<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; security</title>
	<atom:link href="https://privacyriskreport.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</title>
		<link>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-security-during-coronavirus-pandemic</link>
		<comments>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/#comments</comments>
		<pubDate>Thu, 26 Mar 2020 18:37:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[coronavirus]]></category>
		<category><![CDATA[COVID-19]]></category>
		<category><![CDATA[cyber claims]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=2077</guid>
		<description><![CDATA[
<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people.  However, there has not been much discussion on what happens if there is a cyber event over the... <a class="more-link" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Understandably, there has been a lot of information concerning the novel coronavirus and its impact on insurance, business and, of course, people.  However, there has not been much discussion on what happens if there is a cyber event over the next couple of weeks as the world deals with the COVID-19 pandemic.  A cyber security breach during the novel coronavirus pandemic could sever the one thread connecting remote employees to their place of work.</p>
<p>While it is still early, there should be little dispute that the current pandemic will have a profound impact on the workplace, which, in turn, will have a profound impact on the use of data. <a href="https://www.forbes.com/sites/heathermcgowan/2020/03/23/the-coronavirus-pandemic-accelerates-the-future-of-work-and-provides-opportunity/#5c1d28f3317f" target="_blank">Commentators have already offered the following concerning the new workplace</a>:</p>
<p><em>If the future of work requires restructured workplaces, redefined roles, rapid learning, and reserves of trust—and it does, organizations are being challenged to do all that and more as they address the coronavirus pandemic. While we have long spoken about <a class="color-link" title="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" href="https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity" target="_blank" rel="nofollow noopener noreferrer" data-ga-track="ExternalLink:https://en.wikipedia.org/wiki/Volatility,_uncertainty,_complexity_and_ambiguity">VUCA (volatile, uncertain, complex, and ambiguous)</a> environments, we are finally and undoubtedly facing one.  In the span of a few weeks, the world’s economy traveled a path from cautious observation and common-sense health advisories to massive cancelations, business shutdowns, and work from home mandates. JPMorgan, AT&amp;T, Google, Amazon, Nike, Facebook, among many, many more are hustling to virtualize business operations as social distancing continues to be the best practice to “flatten the curve” of contagion. </em></p>
<p><em>Coronavirus, it turns out, might be the great catalyst for business transformation. </em></p>
<p>Without a doubt, once we get through this pandemic, we will need to address how the new workplace impacts privacy.  The two most immediate concerns may be the opportunities for hackers and how regulations will be impacted by the overwhelming health and economic concerns.</p>
<ol>
<li><strong>The Pandemic May Provide Opportunities For Hackers</strong></li>
</ol>
<p>While there are a number of uncertainties during this unprecedented situation, we have been able to piece together some information concerning our world in March of 2020:</p>
<ul>
<li>We are in a pandemic caused by the novel coronavirus;</li>
<li>In response to the pandemic, people are working from home, transferring information without the security measures found in the workplace;</li>
<li>The pandemic has created turmoil in the world’s financial and employment markets; and</li>
<li>Workers do not feel secure, which may lead to snap decisions.</li>
</ul>
<p>Unfortunately, these four factors give rise to the perfect environment for opportunistic hackers.  Data collectors may want to take the following approach in the coming weeks:</p>
<ul>
<li><strong>Protect data transfers</strong>. In the coming weeks, as the pandemic unfolds, employee training or discussions on data safety will be key.  Data collectors should remind their new remote workforce of the emerging risks they face in transferring data.</li>
</ul>
<ul>
<li><strong>Prepare for outages.</strong> There are new limitations on communicating with a remote workforce.  Data collectors should consider what their business may look like if there is an international, national or local outage that would cut this limited access even further.</li>
</ul>
<ul>
<li><strong>Think about permanent solutions for the new workplace</strong>. The remote workforce will be able to return to their traditional workplaces at some point.  Data collectors should think about what safeguards should be put into place if workers start working remotely more frequently.</li>
</ul>
<p>Not surprisingly, we have already seen hackers target vital businesses that are essential during the coronavirus pandemic.  German newspapers have reported that “Cyber criminals have launched a distributed denial-of-service (DDoS) attack against German food delivery service Takeaway.com (Lieferando.de), demanding two bitcoins (about $11,000) to stop the flood of traffic.”  <a href="https://nationalcybersecurity.com/ddos-attack-targets-german-food-delivery-service/" target="_blank">Commentators warn this may not be the end of cyber attacks</a>:</p>
<p><em>Security experts anticipate these types of acts, intended to exploit essential services in times of crisis, will continue as restrictions due to COVID-19 remain in place. “Deplorably, we will likely see a further avalanche of cyberattacks targeting most susceptible online businesses,” says ImmuniWeb founder and CEO Ilia Kolochenko. As a result, many organizations may be forced to pay cybercriminals or invest in DDoS protection services to defend against advanced attacks.</em></p>
<p>Clearly, this will be a continuing threat over the next few weeks.</p>
<ol start="2">
<li><strong>The Pandemic May Cause Privacy Regulations To Get Dialed Back.</strong></li>
</ol>
<p>A couple of months ago, businesses, insurers and governments were starting to get the hang of this privacy thing.  Previously, the biggest concern was compliance with privacy regulations such as the California Consumer Privacy Act (“CCPA”).  (By the way, a number of organizations are now calling for the delay of the enforcement of the CCPA: <a href="https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/">https://www.ciodive.com/news/CCPA-coronavirus-extension/574547/</a>)  That was, of course, until the coronavirus pandemic sent workers home.</p>
<p>Being just a few weeks into the pandemic, we can be sure that privacy law will be profoundly impacted when deadlines are extended and the data is used by millions of workers that have moved offsite.  After the pandemic, we will need to watch deadlines and be ready to modify compliance with privacy law.</p>
<p>If the adoption or enforcement of privacy regulations is delayed by the coronavirus pandemic, we may see data collectors struggle to find guidance for proper data storage and collection.  Looking at case law may fill the void left by relaxed deadlines and requirements.  For example, data collectors may look to decisions such as the March 26, 2018 opinion in <em>Hopper v. Schletter Inc</em>., 17-cv-01, 2018 WL 1472485 (W.D. North Carolina 2018) as an example where a court was prepared to hold employers liable if they disclose their employees’ information by mistake. And, if courts around the country adopt the reasoning in <em>Hopper</em>, employers can expect to have their cyber security protocols closely scrutinized after the coronavirus pandemic.</p>
<p>Further, the facts giving rise to the incident in <em>Hopper</em> are instructive to remote workplaces.  On April 19, 2016, the defendant in <em>Hopper</em>, Schletter Group, sent a letter advising its employees and former employees that Schletter had sent its employees’ W-2 forms by mistake to a third party after it fell prey to a phishing scam. Schletter offered credit monitoring and identity theft protection to those impacted. After the plaintiffs filed a lawsuit seeking alleged damages as a result of this incident, Schletter filed a motion to dismiss the complaint. The District Court denied Schletter’s motion to dismiss the plaintiffs’ claims for negligence and breach of implied contract, invasion of privacy and violations of North Carolina’s Unfair Trade Practices and Privacy Acts. The District Court, however, dismissed the breach of fiduciary duty claim.</p>
<p>As an initial step, the District Court discussed all the warnings it believed Schletter had about phishing scams before it fell prey. In finding Schletter had ample notice of the potential for an incident, the District Court listed various FBI warnings, IRS alerts, articles and examples available of emails used in similar scams that it believed Schletter should have been aware of before the incident. After discussing all the ways the District Court believed the Defendant should have been aware of this scam, the District Court stated that “[d]espite the widespread prevalence of spoofing aimed at obtaining confidential information from employers and despite the warnings of the 2016 tax season W-2 email scam, [Schletter] provided its employees with unreasonably deficient training on cyber security and information transfer protocols prior to the Data Disclosure.” The District Court called Schletter’s preparation and response into question.</p>
<p>The District Court provided the following examples of how it believed Schletter failed to properly train its employees:</p>
<ul>
<li>How to detect phishing and spoofing emails and other scams including providing employees examples of these scams and guidance on how to verify if emails are legitimate;</li>
<li>Effective password management and encryption protocols for internal and external emails;</li>
<li>Avoidance of responding to emails that are suspicious or from unknown sources;</li>
<li>Locking, encrypting and limiting access to computers and files containing sensitive information;</li>
<li>Implementing guidelines for maintaining and communicating sensitive data; and</li>
<li>Protecting sensitive employee information, including personal and financial information, by implementing protocols on how to request and respond to requests for the transfer of such information and how to securely send such information through a secure file transfer system to only known recipients.</li>
</ul>
<p>Based on this reasoning, the District Court concluded “[t]he Data Disclosure was caused by the Defendant’s failure to abide by best practices and industry standards concerning the security of its computer and payroll processing systems.” In further support of its conclusion, the District Court listed the various ways it found Schletter had failed to implement the proper security measures to protect the W-2s.</p>
<p>It will be interesting to see if courts are going to give data collectors a “pass” for lapses in cyber security once the coronavirus pandemic has come to an end.  Even though cyber security may be in flux, there is still a significant amount of guidance for data collectors.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/">Where Do We Begin? Two Immediate Threats to Cyber Security During the Coronavirus Pandemic</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-security-during-coronavirus-pandemic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</title>
		<link>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach</link>
		<comments>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/#comments</comments>
		<pubDate>Thu, 04 Oct 2018 19:08:20 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1673</guid>
		<description><![CDATA[
<p>While some courts have found coverage for data breach claims under CGL policies, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.... <a class="more-link" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="https://privacyriskreport.com/early-observations-in-portal-healthcare-decision-cgl-coverage-for-cyber-claims/" target="_blank">While some courts have found coverage for data breach claims under CGL policies</a>, there should be little dispute that the best way to limit risk is to obtain a cyber policy rather than hoping for coverage under a CGL policy.</p>
<p>The decision in <em>St. Paul Fire &amp; Marine Ins. Co. v. Rosen Millennium, Inc</em>., case no. 17-cv-540, provides the latest example of a court finding no coverage for a data breach under a commercial general liability insurance policy (“CGL”).  In <em>Rosen Millennium</em>, the Federal District Court for the Middle District of Florida issued an order on September 28, 2018, finding no coverage for a data breach under two CGL policies issued to defendant, Rosen Millennium (“Rosen”).</p>
<p>Rosen was providing data security services to Rosen Hotels &amp; Resorts (“RHR”) when they discovered a potential breach of credit cards at a hotel in February of 2016.  The forensic investigator determined information related to the credit cards provided by hotel patrons was breached and RHR took steps to notify the patrons in March of 2016.</p>
<p>Rosen submitted a notice of claim to its insurer, St. Paul Fire &amp; Marine (“Travelers”) in December of 2016, which stated RHR claimed the breach was the result of Rosen’s negligence. Travelers issued a reservation of rights denying coverage and requesting Rosen provide any information it believed may impact St. Paul’s coverage determination. Shortly thereafter, Travelers filed this declaratory action seeking a determination of its duty to defend Millennium against RHR’s negligence claims.  Even though RHR did not file suit, they claimed a demand letter from RHR and Millennium’s Notice of Claim created a controversy as to Travelers’ duty to defend Millennium under the CGL policies.</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Property Damage” Under the CGL Policies</strong></li>
</ul>
<p>In granting Travelers’ motion for summary judgment, the District Court first opined that the Notice of Claim (which contained only the relevant dates of the breach) and demand letter (which provided only that Rosen exposed private information to third parties) did not trigger Travelers’ defense obligation under the policy.  In particular, the District Court found these documents “make no mention of, let alone a claim for, property damage or the costs incurred from complying with notification statutes.”  Consequently, the District Court found Rosen’s claims for coverage not ripe and held Travelers had no “duty to defend a hypothetical claim.”</p>
<ul>
<li><strong>The Allegations Against Rosen Did Not Constitute “Personal Injury” Under the CGL Policies</strong></li>
</ul>
<p>The District Court also rejected Rosen’s assertion that RHR’s allegations constituted “personal injury” as that term is defined under the CGL Policies.  In particular, the CGL Policies defined personal injury as “injury, other than bodily injury or advertising injury, that’s caused by a personal injury offense.”  And, the CGL policies defined “personal injury offense” as “[m]aking known to any person or organization covered material that violates a person’s right of privacy.” The central question in the District Court’s analysis is whether the material, or personal information, was “made known” by Rosen and, therefore, constitutes a personal injury offense.  Both parties agreed “making known” “is synonymous with ‘publication.’”</p>
<p>In addressing this question, Travelers argued that the allegations against Rosen do not constitute publication because “third-party data breaches are not covered under” CGL policies. That is, there is no coverage because the alleged injuries do not result from Rosen’s “business activities but rather the actions of third parties.”  In other words, there is no coverage for these claims because, if there was a publication, the publication was not done by the insured, Rosen.</p>
<p>This decision serves as another reminder that only a sliver of the data breach cases even arguably trigger coverage under a CGL policy. On the other hand, the insurance marketplace has solved the problem Rosen faced in this matter by offering cyber insurance policies that are specifically designed to provide cyber coverage.</p>
<p>Please contact <a href="https://www.tresslerllp.com/attorneys/attorney-details/todd-rowe" target="_blank">Todd M. Rowe</a> (trowe@tresslerllp.com) for additional questions or for a copy of this decision.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/">Another Court Finds No Coverage Under CGL Insurance Policy for Data Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/another-court-finds-no-coverage-under-cgl-insurance-policy-for-data-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</title>
		<link>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions</link>
		<comments>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/#comments</comments>
		<pubDate>Thu, 17 Aug 2017 16:17:26 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Contempt]]></category>
		<category><![CDATA[Court]]></category>
		<category><![CDATA[Cyber Attack]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[DLA Piper]]></category>
		<category><![CDATA[Jurors]]></category>
		<category><![CDATA[Law]]></category>
		<category><![CDATA[Legal]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1282</guid>
		<description><![CDATA[
<p>On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many targets of a recent global cyber attack. The attack reportedly did not compromise any client data.  Reports indicate that, even though email... <a class="more-link" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><a href="http://fortune.com/2017/06/29/dla-piper-cyber-attack/" target="_blank">On June 27, 2017, the law firm DLA Piper (&#8220;law firm&#8221;) found itself to be one of many targets of a recent global cyber attack. The attack reportedly did not compromise any client data.</a>  Reports indicate that, even though email service was disrupted by the attack, lawyers were still able to communicate through text messaging and telephone calls. This attack on the law firm, which by all accounts was aptly prepared for a cyber attack, demonstrates that no business is completely safe and incident response preparation will continue to be a key element in cyber security.</p>
<p>This cyber attack was discussed in a recent decision and provides further proof that data breaches should not be the only concern when considering cyber security.  In <em>Cone et al. v. Hankook Tire Co.,</em> 2017 WL 3446295 (Aug. 10, 2017 W.D. Tenn.), the District Court for the Western District of Tennessee heard arguments during a show cause hearing on the question of whether certain attorneys at the law firm, as counsel for the defendant, Hankook Tire (“Hankook”), should be held in contempt after jurors were mistakenly contacted after trial without the District Court&#8217;s permission.  While the attorney at the law firm was not held in contempt of court, the District Court made clear that the cyber incident, which limited email communications, did not excuse the improper contact of jurors.</p>
<p>The conduct giving rise to the show cause hearing took place after a verdict was returned in favor of Hankook on June 30, 2017. At some point shortly after the case reached a verdict, the court clerk was informed that a “jury researcher” had contact with some of the jurors.  This contact violated the local rules because the parties did not have permission from the District Court to contact jurors to discuss the case.  On July 20, 2017, the District Court issued an order requiring the parties provide information on the jury researcher.</p>
<p>In response to the order seeking information on the jury researcher, counsel for Hankook filed a statement confirming they hired the jury researcher that followed up with the jurors. However, the response filed by Hankook made clear that one of its attorneys (&#8220;Sender Attorney&#8221;) put into motion a “series of mistaken assumptions” that resulted in the jurors being contacted without the District Court’s permission.  The response indicated the jurors were contacted under the following circumstances:</p>
<ul>
<li>On June 27, 2017, prior to the conclusion of the trial, the law firm suffered a cyber attack, disabling the firm’s email.</li>
<li>On July 3, 2017, Sender Attorney emailed the jury researcher to inform them that a favorable verdict was returned for Hankook. Sender Attorney copied another attorney at his firm (&#8220;Copied Attorney&#8221;) on this email. The jury researcher responded on the same day asking whether they could contact the jurors. Sender Attorney stated that he thought the jury should be contacted unless the Copied Attorney disagreed.</li>
<li>On the day after the trial ended, the Copied Attorney was traveling to South Korea and never saw the emails discussing whether the jury researcher should contact the jurors.  The Copied Attorney&#8217;s email was not restored until some point after Sender Attorney&#8217;s email had been sent.</li>
</ul>
<p>Based on this timeline, Copied Attorney was not aware of Sender Attorney&#8217;s email until some point after the District Court issued the order seeking information on how jurors were contacted after the trial. Copied Attorney further stated that if he had seen the emails, he would have instructed Sender Attorney to reach out to the other attorneys working on Hankook’s defense to determine if the jurors could be contacted by the jury researcher.  Unfortunately, with Copied Attorney silent on the issue, Sender Attorney and the jury researcher “mistakenly assumed” there was no reason to hold off on contacting the jurors.</p>
<p>The District Court found that Sender Attorney&#8217;s violation of the local rules was the result of “a series of questionable assumptions,” but did not rise to the level of contempt of court. While the holding in <em>Cone</em> may have little or no impact on the overall case, the District Court’s finding that there was a series of mistaken assumptions illustrates the impact that a cyber incident may have on the daily operations of any business.  In short, this cyber attack is further proof that we will likely continue to see cyber incidents causing communication disruptions in a variety of businesses.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/">Law Firm Cyber Attack Is Involved In A &#8220;Series Of Mistaken Assumptions&#8221;</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/law-firm-cyber-attack-is-involved-in-a-series-of-mistaken-assumptions/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Use of Biometric Data Enters the Courts</title>
		<link>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=use-of-biometric-data-enters-the-courts</link>
		<comments>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/#comments</comments>
		<pubDate>Tue, 14 Feb 2017 22:09:52 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[biometric data]]></category>
		<category><![CDATA[class action]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1105</guid>
		<description><![CDATA[
<p>The Privacy Risk Report has previously reported on the necessity to safeguard personal information such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves... <a class="more-link" href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/">Use of Biometric Data Enters the Courts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The <em>Privacy Risk Report</em> has previously reported on the <a href="https://privacyriskreport.com/recent-case-sheds-light-on-what-courts-may-find-makes-security-measures-reasonable/" target="_blank">necessity to safeguard personal information</a> such as names, addresses, social security numbers and credit card information to avoid risk resulting from data breaches. The latest trend we are seeing now involves a push by state legislatures to enact new laws that also protect biometric data, such as the Illinois Biometric Information Privacy Act (BIPA).</p>
<p>“Biometrics” defines “the field of science relating to the identification of humans based upon unique biological traits, such as fingerprints, DNA, and retinas” and recently “has produced new ways of conducting commercial transactions.” In particular, the protection of biometrics is a growing concern as this technology is turning up in everything from <a href="https://privacyriskreport.com/apple-watch-poses-a-number-of-new-privacy-risks/">watches that may collect health data</a> and finger-scanners at grocery stores and gas stations to retina scanners for financial transactions. Not only is this technology here to stay, but it is already involved in litigation across the country.</p>
<p>For example, in <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Vigil_v_Take_Two.pdf" target="_blank"><em>Vigil v. Take-Two Interactive Software, Inc</em>.</a>, the U.S. District Court for the Southern District of New York found class action plaintiffs lacked standing to bring suit under BIPA for claims related to how their faces were used to create personalized avatars in a video game.</p>
<p><strong>Illinois Biometric Information Privacy Act<br />
</strong></p>
<p>The Illinois legislature enacted BIPA (<a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&amp;ChapterID=57%20">740 Ill. Comp. Stat. 14/1 et seq</a>.), “which sets forth disclosure, consent, and retention requirements for private entities that collect, store, and disseminate biometric data.”</p>
<p>Before reaching its decision to grant Take-Two’s motion to dismiss, the District Court provided the following exhaustive background on BIPA:</p>
<p style="padding-left: 30px;"><em>As the Illinois legislature observed, biometric data are by definition unique, and thus—unlike a credit card number—cannot realistically be changed if they are subject to identity theft. <u>See</u> </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=SP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_4b24000003ba5"><em>740 Ill. Comp. Stat. 14/5(c)</em></a><em>. The Illinois legislature was concerned that the failure of businesses to implement reasonable safeguards for such data would deter Illinois citizens from “partaking in biometric identifier-facilitated transactions” in the first place, and would thus discourage the proliferation of such transactions as a form of engaging in commerce. </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=SP&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)#co_pp_7fdd00001ca15"><em>740 Ill. Comp. Stat. 14/5(e)</em></a><em>. The BIPA represents the Illinois legislature’s judgment that the collection and storage of biometrics to facilitate financial transactions is not in-of-itself undesirable or impermissible; instead, the purpose of the BIPA is to ensure that, when an individual engages in a biometric-facilitated transaction, the private entity protects the individual’s biometric data, and does not use that data for an improper purpose, especially a purpose not contemplated by the underlying transaction. 
<u>See</u> </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f5&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>740 Ill. Comp. Stat. 14/5(a–g)</em></a><em>.</em></p>
<p style="padding-left: 30px;"><em>Under the BIPA, a “biometric identifier” is “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while “biometric information” is information based on “biometric identifiers.” </em><a href="http://www.westlaw.com/Link/Document/FullText?findType=L&amp;pubNum=1000008&amp;cite=ILSTC740S14%2f10&amp;originatingDoc=Ifa25e6a0e7ba11e692ccd0392c3f85a3&amp;refType=LQ&amp;originationContext=document&amp;vr=3.0&amp;rs=cblt1.0&amp;transitionType=DocumentItem&amp;contextData=(sc.Search)"><em>740 Ill. Comp. Stat. 14/10</em></a><em>.</em></p>
<p><strong>Take-Two’s Video Game — NBA 2K16</strong></p>
<p>The defendant, Take-Two, collects and uses biometric data for its video games, including NBA 2K16. The plaintiffs allege that they used a feature in the video game “to scan their respective faces to create personalized virtual basketball players, exclusively for in-game play.” The plaintiffs did not allege the images of their faces were used for anything beyond use in their own games. The “MyPlayer” feature was specifically at issue, “which allows a gamer to create a ‘personalized basketball avatar’ based on a three-dimensional rendition of the gamer’s face.”</p>
<p><strong>Plaintiffs’ Claims of BIPA Violations </strong></p>
<p>Plaintiffs claimed that Take-Two’s violations of BIPA included the following:</p>
<ul>
<li>Take-Two did not publicly provide “a retention schedule or guidelines for permanently destroying biometric identifiers;”</li>
<li>Take-Two failed to inform the plaintiffs in writing that their biometric information was being collected;</li>
<li>Take-Two collected biometric information without obtaining a proper release from the plaintiffs;</li>
<li>Take-Two disclosed and disseminated plaintiffs’ biometric information without adequate consent;</li>
<li>Take-Two did not employ “industry-standard reasonable care;” and,</li>
<li>Take-Two profited from plaintiffs’ biometric information.</li>
</ul>
<p><strong>Dismissal of Plaintiffs’ Complaint</strong></p>
<p>Unconvinced by the plaintiffs’ arguments, the District Court granted Take-Two’s motion to dismiss the plaintiffs’ second amended complaint based on a finding that plaintiffs lacked standing to bring suit against Take-Two. <a href="https://privacyriskreport.com/seventh-circuit-weighs-in-on-article-iii-standing-for-data-breach-plaintiffs/">As with many data storage cases</a>, plaintiffs had to demonstrate they had standing to bring suit. In order to avoid Take-Two’s motion to dismiss, the plaintiffs attempted to support their claims with allegations of procedural violations of BIPA, without any allegations of additional harm in order to establish standing.</p>
<p>The District Court rejected the plaintiffs’ position because “[n]one of the plaintiffs’ allegations of procedural violations, on their own, demonstrate a material risk of harm to BIPA’s concrete data protection interest because there is no plausible allegation that there is a material risk that plaintiffs’ biometrics may be used in a way not contemplated by the underlying use of the MyPlayer feature.”</p>
<p>Additionally, the District Court held the plaintiffs failed to establish that there was “an imminent risk of harm that Take-Two’s storage and dissemination of their facial scans could compromise the data protection interest of the BIPA.” The District Court held the allegations that Take-Two’s practices may have subjected plaintiffs’ facial scans to an “‘enhanced risk of harm’ of somehow falling into the ‘wrong hands’” was too speculative to demonstrate plaintiffs had standing to sue Take-Two.</p>
<p>The District Court also rejected the plaintiffs’ argument that their damages were more than merely “speculative and abstract” because “face scans are relatively immutable, and, unlike (for example) passwords, cannot be changed.”</p>
<p><strong>Initial Impact of this Decision</strong></p>
<p>One fundamental principle in each section of the District Court’s lengthy opinion is that the plaintiffs scanned their own faces in order to create avatars for the video game. And, the plaintiffs failed to allege that the biometric information was used for any purpose other than the one to which plaintiffs had consented. That being said, this will not be the last time a court will be called on to interpret BIPA or similar statutes across the country. It is only a matter of time before data collectors find other uses for biometric information.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/">Use of Biometric Data Enters the Courts</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/use-of-biometric-data-enters-the-courts/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Recent Litigation Provides Example of Password Being Possibly Too Safe</title>
		<link>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=recent-litigation-provides-example-of-password-being-possibly-too-safe</link>
		<comments>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/#comments</comments>
		<pubDate>Fri, 03 Feb 2017 20:32:56 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[indiana uniform trade secret act]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trade secrets]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1090</guid>
		<description><![CDATA[
<p>It is evident that password security is one economical way to decrease the chances of a cyber incident, but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which... <a class="more-link" href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">Recent Litigation Provides Example of Password Being Possibly Too Safe</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>It is evident that <a href="https://privacyriskreport.com/low-tech-solutions-to-high-tech-cyber-security-problems-2/">password security is one economical way to decrease the chances of a cyber incident</a>, but recent litigation sheds light on a situation involving a password having too much protection. The American College of Education (ACE), which provides professional development programs for educators, filed suit against its former systems administrator because he would not provide the password for a student email system. The former employee, Triano Williams, filed his own discrimination lawsuit alleging, among many other accusations, that the passwords were stored on a laptop he returned to ACE, and that he offered to help them find the password for a fee.</p>
<p>The first lawsuit was initiated on July 19, 2016, when ACE filed suit against Williams, in Marion County, Indiana, based on allegations that Williams would not provide the password for a Google account that held e-mail and course materials for 2,000 students after ACE fired him from his position as Systems Administrator. When ACE contacted Williams after he was terminated about gaining access to the Google account, Williams stated he would provide the passwords for $200,000.</p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2017/02/State_of_Indiana_v_Triano_Williams.pdf" target="_blank">ACE’s complaint</a> (Paragraph 2) contained the following allegations concerning Williams’ employment and termination:</p>
<ul>
<li>“As the Systems Administrator for ACE, Mr. Williams had access to ACE’s confidential information and trade secrets.”</li>
<li>“Following his termination, Mr. Williams returned the company-issued computer which he had been using to perform his work duties.”</li>
<li>“The computer had been wiped of all information, included information needed by ACE to conduct its business. Specifically, at the time his employment with ACE ended, Mr. Williams was the sole administrator of ACE’s email account (hosted by Google), which is used by its students to communicate with the college and conduct their coursework.”</li>
<li>“Mr. Williams claims the login and administrator password to access ACE’s email was “autosaved” on his work laptop, but because Mr. Williams wiped his hard drive before returning to ACE, the administrator login information was lost.”</li>
<li>“The college has been unable to access its email account.”</li>
<li>“Without access to its email system, ACE is unable to administer its email account, without the administrator username and password which is causing immeasurable harm to the College’s reputation as its students are unable to access their email and coursework.”</li>
<li>“ACE has also requested the login information multiple times from Mr. Williams, but he has refused to provide that information without ACE paying him $200,000.”</li>
</ul>
<p>Based on these general allegations, ACE claimed it suffered harm from Williams’ actions and sought recovery under theories of: (1) intentional interference with contractual relationships and business relationships, (2) violation of the Indiana Uniform Trade Secret Act, (3) conversion, (4) offense against intellectual property, (5) breach of fiduciary duty, and (6) criminal mischief. ACE further sought a restraining order requiring Williams to immediately provide the password for ACE’s Google-hosted student e-mail account.</p>
<p>On December 30, 2016, Williams struck back when he filed <a href="https://privacyriskreport.com/wp-content/uploads/2017/02/Triano_Williams_v_American_College_of_Education.pdf" target="_blank">a complaint</a> in the U.S. District Court for the Northern District of Illinois alleging he was subjected to a hostile work environment and disparate treatment prior to and when ACE fired him. The complaint filed in Williams’ discrimination action sheds some light on Williams’ side of this story. In particular, Williams claims that he “was the sole remaining administrator when ACE decided to terminate him and lock him out of ACE’s Google email system.” Williams refused to assist ACE in retrieving the password because he was no longer an employee at the time and ACE was not offering any compensation for his work. Further, Williams’ complaint alleges that ACE had faced a similar situation with another employee and “paid…a sizable consultant fee to perform the task needed by ACE.”</p>
<p><a href="http://www.indystar.com/story/news/2017/01/17/after-his-firing-employee-unlock-data-200000/96487962/">In discussing this situation, cyber security experts warn</a> that “[a] lot of organizations are using cloud-based services and online services like this [and] [e]ven under a good situation, somebody could leave and then you find out the cloud service you depend on gets canceled because maybe the bill didn’t get paid.” Further, this situation shows the important role employees play in cyber security. While it has always been clear that employees can supplement the technological safeguards put in place, this litigation shows how the technology ACE relied on may have actually made ACE’s life more difficult. Regardless of whether ACE or Williams prevails in their competing lawsuits, the takeaway here is that the dispute may have been defused to some extent if ACE had stored the passwords in multiple (and safe) places.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/">Recent Litigation Provides Example of Password Being Possibly Too Safe</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/recent-litigation-provides-example-of-password-being-possibly-too-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Industrial Internet of Things:  The Good, The Bad And The Ugly</title>
		<link>https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=industrial-internet-of-things-the-good-the-bad-and-the-ugly</link>
		<comments>https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/#comments</comments>
		<pubDate>Tue, 08 Nov 2016 16:33:01 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[iiot]]></category>
		<category><![CDATA[industrial internet of things]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[IoT]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=997</guid>
		<description><![CDATA[
<p>This article originally appeared on November 3, 2016 in the Horton Group&#8217;s newsletter. The term &#8220;Internet of Things&#8221; (IoT) refers to networks of “smart” devices (including appliances, vehicles, watches and toys) that collect and exchange data over the internet. In... <a class="more-link" href="https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/">Industrial Internet of Things:  The Good, The Bad And The Ugly</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><em>This article originally appeared on November 3, 2016 in the <a href="http://www.thehortongroup.com/resources/industrial-internet-of-things-the-good-the-bad-and-the-ugly" target="_blank">Horton Group&#8217;s newsletter</a></em>.</p>
<p>The term &#8220;Internet of Things&#8221; (IoT) refers to networks of “smart” devices (including appliances, vehicles, watches and toys) that collect and exchange data over the internet. In the last few years we have started to see these devices become part of our homes and personal lives. And, unfortunately, we have seen hackers gain more access to our homes and personal lives through these interconnected devices.</p>
<p>While the IoT is not a new concept for many insurance or technology professionals, manufacturers and smaller businesses have recently seen how interconnected devices, such as video cameras or computers, can give their businesses an edge over the competition. These devices are improving productivity by allowing remote access, by automatically checking in with the manufacturer for software updates and by allowing data storage. And, as seen in our homes and personal lives, these devices are unfortunately allowing hackers more access to our workplaces and giving hackers more unguarded devices that can be used in their attacks on society. While the full extent of the access hackers will have is still unknown, a glimpse at these issues makes clear that the best strategy for a business includes integrating cyber insurance with its other safeguards.</p>
<p><strong>The Good:  The Industrial Internet of Things Can Improve Productivity</strong></p>
<p>It is not difficult to see how the interconnectivity offered by these IoT devices can improve the workplace. For example, the October 25, 2016 issue of the <em>Chicago Business Journal</em> describes what is commonly referred to as <a href="http://www.bizjournals.com/chicago/news/2016/10/25/industrial-internet-of-things-buzzword-big-impact.html" target="_blank">“the industrial internet of things” (IIoT)</a>. Similar to the technology showing up in our homes, the technology giving rise to the IIoT connects industrial machinery “to enhance functionality and improve operational efficiency in industrial settings, ultimately making manufacturing more flexible, efficient and profitable and better able to serve their customers.” The IIoT is being credited with increasing efficiency in factory processes, energy usage and transportation. In particular, the <em>Chicago Business Journal</em> discusses how IIoT provides “real-time data,” methods for “better asset use,” and the ability to fix problems more quickly by using “predictive diagnostics.” At this early stage, the IIoT is a method worth exploring to increase productivity.</p>
<p><strong>The Bad:  IIoT Gives Hackers Access to the Workplace</strong></p>
<p>While the overall impact of the IIoT on industry is considered positive, there should be no question that, as seen with any technological advance, there are some drawbacks. Specifically, the one trait that allows the IIoT to be useful, interconnectivity, has allowed hackers and criminals to gain access to interconnected industrial networks. For example, in 2008, hackers shut down a Turkish oil pipeline which resulted in a massive explosion. The hackers, believed to be Russian, compromised the pipeline’s surveillance camera software and infiltrated the pipeline’s internal network. After gaining access, the hackers shut down alarms, cut off communications and caused the crude oil in the line to over-pressurize to cause the explosion. The explosion, which occurred without a single alarm being set off, shut the pipeline down and caused large financial losses for the private companies and governments with interests in the pipeline.</p>
<p>A second example was seen in 2004 when a German steel factory was attacked by hackers who gained control of a blast furnace. According to reports, the factory suffered massive damage when hackers managed to access the factory’s production networks and tampered with the controls of a blast furnace. After the system was compromised, individual system components began to fail. As a result of the failures, one of the plant’s blast furnaces could not be shut down, resulting in extensive damage to the plant.</p>
<p>These attacks on the Turkish oil pipeline and the German blast furnace demonstrate the damage hackers can cause when given the opportunity. More troubling is the fact that these two incidents occurred before interconnected devices were even remotely common in the workplace. That is, hackers will have more opportunity in the coming years. As businesses continue to adopt interconnected technology, we can expect hackers to have increased access to industrial systems. And, in turn, we can expect more security issues to impact industrial systems and networks.</p>
<p><strong>The Ugly:  The Influx Of Devices Used in the IIoT Also Increases the Number of Devices Available for Hackers’ Attacks</strong></p>
<p>Unfortunately, the increase in interconnected devices translates into more devices available for hackers to hijack and use in cyber attacks. For example, internet-connected surveillance cameras and other unprotected IoT-connected devices were used by hackers to cause massive internet disruptions on October 21, 2016. This recent attack is generally blamed on the “<em>Mirai botnet</em>” which used unprotected IoT devices to launch a Distributed Denial of Service (DDoS) attack on at least 80 major websites. While it is still early in the investigation, it appears many interconnected devices were hijacked to take part in this attack.</p>
<p>Thus, the devices giving rise to the IIoT do not merely increase the number of devices available for hackers to infiltrate individual networks. In simple terms, the chances of large-scale cyber attacks increase as the number of unprotected devices that can be used in such attacks increases. And, while many businesses understand the importance of cyber security for computers in the workplace and at home, cyber security for other interconnected devices can be easily overlooked. Consequently, we can expect internet-connected devices used in the workplace to be used in many DDoS attacks in the near future. And, those attacks, which shut down websites and other computer systems, could easily cut into the productivity in a number of industries.</p>
<p><strong>Cyber Insurance Available to Address IIoT</strong></p>
<p>While it may be unclear what technological safeguards are worth the investment, businesses can be certain that cyber insurance provides a cost-effective and simple method to decrease the risks associated with the IIoT. In particular, first-party insurance policies with the following coverages are essential for any business attempting to limit the possible harm created by interconnected devices:</p>
<ul>
<li><em><strong>Loss or damage to digital assets:</strong></em> This coverage may include loss or damage to data or software programs, resulting in costs incurred through restoring, updating, recreating or replacing devices to the same condition they were in prior to the loss or damage. For example, this coverage may cover the costs to repair software used in the workplace which has been lost to a virus or otherwise compromised by hackers.</li>
<li><em><strong>Business interruption from network downtime:</strong></em> This coverage may include costs related to interruption, degradation in service, or failure of the network, resulting in loss of income, increased cost of operation and/or costs incurred by mitigating and investigating the loss. For example, one factor that did not become clear until recently is the fact that while the property damage in the Turkish oil pipeline and German blast furnace incidents was expensive, a company that suffers such a loss would also have to stop its assembly lines or other industrial processes while clean-up and repairs/replacement are completed.</li>
<li><em><strong>Cyber extortion:</strong></em> This coverage may include costs related to attempts to extort money by threatening to damage or restrict the network, release data obtained from the network, and/or communicate with the customer base under false pretenses to obtain personal information. This coverage becomes more important every day as businesses are increasingly targeted for “ransomware.”</li>
</ul>
<p><em>As seen in our homes, businesses will get the most out of IIoT-connected technology by understanding and preparing for unforeseen risks. The threat from the increasing number of interconnected devices is two-pronged: first, hackers have more access to the individual networks and systems; and second, potential losses related to shutdowns caused by DDoS or similar attacks can disrupt productivity and vendor productivity. Therefore, it will become increasingly clear that obtaining cyber insurance is part of any reasonable strategy to handle the unforeseen risks related to the IIoT.</em></p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/">Industrial Internet of Things:  The Good, The Bad And The Ugly</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/industrial-internet-of-things-the-good-the-bad-and-the-ugly/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</title>
		<link>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=casinos-lawsuit-shows-high-stakes-for-breach-response</link>
		<comments>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/#comments</comments>
		<pubDate>Tue, 11 Oct 2016 18:39:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[affinity]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trustwave]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=956</guid>
		<description><![CDATA[
<p>In January 2016, Affinity Gaming (Affinity), the owner of several casinos, filed a complaint in the District Court of Nevada against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.... <a class="more-link" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>In January 2016, Affinity Gaming (Affinity), the owner of several casinos, <a href="https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/">filed a complaint in the District Court of Nevada</a> against Trustwave Holdings, Inc. (Trustwave), a data security investigator, for Trustwave’s work in securing data after Affinity suffered a data breach.</p>
<p>Affinity’s Complaint contained allegations that after learning of the breach involving the use of stolen credit cards, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted Trustwave, one of the firms on the list, to investigate and remedy the data breach. Affinity’s Complaint further alleged that after investigating the breach, Trustwave “represented to Affinity that the data breach was ‘contained’ and purported to provide recommendations for Affinity to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.</p>
<p>Trustwave filed a <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/MotionToDismiss_Trustwave.pdf">Motion to Dismiss</a> Affinity’s Complaint, arguing that it “agreed to investigate certain specific cardholder data components of Affinity’s network; not Affinity’s entire network.” Regardless of whether the allegations against Trustwave are proven, this case provides further evidence that not hiring a breach response team isn’t worth the gamble.</p>
<p>On September 30, 2016, the District Court of Nevada denied in part and granted in part Trustwave’s Motion to Dismiss. <a href="https://privacyriskreport.com/wp-content/uploads/2016/10/Order_Affinity_Trustwave.pdf">The District Court’s Order</a> provided the following reasoning for allowing Affinity to continue to pursue its claims for breach of contract, fraud and deceptive trade practices:</p>
<p><strong>Motion to Dismiss Denied</strong></p>
<ul>
<li><strong>Breach of Contract</strong>: Regardless of whether Delaware or Nevada law is applied, the District Court held Affinity sufficiently alleged a breach of contract claim. In particular, the court found Affinity alleged that Trustwave breached its contract by failing to “perform a forensic investigation to identify, and remedy or contain, the causes of [Plaintiff’s] data breach, and to issue recommendations for measures [Plaintiff] would undertake to prevent further breaches in the future.”</li>
<li><strong>Fraud Counts</strong>: The District Court examined Affinity’s tort claims in the context of the economic loss doctrine, which “allows a party to recover in tort only if losses are accompanied by bodily harm or property damage; in other words, the doctrine prevents plaintiffs from recovering in tort for losses suffered that are solely economic in nature.” First, the court held Affinity had sufficiently pled its fraudulent inducement claim. Next, it pointed to Affinity’s allegations that Trustwave “misrepresented its ‘capabilities and experience as a data security service provider,’ ‘that it had undertaken a proper investigation,’ that the breach had been secured, and that its recommendations ‘would help to prevent&#8230;further data breaches from occurring.’” Further, Affinity alleged these representations were untrue and that it relied on these representations which, in turn, provided sufficient support for this cause of action.</li>
<li><strong>Deceptive Trade Practices</strong>: Affinity pled a claim under Nevada’s Deceptive Trade Practices Act, which prohibits a seller from making false statements or misrepresentations about his or her goods or services, or failing to disclose material facts about his or her goods or services. Here, Affinity alleged that Trustwave “engaged in deceptive trade practices by falsely representing that [Trustwave] had the capabilities to perform the obligations under the Agreement, that [Trustwave] undertook a proper investigation to determine the cause of the data breach, that the data breach was “contained” and the backdoor was “inert,” when it was not, and that [Trustwave’s] recommendations would prevent further data breaches.” The District Court was not prepared to dismiss this claim because it could still be viable if the court found the contract between the parties was invalid.</li>
</ul>
<p><strong>Motion to Dismiss Granted</strong></p>
<ul>
<li><strong>Breach of Implied Duty of Good Faith and Fair Dealing</strong>: The District Court opined that to successfully plead a breach of an implied covenant of good faith and fair dealing, “a plaintiff must allege ‘a specific implied contractual obligation, a breach of that obligation by the defendant, and resulting damage to the plaintiff.’” The court also held Affinity’s cause of action should be dismissed because it failed to allege facts demonstrating a specific implied contractual obligation as required under controlling law.</li>
<li><strong>Gross Negligence</strong>: Affinity claimed Trustwave owed it a “duty of care in performing its data security services, and in providing information that was truthful and accurate regarding Trustwave’s investigation, the causes of Affinity’s data breach, and the remediation or containment of that breach.” Under controlling law, Affinity was required to establish that Trustwave failed “to exercise even the slightest degree of care” in its conduct. The court granted Trustwave’s motion because Affinity’s complaint failed to allege Trustwave breached any duty independent of its contractual duties.</li>
<li><strong>Negligent Representation</strong>: Affinity claims that Trustwave misrepresented its capabilities to protect against a breach. The District Court found this claim should be dismissed to the extent the complaint failed to allege that Trustwave’s alleged misrepresentation was made in the course of Trustwave’s business “or that these representations were ‘for the guidance of others in their business transactions.’”</li>
</ul>
<p>This litigation demonstrates the high stakes involved in responding to a data breach even for highly-sophisticated companies with a developed expertise in data security. That is, if Affinity is able to support its allegations against Trustwave, the scenario of hackers outmaneuvering the “good guys” would exist. Therefore, it is easy to see how the cards are stacked against those companies whose breach response team doesn’t include the expertise of a data consulting firm or other such professionals.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/">Casino&#8217;s Lawsuit Shows High Stakes for Breach Response</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/casinos-lawsuit-shows-high-stakes-for-breach-response/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mozilla’s Firefox Browser Code Creates Privacy Issues in Criminal Proceeding</title>
		<link>https://privacyriskreport.com/mozillas-firefox-browser-code-creates-privacy-issues-in-criminal-proceeding/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=mozillas-firefox-browser-code-creates-privacy-issues-in-criminal-proceeding</link>
		<comments>https://privacyriskreport.com/mozillas-firefox-browser-code-creates-privacy-issues-in-criminal-proceeding/#comments</comments>
		<pubDate>Fri, 13 May 2016 18:54:11 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[Apple]]></category>
		<category><![CDATA[browser code]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[firefox]]></category>
		<category><![CDATA[mozilla]]></category>
		<category><![CDATA[mozilla firefox]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=733</guid>
		<description><![CDATA[
<p>While the dispute between Apple and the Department of Justice over terrorists’ iPhones appears to have come to a conclusion, it is clear that we can expect to see privacy issues continue to develop between the government and private sector.... <a class="more-link" href="https://privacyriskreport.com/mozillas-firefox-browser-code-creates-privacy-issues-in-criminal-proceeding/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/mozillas-firefox-browser-code-creates-privacy-issues-in-criminal-proceeding/">Mozilla’s Firefox Browser Code Creates Privacy Issues in Criminal Proceeding</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While the <a href="https://privacyriskreport.com/apples-privacy-battle-early-observations-for-litigation-and-insurance/" target="_blank">dispute between Apple and the Department of Justice over terrorists’ iPhones </a>appears to have come to a conclusion, it is clear that we can expect to see privacy issues continue to develop between the government and private sector. While the privacy issues between Apple and the DOJ received significant media attention, another matter between the government and Mozilla, a “<a href="https://en.wikipedia.org/wiki/Mozilla" target="_blank">free software community</a>” that created the Firefox web browser, provides further insight into privacy concerns arising out of criminal investigations.</p>
<p>On July 10, 2015, the U.S. government filed a criminal complaint in Washington state alleging Jay Michaud possessed child pornography. The criminal complaint contained a number of allegations related to the FBI’s investigation of Michaud, including his extensive use of computer equipment to access child pornography. In particular, the criminal complaint discussed Michaud’s use of software that allowed him to anonymously use the Internet.</p>
<p>The criminal complaint describes a process where “software protects users’ privacy online by bouncing their communications around a distributed network of relay computers run by volunteers around the world, thereby masking the users’ IP address which could otherwise be used to identify a user.” In an effort to make sure the government met its burden, Michaud filed a motion seeking information on the government’s investigation which, in turn, could publicly disclose Firefox’s code.</p>
<p>Mozilla was concerned that this anonymity was created by an altered form of its Firefox browser, and, on May 11, 2016, filed a motion to allow it to enter into the criminal child pornography case. In its <a href="https://privacyriskreport.com/wp-content/uploads/2016/05/Motion-to-Intervene-USA-v-Michaud.pdf" target="_blank">Motion to Intervene or Appear As Amicus Curiae in Relation to Government’s Motion for Reconsideration of Court’s Order on the Third Motion to Compel</a>, Mozilla sought to intervene “for the purpose of requesting that this court modify its order to require the government to disclose the vulnerability to Mozilla prior to disclosing it to the defendant.”</p>
<p>In its motion, Mozilla argued “[a]bsent great care, the security of millions of individuals using Mozilla’s Firefox Internet browser could be put at risk by a premature disclosure of its vulnerability.” Mozilla asserted Firefox’s source code “is continuously developed” and is “publicly available for developers to view, modify, share, and reuse to make other products….” And, in the case of the government’s investigation, it became clear that Michaud used a modified version of Firefox that provided him the anonymity necessary to access child pornography.</p>
<p>Mozilla further argued that, while it is not opposed to disclosure, “any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability.” Consequently, Mozilla requested the court modify its prior orders to require the government to disclose how it accessed Michaud’s browser at least 14 days prior to disclosure to Michaud in order to allow Mozilla to “analyze the vulnerability, create a fix, and update its products before the vulnerability can be used to compromise the security of its users’ systems by nefarious actors.”</p>
<p>On May 11, 2016, Michaud filed his <a href="https://privacyriskreport.com/wp-content/uploads/2016/05/Response-to-Mozillas-Motion-to-Intervene-or-Appear-as-Amicus-Curiae.pdf" target="_blank">response to Mozilla’s motion</a> where he stated “Mr. Michaud has no stake in Mozilla’s dispute with the government. Further, the defense has no intention of disclosing any NIT discovery to Mozilla, a third party, or the public in general under any circumstances….”</p>
<p>After hearing the motion (and the related motion for reconsideration of the order granting defendant’s motion to compel) on May 12, 2016, the court held, after an <em>In Camera</em> presentation (closed chambers meeting) on the topics included in Mozilla’s motion, that the government was not required to produce the information related to Mozilla’s code.</p>
<p>While the information in the court’s May 12 order is limited, it is clear that the parties and the court made the security of Firefox’s code a priority. That is, the <em>In Camera</em> inspection allowed the parties to determine the security issues without disclosing Mozilla’s code to the public (“Following the conclusion of the <em>In Camera</em> hearing, the Court finds the Pltf is not required to produce requested discovery.”)</p>
<p>Interestingly, the security and privacy issues could not be ignored when Mozilla’s motion papers pointed out the fact that even government workers used the Firefox browser and public disclosure could put them at risk. While the Apple/DOJ privacy dispute was heated, it appears a result was achieved in this matter that all the parties could work with: Mozilla’s code was protected; Michaud was able to see if the government met its burden; and the government was given the opportunity to show how it intended to meet its burden.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/mozillas-firefox-browser-code-creates-privacy-issues-in-criminal-proceeding/">Mozilla’s Firefox Browser Code Creates Privacy Issues in Criminal Proceeding</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/mozillas-firefox-browser-code-creates-privacy-issues-in-criminal-proceeding/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber Risk: Hackers May Score Big at Super Bowl</title>
		<link>https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-risk-hackers-may-score-big-at-super-bowl</link>
		<comments>https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/#comments</comments>
		<pubDate>Wed, 03 Feb 2016 19:17:40 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[California]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[football]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[Internet of Things]]></category>
		<category><![CDATA[networks]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[silicon valley]]></category>
		<category><![CDATA[stadiums]]></category>
		<category><![CDATA[super bowl]]></category>
		<category><![CDATA[super bowl 50]]></category>
		<category><![CDATA[wi fi]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=594</guid>
		<description><![CDATA[
<p>Super Bowl 50 kicks off this Sunday, February 7 at Levi’s Stadium, Silicon Valley&#8217;s high-tech stadium in Santa Clara, CA. Super Bowl fans will be pleasantly surprised to find they are able to tweet, text and e-mail without any problems,... <a class="more-link" href="https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/">Cyber Risk: Hackers May Score Big at Super Bowl</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Super Bowl 50 kicks off this Sunday, February 7 at Levi’s Stadium, Silicon Valley&#8217;s high-tech stadium in Santa Clara, CA. Super Bowl fans will be pleasantly surprised to find they are able to tweet, text and e-mail without any problems, thanks to the 13,000 Wi-Fi access points throughout the stadium, ensuring no fan is more than 10 feet away from Wi-Fi.</p>
<p>While Wi-Fi access won&#8217;t be a problem, security risks created by the number of high-value targets using the wireless network might be. <em>The Atlantic</em> <a href="http://www.theatlantic.com/technology/archive/2016/02/silicon-valleys-high-tech-super-bowl-stadium-could-be-a-target-for-hackers/434673/">reports</a> “[t]he stadium is likely to be packed with wealthy corporate executives and sponsors, politicians, and celebrities, many of whom carry around mobile devices brimming with sensitive information and valuable contacts.” Based on discussions with Carl Herberger, a security expert, <em>The Atlantic</em> describes the threat as follows:</p>
<p style="padding-left: 30px;"><em>Herberger estimates that between fans’ mobile devices and the stadium’s built-in connections, there will be somewhere around 100,000 devices connected to the stadium this weekend. In one potential attack, hackers could infiltrate attendees’ phones through a security hole in stadium infrastructure—its wi-fi network, for example, or its official app. By infecting a large group of devices, the hacker could establish a botnet, a network of connected devices that work together to complete larger-scale attacks like sending spam or flooding a server with requests in a denial-of-service attack. The huge network “becomes a gigantic single point of failure, like the Death Star, for a bot,” Herberger said. “It’s a nice, juicy target to conscribe into your botted army.”</em></p>
<p>Security experts also warn fans that hackers could trick them into connecting to the wrong wireless network “[b]ut once they’re on the network, a man-in-the-middle attack can intercept unencrypted web traffic, or inject malicious code and infect the connected device.&#8221;</p>
<p>These security concerns come on the heels of investigations of attacks on fiber optic cable systems in the Bay Area that have been thought to be connected to a <a href="http://www.nbcwashington.com/investigations/Super-Bowl-security-Question-If-Fiber-Optics-Attack-Connected-to-Plot-365651251.html" target="_blank">&#8220;more complex plot against the game.”</a> Further, CBS San Francisco reports the <a href="http://www.cbsnews.com/news/super-bowl-50-cyber-threat-free-open-wi-fi-could-be-risky/" target="_blank">FBI has issued a warning</a> regarding a Wi-Fi hack at the Super Bowl. While no specific threat has been identified, the FBI, in collaboration with the Northern California Intelligence Center, states they expect cyber criminals will try to take advantage of these targets collected at the Super Bowl.</p>
<p>These concerns demonstrate that cyber security should be a priority for business owners regardless of safeguards they have put in place and further stress the importance of cyber insurance. Businesses must be cognizant of the fact that even with cutting-edge safeguards in place, employees will connect company devices to Wi-Fi in airports, hotels or, if they are lucky enough, the Super Bowl. While businesses cannot control the networks employees are using in public, businesses can obtain cyber insurance for any incident caused inside or outside the walls of their facilities.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/">Cyber Risk: Hackers May Score Big at Super Bowl</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-risk-hackers-may-score-big-at-super-bowl/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Place Your Bets: Casino Sues Data Security Investigator After Breach</title>
		<link>https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=place-your-bets-casino-sues-data-security-investigator-after-breach</link>
		<comments>https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/#comments</comments>
		<pubDate>Wed, 20 Jan 2016 20:18:58 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[credit card]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[damages]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[investigation]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=563</guid>
		<description><![CDATA[
<p>This article was originally published in Advisen&#8217;s Front Page News on January 20, 2016. A recently filed lawsuit by a casino will place a spotlight on the services provided by data security investigators and the expectations of those looking to... <a class="more-link" href="https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/">Place Your Bets: Casino Sues Data Security Investigator After Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><em>This article was <a href="http://www.advisen.com/tools/fpnproc/news_detail3.php?list_id=1&amp;tpl=news_detail3.tpl&amp;ad_scale=1&amp;rid=252490565&amp;adp=P" target="_blank">originally published in Advisen&#8217;s Front Page News</a> on January 20, 2016.</em></p>
<p>A recently filed lawsuit by a casino will place a spotlight on the services provided by data security investigators and the expectations of those looking to secure data.</p>
<p>On October 24, 2013, Affinity Gaming, the owner of several casinos, learned it suffered a data breach involving the fraudulent use of stolen credit card information. After learning of the breach, Affinity contacted its cyber insurer, ACE, and was provided a list of data security investigators. Affinity contacted one of the firms on the list, Trustwave Holdings, Inc., to investigate and remedy the data breach.</p>
<p>Affinity alleges that, after investigating the breach, Trustwave “represented to Affinity Gaming that the data breach was ‘contained’ and purported to provide recommendations for Affinity Gaming to implement that would help fend off future data attacks.” However, after Trustwave completed its work, Affinity learned that it suffered an ongoing breach and hired a second data security consulting firm, Mandiant.</p>
<p>After Mandiant completed its investigation, Affinity alleged the following concerning Trustwave’s work:</p>
<blockquote>
<p style="text-align: justify;"><em>Mandiant’s forthright and thorough investigation concluded that Trustwave’s representations were untrue, and Trustwave’s prior work was woefully inadequate. In reality, Trustwave lied when it claimed that its so-called investigation would diagnose and help remedy the data breach, when it represented that the data breach was “contained,” and when it claimed that the recommendations it was offering would address the data breach. Trustwave knew (or recklessly disregarded) that it was going to, and did, examine only a small subset of Affinity Gaming’s data systems, and had failed to identify the means by which the attacker had breached Affinity Gaming’s data security. Thus, Trustwave could not in good faith have made the foregoing representations to Affinity Gaming. </em></p>
</blockquote>
<p>Mandiant stated it found two malware programs not identified by Trustwave that gathered information before, during and after Trustwave’s engagement with Affinity. The report also found Trustwave’s recommendations to improve Affinity’s data security “were pointless” because “none addressed the source of the data breach, and none would have prevented the attacker from again accessing Affinity Gaming’s data systems (for instance, through the backdoors that Trustwave failed to find and close).”</p>
<p><a href="https://privacyriskreport.com/wp-content/uploads/2016/01/affinity_trustwave-complaint.pdf">In its complaint</a>, Affinity claims Trustwave caused it significant damages, including costs for Mandiant to investigate Affinity’s data security issues after Trustwave’s investigation. Affinity also claims it had to pay costs to credit card companies to replace stolen cards as well as information and costs related to providing notification of a second breach at its casinos.</p>
<p>Based on these allegations, Affinity’s complaint asserts the following causes of action:</p>
<ul>
<li><em>Fraudulent Inducement:</em> Affinity claims Trustwave made certain misrepresentations and omissions of material information “with the intent to induce Affinity Gaming to enter into a contract with Trustwave.”</li>
<li><em>Fraud</em>: Affinity claims Trustwave misrepresented it was capable of diagnosing Affinity’s security issues and that it could contain any breach at Affinity. The complaint alleges that Trustwave falsely represented that it had contained the malware and fixed the security problems.</li>
<li><em>Constructive/Equitable Fraud</em>: Affinity claims Trustwave had a special relationship with Affinity to the extent Trustwave indicated it had specialized knowledge concerning data security.</li>
</ul>
<p>In addition to the fraud counts, Affinity also claims Trustwave acted with gross negligence in providing recommendations to fix Affinity’s issues and future security concerns. The complaint also contains causes of action for a violation of NRS 598 (Fraud), negligent misrepresentation and breach of contract. Finally, in addition to monetary damages, the complaint seeks punitive damages against Trustwave.</p>
<p>While it has not filed a response to Affinity’s allegations, <a href="http://www.zdnet.com/article/trustwave-sued-over-failure-to-stop-security-breach/" target="_blank">reports indicate Trustwave denies any negligence</a> on its part, and further states that “we dispute and disagree with the allegations in the lawsuit and we will defend ourselves vigorously in court.”</p>
<p>This litigation will place data investigators under the microscope, and all parties involved will need to rely on highly technical information to prove their cases. This litigation will undoubtedly make data investigators consider what services they are offering and how they provide those services. Likewise, it will make consumers of these services consider their expectations for these services.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/">Place Your Bets: Casino Sues Data Security Investigator After Breach</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/place-your-bets-casino-sues-data-security-investigator-after-breach/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
