<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; malware</title>
	<atom:link href="https://privacyriskreport.com/tag/malware/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>It May Be Time To Admit That Criminals Will Outpace Privacy Laws</title>
		<link>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws</link>
		<comments>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/#comments</comments>
		<pubDate>Thu, 26 Oct 2017 16:11:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1350</guid>
		<description><![CDATA[
<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards.  Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack.  Unfortunately, the legislatures... <a class="more-link" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">It May Be Time To Admit That Criminals Will Outpace Privacy Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards.  Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack.  Unfortunately, the legislatures that develop privacy laws are not known for their efficient work.  For example, the <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">Illinois Information Protection Act</a> is one of the most comprehensive data laws found in the United States and provides the model for many states.  PIPA provides guidelines for data collectors, including how to properly respond to a breach of personal information.  However, even though it is generally considered to be on the cutting edge, PIPA still has trouble keeping up with technological developments created by criminals.</p>
<p><strong>Is Ransomware An “Acquisition” Of Data Under The Illinois Information Protection Act? </strong></p>
<p>As it stands, PIPA does not expressly state that it applies to data collectors that are attacked with ransomware.  Of course, ransomware has been a threat for a while and this threat appears to be on the increase. For example, <a href="http://www.bbc.com/news/technology-41740768" target="_blank">a new strain of ransomware nicknamed &#8220;Bad Rabbit&#8221; is reportedly spreading in Russia</a>, Ukraine and moving into other parts of the world. This new threat appears to be related to the WannaCry and Petya ransomware attacks that caused problems earlier this year. At present, this malware is not being detected by anti-virus programs.</p>
<p>While the extent of the damage caused by Bad Rabbit is still unknown, the threat created by ransomware is clear. <a href="http://www.zdnet.com/article/ransomware-is-now-big-business-on-the-dark-web-and-malware-developers-are-cashing-in/" target="_blank">Reports indicate the total value of ransomware sales on the dark web has rapidly increased from $250,000 to over $6m in just a year</a>. The growth of ransomware will continue as criminals get more access to the malware and victims are resigned to the fact that they have no choice but to pay to regain access to their systems. The only hurdle for ransomware at this point appears to be an increased number of amateur criminals using malicious software and potentially not releasing encrypted files to victims.  These amateurs may destroy the credibility of the ransomware criminal enterprise.</p>
<p>For our purposes though, this is not a good environment for PIPA to have any ambiguity concerning whether it applies to ransomware attacks.   PIPA addresses a data collector’s obligations if they sustain a “breach.”  Specifically, PIPA requires that a data collector notify Illinois residents that their personal information has been involved in a “breach.” Of course, the ransomware threat is different than the threat created by a disclosure of personal information through a classic system breach or a disclosure caused by a phishing scam.  PIPA defines “breach” as:</p>
<p><em>&#8220;Breach of the security of the system data&#8221; or &#8220;breach&#8221; means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. &#8220;Breach of the security of the system data&#8221; does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector&#8217;s business or subject to further unauthorized disclosure.</em></p>
<p>While PIPA does not mention ransomware by name, it does create a question as to whether ransomware falls under the definition of “breach of the security of the system data.” Oftentimes, ransomware arguably does not involve the “acquisition” of data and may be limited to the encryption of data until a ransom is paid. That is, there may be no &#8220;acquisition&#8221; of the data in a ransomware attack.  Therefore, a data collector may struggle with determining whether ransomware constitutes a “breach” under PIPA.</p>
<p>Based on this ambiguity, if a data collector is hit with ransomware, the most prudent course may involve notifying all Illinois residents of the incident.</p>
<p><strong>Is It A Good Idea To Send People To Equifax In Notification Letters?</strong></p>
<p>PIPA also provides notification requirements if a data collector experiences a breach.   Specifically, if a data collector breaches the personal information of an Illinois resident, the data collector must send a “disclosure notification” which provides “the toll-free numbers and addresses for consumer reporting agencies.” After the recent <a href="http://www.bbc.com/news/technology-41737241" target="_blank">breach at Equifax</a>, a consumer reporting agency, data collectors may be hesitant to tell people involved in an incident to contact Equifax. Further, even if Equifax’s information is provided merely to comply with this requirement, Illinois residents may not be willing to reach out to Equifax. Because recent events make this requirement useless, the Illinois legislature may want to amend PIPA to remove this requirement for notification letters.</p>
<p>Even if Bad Rabbit does not develop into a major threat in the United States, we can be certain that criminals are already working on their next crime involving our home, government and business computer systems.   Therefore, the Bad Rabbit outbreak provides the perfect opportunity to take a look at a data collector’s responsibilities if they are hit with ransomware or some cyber crime that may not even be in the news at this time.</p>
<p>Even though there may be some uncertainty, privacy laws are still the first place data collectors should go if they are involved in an incident.  At this point, it may be slightly unrealistic to expect legislatures to create privacy laws that move as quickly as the criminals that we are trying to protect ourselves against.  Further, most criminals will have moved on from ransomware to the next threat by the time the legislature is able to pass laws addressing ransomware.  Data collectors may need to look to the intent behind privacy laws and notify impacted individuals if there is a chance that their information has been exposed to another person without authorization, regardless of whether information was compromised through employee negligence, a classic breach, ransomware or some threat presently unknown.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Class Action Suit Filed by Credit Union over Arby’s Data Breach</title>
		<link>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=class-action-suit-filed-by-credit-union-over-arbys-data-breach</link>
		<comments>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/#comments</comments>
		<pubDate>Thu, 16 Feb 2017 21:25:23 +0000</pubDate>
		<dc:creator><![CDATA[Tressler LLP]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[arby's]]></category>
		<category><![CDATA[card operating regulations]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[EVM]]></category>
		<category><![CDATA[EVM chip]]></category>
		<category><![CDATA[home depo]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Target]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1116</guid>
		<description><![CDATA[
<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a class action complaint in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to... <a class="more-link" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/">Class Action Suit Filed by Credit Union over Arby’s Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On February 10, 2017, Midwest America Federal Credit Union (Midwest America) filed a <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Midwest_America_Federal_v_Arbys.pdf" target="_blank">class action complaint</a> in the U.S. District Court for the Northern District of Georgia against Arby’s Restaurant Group, Inc. Midwest America’s complaint alleges that defendants failed to comply with Card Operating Regulations issued by the payment card industry (MasterCard, VISA, Discover, and American Express), allowing a major data breach to occur from October 25, 2016, to January 19, 2017. Midwest America’s complaint alleges that this breach affected thousands of issuers of credit and debit cards nationwide.</p>
<p>The data breach was first <a href="https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/" target="_blank">reported last week</a> by cyber security expert Brian Krebs, who said in an online report that he was alerted to problems by banks and credit unions affected. Arby’s subsequently acknowledged the breach, telling him it involved malware on payment systems of its restaurants. In a statement on its website, Arby’s said it immediately notified law enforcement when it became aware of the breach and removed the malware.</p>
<p>The class action complaint alleges that the payment card industry issued Card Operating Regulations that mandate that Arby&#8217;s comply with industry standards. These standards require that all businesses upgrade to new card readers that accept EMV chip technology. EMV chip technology uses embedded computer chips to store payment card data. Every time an EMV card is used, the chip creates a unique transaction code that cannot be duplicated.</p>
<p>EMV technology increases payment card security, because, if stolen, the unique number cannot be used by hackers. The deadline for the installation of such systems was October 1, 2015. The class action alleges that Arby&#8217;s did not meet this deadline, as it has not installed chip card readers in its stores. The Card Operating Regulations dictate that businesses that continue to accept payment cards without chip readers will be liable for any damages as a result of data breaches.</p>
<p>The complaint alleges that Arby’s knew of the danger of not safeguarding its terminal network because Target, Home Depot and Wendy’s suffered similar data breaches. In 2015, Target agreed to pay $39.4 million to banks and credit unions in a suit relating to a 2013 data breach. Proposed class actions by banks and credit unions over Home Depot’s 2014 breach and Wendy’s 2015 breach are still pending in federal courts.</p>
<p>This recent breach demonstrates how difficult cyber security can be for large businesses that have seen a number of their competitors deal with large breaches and may have the resources to properly address cyber security concerns. This case, and other large scale breaches, may explain why smaller targets may dismiss cyber security safeguards based on the misconception that breaches only take place when there is a large amount of data at risk. However, it is important to keep in mind that many hackers have found smaller targets have lighter security than larger targets. Therefore, while large scale breaches are still taking place, there have been a number of recent examples of why smaller targets should continue to prepare for a cyber incident.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/class-action-suit-filed-by-credit-union-over-arbys-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Step By Step Analysis of a Response to Recent Ransomware Attack</title>
		<link>https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=step-by-step-analysis-of-a-response-to-recent-ransomware-attack</link>
		<comments>https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/#comments</comments>
		<pubDate>Thu, 18 Aug 2016 21:10:14 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[ransomware]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=898</guid>
		<description><![CDATA[
<p>Ransomware attacks are on the rise and appear to be a long-term problem. For example, last February in California, the Orange County Transportation Authority (OCTA) suffered a ransomware attack that shut down a number of its computers, causing more than... <a class="more-link" href="https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/">Step By Step Analysis of a Response to Recent Ransomware Attack</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Ransomware attacks are on the rise and appear to be a long-term problem. For example, last February in California, the Orange County Transportation Authority (OCTA) suffered a ransomware attack that shut down a number of its computers, causing more than $600,000 in damages. Specifically, the OCTA reportedly paid nearly <a href="http://www.ocregister.com/articles/octa-724714-system-cost.html" target="_blank">$330,000 in labor costs and $218,000 for emergency contracts</a> for technical assistance with the incident. The attack is said to have <a href="https://voiceofoc.org/2016/08/transportation-authority-kept-secret-cyber-attack-that-cost-600000/" target="_blank">cut off access to 88 OCTA servers</a> that limited access to a number of programs including e-mail, voicemail, intranet, employee assignments and payroll. Rather than pay the requested $8,500 ransom, OCTA worked for days to restore the servers, find the malware and secure the servers against future attacks. OCTA officers stated that services were uninterrupted and no credit card or other personal information was compromised during the attack. This ransomware attack and the OCTA response provide a great opportunity to analyze the response in the hours, days and months after a ransomware attack.</p>
<p><strong>Hours After Cyber Attack: Pay $8,500 Ransom or $600,000 to Fight the Hackers</strong></p>
<p>In defending the decision to not pay the ransom, the OCTA spokesperson stated, “[t]he FBI opposes paying ransom for cyber attacks, and so does [the Transportation Authority]. If we pay ransom to a criminal, there is no guarantee that our servers would be released, and the agency would likely be a target again because the attackers know they pay up.&#8221;</p>
<p>Regardless of whether this decision was correct or not, it&#8217;s clear that victims will have to make the tough decision on whether to pay the ransom or fight their attackers in the first few hours after an attack. While there is no information about when OCTA made this decision, the best strategy includes considering the potential for an attack and having a plan prior to an attack. Here, OCTA adopted a philosophy not to pay the ransom. While there are valid arguments on both sides, there is no question that the best time to make this decision is before a ransomware attack.</p>
<p><strong>Days After Cyber Attack: Violation of California’s Open Meetings Law?</strong></p>
<p>Since the attack, people have started to question whether OCTA complied with California’s Open Meetings Law, which requires governmental entities to make information available to the public. The OCTA’s board members were not notified about the attack until it had been resolved and the public received no information beyond statements that OCTA was experiencing technical problems. Now that the attack has been disclosed, some opponents are questioning the OCTA’s $218,000 payment for security because it “was not on the agenda and it was authorized in an unlawful closed session.” The OCTA spokesperson reasoned that, “[t]he last thing we want to do is make a public announcement…why would you let people know that your systems are compromised? It would invite, potentially, other people to hit you.”</p>
<p>In the days after a cyber attack, the key for any organization will be to determine its obligations under various state and federal laws. One important question will be whether the private information of others was compromised in the attack. In this situation, OCTA stated “…in this crime against OCTA, information wasn’t lost or stolen and service wasn’t disrupted. If that had been the case, those impacted would have been notified…”</p>
<p>Therefore, the ransomware incident at OCTA demonstrates that different types of cyber crimes will give rise to different obligations for the victim. Further, this attack demonstrates how important it is for an organization to consider all the various local, state and federal regulations that may apply given certain scenarios before an incident occurs.</p>
<p><strong>Months After Cyber Attack: Providing Notice and Protecting Against Future Attacks</strong></p>
<p>The OCTA ransomware incident was not publicly disclosed until the first week of August, nearly six months after the incident. While OCTA claims it waited to disclose this incident until it was certain that its systems were safe from further attacks, there is growing concern that a number of cyber incidents are not being reported for reasons other than safety. In fact, there may be a number of reasons to not disclose an incident. For example, there is significant evidence <a href="https://privacyriskreport.com/nothing-to-see-here-underreporting-cyber-security-incidents-impacts-cyber-insurance/" target="_blank">that the underreporting </a>of these incidents by government and corporate leaders comes from their worry about the impact an incident could have on their careers. Also, the risk that an entity’s reputation will be tarnished is another reason cyber incidents go unreported.</p>
<p>In the end, it is easy to second guess some of OCTA’s decisions in the time after the ransomware attack; anyone responsible for cyber security should assume their actions will be questioned after a cyber incident. However, the best way to survive this scrutiny is to consider as many cyber security issues as possible before an incident ever happens.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/step-by-step-analysis-of-a-response-to-recent-ransomware-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pokémon Go Provides Opportunity for Insurers to Start Considering New Technology</title>
		<link>https://privacyriskreport.com/pokemon-go-provides-opportunity-for-insurers-to-start-considering-new-technology/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=pokemon-go-provides-opportunity-for-insurers-to-start-considering-new-technology</link>
		<comments>https://privacyriskreport.com/pokemon-go-provides-opportunity-for-insurers-to-start-considering-new-technology/#comments</comments>
		<pubDate>Mon, 11 Jul 2016 16:35:24 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[augmented reality]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[insurance claims]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[pokemon go]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=835</guid>
		<description><![CDATA[
<p>At the height of the Internet of Things, a new technology craze has thrown the insurance industry for another loop as “augmented reality” takes hold. On July 6, 2016, Pokémon Go, an interactive app-based game, is on pace to have... <a class="more-link" href="https://privacyriskreport.com/pokemon-go-provides-opportunity-for-insurers-to-start-considering-new-technology/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/pokemon-go-provides-opportunity-for-insurers-to-start-considering-new-technology/">Pokémon Go Provides Opportunity for Insurers to Start Considering New Technology</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>At the height of the <a href="https://privacyriskreport.com/tag/internet-of-things/" target="_blank">Internet of Things</a>, a new technology craze has thrown the insurance industry for another loop as “augmented reality” takes hold. On July 6, 2016, <em>Pokémon Go, </em>an interactive app-based game<em>,</em> is on pace to have <a href="http://www.bbc.com/news/technology-36763504" target="_blank">more downloads than Twitter has users</a>. This recent <a href="http://www.vox.com/2016/7/11/12129162/pokemon-go-android-ios-game" target="_blank"><em>Pokémon Go </em>phenomenon</a> has been described as follows:</p>
<p style="padding-left: 30px;"><em>In simple terms, Pokémon Go uses your phone’s GPS and clock to detect where and when you are in the game and make Pokémon “appear” around you (on your phone screen) so you can go and catch them. As you move around, different and more types of Pokémon will appear depending on where you are and what time it is. The idea is to encourage you to travel around the real world to catch Pokémon in the game.<br />
</em></p>
<p><em>Pokémon Go </em>uses technology generally referred to as <a href="http://computer.howstuffworks.com/augmented-reality.htm" target="_blank">augmented reality</a>:</p>
<p style="padding-left: 30px;"><em>On the spectrum between virtual reality, which creates immersive, computer-generated environments, and the real world, augmented reality is closer to the real world. Augmented reality adds graphics, sounds, haptic feedback and smell to the natural world as it exists.</em></p>
<p>As seen with other technological developments, the consequences for the insurance industry are not entirely understood at this time. However, it is clear that this technology will impact the insurance industry in some manner, as we have already seen the following situations:</p>
<ul>
<li><strong>Private Property Turned Into “Pokémon Gyms”</strong>: The Pokémon characters will gather at what the app refers to as a “Gym.” In the days since the release, a number of private property owners have found their property identified as “Gyms,” which results in a steady stream of players being sent to their private property. <a href="http://www.independent.co.uk/life-style/gadgets-and-tech/gaming/pokemon-go-man-s-house-accidentally-turned-into-a-gym-causing-huge-problems-a7129756.html" target="_blank">One homeowner has recently found his home, which was once a church building, the gathering place for a number of players</a>. The homeowner notes “that the problems could easily lead to the value of his house going down and issues with his neighbours.”</li>
<li><strong>Bodily Injury to Players</strong>: While the dangers of having people looking at their phones as they move through city streets are easily seen, a number of reports indicate that <a href="http://abcnews.go.com/US/armed-robbers-pokemon-app-target-victims-cops/story?id=40474315" target="_blank">criminals are using the game to commit their crimes</a>. On the evening of July 9, 2016, police in O’Fallon, Mo. received reports that criminals were using the app by adding “a beacon to a PokeStop” that brought more players to the area. Reports indicate a number of armed robberies took place near this beacon.</li>
<li><strong>Malware Spreading Through App</strong>: As expected, hackers have already attempted to capitalize on the popularity of this app. In the few short days since the app has been available, there have been a number of reports that <a href="http://fortune.com/2016/07/10/pokemon-go-malware/" target="_blank">phones are downloading compromised versions</a> of the app, which could allow unauthorized access to the users’ phones.</li>
</ul>
<p>Insureds have only been able to download <em>Pokémon Go </em>for less than a week and this technology has already made an impact that should get the insurance industry&#8217;s attention. This technology, which has caught many people completely off guard, has already shown the potential to cause damage to private property, cause bodily injury and provide hackers access to insureds&#8217; devices. Therefore, even if Pokémon Go does not have a significant impact on the insurance industry, this app is a good indicator of the technological advances to come.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/pokemon-go-provides-opportunity-for-insurers-to-start-considering-new-technology/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Following 2014&#8217;s &#8220;Year of the Breach,&#8221; 2015 is Shaping Up to Be the &#8220;Year of Data Breach Litigation&#8221;</title>
		<link>https://privacyriskreport.com/following-2014s-year-of-the-breach-2015-is-shaping-up-to-be-the-year-of-data-breach-litigation/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=following-2014s-year-of-the-breach-2015-is-shaping-up-to-be-the-year-of-data-breach-litigation</link>
		<comments>https://privacyriskreport.com/following-2014s-year-of-the-breach-2015-is-shaping-up-to-be-the-year-of-data-breach-litigation/#comments</comments>
		<pubDate>Thu, 04 Jun 2015 20:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[Home Depot]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[settlement]]></category>
		<category><![CDATA[Sony]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=262</guid>
		<description><![CDATA[
<p>Last year, there were a number of high profile breaches—earning 2014 the “Year of the Breach” tag. This year is seeing the fallout, as many of these breaches have resulted in significant litigation. For example, the Home Depot breach in April... <a class="more-link" href="https://privacyriskreport.com/following-2014s-year-of-the-breach-2015-is-shaping-up-to-be-the-year-of-data-breach-litigation/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/following-2014s-year-of-the-breach-2015-is-shaping-up-to-be-the-year-of-data-breach-litigation/">Following 2014&#8217;s &#8220;Year of the Breach,&#8221; 2015 is Shaping Up to Be the &#8220;Year of Data Breach Litigation&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<div class="entry-content">
<p>Last year, there were a number of high profile breaches—earning 2014 the “Year of the Breach” tag. This year is seeing the fallout, as many of these breaches have resulted in significant litigation.</p>
<p>For example, the Home Depot breach in April of 2014—one of the largest breaches in history at that time—is now the subject of litigation brought by consumers and banks in the District Court for the Northern District of Georgia. Specifically, hackers accessed Home Depot’s payment data systems and installed malware allowing consumers’ data to be compromised. While there was no question that the consumers’ data was compromised, Home Depot argues the consumers are merely speculating that their information was used by hackers.</p>
<p>On June 1, 2015, Home Depot filed its Motion to Dismiss the claims of the consumers. In the first line of its brief in support of the motion, Home Depot wastes no time and asserts the consumers’ case is fatally defective because there are no allegations that consumers suffered any “actual or imminent injury.” This argument, based on the U.S. Supreme Court’s decision in <em>Clapper v. Amnesty International USA</em>, has been successfully used by a number of data breach defendants.</p>
<p>An interesting aspect of the Motion to Dismiss is Home Depot’s reliance on the “majority position” in <em>In re Target Corp. Customer Data Security Breach Litig.</em>, among a number of other recent data breach cases. Litigants are beginning to rely on a significant body of law concerning data breaches as well as insurance coverage for data breaches and cyber security. The significant body of law available to Home Depot to cite in support of its Motion to Dismiss serves as a reminder of how quickly this area of the law has developed.</p>
<p>Just in the last month, we have seen a significant data breach decision involving coverage under a CGL policy, Sony and Zurich settle a significant data breach case involving a CGL policy, and a District Court in Utah issue one of the first decisions concerning coverage under a cyber policy. Also, another declaratory judgment action involving CNA’s denial of a claim under a cyber policy was recently filed and is pending in California.</p>
<p>It is clear that while 2014 may be referred to as the “Year of the Breach,” 2015 is shaping up to be the “Year of Data Breach Litigation.”</p>
</div>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/following-2014s-year-of-the-breach-2015-is-shaping-up-to-be-the-year-of-data-breach-litigation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>California Attorney General Provides Sage Advice Regarding Data Breach Protection</title>
		<link>https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=california-attorney-general-provides-sage-advice-regarding-data-breach-protection</link>
		<comments>https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/#comments</comments>
		<pubDate>Wed, 05 Nov 2014 19:38:12 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=151</guid>
		<description><![CDATA[
<p>In a recent interview, California Attorney General Kamala D. Harris quoted the following statistics from her “California Data Breach Report,” published in October: In 2013, there were more than 167 data breaches reported in California. This represents an increase of 28% from... <a class="more-link" href="https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/">California Attorney General Provides Sage Advice Regarding Data Breach Protection</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In a <a href="http://bits.blogs.nytimes.com/2014/10/28/report-analyzes-extent-of-data-breaches-in-california/?_r=0" target="_blank">recent interview</a>, California Attorney General Kamala D. Harris quoted the following statistics from her “<a href="http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?" target="_blank">California Data Breach Report</a>,” published in October:</p>
<ul>
<li>In 2013, there were more than 167 data breaches reported in California. This represents an increase of 28% from the 131 data breaches reported in 2012.</li>
<li>The majority of these breaches involved malware and hacking, while a minority of the breaches resulted from the physical loss of a device.</li>
<li>The retail industry was the biggest target for hackers with financial institutions running a close second.</li>
<li>Social Security numbers were the most frequently compromised piece of personal information.</li>
</ul>
<p><a href="http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?" target="_blank">The Report</a> also includes the following recommendations for data storage:</p>
<ul>
<li>Update point-of-sale terminals and necessary software to include chip-enabled technology.</li>
<li>Encrypt payment card data in order to make information less valuable to hackers.</li>
<li>Respond promptly to data breaches and notify affected individuals in the most expedient time possible.</li>
</ul>
<p>This <a href="http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?" target="_blank">Report</a> and the Attorney General’s comments are further evidence that companies may face liability if they have a data breach while using an antiquated storage system. While the costs to protect private information may be difficult to initially justify to a company’s bottom line, we are fast approaching a time where it may be more expensive to use an old, insecure data storage system in the long run. A number of states are already considering legislation which will make new safeguards mandatory. Moreover, companies may face additional liability if a data breach occurs at a point when a company has failed to make basic upgrades to its system.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/california-attorney-general-provides-sage-advice-regarding-data-breach-protection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Insured’s Attempt to Establish Coverage Under Professional Liability Policy Survives Motion to Dismiss Based on Voluntary Payments Clause</title>
		<link>https://privacyriskreport.com/insureds-attempt-to-establish-coverage-under-professional-liability-policy-survives-motion-to-dismiss-based-on-voluntary-payments-clause/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=insureds-attempt-to-establish-coverage-under-professional-liability-policy-survives-motion-to-dismiss-based-on-voluntary-payments-clause</link>
		<comments>https://privacyriskreport.com/insureds-attempt-to-establish-coverage-under-professional-liability-policy-survives-motion-to-dismiss-based-on-voluntary-payments-clause/#comments</comments>
		<pubDate>Mon, 20 Oct 2014 15:43:41 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=160</guid>
		<description><![CDATA[
<p>In First Commonwealth Bank v. St. Paul Mercury Ins. Co., No. 2:14-cv-00019-MPK (W.D. Pa.), St. Paul, the insurer for a bank, First Commonwealth, filed a motion to dismiss First Commonwealth’s breach of contract claim which sought coverage under a professional liability... <a class="more-link" href="https://privacyriskreport.com/insureds-attempt-to-establish-coverage-under-professional-liability-policy-survives-motion-to-dismiss-based-on-voluntary-payments-clause/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/insureds-attempt-to-establish-coverage-under-professional-liability-policy-survives-motion-to-dismiss-based-on-voluntary-payments-clause/">Insured’s Attempt to Establish Coverage Under Professional Liability Policy Survives Motion to Dismiss Based on Voluntary Payments Clause</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In <em>First Commonwealth Bank v. St. Paul Mercury Ins. Co</em>., No. 2:14-cv-00019-MPK (W.D. Pa.), St. Paul, the insurer for a bank, First Commonwealth, filed a motion to dismiss First Commonwealth’s breach of contract claim which sought coverage under a professional liability policy. St. Paul asserted First Commonwealth’s lawsuit should be dismissed as a matter of law because First Commonwealth reimbursed a customer for amounts lost in a fraudulent transaction without first notifying St. Paul as required under the policy.</p>
<p>Commonwealth sought coverage under its professional liability insurance policy issued by St. Paul for amounts it paid to reimburse one of its customers who became a victim of “malware” (malicious software installed without permission). After being installed on the customer’s computer, the malware allowed hackers to access the customer’s password and username for the customer’s account with Commonwealth. After gaining access, hackers completed multiple wire transfers totaling more than $3 million to banks in Krasnodar, Russia, Pennsylvania and Belarus. Once the fraud was uncovered, Commonwealth immediately reimbursed its customer.</p>
<p>In its motion to dismiss, St. Paul took the position that Commonwealth’s coverage action should be dismissed because the bank’s payment violated the “voluntary payment” provision under the professional liability policy. This provision precluded coverage for any amounts Commonwealth paid to third-parties without first obtaining St. Paul’s consent.</p>
<p>On October 6, 2014, the District Court issued its <a href="http://www.privacyriskreport.com/wp-content/uploads/2014/10/First-Commonwealth-v.-St.-Paul-Opinion.pdf">Opinion and Order</a> denying St. Paul’s motion to dismiss. The District Court reasoned that the reimbursement of the customer’s account for the fraudulent wire transfers was not voluntary when Pennsylvania law required the bank to reimburse the customer for the fraudulent wire transfers. Specifically, the Pennsylvania Uniform Commercial Code requires all banks to refund any funds paid without the customer’s authorization. Therefore, in light of the bank’s statutory obligation to reimburse the customer for the fraudulent wire transfers, the District Court held the payments could not be “voluntary.”</p>
<p>This decision demonstrates how the rapid development of malware and hackers’ techniques can outpace the development of certain laws. Here, we see a situation where the legislators may not have been able to consider the impact of malware when they drafted provisions of the Commercial Code. Likewise, we also see a court finding that the terms and conditions of an insurance policy potentially conflict with an insured’s obligations under the Commercial Code. Consequently, this decision is further evidence of the need to obtain counsel that understands the intersection of malware, statutory obligations and obligations under insurance policies.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/insureds-attempt-to-establish-coverage-under-professional-liability-policy-survives-motion-to-dismiss-based-on-voluntary-payments-clause/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
