Many governments are following the European Union’s lead with GDPR by enacting privacy laws that place significant burdens on data collectors.  For example, on November 1, 2018, Canada enacted a new privacy law that makes companies responsible for any losses caused by exposing consumers’ private data.  While many countries are enacting comprehensive data protection laws, the United States currently has a patchwork of state, federal and industry data protection laws.

Even though the United States may not be any closer to adopting uniform data privacy laws, U.S. legislators are still trying to keep the discussion moving.  Just last week, Senator Ron Wyden of Oregon announced a discussion draft of the “Consumer Data Protection Act” (the “Act”) that would establish new privacy rules for large American corporations.  While the Act contains a number of provisions that will ultimately limit the chances it will become law (such as steep criminal penalties for corporate officers), there are a number of provisions in the Act that may be worth considering for privacy legislation in the future.

The overall purpose of the Discussion Draft for the Consumer Data Protection Act of 2018  is to end consumer data from being used without the consumers’ knowledge or consent and to return control of the data back to consumers.  To achieve this objective, the Discussion Draft gives the Federal Trade Commission a greater ability to address cyber and privacy threats.  The Discussion Draft creates mechanisms that would allow the FTC to become what it refers to as a credible deterrent against failing to protect consumer’s data and, in turn, increases the FTC’s resources to enforce current and proposed regulations.

If adopted as drafted, the Act would amend the Federal Trade Commission Act to “establish requirements and responsibilities for entities that use, store, or share personal information, to protect personal information…”  First, the Act would create deterrents for a corporation failing to bolster its security measures by issuing fines up to 4% of annual revenue and jail terms lasting anywhere from ten to twenty years for senior executives that fail to implement proper safeguards.  Additionally, the Act would increase the FTC’s staff and other resources to allow for the laws to be enforced.

Commentators have stated that the Act is unlikely to pass in its current format “given the extreme penalties [and] lobbying clout of big businesses.”  However, even though the Act may never become law, there are a number of concepts short of large fines and corporate officer jail time that we may see incorporated into future data protection laws in the U.S:

• Consumer Opt-Out: If the Act was adopted, the FTC would have two years to create a system that would allow consumers to “opt-out” from having their data gathered, stored and traded by prohibiting information to be shared with third parties.  The Act would allow consumers to waive their right to opt-out in order to use a specific product or services.  Additionally, the Act would require the company to offer an option for the consumer to pay an additional fee to use a similar service that is not conditioned on waiving the right to opt-out.

• Compliance Reporting: The Act would also require any company with at least $1 billion in revenue and more than 1 million consumers to file an annual report certifying compliance with the Act. The report would be certified by the company’s corporate officers that could result in a jail sentence for both intentional and unintentional violations.

Once again, the Draft Discussion as proposed will at least start a dialogue concerning the next steps for privacy law in the U.S.  At its most basic level, this discussion will address fundamental questions concerning U.S. privacy law including what federal agency should be responsible for enforcement of the new privacy laws and the resources that will make enforcement possible.

The post Can We Talk?  “Discussion Draft” of U.S. Privacy Protection Bill Sheds Light on the Future of American Privacy Law appeared first on Privacy Risk Report.

Last week, the parties in Remijas v. Neiman Marcus, Case No. 14-cv-1735, a class action lawsuit related to a data breach at retailer Neiman Marcus was settled in the Northern District of Illinois.  The Seventh Circuit’s reversal of the District Court’s decision to grant Neiman Marcus’ motion to dismiss was widely considered to be a favorable decision for data breach plaintiffs because it showed that plaintiffs may be able to adequately allege damages to demonstrate they had standing to bring suit.  Even though we may not get to see how discovery and further motion practice may play out, the settlement provides a significant amount of guidance on the value of damages for data breach cases and the securty measures companies are expected in the short time since this breach occurred.

In 2013, the credit card information of approximately 350,000 Neiman Marcus customers was stolen by hackers. Several affected customers filed a class action against under the Class Action Fairness Act, 28 U.S.C. §1332(d). The District Court dismissed the class action suit based on its finding that the individual plaintiffs and the class member lacked standing under Article III. The Seventh Circuit found the District Court erred and held the plaintiffs satisfied Article III requirements with allegations that the Neiman Marcus data breach inflicted concrete, particularized harm on them. The Seventh Circuit was persuaded that plaintiffs suffered injury when they lost time and money resolving fraudulent charges and protecting themselves against future identity theft as well as the financial loss suffered when they bought items at Neiman Marcus that they would not have purchased had they “known of the store’s careless approach to cybersecurity.”

In reversing the District Court, the Seventh Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the Seventh Circuit found the plaintiffs met the requirement under Clapper  “that injury either already [has] occurred or [was] ‘certainly impending.’”  After the Seventh Circuit reversed the District Court’s decision, the case was remanded back to the District Court for further proceedings before the parties settled the matter.

The Plaintiffs’ Amended Motion for Preliminary Approval of Class Action Settlement and Certification of Settlement Class (“Motion for Preliminary Approval”) filed with the District Court filed with the District Court last week indicates a Settlement Fund will be created in the amount of one million, six hundred thousand dollars $1,600,000 which will be used to pay “ eligible claimants who submit valid and timely Claims.”   The Motion for Preliminary Approval also includes statements that this settlement will allow “Settlement Class Members and other customers shopping at Defendant’s stores since this action was filed also benefit from changes to Defendant’s business practices designed to further strengthen its information technology security.”

Specifically, Neiman Marcus’ Memorandum filed in support of the settlement agreement states that in addition to the settlement amount, Neiman Marcus has taken the following security measures to protect customer information:

• Chief Information Security Officer. Neiman Marcus created and filled the position of Chief Information Security Officer (CISO), an executive position with responsibility to coordinate and be responsible for Neiman Marcus’s program(s) to protect the security of customers’ payment card data including account numbers, expiration dates, card verification values, and cardholder names;
• Information Security Organization. Neiman Marcus created a new organizational unit responsible for information security and has hired employees to fill the organization, including a Director of Security Operations and a Director of Security, Risk Management and Compliance;
• Senior Leadership Reporting. Neiman Marcus increased the frequency and depth of reporting to its executive team and members of its board of directors about its cybersecurity efforts and the cybersecurity threat landscape;
• Chip-Based Payment Card Infrastructure. Neiman Marcus equipped all of its stores with devices that allow customers to pay for purchases using payment cards containing embedded computer chips;
• Employee Education. Neiman Marcus expanded its program to educate and train its workforce on methods to protect the privacy and security of its customers’ information;
• Information Sharing. Neiman Marcus joined several public-private partnerships that facilitate information sharing concerning cybersecurity and threat awareness.

Even though it would have been interesting to see how the parties would have handled discovery and further motion practice, this settlement is still important for the following reasons:

First, the small settlement amount indicates that even if plaintiffs survive a motion to dismiss and a court is willing to find allegations may give rise to the potential for damages in data breach cases, plaintiffs still may have a substantial hurdle to show they are entitled to a substantial damage award. Here, with allegations of 350,000 customers being impacted the settlement amount of $1.6 million may not provide an incentive for plaintiffs to bring these actions.

Next, the non-monetary portion of the settlement agreement is worthy of examination because it shows the shift in how companies approach data protection since the breach at Neiman Marcus in 2013.  At the time of the breach in 2013, the fact that corporation did not have a Chief Security Information Officer and train employees on these issues may not have been surprising. Of course, a corporation that is not implementing such procedures today is operating at its own peril.

Finally, the Seventh Circuit’s reversal of the District Court’s decision granting Neiman Marcus’ motion to dismiss was often cited by plaintiffs attempting to demonstrate they had standing to bring these actions. The Neiman Marcus case could have provided even more solid ground for plaintiffs if the class action plaintiffs continued their success through discovery and into trial.  Of course, it could have also shown plaintiffs’ allegations may survive a motion to dismiss, but would struggle supporting those allegations as the case proceeded through discovery.

We will discuss this settlement and more at Horton Group’s Anatomy Of A Cyber Attack: Risks And Threat Mitigation this Thursday, April 6, 2017 at the Hilton Chicago/Oak Brook Hills Resort & Conference Center.

The post Neiman Marcus Case Settles After Years Of Haggling Over Price Of Data Breach Cases appeared first on Privacy Risk Report.

In March 2015, there was growing concern over privacy issues related to collecting data via “smart toys.” At that time, Mattel had just released its newest Barbie, “Hello Barbie,” which contained an embedded microphone in the doll’s belt to record a child’s response to the doll’s questions. The child’s responses were sent back to Mattel through the doll’s WiFi capabilities. Mattel claimed the voice-recognition software and recording capabilities would allow the doll to learn to respond to the child’s statements and even learn the family dog’s name or other topics a child would enjoy discussing. In explaining the doll’s capabilities, Mattel Senior Vice President of Global Communications stated “[t]he number one request we receive from girls globally is to have a conversation with Barbie, and with Hello Barbie we are making that request a reality.”

At the time, there were concerns regarding how Mattel and other toy manufacturers would use the data collected from their toys. Angela Campbell from Georgetown University’s Center on Privacy and Technology warned, “[i]f I had a young child, I would be very concerned that my child’s intimate conversations with her doll were being recorded and analyzed.”

There were also concerns beyond what the toy manufacturers would do with the information. This data held by toy manufacturers could be a prime target for hackers. Privacy concerns were based on the fact that children and adolescents are the fastest growing sector of identity fraud victims. It has been widely accepted that children are targeted because they have good credit reports and their credit histories may not be reviewed for years until they apply for student loans or their first loans.

Unfortunately, this concern has become a reality since the introduction of “Hello Barbie.” On December 1, 2015, VTech Holdings Ltd., a manufacturer of digital toys and telephones, reported it suffered a data breach on November 14, 2015. VTech reported this breach involved “child profile information,” including the name, gender and birth date of the child. The “unauthorized party” gained access to information stored as part of VTech’s “Learning Lodge” app store on the company’s website.

The concerns over “Hello Barbie” and other smart toys were further validated when on September 13, 2016, the New York State Attorney General settled matters with Viacom, Mattel, Hasbro and JumpStart related to the use of tracking technology on their toys and websites. The settlement included an agreement by the toymakers to pay a combined $835,000 in fines for tracking and collecting personal data of children online in violation of the Children’s Online Privacy Protection Act.

In response to the settlement, Hasbro’s spokesperson said, “[w]e are rolling out a new, stricter online privacy protection policy for our partners, and enacting new protocols and technology to scan our digital properties for any cookies, widgets or other applications that may violate our policy.” The settlement also included an agreement by the toy makers to routinely scan their websites and assess their data collection practices.

The early discussion concerning “smart toys,” which culminated in the NY Attorney General taking action, provides a great snapshot on the rapid development of these privacy issues. The landscape has changed dramatically in the last year and a half since the release of “Hello Barbie,” as more private information from children falls prey to hackers and other criminals. Eric Schneiderman, New York’s Attorney General, may have said it best, “[n]ow children live online and we have to police the internet as we seek to police our streets…I don’t want there to be a dossier on any child that can be used later to scam them.”

The post Barbie (Still) Can’t Keep a Secret: Toy Makers Enter Settlement Related to “Smart Toys” appeared first on Privacy Risk Report.

For years there has been a discussion over whether data breaches and cyber security can eventually be regulated by centralized laws rather than various state and federal laws and regulations. Even in October 2014, President Obama called upon Congress to pass data breach legislation because, “[t]he current patchwork of laws governing a company’s obligations in the event of a data breach is unsustainable, and helps no one.”

At present, almost two years down the road, we still do not have a single framework regulating cyber security and data breaches. A recent blog post by the Federal Trade Commission (FTC) addresses how its enforcement activities can be coordinated with data breach guidelines created by the Department of Commerce (DOC). However, there is still more work to be done to harmonize state and federal law.

Background On NIST Standards

On February 14, 2014, the DOC’s National Institute of Standards and Technology (NIST) set out “a set of industry standards and best practices to help organizations identify, assess and manage cybersecurity risks.” The DOC created these standards in response to Obama’s Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity.”

Specifically, this EO was intended “to enhance the security and resilience of the nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties.” The NIST Framework did not introduce or create new standards. Rather, it was intended to “leverage and integrate” practices that had already been in use by the NIST and similar organizations in 2014. The Framework provides general practices to approach a cyber security risk, referred to as the “Core,” which is composed of five “functions:” Identify, Protect, Detect, Respond and Recover. Based on these functions, the key elements of effective cybersecurity were summarized in the following manner:

1. Identify: helps organizations gain an understanding of how to manage cybersecurity risks to systems, assets, data and capabilities.
2. Protect: helps organizations develop the controls and safeguards necessary to protect against or deter cybersecurity threats.
3. Detect: are the steps organizations should consider taking to provide proactive and real-time alerts of cybersecurity-related events.
4. Respond: helps organizations develop effective incident response activities.
5. Recover: is the development of continuity plans so organizations can maintain resilience—and get back to business—after a breach.

Complying with the FTC via the NIST Framework

The FTC “is committed to protecting consumer privacy and promoting data security in the private sector.” Further, the FTC’s interest stems from Section 5 of the FTC Act, which is “the primary enforcement tool that the FTC relies on to prevent deceptive and unfair business practices in the area of data security.” Since 2001, the FTC has settled nearly 60 cases against companies that it believed failed to secure consumers’ personal information. Because of its enforcement in data security, the FTC is constantly asked “If I comply with the NIST Cybersecurity Framework, am I complying with what the FTC requires?”. FTC responds:

The Framework is not, and isn’t intended to be, a standard or checklist. It’s meant to be used by an organization to determine its current cybersecurity capabilities, set individual goals, and establish a plan for improving and maintaining a cybersecurity program, but it doesn’t include specific requirements or elements. In this respect, there’s really no such thing as “complying with the Framework.” Instead, it’s important to remember that the Framework is about risk assessment and mitigation. In this regard, the Framework and the FTC’s approach are fully consistent: The types of things the Framework calls for organizations to evaluate are the types of things the FTC has been evaluating for years in its Section 5 enforcement to determine whether a company’s data security and its processes are reasonable. By identifying different risk management practices and defining different levels of implementation, the NIST Framework takes a similar approach to the FTC’s long-standing Section 5 enforcement.

The FTC provides the following guidance concerning cyber security risks:

The Framework’s five Core functions can serve as a model for companies of all sizes to conduct risk assessments and mitigation, and can be used by companies to: (1) establish or improve a data security program; (2) review current data security practices; or (3) communicate data security requirements with stakeholders. And as the FTC’s enforcement actions show, companies could have better protected consumers’ information if they had followed fundamental security practices like those highlighted in the Framework.

Cyber Insurance’s Development Without Harmonized Laws and Regulations

 While the development of cyber security and data breaches measures may be stunted when there is little or no coordination between the laws and regulations, cyber insurance can continue to grow regardless of the actions of state, local and federal government. Rather than relying on government guidelines, the early stages of development of cyber insurance is supported by insurers, brokers and policyholders coordinating to make sure everyone understands a policyholder’s particular risks and the proper safeguards are put into place.

The post Cyber Insurance Can Develop Without Centralized Cyber Law appeared first on Privacy Risk Report.

On May 20, 2016, the U.S. Court of Appeals for the 8th Circuit affirmed a District Court decision finding coverage for a loss under a financial institution bond issued by BancInsure, Inc. (BancInsure) to the State Bank of Bellingham (Bellingham). Bellingham made a claim under the bond when one of its computers became infected with malware that allowed criminals to transfer $485,000 held at Bellingham to an account at a foreign bank. By the time the illegal transfer was discovered, the funds were not recoverable. The District Court granted Bellingham’s motion for summary judgment finding coverage under the financial bond.

Before reaching its decision, the 8th Circuit examined the “concurrent-causation doctrine” as adopted under Minnesota law, which holds that “[a]n insured is entitled to recover from an insurer when the cause of the loss is not excluded under the policy. This is true even though an excluded cause may have contributed to the loss.” In its decision, the 8th Circuit applied Minnesota’s concurrent-causation doctrine as follows:

[W]here an excluded peril “contributed to the loss,” an insured may recover if a peril is… “the efficient and proximate cause” of the loss.  Conversely, it follows that if an excluded peril is the efficient and proximate cause of the loss, the coverage is excluded.  An “efficient and proximate cause,” in other words, is an “overriding cause.” 

BancInsure first argued that the concurrent-causation doctrine does not apply to financial institution bonds. Specifically, BancInsure took the position that “despite the general applicability of the concurrent-causation doctrine to Minnesota insurance contracts, the doctrine is not similarly applicable to financial institution bonds because a financial institution bond requires the insured initially show that its loss directly and immediately resulted from dishonest, criminal, or malicious conduct.” In rejecting BancInsure’s argument, the 8th Circuit found “[n]o Minnesota case precludes application of the concurrent-causation doctrine to financial institution bonds.” Therefore, under Minnesota law, the 8th Circuit found no reason to treat financial bonds differently than any other insurance contract.

Next, BancInsure asserted the language in the bond “contracted around the doctrine.” In an argument relying heavily on the exclusions in the bond, BancInsure argued the policy language was intended to “contract[] around the concurrent-causation doctrine because [the] exclusions also apply to ‘indirect’ causation.” The 8th Circuit held the provisions BancInsure relied on for this argument were not sufficiently direct to get around the concurrent-causation doctrine. In acknowledging parties can contract around the doctrine, the 8th Circuit held that Minnesota law requires such language to be “clear and specific.” The court held there was no provision that was sufficiently clear or specific in the bond at issue in this case.

Finally, BancInsure claimed the trial court incorrectly held hacking by a criminal third party into the bank’s computer system was the overriding or efficient and proximate cause of the loss. Rather, BancInsure argues this question should have been resolved by a jury. In rejecting BancInsure’s argument, the 8th Circuit relied on its decision in Friedberg v. Chubb & Son, Inc., where Minnesota’s concurrent-causation doctrine was closely examined in a first-party property case where the insureds’ home suffered extensive water damage. During an investigation of the water intrusion, it was determined that defective construction of the home caused the water damage. In finding the policy in Friedberg did not provide coverage, the 8th Circuit held that “although the water intrusion played an essential role in the damage to the [] house, it was a foreseeable and natural consequence that water would enter.”

Based on the reasoning in Friedberg, the 8th Circuit held the trial court correctly opined that “the efficient and proximate cause of the loss in this situation was the illegal transfer of the money and not the employees’ violations of policies and procedures.” Specifically, the court held that “[u]nlike the water damage in Friedberg, an illegal wire transfer is not a ‘foreseeable and natural consequence’ of the bank employees’ failure to follow proper computer security policies, procedures, and protocols.” That is, even if the employee’s actions are found to have played an essential role in a virus attacking the bank’s system, “the intrusion and the ensuing loss…suffered remains the criminal activity of a third party.”

This decision demonstrates that courts are going to go back to the well-established concepts even when technology gives rises to new factual backgrounds and circumstances. For example, in this decision, the court goes back to fundamental first-party insurance concepts with the concurrent-causation doctrine. Consequently, while the facts are unique with technology, hacking and cyber claims, we can expect courts to first look to establish law to solve coverage issues.

The post Something Old, Something New: Well-Established First-Party Property Concepts Used in Computer Hacking Coverage Case appeared first on Privacy Risk Report.

As if rush hour traffic was not bad enough, last summer drivers learned that gadgets making life on the road easier could present cyber security concerns. Specifically, a lawsuit was filed against Jeep, based on allegations that Chrysler issued a software update only after a July 21, 2015, article published by Wired showed that security researchers could remotely hack a Jeep Cherokee while the vehicle was going down the road.

This study demonstrated the potential damage that could be done if hackers gained the same access to vehicles as the Wired researchers. It should be pointed out that this study only showed the cyber security concerns related to traditional human-driven vehicles. However, there is also growing concern over the damage hackers could potentially cause when driverless vehicles enter the marketplace.

On April 28, 2016, the Michigan Legislature took steps that would make Michigan the first state to penalize hacking motor vehicles. Senate Bill 927 states that “[a] person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter or gain unauthorized control of the motor vehicle.” Further, SB 927 would make hacking a motor vehicle a felony under Michigan law with the possibility of a life sentence.

Some commentators are questioning the effectiveness of the bill:

Language in the bill doesn’t delineate between independent cyber-security researchers and criminals who intend to inflict harm or havoc. Under its provisions, it’s possible…the researchers who demonstrated last summer that the Cherokee could be remotely commandeered and controlled, could face life behind bars. Provisions of the legislation that prevent a person from “altering” the motor vehicle could ensnare car enthusiasts or gearheads who tinker with electronic systems to boost performance, increase fuel efficiency or add aftermarket features.

Commentators further speculate that car manufacturers could be behind this proposed legislation because they “don’t like third parties poking around their electronic systems and would prefer the researchers not reveal security weaknesses.” For example, opponents of this legislation state the Wired researchers could have been charged if this law was in effect last summer merely for showing the flaws in  the “electronic systems” in vehicles.

While the impact of the law is still being debated, the proposed language would only penalize the “unauthorized control of the motor vehicle.” Consequently, it appears a researcher would be free to alter their own vehicle’s “electronic system.” Nonetheless, this debate shows how hackers have changed the landscape for auto manufacturers.

If passed, this bill may become the model — not just for hacking vehicles — but hacking other smart items collectively referred to as the “internet of things.” If passed, other states, not be as dependent on the auto industry, may adopt similar measures for all items included in the “internet of things,” since the potential danger of hacking into the “electronic system” of a home or business equals the danger presented by hacking into that of a motor vehicle.

The post Highway Robbery: Michigan Legislature Debates Penalties for Hacking Motor Vehicles appeared first on Privacy Risk Report.

Over the last few years, cyber security has focused on incidents where there is no contact with the criminal. That is, a data breach would occur and the criminal would be long gone before the victim knew there was an issue. Recently, we have seen cyber security incidents evolve to a point where the victim and criminal must confront each other in some manner. One example is the rise of ransomware, where the victim must negotiate with the criminal to regain access to their data. Some insurers have already responded to the ransomware risk by offering cyber extortion endorsements.

Another example where victims and criminals interact is cyberbullying, where the victim is harassed by a criminal via e-mail or social media. Recent statistics show many schools and households are struggling with cyberbullying. For example, the U.S. Department of Health and Human Services provides the following facts and statistics related to cyberbullying:

• Cyberbullying can happen 24 hours a day, 7 days a week, and reach a kid even when he or she is alone.
• Cyberbullying messages and images can be posted anonymously and distributed quickly to a very wide audience.
• It can be difficult and sometimes impossible to trace the source. Deleting inappropriate or harassing messages, texts and pictures is extremely difficult after they have been posted or sent.

Additionally, the 2013-2014 School Crime Supplement (National Center for Education Statistics and Bureau of Justice Statistics) indicates that 7% of students in grades 6–12 experience cyberbullying. The 2013 Youth Risk Behavior Surveillance Survey also finds that 15% of high school students (grades 9-12) were electronically bullied in the past year.

Last year, the Colorado legislature enacted “Kiana’s Law” to address cyberbullying. Kiana’s Law is named after Colorado teenager Kiana Arellano, who tried to commit suicide after receiving anonymous bullying text messages such as “you’re pathetic,” “nobody likes you at school” and telling Kiana she should kill herself. After attempting suicide, Kiana was left with a traumatic brain injury. The person that sent these messages was not prosecuted since there was no law prohibiting this conduct at the time.

Cyberbullying is not limited to children, as reports indicate that 73% of American adults online have seen someone be harassed online and 40% have personally experienced it. For example, musician Carrie Underwood was recently the target of cyberbullies who accused her of being “fake” and having plastic surgery.

Under Kiana’s Law, cyberbullying is now a misdemeanor form of harassment in Colorado, punishable by a fine of up to $750 and/or up to six months in jail.

In December 2015, Chubb Insurance began offering cyberbullying insurance coverage in the United Kingdom for cyberbullying victims, including counseling and lost income benefits for work missed due to harassment. Chubb’s policies define cyberbullying as “three or more acts by the same person or group to harass, threaten or intimidate a customer.” Last week, Chubb expanded it’s cyberbullying coverage outside of the U.K. to customers in Colorado, Illinois, Indiana and Wisconsin, which will provide $60,000 toward expenses caused by cyberbullying to its policyholders.

It is becoming increasingly clear that cyber crime is evolving to catch victims before they have the opportunity to put safeguards in place. For example, just as corporations and individuals started implementing plans and insuring against a data breach risk, criminals changed tactics and moved onto ransomware and cyberbullying. Therefore, the only way to implement proper technology and insurance safeguards is to vigilantly monitor cyber crime trends.

The post The Rise of Ransomware and Cyberbullying Insurance appeared first on Privacy Risk Report.

Super Bowl 50 kicks off this Sunday, February 7 at Levi’s Stadium, Silicon Valley’s high-tech stadium in Santa Clara, CA. Super Bowl fans will be pleasantly surprised to find they are able to tweet, text and e-mail without any problems, thanks to the 13,000 Wi-Fi access points throughout the stadium, ensuring no fan is more than 10 feet away from Wi-Fi.

While Wi-Fi access won’t be a problem, security risks created by the number of high-value targets using the wireless network might be. The Atlantic reports  “[t]he stadium is likely to be packed with wealthy corporate executives and sponsors, politicians, and celebrities, many of whom carry around mobile devices brimming with sensitive information and valuable contacts.” Based on discussions with Carl Herberger, a security expert, The Atlantic describes the threat as follows:

Herberger estimates that between fans’ mobile devices and the stadium’s built-in connections, there will be somewhere around 100,000 devices connected to the stadium this weekend. In one potential attack, hackers could infiltrate attendees’ phones through a security hole in stadium infrastructure—its wi-fi network, for example, or its official app. By infecting a large group of devices, the hacker could establish a botnet, a network of connected devices that work together to complete larger-scale attacks like sending spam or flooding a server with requests in a denial-of-service attack. The huge network “becomes a gigantic single point of failure, like the Death Star, for a bot,” Herberger said. “It’s a nice, juicy target to conscribe into your botted army.”

Security experts also warn fans that hackers could trick them into connecting to the wrong wireless network “[b]ut once they’re on the network, a man-in-the-middle attack can intercept unencrypted web traffic, or inject malicious code and infect the connected device.”

These security concerns come on the heels of investigations of attacks on fiber optic cable systems in the Bay Area that have been thought to be connected to a “more complex plot against the game.” Further, CBS San Francisco reports the FBI has issued a warning regarding a Wi-Fi hack at the Super Bowl. While no specific threat has been identified, the FBI, in collaboration with the Northern California Intelligence Center, states they expect cyber criminals will try to take advantage of these targets collected at the Super Bowl.

These concerns demonstrate that cyber security should be a priority for business owners regardless of safeguards they have put in place and further stresses the importance of cyber insurance. Businesses must be cognizant of the fact that even with cutting edge safeguards in place, employees will connect company devices to Wi-Fi in airports, hotels or if they are lucky enough, the Super Bowl. While businesses cannot control the networks employees are using in public, businesses can obtain cyber insurance for any incident caused inside or outside the walls of their facilities.

The post Cyber Risk: Hackers May Score Big at Super Bowl appeared first on Privacy Risk Report.

This article was originally published in Advisen’s Front Page News on January 20, 2016.

A recently filed lawsuit by a casino will place a spotlight on the services provided by data security investigators and the expectations of those looking to secure data.

On October 24, 2013, Affinity Gaming, the owner of several casinos, learned it suffered a data breach involving the fraudulent use of stolen credit card information. After learning of the breach, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted one of the firms on the list, Trustwave Holdings, Inc., to investigate and remedy the data breach.

After investigating the breach, Affinity alleges that Trustwave “represented to Affinity Gaming that the data breach was ‘contained’ and purported to provide recommendations for Affinity Gaming to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.

After Mandiant completed its investigation, Affinity alleged the following concerning Trustwave’s work:

Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was “contained,” and when it claimed that the recommendations it was offering would address the data breach. Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming’s data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming’s data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming.

Mandiant stated it found two malware programs not identified by Trustwave that gathered information before, during and after Trustwave’s engagement with Affinity. The report also found Trustwave’s recommendations to improve Affinity’s data security “were pointless” because “none addressed the source of the data breach, and none would have prevented the attacker from again accessing Affinity Gaming’s data systems (for instance, through the backdoors that Trustwave failed to find and close).”

In its complaint, Affinity claims Trustwave caused it significant damages including costs for Mandiant to investigate Affinity’s data security issues after Trustwave’s investigation. Affinity also claims it had to pay costs to credit card companies to replace stolen cards as well as information and costs related to provide notification of a second breach at its casinos.

Based on these allegations, Affinity’s complaint asserts the following causes of action:

• Fraudulent Inducement: Affinity claims Trustwave made certain misrepresentations and omissions of material information “with the intent to induce Affinity Gaming to enter into a contract with Trustwave.”
• Fraud: Affinity claims Trustwave misrepresented it was capable of diagnosing Affinity’s security issues and that it could contain any breach at Affinity. The complaint alleges that Trustwave falsely represented that it had contained the malware and fixed the security problems.
• Constructive/Equitable Fraud: Affinity claims Trustwave had a special relationship with Affinity to the extent Trustwave indicated it had specialized knowledge concerning data security.

In addition to the fraud counts, Affinity also claims Trustwave acted with gross negligence in providing recommendations to fix Affinity’s issues and future security concerns. The complaint also contains causes of action for a violation of NRS 598 (Fraud), negligent misrepresentation and breach of contract. Finally, in addition to monetary damages, the complaint seeks punitive damages against Trustwave.

While it has not filed a response to Affinity’s allegations, reports indicate Trustwave denies any negligence on its part, and further states that “we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”

This litigation will place data investigators under the microscope where all parties involved will need to rely on highly-technical information to prove their cases. This litigation will undoubtedly make data investigators consider what services they are offering and how they provide those services. Likewise, it will make consumers of these services consider their expectations for these services.

The post Place Your Bets: Casino Sues Data Security Investigator After Breach appeared first on Privacy Risk Report.

As the number of hacks and breaches increase in the news, people are not just becoming more accepting of data breaches, they are expecting to see data breaches. Now businesses are also expecting to see their competitors attempt to hack them.

For example, in early 2014, Uber discovered a breach involving the names and license numbers of nearly 50,000 drivers. By March 2014, Uber filed a lawsuit in the U.S. District Court for the Northern District of California against an unknown party related to the breach. In its Complaint, Uber claimed a “security key” was used without its authorization to gain access to its list of drivers. Count One of Uber’s Complaint, based on a violation of the Computer Fraud and Abuse Act, seeks damages for the unauthorized access to Uber’s driver database. Count Two of Uber’s Complaint, based on alleged violations of California’s penal code, seeks damages for the theft of information from Uber’s proprietary database. As this case proceeds through court, the unknown defendant, identified as “Subscriber,” filed various documents under seal. It appears the litigation will continue for a while as the court recently held that it was “reasonably likely” that Uber’s investigation would uncover the identity of the party referred to as “Subscriber.” The court has set a case management hearing for January 28, 2016.

While the Uber litigation does not mention Lyft in the allegations, recent information indicates Uber expects to find Lyft to be the source of the hack. In addition to Uber’s lawsuit, this breach has also spurred a investigation by the U.S. Department of Justice (DOJ). The DOJ has found that the source of the breach may be traced back to Uber’s main competitor, Lyft. Access to the compromised driver database was found on GitHub, a code-development website. After being contacted by Uber, GitHub determined only one IP address associated with the Uber hack that did not belong. Specifically, Reuters reports that Lyft’s technology chief, Chris Lambert, may have had his internet address come up in the investigation of the breach.

This is not the first time these two companies have been found competing outside the car-service apps. For example, Uber’s “playbook” for sabotaging Lyft was published online in August 2014. Uber has been accused of having its employees order and cancel rides and recruiting Lyft drivers in an effort to slow Lyft’s growth in new markets.

Secondly, consumers are expecting to see more hacks from the businesses they deal with. In addition to the privacy issues created by this litigation related to Uber drivers, there are also questions as to whether hacks at Uber and Lyft are compromising the safety of customers. For example, it has been recently reported that a “Rogue Lyft Driver” became angry when a woman in Chicago refused a ride. In a recent Facebook post, a Lyft customer described the following incident:

My driver was supposed to be an older black woman in an SUV. I got the notification saying my driver arrived. Went up the car window to check that the driver matched the picture and saw it was a man in his 40s. Car was different too. As I turned away to go back inside, he said, “Brittany? Get in the car!” I said, “You’re not my driver. I’m going inside.” But he kept shouting that “it doesn’t matter” and to get in the car. “I can drive you.”

About 10 seconds later, my actual Lyft driver, the woman, pulls up and asks what’s going on and who he is. At that point, the man speeds away. I leave eventually with the original woman and the man comes back and follows us for two or three blocks before we lose him at a light.

The Lyft customer believes the “rogue” driver may have hacked into the Lyft app and saw she was looking for a driver. Denying a hack of its system, Lyft has responded that the “Rogue Driver” showed up because the Lyft customer cancelled the low-rated driver before placing an order for the second Lyft driver. Even if this incident turns out to be unrelated to a hack, it demonstrates that Lyft customers are considering hacks as part of the marketplace when using technology.

Consequently, cybersecurity is now a consideration in how businesses interact with competitors, as well as how they deal with customers. The Uber incident demonstrates that businesses expect competitors to attempt to hack them. Likewise, the “Rogue Driver” situation, even if it was not caused by a hack or a breach, shows that consumers are prepared and actually expect to see businesses hacked.

The post Uber and Lyft Demonstrate How Cybersecurity Changes the Way Businesses Deal With Each Other and Customers appeared first on Privacy Risk Report.