The SEC Takes Action to Protect Retail Investors

In recent years, retail data breaches have become the norm. The news is filled with stories of nefarious hackers, identity theft, and credit monitoring. A topic that we rarely hear about, however, is the impact a data breach event can have on retail investors. Data breaches can have catastrophic consequences for retailers and, by extension, their investors, as a result of both decreased profits and increased expenses. To address this issue, the SEC has established two new initiatives specifically targeted at protecting retail investors from cybersecurity risks. To learn more, check out the SEC’s September 25, 2017 Press Release, available here.

The Equifax Mass Hack Serves as a Reminder for All to Take Action

Equifax, one of the “big three” credit-reporting agencies and a broker in personal-identifying data, announced September 7 “a cybersecurity incident,” as stated in a mea culpa by its Chairman and CEO Richard Smith.

Smith explained that hackers gained access to the names, dates of birth, SSNs, addresses, and in some cases, driver’s license and credit card numbers of 143 million Americans. That is nearly half the United States’ population, many of whom were unaware Equifax had their information to begin with. Equifax gets this data from creditors who report credit activity on individuals, rather than from the individuals themselves.

In response, the financial institutions reporting to Equifax, and the individuals it tracks and rates, will be filing lawsuits across the country. Two such lawsuits sprang up within hours of Equifax’s announcement. The complaints were filed in federal courts in Portland and Atlanta on behalf of nationwide classes. Large-scale litigation such as this is par for the course in the aftermath of high-profile data breaches, which can result in settlement payments up to hundreds of millions of dollars.

Just recently, Target agreed to pay out over $39 million to settle litigation with banks and another $18.5 with consumers over a 2013 breach that exposed 40 million credit and debit cards and the personal information of about 60 million customers. Heartland, a credit card processing company, paid out over $110 million to credit card companies and individuals for a 2008 breach that exposed about 130 million credit and debit cards. And in June of this year, Anthem agreed to pay $115 million to settle litigation over a 2015 hacking that compromised about 79 million people’s personal information.

Equifax appears to have been bracing for such litigation during the five weeks between its discovery of the breach on July 29, and its disclosure to the public on September 7. During that time, it created a website that in theory allows individuals to check whether they are among the 44% of Americans affected by the breach. The website invites those affected to “Click the button below to continue your enrollment in TrustedID Premier”—an Equifax security monitoring service that is free, but only for one year. Notably, enrollment requires that you accept Equifax’s Terms of Use. Those terms seemingly required arbitration of all disputes, and waiver of the ability to bring or participate in a class action lawsuit, such as those filed in Portland and Atlanta.

That arbitration provision and class action waiver received heavy criticism and sparked an investigation by New York Attorney General Eric Schneiderman who called the provision “unacceptable and unenforceable.” Equifax subsequently updated its terms to remove the provision.

The website had other problems, however, that have not been resolved. It has been described as a marketing funnel for Equifax’s own credit protection service, the value of which is in serious question. Moreover, the website does not work.

It gives inconsistent reports to people, myself included. On September 7, the website stated that my information was not impacted. On September 8, it said it was. Others have experienced the same, or received “System Unavailable” messages. One has to question whether Equifax even knows the full extent of its breach.

As an individual, this is a reminder to protect yourself to the extent possible by creating strong passwords unique to each website, taking advantage of advanced security features like two-step authentication, and considering ending relationships with businesses that do not offer advanced security options. If you believe you were affected by the Equifax breach, and there is nearly a 50/50 chance you were, consider instituting a credit freeze.

As a holder of consumer information, this is a reminder of the incredible focus that must be paid to securing your customers’ privacy. It is also a reminder to review your own customer agreements. Equifax was in a unique position because it did not have an agreement with the people whose information it carried. If you do, this is a good time to consider consulting with a lawyer as to whether you need an arbitration provision and class action waiver or, if such provisions are already in your agreements, whether they are legally current and, thus, enforceable.

SEC Study Shows Improved Cybersecurity Preparedness in the Investment Industry, But Improvement Still Needed

On August 7, 2017, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert that summarized the OCIE Staff’s “observations from the Cybersecurity 2 Initiative examinations,” which involved validation and testing of procedures and controls of 75 broker-dealers, investment advisers, and investment companies.  The staff noted that a majority of firms’ policies and procedures “appeared to have issues.”  For more information, please see the Risk Alert, which is available here.

Recent Study Reveals Interesting Trends in Cyber Attacks in First Quarter of 2017

A recent study issued by Navigant Global Technology Solutions has indicated that “2017 is poised to be a year of significant awareness and development in the area of cybersecurity regulation.” The study indicates that the ferocity of cybersecurity attacks has continued unabated since 2016 and that 2017 is shaping up to be another “watershed year” for cybersecurity threats and attacks.

Statistics (Q1 2017):

  • The overall average breach size decreased from 58,882 records in Q3 2016 to 49,877 in Q4 2016.
  • Healthcare accounted for the largest percentage of reported data breaches (42.77%).
  • Hacking incidents were the most common type of breach.
  • An average of more than 4,000 ransomware attacks occurred per day.
  • 73% of IT security professionals at critical infrastructure utilities say their organizations have suffered a breach.

Additionally, there has been a significant increase in the number of security incidents caused by remote desktop protocol (“RDP”) hacking in the first quarter of 2017. Not surprisingly, in light of the increasing “work-from-home” trend, this hacking technique involves technology that allows users and system administrators to remotely access computers that they are not physically able to access. The attackers gain access to the network through phishing emails or other social engineering techniques. The study also noted that TeamViewer, a major RDP provider, has seen a spike in the number of RDP security breaches. However, TeamViewer and Navigant both note that the exposure is not due to a “flaw” in the technology, but rather to the use of poor password policies by users. Once again, the findings indicate that human error appears to be one of the most difficult problems to safeguard against.

The second quarter of 2017 is poised to be no exception to the spike in cybersecurity breaches. The 2016 tax year is coming to a close and a plethora of sensitive personal information is available to hackers across multiple platforms. Recognizing that a majority of cyber attacks are the result of the usage of poor/duplicative passwords by users, the use of “two-factor authentication” on all account logins continues to be a focus in designing effective cyber security programs.

Two-factor authentication (also referred to as “2FA”) is a process requiring two different authentication methods to prevent unauthorized access to private and sensitive information. The three main categories of authentication factors are: something you know (password, PIN code, social security number); something you have (USB security token, bank card, key); and something you are (fingerprint, eye, voice, face). The two-factor authentication process requires two of these factors.

According to Symantec’s 2016 Internet Security Threat Report, 80% of breaches can be prevented by using multi-factor authentication. Thus, by using basic, two-factor authentication, an organization can immediately reduce its cybersecurity threat profile in a fast and meaningful way.

As we continue in 2017, these statistics and studies must inform the development of practical, effective means of combating countless threats to cyber security. Being attacked is only a question of when, not if. In cyber security, the best offense is a strong defense, including accommodations for the likelihood of human error.

‘The Dark Overlord’ Places Healthcare Databases on Dark Web

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently, shortly after that, a fourth stolen database consisting of a reported 9.3 million individuals’ records from a health insurer went up for sale. The hacker taking credit for all four refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems, for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid, the hacker moved on to Plan B: sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access by an unnamed third party contractor (presumably the EMR vendor). Databreaches.net claims however that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be in the minds of any healthcare organization as they learn of these events. First is the question of whether your own data is protected from such attacks, or whether you are vulnerable as well. How safe is your EMR system? How closely do you audit and monitor the third party vendors you contract with? Second, and something I think every organization should have at least a working framework to analyze in the event they find themselves the recipient of a post-breach ransom demand: what will your response be in the event you receive such a demand?

Addressing the Wendy’s Data Breach Proves Difficult Due to Size of Breach and Company’s Structure

As discussed earlier, Wendy’s announced that it was investigating a possible breach of its point of sale systems (“POS”), after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. An earlier Wendy’s press release stated “[b]ased on the preliminary findings of the investigation and other information, the Company believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system at fewer than 300 of approximately 5,500 franchised North America Wendy’s restaurants, starting in the fall of 2015.”

It has been reported by security expert Brian Krebs that “some breached Wendy’s locations were ‘still leaking’ customer card data at the end of March 2016 and into early April.” A statement by Wendy’s spokesman Bob Bertini said, in response to questions about the duration of the breach at some stores, “[a]s you are aware, our investigator is required to follow certain protocols in this type of comprehensive investigation and this takes time. Adding to the complexity is the fact that most Wendy’s restaurants are owned and operated by independent franchisees.”

It has been opined that the extent and duration of the breach was a result of its size. Specifically, Tod Beardsley, security research manager at cybersecurity specialist Rapid 7, stated that the “fact that the breach affected only 5 percent of Wendy’s locations was likely a contributing factor to its success. A small footprint is much more difficult to detect, since the patterns resulting from the fraud take longer to materialize.” Unfortunately, the detection time allows the individuals involved to go on spending sprees comprised of unauthorized purchases well after the breach took place.

At this time it seems investigators are still trying to wrap their arms around the problem so we may not know the extent and duration of this breach for some time.

FBI’s Demand for an Apple iPhone Hack Could be Turning Point for Business

We’ve all heard of Apple’s refusal to provide a “back-door” to bypass the security features on an iPhone belonging to the perpetrator of the terrible terrorist attack in California. That law enforcement wants to investigate the data does not concern me. But the subpoena directs Apple to create a program that will bypass its own security to unlock the phone to retrieve data not captured in the last iCloud backup.

Many think the government’s actions are justified, and see no reason why the data on this phone should be protected. The FBI is proceeding pursuant to a lawfully obtained court order, and therefore argues that its request will only affect this one investigation, into this one phone, and could save additional lives. But where will the government’s ability to reach into a private business lead?

Although Apple has cooperated with law enforcement on numerous occasions in the past, for a myriad of reasons, Apple refuses to create this “hack” of its own software. I find it troubling that the subpoena requires Apple to affirmatively build a new program. This is not a case where the technology is available, and they just need Apple to access or apply it. How far may the government go in requiring a business to devote time, resources and expertise to developing a technology for use in a “single” investigation?

And that begs the question: is this really a single use instance? A program that would be able to crack open this phone will also be able to open all phones running the same operating system. Will law enforcement then regularly issue subpoenas to Apple to hack other phones, in less compelling circumstances? Or will they subpoena other businesses, directing them to devote their assets to assist in investigations, arguing that the precedent is set?

Once created, it will be virtually impossible to prevent unauthorized access or prohibit inappropriate use of the hacking tool. Anything used in the cyberworld is at risk. As we have seen time and again, even the most sophisticated corporations are breached by talented hackers looking for a way in. The fact of a lawfully ordered subpoena in this case is of little consequence. China is Apple’s second largest market. Will the Chinese government seek a court order from an American court, consistent with due process principles, before demanding that Apple provide access to iPhones there? Doubtful.

The government has a compelling argument that they are acting for the safety of the American people. Apple has a legitimate interest in protecting its technology, the privacy of its customers, and its ability to do business in other countries, all to preserve its bottom line. It will be interesting to see which market powerhouse – the U.S. Government or the world’s richest company – prevails.

Wendy’s May Face Liability for Failing to Upgrade Payment Systems

As was previously reported, October 1, 2015 signaled a fraud “liability shift” between credit card issuers and merchants, in which liability for fraudulent credit card transactions began falling on whichever party used the lower level of security and compliance with EMV standards. While merchants are not required to adopt EMV technology (which reads chip cards, as opposed to the less secure magnetic strip cards), in the event of a data breach, their failure to do so can now render them responsible for the costs associated with the fraudulent use of stolen credit card information. This liability shift has created a very strong incentive for merchants to implement EMV chip card readers.

For companies that have not opted to make the EMV transition, lawsuits may begin to abound. One of the first suits targeting a retailer for its failure to keep up with industry standards was filed on February 8, 2016, in the wake of a possible data breach at the nationwide fast food chain, Wendy’s.

On January 27, 2016, Wendy’s announced that it was investigating a possible breach of its point of sale systems, after the company was alerted of “unusual activity” involving customers’ credit or debit cards at some of its locations. Wendy’s hired a cybersecurity firm to investigate the potential breach – which involved transactions in late 2015 – who discovered malware designed to steal customer payment data on computers that operate Wendy’s payment processing systems in certain locations.

An Orlando, Florida man purporting to be a victim of the Wendy’s breach initiated a class action lawsuit against the company on February 8, 2016, claiming that Wendy’s “lackadaisical” and “cavalier” security measures allowed his debit card data to be stolen and used to purchase nearly $600.00 of merchandise from various retailers. The lawsuit alleges that Wendy’s could have prevented the breach, yet maintained a system that was insufficient and inadequate to protect customers’ data. An attorney representing the plaintiff suggested that Wendy’s failed to incorporate technology allowing for use of chip-enabled cards, and that the lawsuit may expose the danger of failing to adopt such a system.

The threat of similar class action litigation may serve as a wake-up call for retailers who have failed or otherwise delayed in implementing up-to-date security measures. The suit, Jonathan Torres vs. The Wendy’s Company, can be found here.

EMV Chip Cards – Falling Behind the Curve Could Mean Liability for Merchants and Card Issuers Alike

During the holiday season, stores throughout the United States process millions of credit card transactions per day. Although this flurry of sales activity is good for business, it also comes with a potential risk of liability if the credit cards used in those transactions are equipped with the chip-card technology that the merchants’ payment processing machines are not capable of handling.

During the past year, credit card issuers have been transitioning to the Europay, Mastercard, Visa (“EMV”) chip cards, which contain smart microprocessor chip technology. Using the chip reader in the credit card payment terminal, the chip serves as the communication conduit between the card issuer and the merchant’s bank to authenticate the card and complete the sales transaction. Unlike magnetic stripe credit cards, chip cards generate a unique transaction code that cannot be reused. This “dynamic” data technology helps to guard against credit card fraud arising out of data or security breaches where the credit card information is compromised. For some chip cards, the users may also be required to enter a PIN. This new chip card technology requires new payment processing terminals that many merchants have not yet implemented.

Although the card issuers themselves have not completed their issuance of EMV chip cards to replace existing magnetic stripe cards, the issuers imposed an October 2015 deadline on merchants and card payment processors to become EMV-ready. After October 2015, under the modified terms of their agreements with the credit card payment processors or networks (e.g., VISA, MasterCard, American Express, Discover), merchants who accept credit cards and who are not EMV-ready may be liable for any fraudulent transactions and possibly fined and/or sanctioned by the Payment Card Industry Security Standards Council, an industry organization that promulgates data and cybersecurity standards for the credit card sector. Liability will be shifted to the party who used the lower level of security and compliance with the EMV standards. This means that, for example, a merchant may be assigned liability for the fraudulent transaction if the purchase was made with a chip card but the merchant was not capable of processing the chip card payment, using instead the magnetic stripe method. Conversely, the card issuer may be assigned liability if the merchant was EMV-capable but the card issuer has not issued a chip card to the consumer.

Notably, the EMV standards do not apply to purchases where the cards are not physically presented, including online and telephone transactions.

Although they impose increased liability and breed disputes between potentially liable parties, EMV chip cards and their attendant standards and rules are intended to provide more consumer protection and create an incentive for merchants, card issuers, and payment processors alike to conform with best practices in an ever-evolving world of data and cybersecurity challenges.

Insurance industry takes protective stance against constant threat of data breaches

Over 1,000 Medicaid identification numbers may have been compromised in a recent breach of security protocol in North Carolina. An employee of the North Carolina Department of Health and Human Services inadvertently sent an email without first encrypting it, which contained protected health information for Medicaid recipients, including the individual’s first and last name, Medicaid identification number, provider name, and provider identification number. While the Department has no reason to believe that any information was compromised, the Department advised affected patients to take steps to protect themselves, such as putting a fraud alert on their credit files and monitoring their financial statements for unauthorized activity.

Individual insurance companies have also fallen victim to cyberattacks. The National Association of Insurance Commissioners (NAIC) has made efforts to strengthen the insurance industry’s security position by launching the Cybersecurity Task Force, which is creating a framework for insurance companies to follow in the event of a security breach. The NAIC recently proposed a Cybersecurity Bill of Rights, which outlines the expectations of insurers when a data breach occurs and remedies for consumers who have suffered harm due to a breach. Consumer advocates, as well as insurance groups representing life, health, and property/casualty carriers, support the Cybersecurity Bill of Rights, but are pushing for changes, arguing that the document may create confusion for consumers because currently it implies that certain rights, which are not contained in all applicable state and federal laws, exist for all consumers. While the Cybersecurity Bill of Rights will not likely become a binding document, the Cybersecurity Task Force has been working alongside state insurance regulators, conducting examinations of insurance carriers’ protocols to determine whether sensitive data and confidential information are properly protected. One thing is for certain – the increase in data breaches nationwide will lead to more regulations affecting all areas of industry and eventually leading to additional lawsuits in compliance with said regulations.