Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Report: Heartbleed to blame for Community Health Systems breach

If this report is true, the Community Health Systems data breach that affected 4.5M patients would be the first known exploit of the Heartbleed vulnerability. However, it is likely not the last. A report on the Errata Security blog in June noted that 300,000 vulnerable systems remained unpatched two months after the vulnerability was disclosed.

Here’s more from TrustedSec:

While no technical details of the attack had previously been disclosed, information security firm TrustedSec, citing sources familiar with the incident, said on Tuesday that the initial attack vector was through the infamous “Heartbleed” vulnerability in OpenSSL, which provided the attackers a way in, eventually resulting in the compromise of patient data.

“This confirmation of the initial attack vector was obtained from a trusted and anonymous source close to the CHS investigation,” TrustedSec wrote in a blog post. “Attackers were able to glean user credentials from memory on a CHS Juniper device via the heartbleed vulnerability (which was vulnerable at the time) and use them to login via a VPN.”

While TrustedSec did not share much on the source, the firm is reputable. As background, David Kennedy, TrustedSec's founder and Principal Consultant, formerly worked for the NSA and also served as Chief Security Officer at ATM maker Diebold. He is also founder of the Derbycon conference.



Community Health Systems data breach affects 4.5M

Yesterday Community Health Systems filed a public report with the U.S. Securities and Exchange Commission (SEC) detailing a data breach that affects 4.5 million individuals. This is a serious breach, especially because Social Security numbers were stolen along with names and birth dates. Together, the three pieces of information are a jackpot for identity thieves because they cannot be changed as easily as a password or email address, and are often all that are needed to open a bank account or obtain a credit card.

In July 2014, Community Health Systems, Inc. (the “Company”) confirmed that its computer network was the target of an external, criminal cyber attack that the Company believes occurred in April and June, 2014. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack the Company’s systems. . .The Company has been informed by federal authorities and Mandiant that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to the Company’s physician practice operations and affected approximately 4.5 million individuals who, in the last five years, were referred for or received services from physicians affiliated with the Company. The Company has confirmed that this data did not include patient credit card, medical or clinical information; the data is, however, considered protected under the Health Insurance Portability and Accountability Act (“HIPAA”) because it includes patient names, addresses, birthdates, telephone numbers and social security numbers.

With the current state of security in the healthcare industry I expect outside attacks on vulnerable providers and business associates will increase.


Target to book $148M in 2Q related to data breach expenses.

Target announced in a press release yesterday that the company will book $148 million in expenses in its second quarter results stemming from last year's massive data breach:

During fourth quarter 2013, Target experienced a data breach in which an intruder gained unauthorized access to its network and stole certain payment card and other guest information. In second quarter 2014, the Company expects to record gross breach-related expenses of $148 million, partially offset by the recognition of a $38 million insurance receivable. Expenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks.



Russian crime ring amasses over a Billion credentials

It is being reported that the USA and South Korea account for over 80% of the stolen credentials. Usernames and passwords alone are not enough to protect us.

According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.

Brian Krebs has provided an excellent Q&A on the topic.



NIST Guidelines on Security and Privacy in Public Cloud Computing

Last week I was asked if there was any law or regulation that would prevent a third party business associate (BA) from storing their customer’s Personal Health Information (PHI) in a cloud environment.

The short answer is no, but the more complex answer is that HIPAA holds BAs and their subcontractors to the same standards as the health care providers themselves. Thus it is critical that serious consideration is given to how the data is to be protected. In this case, the cloud provider would also be a BA and the agreement should reflect their responsibilities in securing the data and their duties if a breach does occur.

One source of guidance is NIST 800-144: Guidelines on Security and Privacy in Public Cloud Computing. Here’s the abstract:

Cloud computing can and does mean different things to different people. The common characteristics most interpretations share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and displacement of data and services from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment.



Wireless Live CD Alternative: ZeusGard

Brian Krebs discusses ZeusGard, a little USB flash drive that boots into a usable browser within about 30 seconds after starting the machine to avoid potential issues with banking malware such as Zeus or its variants.

Zeusgard allows you to safely bank online from any machine — even from a system that is already riddled with malware. That’s because it lets you boot your existing PC into an entirely different operating system. Even better, it is capable of connecting to the wireless network.

Priced at $40 for both the flash drive and the wireless adapter, it may be a perfect tool for small to medium-sized businesses who conduct online banking.


FRCP E-Discovery Amendments Expected To Go Into Effect 12/1/2015

Kroll Ontrack’s E-Discovery blog rounds up some of the Federal Rules of Civil Procedure changes related to e-discovery. While the rules package contains several important amendments, the most controversial proposal relates to the “failure to preserve” section in Rule 37(e). This language was the most hotly contested area throughout the public comment period.

The revised rule is designed to ensure a more uniform response from Federal Courts regarding the loss of Electronically Stored Information (ESI). The rule, broken into two sections, gives courts power to undertake “measures” – AKA sanctions and other similar procedures – when a party loses ESI because they failed to take “reasonable steps” to preserve it during the anticipation of impending litigation.

The first section, Section 37(e)(1), allows a court to take measures when a party is prejudiced by the opposing party’s loss of ESI. The court is permitted to take reasonable action that sufficiently cures the party’s prejudice even though the loss of the ESI may not have been the opposing party’s fault.

Similarly, the second section, Section 37(e)(2), authorizes a court to take measures when a party intentionally loses ESI.  However, it does not require a showing of prejudice to the adverse party. The court can assume that the ESI was unfavorable, instruct the jury that the ESI was unfavorable, or grant default judgment or dismiss the case.



Goldman says client data leaked, wants Google to delete email

Goldman Sachs has filed a lawsuit in the New York State Supreme Court to force Google to delete an email that was accidentally sent by a contractor.

Goldman said the contractor meant to email her report, which contained the client data, to a "gs.com" account, but instead sent it to a similarly named, unrelated "gmail.com" account.

The bank said it has been unable to retrieve the report or get a response from the Gmail account owner. It said a member of Google's "incident response team" reported on June 26 that the email cannot be deleted without a court order.

"Emergency relief is necessary to avoid the risk of inflicting a needless and massive privacy violation upon Goldman Sachs' clients, and to avoid the risk of unnecessary reputational damage to Goldman Sachs," the bank said.

"By contrast, Google faces little more than the minor inconvenience of intercepting a single email - an email that was indisputably sent in error," it added.

My questions are these: If losing the data would truly result in “a massive privacy violation” why wasn’t Goldman’s either encrypting the data itself or using software to encrypt their email (such as the freely available PGP)? And why should Google be legally responsible for cleaning up after companies who do not follow best (or even good) data protection practices?



Prepare yourself for high-stakes cyber ransom

Following the breach and extortion attempt that put Code Spaces out of business, we are finally seeing more attention paid to “cyber ransom”. InfoWorld security advisor Roger Grimes has published a high-level overview of how to prepare for this threat. Among his recommendations:

Prepare for the worst now

  • (1) Educate senior management about the threat of ransom-demanding cyber criminals (along with ransom-demanding malware, which they should already be familiar with). Let them know the threat is real, fairly easy to accomplish, and difficult to prevent. Do your research and put everything in a document, so they can't say you didn't warn them.

  • (2) Ask management how you should respond if a ransom incident occurs and you believe it to be a viable threat. Should your company ever pay ransom? If your company thinks paying the ransom is the appropriate response (at least in some scenarios), get a sense of what the upper limit might be to save the company. Management won't want to have this discussion, but it's a good way to start a dead-serious dialogue about risk management.

  • (3) Ask management if your current business interruption insurance covers data ransom scenarios. If so, to what level? If not, it's time to investigate insurance coverage for this type of event.



2014: The Year Extortion Went Mainstream

Another must-read article from Brian Krebs. After discussing an ill-conceived and amateurish blackmail effort against restaurant owners, Krebs takes a closer look as to why we are seeing an increase in reported extortion attempts:

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”



US Supreme Court Rules Unanimously That Cellphone Searches Require A Warrant

This ruling has distinct implications for the concept of digital privacy if it signals that the Court will apply fundamentally different rules to searches of computers and cellular phones than the rules traditionally applied to searches of other forms of personal property.

Chief Justice John Roberts delivered the opinion of the court. Roberts wrote that cellphones are powerful tools that are able to store a "digital record of nearly every aspect" of people's lives. Consequently, they are different from almost anything police find on a person upon arrest. A search of a person's cellphone is far more invasive to one's privacy, Roberts said, than a search of the person's wallet or purse.

"It is no exaggeration to say that many of the more than 90% of American adults who own a cellphone keep on their person a digital record of nearly every aspect of their lives — from the mundane to the intimate," Roberts wrote.

Read the full opinion here.


DDoS + Breach = End of Business

Reports of data breaches involving extortion attempts are literally becoming a daily occurrence. In this case it led to source code hosting firm Code Spaces shutting its doors:

“[T]he DDoS attack against its servers and unauthorized access into the company's cloud control panel resulted in most of its data, backups, machine configurations and offsite backups being partially or completely deleted.

"Code Spaces will not be able to operate beyond this point," the company says. "The cost of resolving this issue to date and the expected cost of refunding customers who have been without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."

Link (and here and here).


$800,000 HIPAA Penalty for Leaving Boxes of Documents on Driveway

With all of the attention being paid to the Target and eBay breaches - justifiably - it is important to remember that data protection laws may extend to paper records as well.

Parkview employees, who had been notified that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue, according to the resolution agreement between OCR and Parkview.

"All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk," says Christina Heide, acting deputy director of health information privacy at OCR. "It is imperative that HIPAA covered entities and their
business associates protect patient information during its transfer and disposal."



Domino's Pizza data hackers demand ransom

Hackers have demanded a ransom of 30,000 euros ($40,706) from Domino's Pizza after stealing personal data on more than 600,000 customers in Belgium and France.

The hacker group, Rex Mundi, threatened that Domino's Pizza had until Monday at 8 p.m. to pay up, or the group would post all of the data — including customers' physical addresses — on the Internet. Domino's has not released an update on the breach, but a spokesperson said earlier this week that the company would not be paying the ransom and that financial data had not been stolen.

Unfortunately, this isn’t a new tactic and with the emergence of malware that encrypts the victim’s data it is only going to become more prevalent. I previously wrote about a $10 million ransom attempt against the Virginia Department of Health Professions that took place in 2009.



Nokia 'paid millions to software blackmailers six years ago'

Via Reuters:

MTV said that the blackmailers had acquired the encryption key for a core part of Nokia's Symbian software and threatened to make it public.

Had it done so anyone could then have written additional code for Symbian including possible malware which would have been indistinguishable from the legitimate part of the software, MTV said.

After the blackmail attempt Nokia contacted the police and agreed to deliver the cash to a parking lot in Tampere, central Finland. The money was picked up but the police lost track of the culprits, MTV said.



Ruling Raises Stakes for Cyberheist Victims

Small businesses take heed: Depending on the terms of your bank account you may be responsible for fraudulent ACH transfers. Background information is available here and here.

Regulatory agencies and courts need to start recognizing true two-factor authentication as more than mere guidance for high-risk transactions. Holding the plaintiffs responsible for the banks’ legal fees on top of losing their funds will have a chilling effect on future lawsuits.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court was unconvinced, and last week the 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.



P.F. Chang's Goes Manual After Card Breach

Restaurant chain P.F. Chang's China Bistro confirms it suffered a data breach that compromised credit and debit card numbers used by an unknown number of patrons. While the breach continues to be investigated, P.F. Chang’s has announced that it will use a manual imprinting system to process credit cards.

Some experts see a connection to last December’s Target breach:

But several security experts and cyber-intelligence researchers say they believe the chain suffered a malware attack similar to those that compromised the point-of-sale networks of U.S. retailers Target Corp., Neiman Marcus and Sally Beauty Holdings Corp.. Other experts, however, say it's too soon to tell what the cause of the latest breach was, and whether it was linked to any previous breaches.

But while the experts disagree about the details of this latest alleged breach, they agree it's time for retailers to tighten network security.

"It's really got the retail industry up in arms," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner. "CISOs are scared of getting fired, they are afraid of the consumer reaction and they're just trying to get a handle on all of this."


UPDATE (6/18/2014): Brian Krebs provides new information indicating that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn’t end until June 11. If true, the breach would predate the attack that compromised Target.

At nearly nine months, that’s slightly longer than the average amount of time before a breach is detected.


Cyber Insurance May Assist in Addressing Risk Posed by OpenSSL Vulnerabilities and Malware

The Department of Justice estimates that the GameOver Zeus malware has infected between 500,000 and 1,000,000 computers and so far caused “direct and indirect losses to consumers and businesses exceeding $100 million.” Antivirus software alone does not always prevent such infection; a leading antivirus developer recently stated that, as a result of advances in malicious code, antivirus software is now “dead.”

With technology capable of providing only partial security solutions, a proactive approach to address cyber risk should include evaluation of risk transfer mechanisms, such as insurance. In April 2014, members of Hunton & Williams LLP’s Insurance Counseling and Litigation and Global Privacy and Cybersecurity practices participated in a webinar regarding cyber insurance, discussing the nature of cyber risk and possible insurance solutions.

Listen to a recording of the seminar.


When Do Conduits Cross the HIPAA Business Associates Line?

The Legal Health Information Exchange has published a lengthy article that examines the boundaries of the HIPAA Conduit Exception as they apply to Business Associates (BAs) who also handle Personal Health Information (PHI). BAs were first explicitly brought under parts of HIPAA’s regulatory umbrella as a result of the 2009 HITECH Act, and more explicitly with the release of last year’s Omnibus Rule.

The Preamble to the Final HITECH Rule states:

“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services [and their electronic equivalents.]  As we have stated in prior guidance, a conduit transports information, but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law.”

Here’s a summary of the author’s conclusion.

Therefore, a HIPAA BA relationship is generally not implicated by an HIO, HISP or similar entity simply performing just fully encrypted data routing or transmission activities for a covered entity. A HIPAA BA relationship will, however, be found where such HIO, HISP or similar entity performs more than such limited activities, such as, for example, data aggregation, processing, hosting and transmission (other than as a conduit), encryption/decryption functions/management, record locator/querying functions, auditing and other oversight and governance functions requiring access to PHI, and creating data sets of de-identified information.

Read the whole article here.

Peek Inside a Professional Carding Shop

Brian Krebs takes us into the world of the business that takes place after the credit card information has been stolen.

Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.

I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.

Full article here.


WV Supreme Court: Health Data Breach Victims Have Standing to Sue

If other states adopt this ruling it would represent a fundamental shift in the rights of patients who suffered a loss of personal data. It would also factor into the risk analysis for covered entities and their business associates.

The most frequently relied upon defense against suits for damages for a release of personal information is that the plaintiff or class of plaintiffs lack standing because the harm they suffered as a result of the breach is conjectural or speculative.

The Court’s opinion held that representatives of the class of medical clinic patients whose names, contact details, social security numbers and medical information had been accidentally posted to a publicly accessible web site had standing to sue the clinic notwithstanding that no class representative had established that anyone had actually accessed the mistakenly released information and no one had suffered any quantifiable economic loss as a result.



Breaches take 7 months to detect; 67% of Companies Are Informed by 3rd party

Via CSO:

There is room for improvement – vast improvement – in the detection of breaches. A large majority of enterprises fail to detect breaches on their own – they find out about them from somebody else, as a couple of recent reports show.

The security firm Mandiant, now part of FireEye, reported recently that while the average time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days (more than seven months), the number of firms that detected their own breaches actually dropped, from 37% to 33%.

The results in a report from security firm Trustwave were more encouraging, at least for the time between intrusion and detection – it found the median was 87 days. But the ability of firms to detect malware in their systems on their own was only 29%, which Karl Sigler, Trustwave’s manager of threat intelligence, called “just a horrible statistic in general.”



Lawyers Are Failing At Secure File Sharing

According to the survey:

  • 77 percent include a confidentiality statement;
  • 22 percent encrypt emails;
  • 22 percent include a confidentiality statement in the subject line;
  • 17 percent require clients' written consent for transmission (compared to 13 percent that require oral consent);
  • 14 percent password protect documents;
  • 13 percent share links to documents shared on a secure site.

Why is this a problem? After all, it's not like clients' email accounts aren't password protected. You're not leaving the files on their door stoop, or on a table.

But in a way, you are. Take, for example, a family law dispute. You email important documents to a client. Her spouse, if he doesn't know her password already, probably knows the typical information required to gain access to the account (birth date, mother's maiden name, etc.). Or, even simpler: he's stopped by to pick up the kids and clicks around on her unattended computer.



Have a Reasonable Document Retention Policy? Then Follow it!

And if you don’t have a reasonable document retention policy, create one and follow it.

After finding out certain relevant e-mails had been deleted, PSC immediately motioned to compel discovery and impose sanctions on BIPI. The deleted e-mails were particularly relevant because they pertained to the drug-in-suit, Pradaxa, and were in the possession of an employee who supervised Pradaxa’s development. The Court even noted that “[t]here is no question that [the employee’s] custodial file would have included documents relevant to the instant litigation.”

However, BIPI contended that because they followed their document retention policy, which was deemed reasonable, they should be able to escape fault. As it turns out, BIPI was correct. In an opinion dated September 25, 2013, the Southern District of Illinois held that because BIPI had a reasonable document retention policy, which they fully complied with, sanctions were not warranted. BIPI’s document retention policy called for leaving “all of the employee’s email, user share and hard drive documents in place until 30 days after the employee’s final day with BIPI. After those 30 days, the documents are deleted…Further, when a litigation hold is released, the document retention policy is to delete all documents maintained exclusively under the hold within 24 hours.”



‘Using TrueCrypt Is Not Secure’

TrueCrypt, a popular free open source encryption solution, is being abandoned and is considered "harmful and no longer secure" by its developers.

But is that really the case? There are many theories surrounding why the development team abruptly quit. Hopefully an ongoing audit of the code will provide answers:

TrueCrypt has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden...

Green last year helped spearhead dual crowdfunding efforts to raise money for a full-scale, professional security audit of the software. That effort ended up pulling in more than $70,000 (after counting the numerous Bitcoin donations) — far exceeding the campaign’s goal and demonstrating strong interest and support from the user community. Earlier this year, security firm iSEC Partners completed the first component of the code review: an analysis of TrueCrypt’s bootloader (PDF).



eBay Demonstrates How Not to Respond to a Huge Data Breach

Companies need to have an incident response plan in place before the breach occurs. This kind of publicity only makes an already bad situation worse.

In the wake of eBay’s revelation earlier this week that it had lost as many as 145 million customers’ data, eBay users and security response professionals say they’ve been increasingly angered and amazed at the company’s ham-fisted public response to an incident that’s already sparked multiple government investigations. EBay’s mistakes include taking days to post a notice about the breach on eBay.com and confusing users as to whether their PayPal accounts had also been affected. As of Friday afternoon, many–if not the majority–of the site’s users still had received no email notification about the breach.

“It just seems like their response has been complete disarray and disorganization,” says Dave Kennedy, the CEO of security consultancy and breach response firm TrustedSec. “This is one of the worst responses I’ve seen in the past ten years from a company that’s experienced a breach.”



Network Engineer Sentenced to Four Years for Destroying Company Data

Having a written Employee Termination Checklist designed to flag the many operational issues involved in wrapping up an individual’s employment with the company is not only common sense, it’s an important part of a holistic data protection strategy.

Before his access to EnerVest was terminated, Mitchell went to the office after business hours, disconnected critical pieces of computer-network equipment and disabled the equipment's cooling system. EnerVest was unable to fully communicate or conduct business operations for nearly 30 days.

The company spent hundreds of thousands of dollars trying to recover historical data from its network servers. Some data was lost forever.



Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis

Companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.

When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million—to what they would like to spend—an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.

You can download the complete report.


The Target Breach: By the Numbers

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 Million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

18.00 – 35.70 – The median price range (in dollars) per card stolen from Target and resold on the black market (the range covers the median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).

53.7 Million – The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).

Check out more startling stats at Krebs On Security.


Updated Mintz Matrix Detailing State Data Breach Notice Laws Available

Mintz has updated their “Mintz Matrix”, a tidy summary of the U.S. state data breach notification laws.

This update includes new information about Kentucky and Iowa laws.

The Mintz Matrix is available here.


2014 Verizon Data Breach Investigations Report

Verizon's annual data-breach investigations report makes a strong case for behavioral analytics technology that looks for anomalies among user activity to spot hackers.

Such technology could help detect the use of stolen credentials, which were one of two ways most Web applications were compromised, according to the report released Tuesday. The other way was exploiting a weakness in the application.

Read the full report


F5 Security Gurus Discuss Heartbleed

Many major corporations and banks use F5 Application Delivery Controllers in their data centers to provide various security and load balancing services to their mission critical sites.

Fortunately, because F5 uses a custom version of OpenSSL, it appears that only a few configurations leave F5 devices vulnerable themselves or pass Heartbleed requests through to backend servers running affected versions of OpenSSL. That should give network engineers some breathing room to patch the affected backend systems and then replace the keys and certificates on them.

In this video the F5 security team discusses the vulnerability and takes live questions from an online forum. (F5 is a former employer).


Would a Proprietary OpenSSL Have Been More Secure than Open Source?

I’m a proponent of open-source software, but in the wake of Heartbleed this is an issue that should at least be revisited. I think the author takes an honest look at the questions that should be asked.

“The OpenSSL Heartbleed vulnerability has resurrected the age-old debate of whether or not open source code is more or less secure than proprietary code. Before putting on your open source or proprietary jerseys and launching into this (frankly not-very-productive) fight, first consider a few things.”

Read the whole article here.


Report: Healthcare has seen a 13 percent increase in botnet activity

Using real-world case studies and findings from over 3 billion analyzed attacks, the 2014 NTT Global Threat Intelligence Report (GTIR) demonstrates strategies to minimize threat impact and compress the threat mitigation timeline. Among key findings of the study:

* The cost for a "minor" SQL injection attack can exceed $196,000;
* Anti-virus applications fail to detect 54 percent of new malware;
* Healthcare has seen a 13 percent increase in botnet activity.

Read the full report


Stephen Colbert's Fantastic Take on the Heartbleed Vulnerability

Stephen should look into getting a new tech expert.



‘Heartbleed’ Bug Exposes Passwords, Web Site Encryption Keys

Oh my. The potential ramifications...

This vulnerability is unusual because the order of remediation matters. If a site's private keys and certificates have to be replaced, users must wait to change their passwords until the site has patched OpenSSL and rotated its keys and certificates. Otherwise the new password can be captured the same way the old one was.

Jamie Blasco, director of AlienVault Labs, said this bug has “epic repercussions” because not only does it expose passwords and cryptographic keys, but in order to ensure that attackers won’t be able to use any data that does get compromised by this flaw, affected providers have to replace the private keys and certificates after patching the vulnerable OpenSSL service for each of the services that are using the OpenSSL library.
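The reason a password changed on an unpatched server is no safer than the old one is visible in the bug itself: the heartbeat handler copied as many bytes as the client claimed, not as many as it sent. The following is an added illustration, not code from the article or from OpenSSL, that models the unpatched and the patched handler side by side on a constructed heartbeat message (RFC 6520 layout: type, 16-bit payload length, payload, at least 16 bytes of padding). The "adjacent memory" holding a login request is constructed sample data standing in for whatever happened to follow the record in the process heap.

```python
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_MIN = 16  # RFC 6520 requires at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """Serialise a HeartbeatMessage: type(1) | payload_length(2) | payload | padding.

    claimed_length defaults to the true payload length; pass a larger value to
    model the malicious request, which lies about how much payload it carries."""
    if claimed_length is None:
        claimed_length = len(payload)
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING_MIN


def vulnerable_reply(record: bytes, adjacent_memory: bytes) -> bytes:
    """Unpatched behaviour: trust payload_length and copy that many bytes starting
    at the payload, running past the end of the record into whatever follows it."""
    _, payload_length = struct.unpack("!BH", record[:3])
    heap = record + adjacent_memory        # the record sits in front of other heap data
    echoed = heap[3:3 + payload_length]    # no check that the payload fits in the record
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * PADDING_MIN


def patched_reply(record: bytes, adjacent_memory: bytes) -> Optional[bytes]:
    """Patched behaviour: discard the message when the claimed payload cannot fit
    (type + length + payload + minimum padding must not exceed the record length)."""
    if len(record) < 3:
        return None
    _, payload_length = struct.unpack("!BH", record[:3])
    if 1 + 2 + payload_length + PADDING_MIN > len(record):
        return None                        # silently discard, as RFC 6520 requires
    echoed = record[3:3 + payload_length]  # bounded by the check above
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * PADDING_MIN


def response_payload(reply: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, payload_length = struct.unpack("!BH", reply[:3])
    return reply[3:3 + payload_length]


# Constructed sample: data that happened to sit next to the heartbeat record in memory.
ADJACENT_MEMORY = (
    b"POST /login HTTP/1.1\r\nHost: portal.example\r\n\r\n"
    b"user=alice&password=hunter2\r\n" + b"\x00" * 200
)

if __name__ == "__main__":
    honest = build_heartbeat(b"ping")
    malicious = build_heartbeat(b"ping", claimed_length=2000)
    print("honest/patched  :", response_payload(patched_reply(honest, ADJACENT_MEMORY)))
    print("malicious/vuln  :", response_payload(vulnerable_reply(malicious, ADJACENT_MEMORY))[:80])
    print("malicious/patch :", patched_reply(malicious, ADJACENT_MEMORY))
```

An honest 4-byte "ping" is echoed by both handlers. The malicious request claims 2000 bytes, and the unpatched handler obligingly returns the padding plus the login request that followed the record in memory; the patched handler drops the message. A private key or a freshly typed password sitting in that memory leaks just the same, which is why the patch must land before keys, certificates and passwords are rotated.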



OCR Releases HIPAA Security Assessment Tool

Last week the Department of Health and Human Services released a tool to assist covered entities in complying with the HIPAA Security Rule requirement to conduct a risk assessment. The tool is aimed at small to medium health care providers, and was developed jointly by OCR and the HHS Office of the National Coordinator for Health Information Technology (“ONC”).

The Security Rule applies to HIPAA “covered entities”—which include health plans, health care clearinghouses, and most health care providers—that handle electronic protected health information (ePHI). The Security Rule also applies to “business associates” that perform functions or services on behalf of covered entities involving ePHI. The Rule requires covered entities and business associates to conduct a risk assessment to identify possible gaps in their information security programs in order to help ensure that patient information is protected against data breaches or other security events.

It follows the National Institute of Standards and Technology’s development of a similar toolkit, and contains 156 questions and resources that are designed to help health care providers.

More information and downloads are available here.


Minnesota School District To Pay $70,000 For Accessing Student's Facebook Account

This one seemed fairly obvious, and a settlement was likely the only course of action for the school.

Riley was 13, in sixth grade, when she posted on Facebook two years ago that she hated a school hall monitor because she was mean. After school officials called her in and leveled an in-school suspension for what she said on social media, she went back on Facebook and asked who snitched.

“I was a little mad at whoever turned me in ’cause it was outside school when it happened,” Riley said in a telephone interview from her central Minnesota home in Glenwood.


Court: Sony Insurer Has No Duty To Defend/Indemnify $2 Billion Breach

Companies maintaining personal data had better pay attention to the fine print of their insurance policies. Sony, three years after the breach and facing up to $2 billion in losses, is learning this the hard way.

From Insurance Journal:

“A New York trial court recently ruled in a commercial general liability (CGL) policy coverage case that Zurich American Insurance Co. has no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services.

The data breach had exposed personal information of tens of millions of users, and Sony’s losses are estimated to be as high as $2 billion.

In his bench ruling last month, Justice Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.”



Are Credit Monitoring Services Worth It?

More interesting insights from Brian Krebs as he discusses the effectiveness of credit monitoring/protection services.

Having purchased credit monitoring/protection services for the past 24 months — and having been the target of multiple identity theft attempts — I feel somewhat qualified to share my experience with readers. The biggest takeaway for me has been that although these services may alert you when someone opens or attempts to open a new line of credit in your name, most will do little — if anything — to block that activity. My take: If you’re being offered free monitoring, it probably can’t hurt to sign up, but you shouldn’t expect the service to stop identity thieves from ruining your credit.

Read the whole article

Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records

Wow. Just wow.

Posing as a private investigator operating out of Singapore, Ngo contracted with Court Ventures, paying for his access to consumer records via regular cash wire transfers from a bank in Singapore. Through that contract, Ngo was able to make available to his clients access to the US Info Search database containing Social Security, date of birth and other records on more than 200 million Americans.

Experian came into the picture in March 2012, when it purchased Court Ventures (along with all of its customers — including Mr. Ngo). For almost ten months after Experian completed that acquisition, Ngo continued siphoning consumer data and making his wire transfers.

Until last week, the government had shared few details about the scope and the size of the data breach, such as how many Americans may have been targeted by thieves using Ngo’s identity theft service. According to a transcript of Ngo’s guilty plea proceedings obtained by KrebsOnSecurity, Ngo’s ID theft business attracted more than 1,300 customers who paid at least $1.9 million between 2007 and Feb. 2013 to look up Social Security numbers, dates of birth, addresses, previous addresses, phone numbers, email addresses and other sensitive data.

Much more here.


ABA asks NSA how it handles attorney-client privileged information in intelligence work

OK, NSA. It was all fun and games until the lawyers discovered that you were also spying on privileged attorney-client information.

Now it's fun and games with infinitely more paperwork.



Cryptolocker scrambles U.S. law firm's entire cache of legal files

We are going to see more small and medium sized businesses with poor security/backup processes be affected by malware like this.

The email infected a company server holding thousands of important documents after an email with a malicious attachment was mistaken for a message sent from the firm's phone answering service.

That error left every single document used by the firm on its main server in an encrypted state, including Word, WordPerfect and PDF files, said Goodson's owner, Paul M. Goodson.

"The virus also warned if you tried to tamper or decrypt anything, it was going to be permanently locked and you could never open it," Goodson said.

After IT staff were unable to make any headway against the malware's encryption, Goodson tried to pay the ransom but discovered that the grace period - another nasty aspect of Cryptolocker - had expired.

Read the full article

ABA survey: lawyers at most large firms unaware of data breaches

A recent American Bar Association survey, Security Snapshots: Threats and Opportunities, conducted by the ABA's Legal Technology Resource Center, asserts that "Fully 70% of large firm respondents reported that they didn't know if their firm had experienced a security breach." The survey findings also implied a systemic, widespread lack of information security best practices across the industry.

Because of the sensitive data handled by law firms, they're a critical and oft-overlooked weak link in the "Cybersecurity chain," according to Inside Cybersecurity.


SANS: The 6 Categories of Critical Log Information

To the network admins out there: Here’s a document from the esteemed Dr. Anton Chuvakin that is definitely worth looking at.

The document linked in the article can be used to figure out what to log, what to report on and what reports to review for various purposes. At its center are these top log report categories:

  1. Authentication and Authorization Reports
  2. Systems and Data Change Reports
  3. Network Activity Reports
  4. Resource Access Reports
  5. Malware Activity Reports
  6. Failure and Critical Error Reports

Link.
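To show what sorting raw logs into those six categories looks like in practice, here is an added example (my own, not from the SANS document or Dr. Chuvakin) that classifies syslog-style lines with one pattern list per category and then drills into the authentication bucket for brute-force sources. The log lines are constructed for the example, and the regexes are illustrative starting points that you would extend for your own log sources.

```python
import re
from collections import Counter, defaultdict

# One pattern list per SANS category. Order matters: the first category that
# matches wins, so an authentication failure is reported as an auth event and
# not as a generic "failure". These patterns are assumptions for the example.
CATEGORY_PATTERNS = {
    "Authentication and Authorization": [
        r"Accepted (password|publickey) for",
        r"Failed password for",
        r"sudo: .*COMMAND=",
        r"authentication failure",
    ],
    "Systems and Data Change": [
        r"useradd\[|usermod\[|groupadd\[",
        r"Installed: ",
        r"(changed|modified) .*/etc/",
    ],
    "Network Activity": [
        r"iptables|UFW BLOCK",
        r"DPT=\d+",
        r"connection from",
    ],
    "Resource Access": [
        r'"(GET|POST|PUT|DELETE) [^"]+" \d{3}',
    ],
    "Malware Activity": [
        r"clamd|ClamAV|FOUND$",
        r"virus|malware|trojan",
    ],
    "Failure and Critical Error": [
        r"kernel: .*(Out of memory|segfault)",
        r"\b(CRIT|EMERG|error|failed)\b",
    ],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in CATEGORY_PATTERNS.items()}


def classify(line: str) -> str:
    """Return the first category whose patterns match the line, else 'Unclassified'."""
    for category, patterns in COMPILED.items():
        if any(p.search(line) for p in patterns):
            return category
    return "Unclassified"


def build_report(lines):
    """Bucket lines by category and count them. Unclassified lines are kept so the
    pattern lists can be tuned; an empty bucket for a category is itself a finding."""
    buckets = defaultdict(list)
    for line in lines:
        buckets[classify(line)].append(line)
    counts = Counter({cat: len(v) for cat, v in buckets.items()})
    return counts, buckets


def brute_force_sources(lines, threshold: int = 5):
    """Authentication-report drill-down: source addresses with >= threshold failed logins."""
    fails = Counter()
    for line in lines:
        m = re.search(r"Failed password for (?:invalid user )?\S+ from (\S+)", line)
        if m:
            fails[m.group(1)] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


# Constructed sample log (hosts, users and addresses are made up for the example).
SAMPLE_LOG = [
    "Apr 10 08:01:02 vpn1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Apr 10 08:01:05 vpn1 sshd[2232]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Apr 10 08:01:08 vpn1 sshd[2233]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Apr 10 08:01:11 vpn1 sshd[2234]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "Apr 10 08:01:14 vpn1 sshd[2235]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2",
    "Apr 10 08:01:40 vpn1 sshd[2240]: Accepted publickey for jsmith from 198.51.100.4 port 50102 ssh2",
    "Apr 10 08:02:11 vpn1 sudo:   jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config",
    "Apr 10 08:03:00 app1 useradd[3001]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup",
    "Apr 10 08:03:30 fw1 kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=445",
    'Apr 10 08:04:05 web1 nginx: 198.51.100.4 - - "GET /patients/export.csv HTTP/1.1" 200 934112',
    "Apr 10 08:05:17 mail1 clamd[412]: /var/spool/quarantine/invoice.zip: Win.Trojan.Agent-1234 FOUND",
    "Apr 10 08:06:44 db1 kernel: Out of memory: Kill process 2210 (postgres) score 900",
    "Apr 10 08:07:00 app1 cron[455]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    counts, buckets = build_report(SAMPLE_LOG)
    for category in list(CATEGORY_PATTERNS) + ["Unclassified"]:
        print(f"{counts[category]:3d}  {category}")
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
```

Run against the sample, the report shows seven authentication events, one line in each of the other five categories, and one cron line that no pattern claims. That last bucket is the point of keeping an "Unclassified" category: it tells you which log sources your reports are silently ignoring. The drill-down flags 203.0.113.7 after five failures, the kind of threshold-based view the first category's reports are meant to surface.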


Doctor Sued for Posting Pictures of Drunk Model on Facebook

The reprehensible behavior displayed by this doctor violates basic human decency, and likely won’t be corrected by HIPAA laws or an employee training program.

A former Northwestern University student claims that after she was admitted to an Illinois hospital for extreme intoxication, a doctor there took photos of her and posted them to social media sites with commentary about her condition.
. . .
Approximately 15 minutes after she had regained consciousness, Puppala, who was on duty at the time and knew Chernyakova through a mutual friend, visited her hospital room, according to the complaint.

He allegedly asked to view her medical records, and returned several hours later to take photographs of her "while she was on the hospital bed, crying and attached to an IV," according to the complaint. He then posted these photographs on Instagram and Facebook, accompanied by "attached statements of commentary" about Chernyakova's condition, according to the complaint.

Puppala refused to delete the photographs when he was asked to do so by hospital security, according to the complaint.



A Sampling of HIPAA Fines and How They Could Have Been Avoided

Yesterday I posted a terrific article from Krystyna Monticello of Legal Health Information Exchange that discussed Affinity Health’s $1.2M settlement after improperly disposing of photocopiers that contained PHI.

At the bottom of that same article Krystyna summarizes a number of recent data breach settlements and the causes behind the breaches. It deserves its own post and should serve as a warning to any HIPAA covered entity or business associate responsible for storing or handling PHI.

How These Breaches and Fines Could Have Been Avoided:

  (1) Address the need for encryption for everything with PHI (laptops, mobile devices, photocopiers).
    • Idaho Hospice ($50K)
    • Providence Health ($100K)
    • Mass Eye/Ear ($1.5M)
    • Alaska DHSS ($1.7M)

  (2) Dispose of ePHI properly.
    • CVS ($2.25M)
    • Rite Aid ($1M)

  (3) Do not remove PHI or ePHI from your facilities without assessing the risks and safeguarding it.
    • Mass General ($1.5M)

  (4) Choose your Business Associates wisely (and have written BAAs with them).
    • BCBS Tennessee ($1.5M)
    • Arizona Cardiologists ($100K)

  (5) Conduct COMPLETE risk assessments that address all ePHI no matter where it may be located (and update them as needed).
    • BCBS Tennessee ($1.5M)
    • Idaho State ($400K)
    • Arizona Cardiologists ($100K)
    • Wellpoint ($1.7M)

  (6) Have written policies (and actually implement them).
    • Rite Aid ($1M)
    • CVS ($2.25M)
    • Cignet Maryland ($4.3M)
    • Mass General ($1.5M)

  (7) COOPERATE with OCR!
    • Cignet Maryland ($4.3M)


Copiers result in $1.2 million settlement and CAP for Affinity Health

More from the Legal Health Information Exchange:

Affinity had reported the breach after it was informed by CBS Evening News that confidential medical information was on the hard drive of a photocopier previously leased by Affinity. Originally estimated at over 400,000 affected individuals, as reported by DataBreaches.net, OCR noted in its press release regarding the Resolution Agreement that up to 344,579 individuals were reported as potentially affected by the breach.

CBS had purchased the copier along with three others as part of an investigatory report on digital photocopiers and identity theft.

The settlement includes a Corrective Action Plan (CAP) stating that Affinity must, within five days, use "best efforts" to retrieve all photocopier hard drives that were previously leased and safeguard all ePHI maintained therein.

Ouch. Read the full article here.


Document Disposal Company Responsible for old Patient Records found in Park

From the Legal Health Information Exchange:

Over 277,000 patients were notified by Texas Health Harris Methodist Hospital in Fort Worth ("Texas Health Fort Worth") earlier this month of a breach of their health information.  Only patients seen between 1980 and 1990 whose records were maintained on microfiche are affected or potentially affected by the breach.

Texas Health Fort Worth's business associate, document destruction company Shred-It, was contracted to dispose of the old microfiche records. As reported by the Star-Telegram, because the microfiche could not be destroyed on-site, Shred-It was to transfer them to another facility for destruction.

Somehow "lost" or misdirected during transit, the records found themselves in a park where a concerned citizen found them and contacted the Dallas police.


Survey Reports High Percentage of Employee Misuse and Theft of Company Data

Littler Mendelson P.C. reminds us that data protection isn’t just about addressing external threats:

A recent study by independent data privacy research firm Ponemon Institute of 3,317 individuals in six industrialized countries found that employees are moving intellectual property, including trade secrets, outside their companies in all directions. 

Over half of those surveyed admitted they had emailed business documents to their personal email accounts; 41% said they do this at least once a week. The same percentage of respondents confessed they downloaded company IP to personally-owned tablets or smartphones. A majority of those surveyed did not believe this was “wrong.”