SEC Study Shows Improved Cybersecurity Preparedness in the Investment Industry, But Improvement Still Needed

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert that summarized the OCIE Staff’s “observations from the Cybersecurity 2 Initiative examinations,” which involved validation and testing of procedures and controls of 75 broker-dealers, investment advisers, and investment companies.  The staff noted that a majority of firms’ policies and procedures “appeared to have issues.”  For more information, please see the Risk Alert, which is available here.

Questions Remain as to Extent of HBO Cyberattack

On Monday, HBO acknowledged that it had been the victim of a cyberattack. The hacker(s) claiming responsibility use the alias “little.finger66,” a reference to HBO’s hit show, Game of Thrones.

The hackers accessed an estimated 1.5 terabytes of data. They have leaked full episodes of Ballers and Room 104, as well as a script from the upcoming episode of Game of Thrones. They promise that more is to come. HBO is working with law enforcement and private security firms to examine the extent of the breach and to protect its data.

HBO has expressed an intent to offer its employees credit monitoring, which raises questions as to whether human resources records were accessed. Thankfully for subscribers, at this time, there is no indication that the hackers accessed subscribers’ login credentials or payment information.

Also, luckily for HBO, it appears that HBO’s email system was not compromised in its entirety, unlike with the Sony Entertainment breach in 2014. The release of confidential and proprietary information following the Sony breach – such as executives’ salaries and embarrassing email communications – sent ripples through the entertainment industry and led Sony’s then co-chairman to resign. It also resulted in a class action lawsuit brought by certain Sony employees.

We will continue to monitor this story as it unfolds.

Updated HIPAA Breach Reporting Tool Launched by HHS

“…a more positive, relevant resource of information for concerned consumers.”

On July 25, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), unveiled a revised Health Insurance Portability and Accountability Act (HIPAA) Breach Reporting Tool (HBRT) that provides consumers improved access to information on breach data, and also provides greater ease-of-use for organizations reporting incidents. The HBRT makes required reporting information public, such as name of the entity suffering the breach; state where the breach occurred; number of individuals affected; date of the breach; type of breach (e.g. hacking/IT incident, theft, loss, unauthorized access or disclosure); and the location of the breached information (e.g. laptop, paper records, desktop computer). HIPAA also requires health care providers and other covered entities to promptly notify individuals of a breach and, in some cases, notify the media.

HHS Secretary Tom Price, M.D., explained, “HHS heard from the public. . . .To that end, we have taken steps to make this website, which features only larger breaches, a more positive, relevant source of information for concerned citizens.”

The HRBT may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

DLA Piper Falls Victim to Latest Cyberattack

After last month’s WannaCry ransomware attack infected thousands of businesses and individuals across the globe, law firms were identified as likely targets of future, similar attacks. On Tuesday, multinational firm DLA Piper became the latest victim of a major cyber hack.

The Petrwrap/Petya attack, which was found to have originated in the firm’s office in Spain, caused DLA’s network and phone system to be shut down. Employees were instructed to turn off their computers and to unplug their laptops from the network as a precaution. During the shutdown, a DLA Piper spokesperson said in a statement: “The firm, like many other reported companies, has experienced issues with some of its systems due to suspected malware. We are taking steps to remedy the issue as quickly as possible.” DLA worked with external forensic experts, including the FBI and UK National Crime Agency, to get its systems back online and recover from the attack. Nonetheless, the firm’s lawyers were without access to company phones and email due to the lockdown.

In addition to DLA Piper, other large companies were hit, including Russian oil producer Rosneft and Danish shipping company Maersk. Though first reported in the Ukraine, where the most severe damage has been sustained, the virus quickly spread to the United States and Europe. United States-based pharmaceutical company Merck was also infected. DLA Piper has experienced effects of the attack in its offices globally.

While DLA Piper is the only law firm that has been reportedly attacked by the Petrwrap/Petya ransomware thus far, experts have indicated that law firms, generally, are attractive targets for hackers, as they maintain an abundance of highly-sensitive client information on their systems. Many smaller firms are vulnerable and easily exploited because they do not have the infrastructure to protect themselves against cyber threats. Yet, as can be seen, these increasingly pervasive attacks can cripple even the most prepared companies. In fact, DLA Piper, a firm with a global cybersecurity team, published an article in the wake of the WannaCry, titled “9 Things You Should Know to Protect Your Company from the Next Attack.”

Details about the Petrwrap/Petya ransomware, including how it is spread, are still being investigated. Researchers have reported that it is both similar to and different from WannaCry in various ways. Needless to say, in the face of another widespread attack, it is more important than ever for law firms to be vigilant against cyber threats.

 

SCOTUS to Address Whether There is a Reasonable Expectation of Privacy in Mobile Phone Location Data

On June 5, 2017, the United States Supreme Court granted a petition for a writ of certiorari in Carpenter v. United States, from the Sixth Circuit Court of Appeals. The Supreme Court will have to address whether or not the Fourth Amendment protects government access to historical cellular phonesite records. In Carpenter, the government seized several months’ worth of cell phone location records from robbery suspects without obtaining a probable cause warrant. For one suspect, Timothy Carpenter, the records revealed 12,898 separate points of location data. For another suspect, Timothy Sanders, the records revealed 23,034 separate points of location data.

FBI agent Christopher Hess offered expert testimony explaining that the cell phone data acquired under the  Stored Communications Act (“SCA”)(18 U.S.C. Chapter 121 §§ 2701–2712) indicated that Carpenter and Sanders’ phones were within one-half mile to two miles of the location of each of the robberies around the time the event occurred. Carpenter and Sanders sought to suppress this evidence under the Fourth Amendment, but the district court denied their motion.

The SCA permits the government to obtain records where “specific and articulable facts show that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation”—a much lower bar than the probable cause needed to obtain a run-of-the-mill search warrant.

A divided panel of the Sixth Circuit stated that, “although the content of personal communications is private, the information necessary to get those communications from point A to point B is not.” For example, while individuals may enjoy a reasonable expectation of privacy regarding the content of their telephone calls, they do not have the same expectation for the numbers dialed. The court concluded that, “[t]oday, the same distinction applies to internet communications,” i.e., while the Fourth Amendment protects the contents of an email, it does not protect metadata. The Sixth Circuit joins the Fourth, Fifth, and Eleventh Circuits in holding that there is no reasonable expectation of privacy in historical cell site location information under the Fourth Amendment, and therefore no warrant is required.

Numerous lower court judges encountering the issue have followed the Supreme Court’s third-party-doctrine cases, which hold that a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties. However, this line of thinking has been deemed antiquated by some in light of the vast amounts of data that are collected on a daily basis. Justice Sotomayor noted in United States v. Jones, that it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties and that this approach is ill-suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. 132 S. Ct. 945, 957 (2012).

In recognition of this changing tide, and relevant to the issue presented in Carpenter, some courts have concluded that individuals have a reasonable expectation of privacy in their location. For example, in United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), aff’d on other grounds sub nom. Jones, 132 S. Ct. 945, the D.C. Circuit held that using a GPS device to surreptitiously track a car over the course of 28 days violated reasonable expectations of privacy and was therefore a Fourth Amendment search. Id. at 563. The court explained that “[p]rolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than any individual trip viewed in isolation.” Id. at 562. Therefore, people have a reasonable expectation of privacy in the intimate and private information.

Collecting and analyzing cell phone records can, and often does, reveal extraordinarily sensitive details about a person’s life. This case will have an enormous impact on the Fourth Amendment in connection with data collected and an individual’s expectation of privacy in the ever progressing digital age.

The Border Search Exception to the Warrant Requirement

You are sitting in O’Hare airport or in a Starbucks in Tucson, Arizona skyping with a friend when an ICE agent approaches you, asks you to produce evidence of your legal presence, and demands that you hand over your laptop and cell phone and give him the passcodes. You refuse. Can he detain you or confiscate your devices? Maybe.

The Supreme Court has long recognized that the “border search exception to the warrant requirement” allows the government to conduct search and seizure in proximity to the international border without reasonable suspicion. United States v. Martinez-Fuerte, 428 U.S. 561-61 (1976). This allows the government to conduct warrantless searches of laptop computers and cell phones at the border without reasonable suspicion of illegal content. United States v. Arnold, 533 F.3d 1003 (9th Cir. 2008). Albeit, an agent must have “reasonable suspicion” (but still not a probable cause warrant) to conduct an extensive forensic search of a laptop. United States v. Cotterman, 709 F.3d 952, 957 (9th Cir. 2013).

The border search exception applies well beyond geographic borders. It applies anywhere within a zone extending 100 miles from such borders and from all ports of entry. See 8 CFR § 287.1 (a). About 2/3 of the US population lives within this zone. Thus, without reasonable suspicion, ICE agents can stop you throughout much of the USA and inquire as to your immigration status. If they do, you would be subject to immediate deportation, without getting the opportunity to go before a judge, unless you can establish your legal presence in the country. See M. Shear & R. Nixon, “New Trump deportation Rules Allow Far More Expulsions,” New York Times (Feb. 21, 2017) (available online at https://www.nytimes.com/2017/02/21/us/politics/dhs-immigration-trump.html).

Arguably, if you were overheard conversing in Spanish or a foreign language unintelligible to the agent (Arabic?) and aggressively objected to the agent’s demands, the agent could determine reasonable suspicion and, on that basis, could confiscate your devices and conduct an extensive forensic search. If you did not have identification establishing legal presence, the agent could detain you until you can provide such proof. Happy travels.

Blockchain Technology: Balancing Benefits & Evolving Risks

The “blockchain” has the potential to transform the way financial institutions process transactions and corporations conduct business. While first introduced as the technology underlying cryptocurrencies such as bitcoin, financial institutions have partnered to apply the blockchain to streamline cross-border payment settlement and interbank settlement solutions. Implementing blockchain technology in pursuit of these types of efficiencies may fundamentally change how financial institutions conduct business and alter the risks banks face.

Fundamentally, the blockchain stores data about individual financial transactions in a decentralized way that should, in theory, provide greater security and limit the risk of fraud. It relies on cutting-edge cryptography to secure the authentication process. Before recording a block of transactions, “miners” authenticate them by applying a mathematical formula that results in a seemingly random sequence of letters and numbers known as a hash. The hash is produced using the hash of the preceding block, in a math problem. Although the math is difficult to solve, the solution is easy to verify.

The hash becomes the digital version of a wax seal. After using this process to authenticate a transaction, miners store the “block,” along with its hash, in a unique “chain.” If you change just one character in a block, its hash will change completely. The ramification for security is that if someone tampers with the block, the change becomes public.

A blockchain documents each transaction’s details, identifying the sender, recipient, input amount, and output amount. Only the parties to a transaction can unlock the contents of the block because only they hold the private key necessary to open the data. But since each entry bears a hash, anyone can verify the existence of a transaction within the block.

The application of blockchain technology could potentially increase the risk of fraud. That’s because a comprehensive review of fraud, alteration, and forgery may not occur in a blockchain transaction. The participating financial institutions may not receive the transaction’s original documents, on which the transaction is based, and thus may not have an opportunity to analyze those documents for fraud. Since parties using blockchain for transactions appear to be moving towards competing blockchain-based platforms, there is a potential for assets to be double-pledged or for conflicting financial transactions to be entered into on different platforms.

As financial institutions and their corporate clients move forward into the brave new world of blockchain technology, they must remain mindful of the fact that this is just another means of conducting business transactions, and the time honored principle of caveat emptor still applies. Parties entering into blockchain transactions should ensure that they are doing their due diligence on the representations underlying those transactions. This includes, when applicable, examining original documents on which transactions are based. Also, participants should be mindful that there may be multiple blockchain-based platforms on which business is conducted, meaning that the lack of a conflict on the platform in which the transaction is entered into does not mean that a competing or conflicting transaction will not be entered into on another platform.

Target Settlement a First Step for Companies Looking to Avoid Data Breach Litigation

Target ends its multi-state data breach litigation over its 2013 data breach with an $18.5 million settlement to 47 states. While the settlement outlines the type of security measures companies should employ in order to not be found negligent with customer data, it doesn’t go far enough to improve organizational security. The bulk of the settlement terms are still defensive in nature when it comes to data breaches. As such, companies looking to follow the terms of Target’s settlement should be cautioned to use offensive tactics to prevent such attacks if they want to avoid litigation.

In 2013, while Target’s security systems had detected the breach, no one understood the significance of, or acted upon, the alerts, resulting in the massive data breach given the delay in response time. Target has since toughened its security systems and made significant improvements. The terms of the settlement give Target 180 days to develop, implement, and maintain a comprehensive security program. However, this requirement refers to the changes the retailer has already implemented. While the settlement reiterates some of the basics, such as having a comprehensive security program, segmenting the network, and implementing stricter access control policies to sensitive networks and data, future data breach lawsuits may use the Target settlement to try to prove an organization did not go far enough in protecting personal information and other sensitive data. As such, abiding by the terms of the Target settlement is a first step for companies looking to avoid data breach litigation, but further tactics will be required for companies to go on the offensive to prevent breaches as the plaintiffs’ bar will try to use the Target settlement as a varying degree of negligence in pushing forward with future litigation.

Recent Massive Ransomware Attack Underscores Importance of Keeping Operating System Software Updated and Vigilance Against Suspicious Emails

On May 12, 2017, countless individuals and businesses worldwide were the targets of what experts deem the largest ransomware attack in history. In this attack, hackers sent emails containing encrypted .zip file attachments, which, when downloaded by the email recipient, infected the recipient’s computer with ransomware that commandeered and locked the computer’s files. The files were rendered inaccessible and released only upon payment of a bitcoin ransom to the hacker. According to reports, over 74 countries were hit by the attack, and hospitals and government agencies were among the victims. The damage, monetary or otherwise, resulting from the attack remains to be determined.

“Wannacry,” the name of the ransomware variant used in this attack, is reportedly derived from a stolen NSA hacking tool. The ransomware exploited Windows-based operating system vulnerabilities in computers that were not patched with the latest software update from Microsoft.

Although individuals and businesses in the United States remained largely unaffected, many experts say that this recent attack merely foreshadows future attacks of this scale that may potentially reach users stateside. As hackers become more sophisticated, attacks of this type may become the new normal. Given this new reality in the world of computing, it is increasingly important that computer users, particularly organizational users with databases and systems that house confidential and sensitive information, such as personally identifiable information (“PII”) or protected health information (“PHI”), ensure that computer systems are regularly updated with operating system software and security patches. Equally important is implementing organizational policies and procedures that require and encourage users to be vigilant against indiscriminate accessing and opening of suspicious emails with infected attachments and links.

Recent Study Reveals Interesting Trends in Cyber Attacks in First Quarter of 2017

A recent study issued by Navigant Global Technology Solutions has indicated that “2017 is poised to be a year of significant awareness and development in the area of cybersecurity regulation.” The study indicates that the ferocity of cybersecurity attacks has continued unabated since 2016 and that 2017 is shaping up to be another “watershed year” for cybersecurity threats and attacks.

Statistics (Q1 2017):

  • The overall average breach size decreased from 58,882 records in Q3 2016 to 49,877 in Q4 2016.
  • Healthcare accounted for the largest percentage of reported data breaches (42.77%).
  • Hacking incidents were the most common type of breach.
  • An average of more than 4,000 ransomware attacks occurred per day.
  • 73% of IT security professionals at critical infrastructure utilities say their organizations have suffered a breach.

Additionally, there has been a significant increase in the number of security incidents caused by remote desktop protocol (“RDP”) hacking in the first quarter of 2017. Not surprising in light of the increasing “work-from-home” trend, this hacking technique involves technology to allow users and system administrators to remotely access computers that they are not physically able to access. The attackers gain access to the network through phishing emails or other social engineering techniques. The study also noted that TeamViewer, a major RDP provider, has also seen a spike in the number of RDP security breaches. However, TeamViewer and Navigant both note that the exposure is not due to a “flaw” in the technology, but rather the usage of poor password policies by users. Once again, the findings indicate that human error appears to be one of the most difficult problems to safeguard against.

The second quarter of 2017 is poised to be no exception to the spike in cybersecurity breaches. The 2016 tax year is coming to a close and a plethora of sensitive personal information is available to hackers across multiple platforms. Recognizing that a majority of cyber attacks are the result of the usage of poor/duplicative passwords by users, the use of “two-factor authentication” on all account logins continues to be a focus in designing effective cyber security programs.

Two-factor authentication (also referred to as “2FA”) is a process requiring two different authentication methods to prevent unauthorized access of private and sensitive information. The three main categories of authentication factors are: something you know (password, pin code, social security number); something you have (USB security token, bank card, key); and something you are (fingerprint, eye, voice, face). The two-factor authentication process requires two of these factors.

According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Thus, by using basic, two-factor authentication, an organization can immediately reduce its cybersecurity threat profile in a fast and meaningful way.

As we continue in 2017, these statistics and studies must inform the development of practical, effective means of combating countless threats to cyber security. Being attacked is only a question of when, not if. In cyber security, the best offense is a strong defense, including accommodations for the likelihood of human error.