMA Intelligence and the U.S. Census Bureau.
The rise in mobile devices is not confined to personal use; mobile devices increasingly play an integral role in many business operations. We rely on mobile devices to communicate with clients, frequently using them to exchange sensitive data. Health care professionals use mobile technology when interacting with and treating patients. Countless workplaces expect employees to be available on-demand via mobile devices. Mobile devices transmit, receive and store a treasure trove of valuable data, which, if compromised, can be used by bad actors to steal identities, access bank accounts, file false tax returns, misappropriate trade secrets and more. Safeguarding this sensitive data is important to all businesses, both to ensure client confidence and to comply with a complex patchwork of legal obligations. Therefore, businesses, including law firms and attorneys, must be cognizant of the risks involved in using mobile devices and vigilant about following best practices for mobile data security.
Mobile Data Security Risks
Mobile devices, and by extension the data stored on and transmitted by them, are uniquely vulnerable. First, by their very nature, mobile devices are more easily lost or stolen than desktop computers. Second, because they rely on wireless connections, often networks the business does not control, data transmitted by mobile devices is more vulnerable to undetected interception while in transit.
Thefts of mobile devices are on the rise. According to Federal Communications Commission Commissioner Jessica Rosenworcel, one in three robberies includes the theft of a mobile device. Moreover, it is all too easy to lose a mobile device, especially if an employee uses one device for both business and personal use, carrying it virtually everywhere he or she goes. If a mobile device is lost and not properly secured, it is relatively easy for bad actors to gain access to the device and the data stored on it, including emails and their attachments. Depending on whether employees store sensitive information like passwords and access information for other services or sites in their email folders, a thief can find a gold mine of data from just one device.
Additionally, scams to intercept wireless data transmissions are all too common. In one classic scheme—far from the only one—a bad actor will set up a free public WiFi hotspot, give it an appealing name, and simply pull down all the data that unsuspecting users transmit across it. If that data is unencrypted and includes sensitive information, the trick has been a success.
The Legal Landscape
Persons and entities that handle or store sensitive data, especially data containing clients’ financial, health or other identifying information, are subject to an ever-evolving patchwork of state and federal regulation regarding protecting this data. For example, many states, including Pennsylvania, require these entities to inform customers in the event of a breach. Pennsylvania’s Breach of Personal Information Notification Act imposes notification obligations on “any entity that maintains, stores or manages computerized data that includes personal information” in the case of a data breach. Generally, if the personal information was unencrypted, the entity must notify customers if their personal information “was or is reasonably believed to have been accessed and acquired by an unauthorized person.” However, if the data was encrypted, then notification is required only if the data was accessed in unencrypted form or if the breach involved the encryption’s security.
Currently there is no general federal data breach notification law, although several recently have been proposed. However, the Health Insurance Portability and Accountability Act of 1996 imposes a notification requirement when unsecured protected health information, like individually identifiable health information, “has been, or is reasonably believed ... to have been, accessed, acquired or disclosed.” This obligation is imposed not only on health care providers and insurers, but also on their business associates that receive, handle or use protected health information.
Other federal laws also address data security and the protection of personal information. For example, the Federal Trade Commission uses its broad consumer-protection authority to protect consumer privacy and personal data from improper disclosure. The FTC enforces the Gramm-Leach-Bliley Act, which protects nonpublic personal information from unauthorized disclosure by financial institutions. Financial institutions also must comply with the FTC’s red flags rule, which obligates them to undertake periodic risk assessments to determine whether they are required to implement a written identity-theft prevention program. Finally, the FTC also brings enforcement actions against individuals and entities that have misused or improperly disclosed consumer data, or failed to take “reasonable” precautions to protect it. According to reported enforcement actions, violators frequently are required to revise or implement comprehensive privacy and data security programs, delete illegally obtained consumer information, and notify consumers whose data has been improperly disclosed.
Best Practices to Safeguard
This combination of factors—countless devices storing and transmitting vast and valuable data, vulnerability to infiltration, and a mosaic of regulation—makes mobile device security a crucial area for any business. To protect data stored on mobile devices, consider implementing the following recommendations:
- Encrypt mobile devices.
Device encryption (storage encryption of the device’s own flash memory) is available on almost all current smartphones and tablets and, once the device is locked, keeps stored data unreadable even if the storage chips are removed and read directly. A SIM PIN protects only the SIM card and the carrier account, not the data stored on the device. Encryption is stronger than a lock screen alone because a lock screen can sometimes be bypassed with specialized software, whereas encrypted data remains unreadable without the key. That key is derived from the user’s passcode, however, so a trivial passcode weakens the encryption.
- Strong passwords still are important.
Require mobile devices to be password-protected, and consider requiring alphanumeric passcodes or passcodes longer than four characters. On an encrypted device the passcode is what protects the encryption key, so a four-digit PIN can be tried exhaustively by a thief who has the device in hand. Discourage employees from using easy-to-guess passwords, and where the platform offers it, enable lockout or automatic wipe after repeated failed unlock attempts.
- Have a plan for lost devices.
Install software capable of remotely wiping data from the mobile device if it has been lost or stolen. Also train employees to notify information technology staff immediately in the event of a loss.
- Separate personal from work.
If employees are permitted to bring their own devices to work, ensure that business data is segregated and cannot be downloaded or locally saved onto the personal device. Readily available software can assist with this.
- Maintain control of settings.
Ensure that devices used for work, whether provided by the company or employees’ own devices, cannot install applications that can modify key security settings, and ensure that employees cannot modify security configurations without information technology authorization.
- Train employees to minimize risk of physical loss.
Train employees to be mindful of their devices’ security, including safeguarding them while traveling.
To protect data transmitted by mobile devices, consider implementing the following recommendations:
- Do not use free public WiFi.
Data sent over a wireless connection can be read by whoever operates the hotspot, and on an open (unencrypted) network by anyone within radio range. Scammers set up free hotspots with plausible names precisely to intercept data from unsuspecting users. Where public WiFi is unavoidable, route traffic through a company VPN and confirm that web and mail connections use TLS (HTTPS), so the hotspot operator sees only encrypted traffic.
- Encrypt email.
Many companies encrypt email in transit, as do major free providers like Gmail, using TLS between mail servers; note that this protects a message only while it moves between servers, not once it sits in a mailbox, and not if a receiving server does not support TLS. For emails containing sensitive financial or protected health information, use end-to-end encryption (S/MIME or PGP) or a secure file-exchange portal rather than relying on transport encryption alone. When exchanging sensitive information with business partners, determine whether, and how, they encrypt email.
- Do not text sensitive data.
SMS messages are not end-to-end encrypted: they pass through carrier systems in readable form, are stored on both handsets, and can be read by anyone who gains access to either device or to the carrier’s infrastructure.
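The two points above about device encryption and passcode length are easiest to see in working code. The following Python script is an added example, not code from the article and not any phone vendor’s implementation: it models, in simplified form, how a device derives its storage key from the user’s passcode (salt plus PBKDF2) and stores a key-check value next to the ciphertext, then plays the thief who has dumped the flash and tries every passcode offline. The iteration count, the XOR keystream cipher and the sample data are demo assumptions chosen so the script runs in about a second; real devices do far more work per guess, but the proportion between a 4-digit PIN and an 8-character alphanumeric passcode is the point.

```python
"""Added example: device encryption is only as strong as the passcode.

A thief who can read the raw storage still needs the key, and the key is
derived from the passcode. So the attack is an offline guess of the passcode,
and the passcode space (not the cipher) decides whether that takes seconds or
years. Parameters below are demo assumptions, not a real vendor's values.
"""
import hashlib
import hmac
import itertools
import os
import string

ITERATIONS = 100                      # demo value; real devices use far more
CHECK_MSG = b"key-check"              # constant the stored key-check value is computed over
DIGITS = string.digits                # alphabet of a 4-digit PIN
ALNUM = string.ascii_letters + string.digits


def derive_key(passcode: str, salt: bytes) -> bytes:
    """Passcode -> 256-bit storage key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, ITERATIONS, dklen=32)


def key_check_value(key: bytes) -> bytes:
    """Tag stored on the device so a candidate key can be verified (by the OS or a thief)."""
    return hmac.new(key, CHECK_MSG, "sha256").digest()


def keystream_encrypt(key: bytes, data: bytes) -> bytes:
    """Demo-only stream cipher: XOR with a SHA-256 counter keystream. Symmetric,
    so the same call decrypts. Stands in for AES; the lesson is in the key."""
    out = bytearray()
    for block_no, offset in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block_no.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def lock_device(passcode: str, plaintext: bytes) -> dict:
    """What a thief gets from the flash: salt, key-check value, ciphertext. No key."""
    salt = os.urandom(16)
    key = derive_key(passcode, salt)
    return {"salt": salt, "kcv": key_check_value(key), "ct": keystream_encrypt(key, plaintext)}


def brute_force(image: dict, alphabet: str, length: int, max_guesses: int = 0):
    """Offline search of every passcode of the given alphabet and length.
    Returns (passcode, guesses) on success, (None, guesses) if exhausted/capped."""
    guesses = 0
    for combo in itertools.product(alphabet, repeat=length):
        guesses += 1
        candidate = "".join(combo)
        key = derive_key(candidate, image["salt"])
        if hmac.compare_digest(key_check_value(key), image["kcv"]):
            return candidate, guesses
        if max_guesses and guesses >= max_guesses:
            break
    return None, guesses


def candidate_space(alphabet: str, length: int) -> int:
    return len(alphabet) ** length


def seconds_to_exhaust(alphabet: str, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker at a given guess rate."""
    return candidate_space(alphabet, length) / guesses_per_second


if __name__ == "__main__":
    # Constructed sample data and PIN for the demo.
    secret = b"client list: Acme Corp, contact john@example.com, DOB 1970-01-01"
    image = lock_device("7391", secret)

    pin, guesses = brute_force(image, DIGITS, 4)
    print(f"4-digit PIN recovered: {pin} after {guesses} guesses")
    recovered = keystream_encrypt(derive_key(pin, image["salt"]), image["ct"])
    print("plaintext recovered:", recovered == secret)

    rate = 1_000_000.0  # assumed guesses/second on a dumped image with a weak KDF
    print(f"4-digit PIN space: {candidate_space(DIGITS, 4):,} "
          f"({seconds_to_exhaust(DIGITS, 4, rate):.3f} s at {rate:,.0f}/s)")
    print(f"8-char alphanumeric space: {candidate_space(ALNUM, 8):,} "
          f"({seconds_to_exhaust(ALNUM, 8, rate) / 86400 / 365:.1f} years at {rate:,.0f}/s)")
```

The script recovers the 4-digit PIN and the plaintext in a fraction of a second with a toy iteration count; raising the iteration count slows both the thief and the legitimate unlock by the same factor, which is why vendors also add hardware rate limiting and wipe-after-N-failures, and why the policy lever the business actually controls is the passcode space.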
ABRAHAM J. REIN is an associate in Post & Schell’s data protection/breach and internal investigations and white-collar defense practice groups in Philadelphia. He counsels corporate enterprises and individuals on the prevention of data security breaches and compliance with related state and federal regulations, and defends them in related investigations and criminal proceedings.
CAROLYN H. KENDALL is an associate in the firm’s data protection/breach and internal investigations and white-collar defense practice groups in Philadelphia. She conducts internal investigations and defends corporations, officers and other individuals facing criminal and civil investigation, as well as counsels them on the prevention of data security breaches and compliance with related state and federal regulations.
As anyone with a Facebook account knows, many people use their accounts to broadcast personal information to their Friends.
A Basic Guide To Conducting a Threat Assessment For Your Small Business
How does the small business owner detect and prevent physical and cyber threats to the enterprise? Is it necessary, worthwhile or should anyone really care? With everything else for the shopkeeper to do, between ordering and inventorying merchandise, training employees and trying to increase sales, who has time? Won’t the police respond or protect the facility?
The bottom line is that a business must be proactive and take definitive, tried and true steps to reduce the likelihood of losses due to physical injury, theft, reputation damage and the insider threat. Your local police department is a great resource for handy and free publications on enhancing site safety and for updated intelligence. However, the fact of the matter is that an imminent threat to life and other violent or potentially violent crimes must take priority over hardening the security perimeter and environment of a private enterprise. You must take responsibility by identifying and mitigating, if not neutralizing, the most significant threats in your operating environment.
What does all this mean? Well, a comprehensive vulnerability study or analysis must address the elements of the micro threat environment primarily, while taking into consideration the larger, or macro, issues where possible. For example, your micro environment consists of those particular characteristics, conditions and hazards that are on your property, in your store or warehouse, or that affect your employees as they travel from point A to point B on official business. Consider the physical condition of your structure, remembering to:
- remove debris from interior hallways, storage facilities and keep passageways and emergency exits clear; exterior walkways and appurtenances are also your responsibility in many cases to maintain;
- ensure that there are CCTV cameras, preferably digital and retaining at least 90 days of footage, to record events both within the structure and outside;
- conduct a positive ID check on all persons seeking to make deliveries or to give a sales presentation. A common scam is for a would-be thief to pose as a vendor in order to gain entry to sensitive areas of your business. Once inside, the offender scopes out security measures, then returns later to defeat them and carry out a robbery. Ensure that vehicles entering driveways and garage space are photographed and that the license plate is readable; commercial license plate readers are available through security equipment vendors;
- keep as little cash as possible on premises. Make frequent, accompanied trips to the bank to make deposits and vary the timings of bank runs so as not to establish a detectable pattern;
- spend the time and the money to conduct a background investigation on your new hires or potential employees. Most law enforcement agencies will provide you with public records if you can identify a report or incident number. Others may run a name check to locate a report if one exists (at times, the requestor must pay a fee for records reproduction, and sensitive personal information may be redacted);
- a great source of information that should not be overlooked is the employee’s social media profile. What information does he or she put out there for all to see? If the profile contains extreme writings on animal rights and the applicant is applying for a job at SeaWorld, you may be heading for trouble. Check Facebook, Twitter, MySpace, Instagram, etc. The insider threat is a huge issue and refers to the threat to your enterprise that emanates from employees or contract employees. Although theft of merchandise or embezzlement of funds by employees without question hurts the bottom line, be mindful of the fact that if you make use of proprietary algorithms, formulas, designs or techniques, these items of intellectual property may also be at risk from disgruntled teammates and could end up in the hands of your competitors.
Don’t Forget The Big Picture:
Although the micro threats are those which require your immediate and continued, regular attention, the larger threat environment also can impact your operations, including employee safety. Engage with your local FBI office and police department. Time permitting, an agent or officer is happy to visit your establishment and brief your management and employees on major, macro issues affecting their area of responsibility, whether it be a city, county or state. These are big-picture items and may touch on terrorism, intelligence trends, homeland security in general and city or state crime statistics. Check their websites as well for publicly available safety publications with valuable tips, and attend a city council meeting when your local chief is scheduled to review the department’s performance and annual plan. It helps to educate yourself on these issues.
Although it may sound like a lot, you can take these measures in stages and delegate some of the responsibility to your trusted assistants or number two in charge. He or she can also offer you alternate points of view or draw on experience from previous jobs on what worked and what didn’t. There does not have to be a huge expenditure of funds, either.
Finally, Security Strategies Today offers a comprehensive threat and vulnerability assessment for the small business. We visit your premises, interview management, talk to employees, engage with the local police and assess your practices. Thereafter, we present you with our findings and offer a mitigation strategy, all for one low cost. Give us a call to find out more or to schedule an appointment.
The author is a former Assistant Special Agent in Charge with the Federal Bureau of Investigation and currently is employed as a security consultant.
DOJ Further Delays Release of Highly Anticipated Proposed Website Accessibility Regulations for Public Accommodations
For those who have been eagerly anticipating the release of the U.S. Department of Justice’s proposed website accessibility regulations for public accommodations under Title III of the ADA (the “Public Accommodation Website Regulations”), the wait just got even longer. The recently released Spring 2015 Unified Agenda of Federal Regulatory and Deregulatory Actions reveals that DOJ’s Public Accommodation Website Regulations are now not expected until April 2016. This delay moves back the release date nearly a year from what most had previously anticipated: this summer, in advance of July’s 25th Anniversary of the ADA. While there was no public statement explaining the delay, most insiders believe it has to do with the difficulty of appropriately quantifying the costs and benefits of complying with any promulgated regulations – a necessary step by DOJ for such a rulemaking.
Unfortunately for businesses across virtually all industries – including retail, hospitality & lodging, sports & entertainment, financial services, healthcare, and academia – places of public accommodation remain left to confront the issue of website accessibility without definitive standards adopted by the regulators. This development is particularly frustrating because despite this delay, regulators at the federal and state level, advocacy groups, and private plaintiffs continue to aggressively pursue claims alleging that inaccessible websites violate Title III of the ADA and equivalent state accessibility laws. Indeed, recent settlement agreements with DOJ have seen an increased focus on website accessibility (as well as the addition of mobile applications) and at the state level regulators are increasingly pursuing self-initiated compliance actions focused on allegations of inaccessible technology (including websites).
Despite the lack of formal regulations, companies seeking to assess the accessibility of their websites do have guidelines to look to that have obtained near-universal support. Regulatory efforts to date (e.g., this past winter’s Notice of Proposed Rulemaking to revise and update Section 508 of the Rehabilitation Act), recent settlements with DOJ and state regulators, and testimony during various stages of recent rulemaking efforts all point to the World Wide Web Consortium’s Web Content Accessibility Guidelines 2.0 (at Levels A and AA) as the appropriate measure of an accessible website. Indeed, this sentiment was expressly echoed by DOJ during a presentation last month at the National ADA Symposium in Atlanta, Georgia.
For companies looking to explore this issue, assess their risk of exposure, and take steps to minimize their susceptibility to investigations or litigations there are clear steps to take. First, websites should be audited – preferably under the protection of privilege – for compliance with WCAG 2.0 Level A and AA using both a user-based and programming-based dual approach. Automated tools, in and of themselves, are insufficient. Second, website accessibility policies – and practice and procedures to assist in their implementation – should be drafted and adopted to help manage the issue in the present and on a going forward basis. Third, the necessary parties should be trained on these policies, practices, and procedures. Finally, accessibility needs to become an integrated part of each company’s infrastructure and decision-making processes. While these concepts may seem novel in the context of accessibility, most companies have already confronted analogous issues in the context of data privacy and security issues over the past decade.
Recent Developments in FTC vs. Wyndham Underscore Importance of Cybersecurity Vigilance in the Hospitality Industry
On Friday, March 27, the parties in FTC vs. Wyndham – a key data security case with the potential to deeply impact the hospitality industry’s cybersecurity practices – filed special supplemental briefs that the Third Circuit Court of Appeals requested during oral arguments earlier in the month. A key question at issue in the case: is the industry on proper notice of the particular cybersecurity standards that the Federal Trade Commission (FTC) considers sufficient, such that corporations may be subject to FTC sanctions for non-compliance?
- At oral argument, Defendant-Appellant Wyndham Hotels and Resorts, LLC (“Wyndham”) argued strenuously that businesses have essentially no guidance as to what specific cybersecurity practices are required to avoid an enforcement action by the FTC. Wyndham argues that an FTC enforcement action under these circumstances violates constitutional notice principles.
- Plaintiff-Appellee the FTC argued, just as emphatically, that the business community is in fact on notice of the FTC’s cybersecurity requirements by virtue of the variety of complaints that the FTC has filed alleging data security failures.
- The court, in detailed questioning during argument, probed whether federal court is the proper forum for the case. Ultimately, the judges requested briefing on whether the matter warrants “detailed administrative consideration,” requiring it to be sent instead to an internal FTC proceeding.
Although the case has not yet been decided on the merits – the court is considering Wyndham’s motion to dismiss – the potential impact is extreme: this is the first time the FTC has asked a federal court to allow it to interpret its statutory authority to enjoin “unfair” business practices to extend to data security failures.
WYNDHAM'S ALLEGED DATA BREACHES AND SECURITY FAILURES
According to the FTC’s complaint, Wyndham and the Wyndham-branded hotels to which the Wyndham name is licensed – whose property management systems link to Wyndham’s corporate network – suffered three intrusions into their computer networks between April 2008 and January 2010. In each case, hackers were allegedly able to access sensitive consumer data by compromising the Wyndham data center in Phoenix, Arizona. Ultimately, the breaches allegedly led to “fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.”
The FTC’s complaint catalogs the following alleged security failures that purportedly allowed the breaches to occur and which “taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft:”
- Failure to take appropriate steps – such as employing firewalls – to limit access between and among the Wyndham corporate network, the Wyndham-branded hotels’ property management systems, and the internet;
- Allowing Wyndham-branded hotels to store credit card information in an unencrypted format;
- Not ensuring that Wyndham-branded hotels implemented adequate information security practices before connecting their networks to Wyndham’s;
- Not remedying “known security vulnerabilities,” including permitting the branded hotels to connect to Wyndham’s network with servers whose operating systems could not receive security updates;
- Allowing hotels’ servers to connect to Wyndham’s network despite the fact that the servers’ default user IDs and passwords had never been changed;
- Not doing enough to require strong user IDs and passwords;
- Not adequately inventorying computers connected to Wyndham’s network;
- Not taking “reasonable measures” to prevent unauthorized access to Wyndham’s network;
- Not following “proper incident response procedures,” including failing to monitor Wyndham’s network for malware used in a previous intrusion; and
- Not adequately restricting third-party vendors’ access to the networks by, e.g., restricting connections to specified IP addresses.
WYNDHAM'S MOTION TO DISMISS AND APPEAL
Wyndham moved to dismiss the FTC’s complaint in the District of New Jersey, arguing, among other things, that (a) the FTC’s statutory authority to take action to enjoin and remedy “unfair” commercial practices does not cover data security failures that are negligent at worst, in which the company itself was a victim of a third party’s crime; and (b) the FTC has never put companies on notice of what cybersecurity practices would be sufficient to avoid an enforcement action, raising constitutional concerns.
The district court denied the motion to dismiss, but granted Wyndham’s request to allow the denial to be immediately appealed to the Third Circuit. The district court noted pointedly that “the Court does not render a decision on liability today. . . . And this decision does not give the FTC a blank check to sustain a lawsuit against every business that has been hacked. Instead, the Court denies a motion to dismiss given the allegations in this complaint – which must be taken as true at this stage[.]” In allowing Wyndham to appeal the decision, the court pointed to the “novel, complex statutory interpretation issues” in the case, and acknowledged that those issues “give rise to a substantial ground for difference of opinion.”
THE ISSUES ARRIVE IN THE THIRD CIRCUIT
The Third Circuit briefing has been extensive and intense. Eleven days prior to arguments, after some 400 pages of merits briefing (including six friend-of-the-court or amicus briefs), the court issued a letter instructing the parties to come to argument prepared to discuss, in essence, whether the FTC must more fully address the application of its “unfairness” authority to cybersecurity issues via administrative rulemaking or internal administrative proceedings, before a federal court can pass on it at all.
The court’s question flows from a statutory provision allowing the FTC to seek a permanent injunction only in a “proper case.” The meaning of that term is ambiguous, but legislative history could be read to suggest that the provision should only be applied where the FTC “does not desire to further expand upon” its statutory authority, because the case presents no issues “warranting detailed administrative consideration.” The court’s letter, and the judges at argument, probed whether the question of appropriate cybersecurity practices warrants such administrative consideration.
At oral argument, the FTC responded essentially that (a) the Commission has already given the issue its due consideration, both in a recent ruling on a motion to dismiss an administrative proceeding as well as by virtue of filing administrative complaints in “fifty data security cases brought at the administrative level;” and (b) the specific measures that are required to satisfy the FTC’s “unfairness” analysis can be established in court on a case-by-case basis as a factual matter, relying on expert testimony and the like. (Wyndham, while emphatically maintaining that the FTC had offered the business community insufficient cybersecurity guidance, opted to “ke[ep its] powder dry” on the question of forum, in large part because “[we] like [our] chances better” in federal court than in an administrative proceeding.)
After oral arguments lasting twice as long as the allotted time, the judges closed the session with a request that the parties brief the forum question.
THE PARTIES' POSITION ON FORUM
On March 27, the parties filed the court’s requested briefs. Predictably, the FTC’s brief reiterated its oral argument position that federal court is an appropriate forum in part because data-security complaints and consent decrees filed administratively by the Commission constitute whatever “detailed administrative consideration” is required. The FTC’s brief also emphasized that Wyndham had never challenged federal courts’ ability to hear the case.
In its brief, Wyndham managed to maintain its dry-powder stance. It agreed with the FTC that the court need not, and should not, reach the question of forum because neither party had raised it, arguing that the issue “is not a jurisdictional matter the Court is obligated to address sua sponte.” It went on to argue, among other things, that the case presents a “particularly poor vehicle” to address the issue, in part “because the problems with the FTC’s case run far deeper than the form of relief the Commission is seeking or the forum in which it has chosen to proceed.” As an example of the issues with the FTC’s case, Wyndham cited again its allegation that the industry has never been put on notice of what cybersecurity practices the FTC would accept. Finally, Wyndham’s brief contended that, should the court nonetheless determine to find that federal court is an inappropriate forum for the case, it would be doubly unfair to allow the FTC – after a two-year investigation and nearly three years of federal court litigation – to simply start afresh in its administrative forum. Rather, Wyndham asked the court to dismiss with prejudice, or alternatively to require the FTC to go through a formal rulemaking process to set out clearly-defined cybersecurity standards to which it will hold the industry.
POTENTIAL IMPLICATIONS FOR THE HOSPITALITY INDUSTRY
In this case, the FTC has articulated the position that businesses like Wyndham are on notice of required cybersecurity practices, because the FTC has filed complaints laying out practices which, “taken together,” it claims violate the prohibition on “unfair” business practices.
At oral argument, the judges questioned whether businesses could be expected to monitor the FTC’s dockets – indeed, it appears that the FTC announced an average of approximately fifteen new complaints each month in 2014 – to ensure compliance with its standards. The FTC replied that “any careful general counsel would be looking at what the FTC is doing,” because the FTC “has broad-ranging jurisdiction and undertakes frequent actions against all manner of practices and all manner of businesses.”
Although the Third Circuit need not follow the district court in accepting that argument, it may. Additionally, the court appears to be considering turning the case away on improper-forum grounds, meaning that a federal court will have no occasion to consider the FTC’s position. If that happens, or if the Third Circuit affirms the court below, the FTC will likely continue to maintain that its filing of complaints laying out cybersecurity practices that it considers “unfair” puts businesses and their counsel on notice of the minimum practices they must follow.
In any event, this litigation places the hospitality industry on notice that an investment in uncovering and filling cybersecurity gaps now may prevent FTC sanctions downstream. To this end, it is important to monitor the FTC’s complaints and to work with IT staff in judging whether the organization’s data security practices sufficiently cover the gaps about which the FTC is complaining. This will require attention to detail, an excellent IT staff, and inside and/or outside counsel with a strong working knowledge of cybersecurity principles, both legal and technical.
About the Authors:
Marc H. Perry is a Principal and Co-Chair of Post & Schell’s Hospitality Practice Group. He is an experienced trial lawyer and has successfully represented members of the hospitality industry in litigation in state and federal courts. He has tried and litigated complex premises liability, catastrophic injury and wrongful death claims on behalf of hospitality clients, including claims of criminal conduct of third parties on the premises and negligent security.
Abraham J. Rein is an Associate in Post & Schell’s Internal Investigations & White Collar Defense, Data Breach/Protection/Breach and Hospitality Practice Groups. Mr. Rein's national practice focuses on representing individuals and businesses in complex litigation settings, ranging in scope from consumer fraud to securities, civil rights, antitrust and government regulation.
Republished with permission of Practical Law.
Large-scale security breaches involving national retailers commanded the headlines in 2014 and spurred private litigation over when an individual has standing to bring a lawsuit following a data breach. Privacy and data security issues are also becoming increasingly relevant beyond web browsing as mobile device adoption accelerates, smart technologies are deployed in more everyday devices, and the data collected for targeted advertising moves past browser cookies to allow for tracking across multiple devices and platforms.
Recognizing the need to ensure that privacy and data security protections remain effective as data collection capabilities evolve, lawmakers in the US and abroad have been active on both the regulatory and enforcement fronts. This trend is likely to continue as technology and consumer behavior combine to enable the collection and analysis of increasing amounts of detailed information about individuals.
Companies must understand how the dynamic legal framework governing this area applies to their businesses and ensure their policies and procedures are compliant. This article will address:
- The regulatory framework governing privacy and data security in the US.
- Federal Trade Commission (FTC) and other federal and state regulatory activity.
- The advertising industry’s efforts to self-regulate online behavioral advertising activities.
- High-profile privacy and data security litigation.
- Recent and proposed federal and state legislation.
- Noteworthy cybersecurity developments from regulatory authorities and the private sector.
- Selected international developments that may be significant for US companies.
To download the Trends in Privacy and Data Security article, click here.
Current generation multifunction printer/scanner/copier devices are convenient, inexpensive, and very popular. Often overlooked is the fact that most modern printers, copiers, and scanners have many of the same attributes as computers, and are just as vulnerable to the same kinds of cyber exploits and attacks. A truly comprehensive data security and privacy risk management approach requires that these commonplace devices be viewed as an integral part of an enterprise’s IT systems, and that device-specific measures be taken to secure them. The National Institute of Standards and Technology (“NIST”) last month published a report on risk management practices for “replication devices.” The NIST report identifies risks associated with such devices, and provides guidance on protecting the confidentiality and integrity of information processed, stored, or transmitted on them. The risks it identifies include:
- Default administration/configuration passwords: Many devices have default passwords which can be easily obtained and used to access stored data, or to control the device.
- Data capture: Unless encrypted, data transmitted or stored, including passwords, configuration settings, and data from stored jobs, is vulnerable to interception or modification.
- Spam: Unless properly configured with access controls, many devices will process any job submitted, which could waste paper, toner, and ink, and tie up the device.
- Alteration/corruption of data: If passwords or configurations are changed, denials of service for authorized purposes or potential damage to the device could result.
- Outdated and/or unpatched operating systems and firmware: Many devices run an embedded operating system, making them subject to the same threats as any other computer running those operating systems. Also, older devices may have embedded versions of operating systems no longer supported by the manufacturer, which may leave “unpatched” security issues.
- Open ports/protocols: For devices that can connect to local networks or the Internet via wireless or ports, open ports and protocols allow data to flow to and from a device. Through open ports, attackers may gain undetected access, and data tampering, unauthorized access, and denial of service can result.
The Report identified several signs indicating that the security of such a device may be compromised:
- Display malfunctions or shows incorrect information;
- Materials (ink, paper, or other supplies) run out faster than usual;
- Increased number of failed or timed-out jobs;
- Unexplained/unauthorized changes in configuration settings;
- Device completes processes slower than expected;
- Device uses more network time/bandwidth than usual;
- Time stamps do not align or make logical sense;
- Communications with unknown IP or email addresses increase; and
- Markings indicating tampering around key areas of the device (e.g., hard drive or SSD compartment, display area).
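As an added illustration, not from the NIST report or this article, the following Python script applies three of these indicators (failed or timed-out jobs, unexplained configuration changes, and communications with unknown addresses) to constructed printer log lines; the log format, the host name “mfp01”, the allowlisted network and the failed-job threshold are all assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed, simplified syslog-style lines from a hypothetical multifunction
# printer "mfp01"; the format is assumed, not taken from any real device.
SAMPLE_LOG = """\
2015-03-02T08:01:10 mfp01 job: id=101 user=alice status=completed dest=10.0.5.12
2015-03-02T08:03:42 mfp01 job: id=102 user=bob status=failed dest=10.0.5.12
2015-03-02T08:04:01 mfp01 config: admin_password changed by=remote src=10.0.9.77
2015-03-02T08:05:00 mfp01 net: outbound connect dst=203.0.113.45 port=8080
2015-03-02T08:05:30 mfp01 job: id=103 user=carol status=timeout dest=10.0.5.12
2015-03-02T08:06:00 mfp01 job: id=104 user=dave status=failed dest=10.0.5.12
2015-03-02T08:06:30 mfp01 net: outbound connect dst=10.0.5.20 port=443
2015-03-02T08:07:00 mfp01 config: smtp_server changed by=remote src=10.0.9.77
"""

# Assumed allowlist of internal networks the device is expected to talk to.
KNOWN_NETS = [ip_network("10.0.0.0/8")]
# Assumed threshold: this many failed/timed-out jobs in one log window is worth a look.
FAILED_JOB_THRESHOLD = 3

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")  # timestamp host kind: details


def is_known(addr):
    """True if addr falls inside one of the allowlisted networks."""
    return any(ip_address(addr) in net for net in KNOWN_NETS)


def analyze(log_text):
    """Return a list of human-readable findings matching the NIST indicators."""
    findings = []
    failed_jobs = Counter()          # host -> count of failed or timed-out jobs
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # ignore lines that do not fit the format
        ts, host, kind, details = m.groups()
        if kind == "job" and re.search(r"status=(failed|timeout)\b", details):
            failed_jobs[host] += 1
        elif kind == "config":
            # Every configuration change is reported; unexplained ones need review.
            findings.append(f"{ts} {host}: configuration change ({details})")
        elif kind == "net":
            dst = re.search(r"dst=(\S+)", details)
            if dst and not is_known(dst.group(1)):
                findings.append(f"{ts} {host}: communication with unknown address {dst.group(1)}")
    for host, n in failed_jobs.items():
        if n >= FAILED_JOB_THRESHOLD:
            findings.append(f"{host}: {n} failed or timed-out jobs in this log window")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample input the script reports two configuration changes, one connection to an address outside the allowlist, and a cluster of three failed or timed-out jobs.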
An Appendix to the Report provides a very useful device risk assessment template and checklist. It gives practical guidance on best security practices, across the entire lifecycle of the device. Examples of some countermeasures include:
- At acquisition, or in third party supply and support contracts, ensure that the device meets common data security standards, is capable of operating in a secure mode, and that the OS is actively supported by the OEM;
- At deployment, change vendor default passwords, and configure the device to operate in a secure mode;
- During operation, control device access through PINs and passwords, control physical access to the device itself and its components, such as the SSD or hard drive, track usage, ensure that stored and transmitted data are encrypted, and promptly implement OEM security “patches” and fixes;
- During operation, control network access using standard organization practices, close unused open ports and protocols, disable wireless identifier broadcasting, and configure the device to prevent communications to and from unknown and unwanted addresses (blacklist/whitelist); and
- When taking the device out of service, change all passwords and PINs to vendor defaults, and remove or sanitize all hard drives and SSDs on which data may be stored.
Once data is held for ransom, there’s no guaranteed way to reclaim it — not even payment. Ransomware’s victims typically are those with the least protection. To avoid becoming a target, install strong security tools on your computer and mobile devices, back up data to a reliable cloud service, keep passwords in a secure location, and exercise caution when clicking on links or opening attachments.
Malware is running rampant on the Internet, affecting smartphones, tablets and personal computers. Relatively new malware allows bad guys to encrypt devices until a ransom is paid. Usually the ransom is required in bitcoin, rather than U.S. currency, as it cannot be traced.
What are the legal and other risks associated with ransomware?
Ransomware is largely directed at personal devices and small businesses, particularly since larger companies tend to have better Internet hygiene for their devices — like regular backups and requiring that passwords be stored in a safe place rather than on a device.
Following are just a few examples of the data at risk from ransomware, which can plague you if you cannot immediately cleanse your device, or set up a new one and restore your data with an up-to-date backup:
- Tax information. What if you keep all of your tax records on your hard drive using Quicken or another program? Losing tax records and financial information will make it very difficult to do your taxes, or prove expenses if you are audited.
- Client work. If you are relatively paperless and store your work on the computer, you may lose valuable time or work.
- Passwords. If you are locked out of your bank accounts and other sites, it will take time to restore access, or you may lose access altogether.
How Can You Protect Yourself?
First, take steps to avoid ransomware in the first place. It is, after all, malware. So, do not click on attachments or go to websites if you are not sure of the sources.
Second, get a good app for your smartphone or tablet, and a software program to protect your personal computer in real time. Be good to your devices: Install security tools and regularly run scans. If you think your smartphone or tablet has been infected with malware, think twice about plugging it into your computer.
Third, back up your hard drives to the cloud or to a portable hard drive. Of course, cloud storage has its own set of risks. For example, when you use a free cloud service, you run the risk that your data may not be available when you need it.
What Exactly Is Ransomware?
Ransomware is specialized malware that “immediately makes its presence known by encrypting files and demanding payment for the keys to unlock them.” The Department of Homeland Security (DHS) issued an alert last fall that includes this description:
“Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of [100-300 US dollars], and is sometimes demanded in virtual currency, such as Bitcoin.
“Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.”
DHS discourages paying the ransom:
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
Notwithstanding DHS’ advice, the Dickson County (Tennessee) Sheriff subsequently paid a $500 bitcoin ransom to get back files on a corrupted computer, after consulting the Tennessee Bureau of Investigation and the FBI. Paying the ransom, they concluded, was the best way to deal with the problem at hand.
Dell SecureWorks last summer issued a report about CryptoWall Ransomware.
Between March and August 2014, “nearly 625,000 systems were infected with CryptoWall. In that timeframe, CryptoWall encrypted more than 5.25 billion files,” it states.
This type of ransomware is run by botnet operators, so there is no pattern to suggest which victims might be targeted for attacks. The report notes the following:
“Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall’s operators. The larger ransoms are typically reserved for victims who do not pay within the allotted time (usually 4 to 7 days). In one case, a victim paid $10,000 for the release of their files.”
Bromium recently released a report entitled “Understanding Crypto-Ransomware — In-Depth Analysis of the Most Popular Malware Families.” Its introduction makes the following observation:
“This threat is called crypto-ransomware (ransomware) and includes at least a half-dozen variants, including CryptoLocker and CryptoWall. Ransomware shows no sign of abating since traditional detection-based protection, such as antivirus, has proven ineffective at preventing the attack. In fact, ransomware has been increasing in sophistication since it first appeared in September 2013, leveraging new attack vectors, incorporating advanced encryption algorithms and expanding the number of file types it targets.”
Ransomware is a rapidly growing problem, and there is not yet a solution.
Until a solution to fully protect against malware is found, traditional advice still applies: Protect your computers and other devices with antimalware apps and software, back up regularly, and store your passwords in a safe place.