Cybersecurity Archives - Page 8 of 17

Cybersecurity

States Respond to Recent Breaches with Encryption Legislation

by Scott Weinstein | Feb 25, 2015 | Consumer Protection, Cybersecurity, General Interest

In the wake of recent breaches of personally identifiable information (PII) suffered by health insurance companies located in their states, the New Jersey Legislature passed, and the Connecticut General Assembly will consider legislation that requires health insurance companies offering health benefits within these states to encrypt certain types of PII, including social security numbers, addresses and health information. New Jersey joins a growing number of states (including California (e.g., 1798.81.5), Massachusetts (e.g., 17.03) and Nevada (e.g., 603A.215)) that require organizations that store and transmit PII to implement data security safeguards. Massachusetts’ data security law, for example, requires any person or entity that owns or licenses certain PII about a resident of the Commonwealth to, if “technically feasible” (i.e., a reasonable technological means is available), encrypt information stored on laptops and other portable devices and encrypt transmitted records and files that will travel over public networks. Unlike Massachusetts’ law New Jersey’s new encryption law only applies to health insurance carriers that are authorized to issue health benefits in New Jersey (N.J. Stat. Ann. § 56:8-196) but requires health insurance carriers to encrypt records with the PII protected by the statute when stored on any end-user systems and devices, and when transmitted electronically over public networks (e.g., N.J. Stat. Ann. § 56.8-197).

At the federal level, the Health Insurance Portability and Accountability Act (HIPAA) already requires health plans, as well as other “covered entities” (i.e., health providers) and their “business associates” (i.e., service providers who need access to a covered entity’s health information to perform their services), to encrypt stored health information or health information transmitted electronically if “reasonable and appropriate” for them to do so (45 C.F.R. §§ 164.306; 164.312). According to the U.S. Department of Health and Human Services, health plans and other covered entities and their business associates should consider a variety factors to determine whether a security safeguard is reasonable and appropriate, including: (1) the covered entity or business associate’s risk analysis; (2) the security measures the covered entity or business associate already has in place; and (3) the costs of implementation (68 Fed. Reg. 8336). If the covered entity or business associate determines that encryption of stored health information or transmitted information is not reasonable and appropriate, however, the covered entity or business associate may instead elect to document its determination and implement an equivalent safeguard.

The New Jersey law and the Connecticut proposal appear to reflect a legislative determination that encryption of stored or transmitted health information is always reasonable and appropriate for health plans to implement, regardless of the other safeguards that the health plan may already have in place. As hackers become more sophisticated and breaches more prevalent in the health care industry, other states may follow New Jersey and Connecticut by expressly requiring health plans and other holders of health care information to implement encryption and other security safeguards, such as multifactor authentication or minimum password complexity requirements. In fact, Connecticut’s Senate [...]

Continue Reading

Employers with Group Health Plans: Have You Notified State Regulators of the Breach?

by McDermott Will & Emery and Amy C. Pimentel | Feb 20, 2015 | Consumer Protection, Cybersecurity, Data Privacy, General Interest

Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.

Read the full article.

Secure Sockets Layer (SSL) 3.0 Encryption Declared “No Longer Acceptable” to Protect Data

by McDermott Will & Emery | Feb 17, 2015 | Consumer Protection, Cybersecurity, Data Privacy, Ecommerce

On Friday, February 13, 2015, the Payment Cards Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Socket Layers (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherence weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to publish soon an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.

Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wakeup call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.

As a result, every company should consider taking the following immediate action:

Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);
If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;
Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;
If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and
Ensure proper testing prior to rollout of any new protocol.

Additional resources and materials:

NIST SP 800-57: Recommendation for Key Management – Part 1: General (Revision 3)
NIST SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations (Revision 1)

Pressure Points: OCR Enforcement Activity in 2014

by Amanda Enyeart | Feb 9, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

During 2014, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services initiated six enforcement actions in response to security breaches reported by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) (covered entities), five of which involved electronic protected health information (EPHI). The resolution agreements and corrective action plans resolving the enforcement actions highlight key areas of concern for OCR and provide the following important reminders to covered entities and business associates regarding effective data protection programs.

Security risk assessment is key.

OCR noted in the resolution agreements related to three of the five security incidents, involving QCA Health Plan, Inc., New York and Presbyterian Hospital (NYP) and Columbia University (Columbia), and Anchorage Community Mental Health Services (Anchorage), that each entity failed to conduct an accurate and thorough assessment of the risks and vulnerabilities to the entity’s EPHI and to implement security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level. In each case, the final corrective action plan required submission of a recent risk assessment and corresponding risk management plan to OCR within a relatively short period after the effective date of the resolution agreement.

2. A risk assessment is not enough – entities must follow through with remediation of identified threats and vulnerabilities.

In the resolution agreement related to Concentra Health Services (CHS), OCR noted that although CHS had conducted multiple risk assessments that recognized a lack of encryption on its devices containing EPHI, CHS failed to thoroughly implement remediation of the issue for over 3-1/2 years.

3. System changes and data relocation can lead to unintended consequences.

In two of the cases, the underlying cause of the security breach was a technological change that led to the public availability of EPHI. A press release on the Skagit County incident notes that Skagit County inadvertently moved EPHI related to 1,581 individuals to a publicly accessible server and initially reported a security breach with respect to only seven individuals, evidentially failing at first to identify the larger security breach. According to a press release related to the NYP/Columbia security breach, the breach was caused when a Columbia physician attempted to deactivate a personally-owned computer server on the network, which, due to lack of technological safeguards, led to the public availability of certain of NYP’s EPHI on internet search engines.

4. Patch management and software upgrades are basic, but essential, defenses against system intrusion.

OCR noted in its December 2014 bulletin on the Anchorage security breach (2014 Bulletin) that the breach was a direct result of Anchorage’s failure to identify and address basic security risks. For example, OCR noted that Anchorage did not regularly update IT resources with available patches [...]

Continue Reading

C-Suite – Changing Tack on the Sea of Data Breach?

by McDermott Will & Emery | Feb 6, 2015 | Big Data, Consumer Protection, Cybersecurity, Data Privacy, General Interest

The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach. This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals. Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.

Early reports, however, indicated that this breach might be subtly different than those faced by other corporations in recent years. The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place. Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement. Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout. He advised that each customer or employee with data at risk was being personally and individually notified. In a humanizing touch, he admitted that the breach involved his own personal data.

What some data privacy and information security advocates noted was different: The proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and press, and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at-large.

The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership. Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks. As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.

Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach? Only time will tell but we will be certain to watch with interest.

FTC Releases Extensive Report on the “Internet of Things”

by McDermott Will & Emery | Jan 28, 2015 | Cybersecurity, Data Privacy

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;
Developing consumer and business education materials in the IoT area;
Participation in multi-stakeholder groups considering guidelines related to IoT; and
Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”. This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015.

In with the New: Expect FTC Activity on IoT in 2015

by McDermott Will & Emery | Jan 26, 2015 | Big Data, Cybersecurity, Data Privacy, General Interest

The “Internet of Things” (IoT) continues to grow. (IoT refers to the ability of everyday objects to connect to the Internet and one another.) It is estimated that there will be 4.9 billion connected appliances, devices and other “things” in use worldwide by the end of 2015, an increase of 30 percent from 2014. The global market for IoT products is expected to reach $7.1 trillion by 2020.

Proponents of IoT believe that the data generated and shared by connected objects can provide tremendous benefits for individuals, businesses and society as a whole. For example, IoT devices could be used to alert a person of an impending heart attack, improve a business’ manufacturing processes and reduce vehicle traffic congestion. While IoT can provide many benefits, it also poses privacy and security challenges. Internet connected devices, especially when used in an individual’s home or on his or her body, can generate voluminous amounts of highly personal and sensitive data about that individual, including information about physical activity, existing health conditions, energy consumption and entertainment choices. Many users of these devices are unclear about how this data is being used and shared with others. Moreover, the sheer amount and sensitivity of the data collected and transmitted by many IoT products make them an appealing target for hackers.

The Federal Trade Commission (FTC) did not file an enforcement action against a manufacturer of IoT products for inadequate data privacy and security practices in 2014, as it had in 2013. Nonetheless, the privacy and security challenges associated with the massive collection of consumer data by IoT products still are on the FTC’s radar. Commissioner Julie Brill has written extensively about the need to weave in privacy principles to IoT. While IoT products ranging from automated door locks to internet connected pet trackers dominated this year’s International Consumer Electronics Show (CES), Chairwoman Edith Ramirez’s keynote address at the CES outlined several concerns about IoT, including ubiquitous data collection, the ability of IoT devices to capture sensitive personal information about consumers, unexpected uses of consumer data and data security concerns.

Since IoT is on the FTC’s radar, I predict that the FTC will carefully scrutinize manufacturers of IoT products during 2015 and perhaps bring another action against a maker of IoT products for inadequate data privacy or security practices.

In with the New: 2015 Privacy, Advertising and Digital Media Predictions – Part II

by McDermott Will & Emery | Jan 14, 2015 | Consumer Protection, Cybersecurity, Data Privacy, General Interest, Social Media

More predictions about privacy, advertising and digital media trends making headlines in 2015 from Of Digital Interest editor Bridget O’Connell and predictions from our London office by Rob Lister:

Employee Social Media Accounts Garner Increased Attention
by Bridget K. O’Connell, Associate

In 2015, I predict an increased focus on employees’ rights regarding their personal social media accounts. Since 2012, individual states have enacted laws prohibiting employers from requesting access to their employees’ (or job applicants’) personal social media accounts. In 2014 alone, six states enacted such laws, bringing the total number of states with this type of legislation to 18. (Click here for additional analysis of the impact of these laws on employers.)

In addition to individual states’ laws, I expect clarification on a national level regarding employer policies and actions related to employees’ personal social media accounts. In the past year, the National Labor Relations Board (NLRB) has started to focus on whether employer policies regarding employee social media accounts are consistent with the National Labor Relations Act (“Act”). The Act prohibits employers from interfering with employees who come together to discuss their employment for the purpose of collective bargaining or other mutual aid or protection. According to the NLRB, employees’ comments on their personal social media accounts can constitute protected activity under the Act. One recent NLRB case involved two employees who posted on their Facebook accounts about the employers’ alleged failure to correctly withhold taxes from their paychecks. The employer terminated the employees because of their comments on their personal social media accounts. The NLRB found that the employee’s comments were protected under the Act, ordered the employer to reinstate the employees, and ordered the employer to clarify its social media policy. The employer is now appealing the NLRB’s determination in court.

I predict not only that more states will enact employee social media account legislation, but also that the NLRB and the courts will provide more guidance on employer restrictions or sanctions related to employee social media use.

Cybersecurity Predictions from London
by Rob Lister, Associate

With fines for security breaches expected to rise dramatically under the proposed Data Protection Regulation and recent cybercrime/cyberterrorism looking to be an increasingly effective and efficient weapon across all industry sectors, we can expect companies to pay more attention to how they protect their personal data. In addition, we can expect to see more frequent and sophisticated attacks with a view to exposing personal data (or at least holding it for ransom), requiring increased security measures as a matter of course. We may also see increased difficulty in obtaining insurance coverage protecting against such attacks unless companies implement specific risk controls.

An Update on the Cybersecurity Framework and Action Items for NIST

by Amy C. Pimentel | Dec 16, 2014 | Cybersecurity

The National Institute of Standards and Technology (NIST) recently released an update on its Framework for Improving Critical Infrastructure Cybersecurity (The Framework). The Framework was first issued in February 2014 as a voluntary risk-based program to enable owners and operators of U.S. critical infrastructure to assess and remediate their cybersecurity risks. For more detail on The Framework, see our previous blog post, “Trendy “Cybersecurity” Versus Traditional “Information Security” Two Sides of the Same Security Coin,” and article, “The Cybersecurity Framework’s Components,” Privacy and Data Protection 2014 Year in Review at 32-34.

Industry Feedback

The NIST update provides a summary of feedback concerning industry’s initial use of the Framework. NIST reports that many users have found the Framework helpful in improving communication within and across organizations, assessing risks of current practices, and as a tool to demonstrate alignment with standards, best practices and, in some cases, regulatory requirements.

Certain users expressed concerns about the Framework. Among the critiques offered by industry members are the following: (1) The Tiers appear to be the least-used part of the Framework, likely because of their enterprise-level scope; (2) Examples are needed to demonstrate practical and applied uses of the Framework; (3) Some of the terminology is confusing and needs clarification; (4) Health care providers, other covered entities and business associates need practical and detailed guidance on moving from a HIPAA compliance-only strategy to a focus on being cyber secure; (5) NIST should advise as to how an organization can integrate cybersecurity into budget planning and master planning; and (6) Global alignment is important to avoid confusion and duplication of effort by other governments.

Regulatory Concerns

Concerns were raised as to whether regulating agencies or Congress will make the Framework mandatory, transforming it from a voluntary mechanism to a compliance requirement. NIST does not answer industry’s concern that the Framework could become a de facto standard for cybersecurity or may impact legal definitions or enforcement guidelines for cybersecurity. It merely reports that industry concern was expressed.

NIST Action Items

NIST makes clear that it will not be updating the Framework within the next year. It stressed that more time is needed for industry to understand and use the current version of the Framework. Toward that end, it has assigned itself certain action items in response to the industry feedback. To continue to promote use of the Framework, NIST agrees to complete the following tasks:

Increase efforts to raise awareness of the Framework in the same open and collaborative manner (i.e., working with industry, academia and government at multiple levels) in which the Framework was developed;
Develop an outreach effort to include small- and medium-sized businesses, state and local governments, and international organizations;
Develop and disseminate information and training materials that include actual examples of how organizations can employ the Framework in a practical and meaningful manner;
Develop advice on how to integrate cybersecurity risk management with broader enterprise risk management;
Explore options for making Framework reference materials available in a common publicly-available [...]

Continue Reading

Just in Time for the Holidays: Another HIPAA Settlement

by Edward G. Zacharias | Dec 12, 2014 | Consumer Protection, Cybersecurity, Data Privacy

Following an Office for Civil Rights investigation, Anchorage Community Mental Health Services, Inc., agreed to pay $150,000 and comply with a two-year Corrective Action Plan to settle allegations that it violated the HIPAA Security Rule. This settlement is another reminder that covered entities and business associates should take the necessary steps to ensure compliance with HIPAA and to reasonably and appropriately safeguard the electronic protected health information in their possession.

Read the full article.