<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Privacy Risk Report &#187; threat</title>
	<atom:link href="https://privacyriskreport.com/tag/threat/feed/" rel="self" type="application/rss+xml" />
	<link>https://privacyriskreport.com</link>
	<description></description>
	<lastBuildDate>Fri, 03 Feb 2023 16:49:49 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>It May Be Time To Admit That Criminals Will Outpace Privacy Laws</title>
		<link>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws</link>
		<comments>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/#comments</comments>
		<pubDate>Thu, 26 Oct 2017 16:11:47 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cyber liability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=1350</guid>
		<description><![CDATA[
<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards.  Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack.  Unfortunately, the legislatures... <a class="more-link" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/">It May Be Time To Admit That Criminals Will Outpace Privacy Laws</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Cyber criminals&#8217; entire business model is based on developing threats faster than the public can develop safeguards.  Privacy laws are fast becoming the first place data collectors look for guidance when they have suffered a cyber attack.  Unfortunately, the legislatures that develop privacy laws are not known for their efficient work.  For example, the <a href="http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&amp;ChapterID=67" target="_blank">Illinois Information Protection Act</a> is one of the most comprehensive data laws found in the United States and provides the model for many states.  PIPA provides guidelines for data collectors, including how to properly respond to a breach of personal information.  However, even though it is generally considered to be on the cutting edge, PIPA still has trouble keeping up with technological developments created by criminals.</p>
<p><strong>Is Ransomware An “Acquisition” Of Data Under The Illinois Information Protection Act? </strong></p>
<p>As it stands, PIPA does not expressly state that it applies to data collectors that are attacked with ransomware.  Of course, ransomware has been a threat for a while and this threat appears to be on the increase. For example, <a href="http://www.bbc.com/news/technology-41740768" target="_blank">a new strain of ransomware nicknamed &#8220;Bad Rabbit&#8221; is reportedly spreading in Russia</a>, Ukraine and moving into other parts of the world. This new threat appears to be related to the WannaCry and Petya ransomware attacks that caused problems earlier this year. At present, this malware is not being detected by anti-virus programs.</p>
<p>While the extent of the damage caused by Bad Rabbit is still unknown, the threat created by ransomware is clear. <a href="http://www.zdnet.com/article/ransomware-is-now-big-business-on-the-dark-web-and-malware-developers-are-cashing-in/" target="_blank">Reports indicate the total value of ransomware sales on the dark web has rapidly increased from $250,000 to over $6m in just a year</a>. The growth of ransomware will continue as criminals get more access to the malware and victims are resigned to the fact that they have no choice but to pay to regain access to their systems. The only hurdle for ransomware at this point appears to be an increased number of amateur criminals using malicious software and potentially not releasing encrypted files to victims.  These amateurs may destroy the credibility of the ransomware criminal enterprise.</p>
<p>For our purposes though, this is not a good environment for PIPA to have any ambiguity concerning whether it applies to ransomware attacks.   PIPA addresses a data collector’s obligations if they sustain a “breach.”  Specifically, PIPA requires that a data collector notify Illinois residents that their personal information has been involved in a “breach.” Of course, the ransomware threat is different than the threat created by a disclosure of personal information through a classic system breach or a disclosure caused by a phishing scam.  PIPA defines “breach” as:</p>
<p><em>&#8220;Breach of the security of the system data&#8221; or &#8220;breach&#8221; means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector. &#8220;Breach of the security of the system data&#8221; does not include good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, provided that the personal information is not used for a purpose unrelated to the data collector&#8217;s business or subject to further unauthorized disclosure.</em></p>
<p>While PIPA does not mention ransomware by name, it does create a question as to whether ransomware falls under the definition of “breach of the security of the system data.” Oftentimes, ransomware arguably may not involve the “acquisition” of data and may be limited to the encryption of data until a ransom is paid. That is, there may be no &#8220;acquisition&#8221; of the data in a ransomware attack.  Therefore, a data collector may struggle with determining whether ransomware constitutes a “breach” under PIPA.</p>
<p>Based on this ambiguity, if a data collector is hit with ransomware, the most prudent course may involve notifying all Illinois residents of the incident.</p>
<p><strong>Is It A Good Idea To Send People To Equifax In Notification Letters?</strong></p>
<p>PIPA also provides notification requirements if a data collector experiences a breach.   Specifically, if a data collector breaches the personal information of an Illinois resident, the data collector must send a “disclosure notification” which provides “the toll-free numbers and addresses for consumer reporting agencies.” After the recent <a href="http://www.bbc.com/news/technology-41737241" target="_blank">breach at Equifax</a>, a consumer reporting agency, data collectors may be hesitant to tell people involved in an incident to contact Equifax. Further, even if Equifax’s information is provided merely to comply with this requirement, Illinois residents may not be willing to reach out to Equifax. As recent events make this requirement useless, the Illinois legislature may want to amend PIPA to remove this requirement for notification letters.</p>
<p>Even if Bad Rabbit does not develop into a major threat in the United States, we can be certain that criminals are already working on their next crime involving our home, government and business computer systems.   Therefore, the Bad Rabbit outbreak provides the perfect opportunity to take a look at a data collector’s responsibilities if they are hit with ransomware or some cyber crime that may not even be in the news at this time.</p>
<p>Even though there may be some uncertainty, privacy laws are still the first place data collectors should go if they are involved in an incident.  At this point, it may be slightly unrealistic to expect legislatures to create privacy laws that move as quickly as the criminals that we are trying to protect ourselves against.  Further, most criminals will have moved on from ransomware to the next threat by the time the legislature is able to pass laws addressing ransomware.  Data collectors may need to look to the intent behind privacy laws and notify impacted individuals if there is a chance that their information has been exposed to another person without authorization, regardless of whether information was compromised through employee negligence, a classic breach, ransomware or some threat presently unknown.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/it-may-be-time-to-admit-that-criminals-will-outpace-privacy-laws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anonymous and Other Hackers vs. ISIS: Cyber Security Implications</title>
		<link>https://privacyriskreport.com/anonymous-and-other-hackers-vs-isis-cyber-security-implications/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=anonymous-and-other-hackers-vs-isis-cyber-security-implications</link>
		<comments>https://privacyriskreport.com/anonymous-and-other-hackers-vs-isis-cyber-security-implications/#comments</comments>
		<pubDate>Wed, 18 Nov 2015 22:10:42 +0000</pubDate>
		<dc:creator><![CDATA[Reginald Cloyd III]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[cyber insurance]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[ISIS]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=482</guid>
		<description><![CDATA[
<p>Less than 24 hours after the Islamic State in Iraq and Syria (ISIS) killed more than 100 people in Paris, the hacking group Anonymous used an unverified video declaring war on ISIS. In a video posted to YouTube, an Anonymous... <a class="more-link" href="https://privacyriskreport.com/anonymous-and-other-hackers-vs-isis-cyber-security-implications/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/anonymous-and-other-hackers-vs-isis-cyber-security-implications/">Anonymous and Other Hackers vs. ISIS: Cyber Security Implications</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Less than 24 hours after the Islamic State in Iraq and Syria (ISIS) killed more than 100 people in Paris, the hacking group Anonymous used an unverified video declaring war on ISIS. In a video posted to YouTube, an Anonymous spokesperson warned ISIS that “war is declared” and to expect “major cyberattacks.” Speaking in French, the spokesperson stated, “Anonymous from all over the world will hunt you down. You should know that we will find you and we will not let you go. We will launch the biggest operation ever against you.”  The “Islamic Cyber Army” has already <a href="http://www.newsweek.com/isis-calls-anonymous-idiots-response-hacker-groups-declaration-total-war-395313" target="_blank">responded with its own threats against Anonymous</a>.</p>
<p>ISIS claims to have 71 trained soldiers in 15 different American states. If Anonymous is serious about hunting down ISIS, it is highly likely that the hacking group will infiltrate hundreds, if not thousands, of computer systems in search of ISIS jihadists. With little knowledge of these 71 trained soldiers, a broad search by Anonymous could breach government agencies, private companies and individual computer users.</p>
<p>Anonymous’ current threats against ISIS may be welcomed by many people. However, it is important to keep in perspective that the impact of the actions taken by Anonymous and other hacking groups may not be limited to ISIS.</p>
<ul>
<li><strong>Cybersecurity Regulation:</strong> Recently, many state and federal <a href="https://privacyriskreport.com/modification-of-data-breach-laws-directly-impacts-insurers-and-insureds/">government agencies have taken steps to regulate cybersecurity</a>. While ISIS may not have a formal cybersecurity protocol, it is small and should be able to control and secure its data and information better than a legitimate government.  If Anonymous is able to breach and attack ISIS’ small network at will, many state and local governments may need to look at the impact that laws and regulations may have on hacktivists that are set on getting information or data.</li>
<li><strong>Corporations and Businesses:</strong> While Anonymous’ heart may be in the right place, its declaration of war on ISIS should be a consideration for any business or corporation. All business owners must account for the possibility that hacker groups, perhaps less organized than Anonymous but just as damaging, may take aim at their business. In addition to ISIS, <a href="https://en.wikipedia.org/wiki/Timeline_of_events_associated_with_Anonymous" target="_blank">Anonymous has called for attacks</a> on other organizations ranging from the Epilepsy Foundation of America to Sony.  While your business may not necessarily be a target, a corporation your business depends on may be a target.</li>
<li><strong>Insurance:</strong> Insurers have been on the cutting edge of addressing the risks posed by cybersecurity. However, damage by “hacktivists” may be excluded under terrorism exclusions in traditional insurance policies. Policy language found in cyber insurance policies addressing acts of war or terrorism is still being developed and may be subject to interpretation. Further, there are questions as to whether damage would be covered and to what extent if hacktivist groups are classified as terrorist organizations. Therefore, potential targets of hacktivist groups may find that coverage under traditional insurance and cyber insurance is not available or is too costly to be worthwhile.</li>
</ul>
<p>Nevertheless, while there may be questions as to whether hacker groups can fulfill their threats, these threats will require legislatures, businesses and insurers to closely examine a number of emerging threats related to cybersecurity.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/anonymous-and-other-hackers-vs-isis-cyber-security-implications/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Study and Recent Criminal Conviction Sheds Light on the &#8220;Malicious Insiders&#8221; Threat</title>
		<link>https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat</link>
		<comments>https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/#comments</comments>
		<pubDate>Wed, 14 Oct 2015 20:18:31 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[computer abuse and fraud act]]></category>
		<category><![CDATA[corporate]]></category>
		<category><![CDATA[coverage]]></category>
		<category><![CDATA[cyber]]></category>
		<category><![CDATA[cyberliability]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[lawsuit]]></category>
		<category><![CDATA[legislation]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[malicious insider]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=406</guid>
		<description><![CDATA[
<p>While large cyber attacks and data breaches may get the headlines, a recent study prepared by the Ponemon Institute and Hewlett-Packard and a recent criminal conviction of a Los Angeles Times reporter that disclosed corporate passwords on a hacker website serve... <a class="more-link" href="https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/">New Study and Recent Criminal Conviction Sheds Light on the &#8220;Malicious Insiders&#8221; Threat</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>While large cyber attacks and data breaches may get the headlines, a recent study prepared by the Ponemon Institute and Hewlett-Packard and a recent criminal conviction of a <em>Los Angeles Times</em> reporter that disclosed corporate passwords on a hacker website serve as <a href="https://privacyriskreport.com/insureds-employees-are-often-overlooked-when-insurers-assess-cyber-coverage/" target="_blank">additional reminders</a> that “malicious insiders” still pose the largest security threat to an organization.</p>
<p><strong>Ponemon Institute/Hewlett-Packard Study: Malicious Insiders Can Cause the Most Serious Cyber Incidents</strong></p>
<p>The Ponemon Institute and Hewlett-Packard (HP) published the study, &#8220;<a href="http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/" target="_blank">2015 Cost of Cyber Crime Study: Global</a>,&#8221; which provides insight into the increasing frequency and costs of cyber attacks against governments and businesses around the world. Specifically, the study examines the “economic impact of cyber attacks and observes cost trends over time” and relies on data taken from 252 organizations in seven countries. Most importantly, the study finds that the most costly cyber crimes are caused by &#8220;malicious insiders,&#8221; people from within an organization.</p>
<p>For example, the study found cyber attacks committed by malicious insiders cost the responding organizations, on average, $144,542 to resolve. The costs related to malicious insiders exceeded costs related to denial of service attacks, phishing scams and stolen devices. Further, the study found the time required to resolve issues created by malicious insiders greatly exceeded the time to resolve issues related to other attacks. Specifically, time to resolve issues related to malicious insiders (54 days) exceeded web-based attacks (28 days) and denial of service attacks (19 days). While the threat created by malicious insiders has been understood for some time, this study puts these threats into context when measured against other cybersecurity threats.</p>
<p><strong>Matthew Keys’ Conviction Demonstrates Real World Dangers Associated with Malicious Insiders</strong></p>
<p>The findings in the Ponemon/HP Study related to the malicious insiders threat were further supported when earlier this month a former <em>Los Angeles Times</em> reporter <a href="http://motherboard.vice.com/read/former-reuters-journalist-matthew-keys-found-guilty-of-hacking-faces-25-years" target="_blank">was convicted</a> under the <a href="https://www.fas.org/sgp/crs/misc/97-1025.pdf" target="_blank">Computer Abuse and Fraud Act</a> (CFAA). Matthew Keys was convicted of posting confidential server passwords on a hacker website and urged hackers to “go [expletive] some [expletive] up” on websites maintained by his employer, the Tribune Company. Keys had access to the passwords during his employment. After Keys posted the passwords, a hacker gained access to the <em>Los Angeles Times</em> website and created a fake headline for a story.</p>
<p>While there may be <a href="http://fortune.com/2015/10/12/matthew-keys-hacking/" target="_blank">questions as to whether Keys was properly charged and convicted</a> under the CFAA, another important consideration is the fact that he does not fit the mold of a &#8220;traditional&#8221; hacker. During the criminal trial it became clear that Keys had nothing more than a basic working knowledge of computers and no experience as a “hacktivist.” Costs related to the investigation of the hacks, related vandalism, security issues repairs and lost employee productivity were estimated to be nearly $1 million.</p>
<p><strong>The Greatest Threat Comes from Inside an Organization</strong></p>
<p>The Ponemon/HP Study and Keys’ conviction demonstrate that while large-scale hacks from foreign countries make news, employees continually prove to be the greatest threat to cybersecurity. Monitoring the conduct of employees and former employees continues to be just as important as maintaining cutting-edge technology in order to safeguard data or other valuable information. Further, the difficult question related to the amount of damages Keys actually caused leads into an interesting issue related to cyber insurance.</p>
<p>For example, while Keys’ employer claimed it suffered $1 million in damages, this amount was called into question by Keys because many of the hours logged to fix the damage caused by leaked passwords were attributed to journalists and executives rather than technical staff. This dispute over what costs were justified and attributable to Keys’ conduct illustrates how important it is that insurers and insureds have a complete understanding, prior to a cyber incident, of the costs and damages covered under cyber policies.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-study-and-recent-criminal-conviction-sheds-light-on-the-malicious-insiders-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Survey Indicates State/Local Governments Have Different Cybersecurity Concerns Than The Federal Government</title>
		<link>https://privacyriskreport.com/new-survey-indicates-statelocal-governments-have-different-cybersecurity-concerns-than-the-federal-government/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=new-survey-indicates-statelocal-governments-have-different-cybersecurity-concerns-than-the-federal-government</link>
		<comments>https://privacyriskreport.com/new-survey-indicates-statelocal-governments-have-different-cybersecurity-concerns-than-the-federal-government/#comments</comments>
		<pubDate>Wed, 06 May 2015 17:33:54 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[government]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=117</guid>
		<description><![CDATA[
<p>Cybersecurity concerns are no longer just for large retailers; state and local governments are the latest victims in these attacks. A new survey of government security professionals indicates their concern is warranted. MeriTalk, Inc., a company specializing in IT issues for governments, released... <a class="more-link" href="https://privacyriskreport.com/new-survey-indicates-statelocal-governments-have-different-cybersecurity-concerns-than-the-federal-government/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-survey-indicates-statelocal-governments-have-different-cybersecurity-concerns-than-the-federal-government/">New Survey Indicates State/Local Governments Have Different Cybersecurity Concerns Than The Federal Government</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Cybersecurity concerns are no longer just for large retailers; state and local governments are the <a href="https://privacyriskreport.com/cybersecurity-issues-are-moving-target-for-local-governments/" target="_blank">latest victims in these attacks</a>. A <a href="http://meritalk.com/go-big-security" target="_blank">new survey</a> of government security professionals indicates their concern is warranted. MeriTalk, Inc., a company specializing in IT issues for governments, released a survey of 302 security professionals from Federal, state and local governments. The purpose of the survey was to measure &#8220;the current state of cybersecurity&#8221; and to &#8220;empower risk management and improve security outcomes.&#8221; The results provide a glimpse into the various cybersecurity issues facing Federal, state and local governments.</p>
<p>One interesting aspect of this survey is that Federal government respondents had different concerns than their counterparts in state and local governments. For example, the survey concluded that &#8220;Federal agencies are more likely to struggle with data volume, while state and local organizations are more likely to face a resources gap.&#8221; Specifically, MeriTalk found that:</p>
<ul>
<li>41% of Federal respondents believed they lacked skilled personnel for cybersecurity compared to 54% of state and local respondents.</li>
<li>29% of Federal respondents stated they would not be able to justify the expense of cybersecurity versus 46% of state and local respondents.</li>
</ul>
<p>The survey also found governments of all sizes face a number of similar issues. The respondents estimated cyber threats were on their networks for an average of 16 days before the threats were identified. Additionally, 76% of the respondents reported that their security teams were &#8220;often reactive instead of proactive.&#8221; The survey found that &#8220;9 out of 10 cyber pros say they cannot tell a &#8216;complete story&#8217; with cybersecurity data.&#8221; Another point that Federal and state/local governments could completely agree upon was that both believe they have a &#8220;lack of management support&#8221; (Federal 40% and state/local 41%) to properly address cyber security.</p>
<p>MeriTalk&#8217;s survey demonstrates that regardless of the cause of their cybersecurity issues (resource gap or data volume), the result is the same for all governments: cybersecurity is a major threat. This survey also shows there are a number of variables to account for when devising a strategy to protect against these threats.</p>
<p>These issues and more will be addressed in-depth at the <a href="http://www.tresslerllp.com/events/xprEventsDetail.aspx?xpST=EventDetail&amp;event=391" target="_blank">Governing With Confidence 2015</a> workshop, hosted by Tressler&#8217;s Government Law Group, in Chicago on May 28, 2015. For more information on this complimentary workshop, please contact Liz Ashline at <a href="mailto:lashline@tresslerllp.com" target="_blank">lashline@tresslerllp.com</a>.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/new-survey-indicates-statelocal-governments-have-different-cybersecurity-concerns-than-the-federal-government/">New Survey Indicates State/Local Governments Have Different Cybersecurity Concerns Than The Federal Government</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/new-survey-indicates-statelocal-governments-have-different-cybersecurity-concerns-than-the-federal-government/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>LONDON CALLING: New Report from Marsh and UK Government Outlines Differences in Approach to Cyber Threats in UK and US</title>
		<link>https://privacyriskreport.com/london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us</link>
		<comments>https://privacyriskreport.com/london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us/#comments</comments>
		<pubDate>Tue, 24 Mar 2015 19:57:33 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[insurance]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=49</guid>
		<description><![CDATA[
<p>On March 23, 2015, Marsh and the United Kingdom Government released a Report titled: UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk. The Marsh Report is stated to be “the result of close working between the... <a class="more-link" href="https://privacyriskreport.com/london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us/">LONDON CALLING: New Report from Marsh and UK Government Outlines Differences in Approach to Cyber Threats in UK and US</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>On March 23, 2015, Marsh and the United Kingdom Government released a Report titled: <a href="https://www.gov.uk/government/publications/uk-cyber-security-the-role-of-insurance">UK Cyber Security: The Role of Insurance in Managing and Mitigating the Risk</a>. The Marsh Report is stated to be “the result of close working between the Government and the insurance sector” in the UK and is intended to address the role insurers can play in reducing cyber risk.</p>
<p>This Report lends a unique perspective on how the insurance industry can help mitigate cyber threats and risks. It provides further guidance as the US Government and insurance industry struggle with insurance coverage for cyber threats and risks. For example, on March 19, 2015, the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security held a hearing titled, “<a href="http://www.propertycasualty360.com/2015/03/20/cyber-insurance-in-the-spotlight-senate-mulling-fe">Examining the Evolving Cyber Insurance Marketplace</a>” examining the insurance industry’s response to cyber threats.</p>
<p>The Marsh Report first examines legitimate concerns over estimates that cyber insurance costs approximately three times more than general liability and six times more than property insurance. While acknowledging costs may be higher for cyber insurance as research and modeling develops, the Report addresses other economic benefits provided by cyber insurance, which include:</p>
<ul>
<li><strong><em>Insurance creates incentives to create safeguards against cyber threats.</em></strong> “Insurance places a cost on firms’ cyber risk through the premium they pay, and the prospect of a reduced premium then encourages firms to take steps to mitigate the risk.”</li>
<li><strong><em>Insurers gather information and gain a better understanding of cyber threats.</em></strong> “Insurance goes arm-in-arm with loss prevention. Insurers will help firms reduce their losses by providing insight from claims and near misses across their client base.”</li>
<li><strong><em>Insurers offer their collective experience to combat cyber threats.</em></strong> “Insurers bring their knowledge and experience of more established risks that can be applied to cyber.”</li>
</ul>
<p>The Marsh Report also provides another interesting perspective on differences between the insurance markets in the US and the UK. “Insurers tend to conflate cyber with data breach given the well-developed demand for that coverage driven by US regulation.” Commentators are already <a href="http://www.computerworlduk.com/news/security/3605241/cyber-insurance-still-too-expensive-and-complex-government-report-admits/">suggesting</a> that the partnership between the Government and UK insurance companies may fill a gap caused by the lack of the public breach notification system found in the US. Further, the Report indicates there are “broader concerns” in the UK including business interruption, damage to property and theft of intellectual property, which the US system does not properly address.</p>
<p>The Marsh Report concludes with the suggestion that cyber risk management may provide “an export opportunity for London.” Specifically, the Report states that “[t]he London market is well positioned to compete for large and complex risks, and over time has provided innovative solutions for new threats.” Therefore, the Report concludes that “the sector is demonstrating that the UK is the natural home for a growing global cyber insurance market.”</p>
<p>The volatility in pricing in 2014 for cyber insurance is <a href="http://www.insurancejournal.com/news/national/2015/02/09/356904.htm">expected to continue in 2015</a>. Since cyber insurance is still in the emerging stages, it is easy to question whether it is necessary. Some are already dismissing cyber insurance merely because there was no need, thankfully, for Y2K insurance. However, as the Marsh Report demonstrates, the UK is taking cyber insurance seriously and is hoping to make London the “global center” for cyber risk management. It will be important to monitor developments in the UK and question whether our system, driven by breach notification laws, is developing at a pace sufficient to respond to this risk.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us/">LONDON CALLING: New Report from Marsh and UK Government Outlines Differences in Approach to Cyber Threats in UK and US</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/london-calling-new-report-from-marsh-and-uk-government-outlines-differences-in-approach-to-cyber-threats-in-uk-and-us/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cyber-Security Included as a Priority for Securities and Exchange Commission</title>
		<link>https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-security-included-as-a-priority-for-securities-and-exchange-commission</link>
		<comments>https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/#comments</comments>
		<pubDate>Wed, 21 Jan 2015 21:33:18 +0000</pubDate>
		<dc:creator><![CDATA[Todd Rowe]]></dc:creator>
				<category><![CDATA[Protecting Against the Risk]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">https://privacyriskreport.com/?p=69</guid>
		<description><![CDATA[
<p>Last week, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released its examination priorities for 2015. One area of focus will be assessing cybersecurity controls. The OCIE’s letter to national exchanges sets out its examination approach for the... <a class="more-link" href="https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/">Continue Reading &#8594;</a>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/">Cyber-Security Included as a Priority for Securities and Exchange Commission</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Last week, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released its examination priorities for 2015. One area of focus will be assessing cybersecurity controls. The <a href="http://www.sec.gov/about/offices/ocie/omo-letter-to-exchanges-011315.pdf">OCIE’s letter</a> to national exchanges sets out its examination approach for the coming year.</p>
<p>The OCIE’s focus on cybersecurity compliance and controls tracks similar plans released January 6, 2015 by the Financial Industry Regulatory Authority (“FINRA”) in its annual <a href="http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p602239.pdf">Regulatory and Examinations Priorities Letter</a>.</p>
<p>FINRA reports it will review firms’ approaches to cybersecurity risk management, including their governance structures and processes for conducting risk assessments and addressing the output of those assessments.</p>
<p>In January 2014, FINRA initiated a sweep to better understand the types of threats its member firms are subject to, as well as their responses to those threats. It expects to publish the results of that sweep early this year. That report will contain best practices firms should consider in developing and implementing their cyber-security programs including the use of frameworks and standards, the role of risk assessments, the identification of critical assets, and the implementation of controls to protect assets.</p>
<p>With heightened scrutiny on cybersecurity over the coming year by regulatory bodies such as the SEC and FINRA, executives and corporate boards should be reminded of the importance of implementing and maintaining adequate cybersecurity controls.</p>
<p>The post <a rel="nofollow" href="https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/">Cyber-Security Included as a Priority for Securities and Exchange Commission</a> appeared first on <a rel="nofollow" href="https://privacyriskreport.com">Privacy Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://privacyriskreport.com/cyber-security-included-as-a-priority-for-securities-and-exchange-commission/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
