Spears Legal Technology


This blog is a resource guide for informational purposes only, and not the delivery of legal, technical or other professional advice. Using the information provided on this blog does not constitute an attorney-client relationship. If you need legal advice, please consult your lawyer.

Costs of a Data Breach

Target to book $148M in 2Q related to data breach expenses.

Target announced in a press release yesterday that the company will book $148 million in expenses in its second quarter results stemming from last year's massive data breach:

During fourth quarter 2013, Target experienced a data breach in which an intruder gained unauthorized access to its network and stole certain payment card and other guest information. In second quarter 2014, the Company expects to record gross breach-related expenses of $148 million, partially offset by the recognition of a $38 million insurance receivable. Expenses for the quarter include an increase to the accrual for estimated probable losses for what the Company believes to be the vast majority of actual and potential breach-related claims, including claims by payment card networks.



2014: The Year Extortion Went Mainstream

Another must-read article from Brian Krebs. After discussing an ill-conceived and amateurish blackmail effort against restaurant owners, Krebs takes a closer look as to why we are seeing an increase in reported extortion attempts:

Fueled largely by the relative anonymity of cryptocurrencies like Bitcoin, extortion attacks are increasingly being incorporated into all manner of cyberattacks today. Today’s thieves are no longer content merely to hijack your computer and bandwidth and steal all of your personal and financial data; increasingly, these crooks are likely to hold all of your important documents for ransom as well.

“In the early days, they’d steal your credit card data and then threaten to disclose it only after they’d already sold it on the underground,” said Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training firm. “But today, extortion is the fastest way for the bad guys to make money, because it’s the shortest path from cybercrime to cash. It’s really a great crime for the criminals.”



DDoS + Breach = End of Business

Reports of data breaches involving extortion attempts are becoming a daily occurrence. In this case it led to source code hosting firm Code Spaces shutting its doors:

“[T]he DDoS attack against its servers and unauthorized access into the company's cloud control panel resulted in most of its data, backups, machine configurations and offsite backups being partially or completely deleted.

"Code Spaces will not be able to operate beyond this point," the company says. "The cost of resolving this issue to date and the expected cost of refunding customers who have been without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility."

Link (and here and here).


$800,000 HIPAA Penalty for Leaving Boxes of Documents on Driveway

With all of the attention being paid to the Target and eBay breaches - justifiably - it is important to remember that data protection laws may extend to paper records as well.

Parkview employees, who had been notified that the physician was not at home, left 71 cardboard boxes of these medical records unattended and accessible to unauthorized persons on the driveway of the physician's home, within 20 feet of the public road and a short distance away from a heavily trafficked public shopping venue, according to the resolution agreement between OCR and Parkview.

"All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk," says Christina Heide, acting deputy director of health information privacy at OCR. "It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal."



Domino's Pizza data hackers demand ransom

Hackers have demanded a ransom of 30,000 euros ($40,706) from Domino's Pizza after stealing personal data on more than 600,000 customers in Belgium and France.

The hacker group, Rex Mundi, threatened that Domino's Pizza had until Monday at 8 p.m. to pay up, or the group would post all of the data — including customers' physical addresses — on the Internet. Domino's has not released an update on the breach, but a spokesperson said earlier this week that the company would not be paying the ransom and that financial data had not been stolen.

Unfortunately, this isn’t a new tactic and with the emergence of malware that encrypts the victim’s data it is only going to become more prevalent. I previously wrote about a $10 million ransom attempt against the Virginia Department of Health Professions that took place in 2009.



Nokia 'paid millions to software blackmailers six years ago'

Via Reuters:

MTV said that the blackmailers had acquired the encryption key for a core part of Nokia's Symbian software and threatened to make it public.

Had it done so anyone could then have written additional code for Symbian including possible malware which would have been indistinguishable from the legitimate part of the software, MTV said.

After the blackmail attempt Nokia contacted the police and agreed to deliver the cash to a parking lot in Tampere, central Finland. The money was picked up but the police lost track of the culprits, MTV said.



Ruling Raises Stakes for Cyberheist Victims

Small businesses take heed: Depending on the terms of your bank account you may be responsible for fraudulent ACH transfers. Background information is available here and here.

Regulatory agencies and courts need to start recognizing true two-factor authentication as more than mere guidance for high-risk transactions. Holding the plaintiffs responsible for the banks’ legal fees on top of losing their funds will have a chilling effect on future lawsuits.

BancorpSouth’s most secure option for Internet-based authentication at the time was “dual control,” which required the customer to have one user ID and password to approve a wire transfer and another user ID and password to release the same wire transfer. The other option — if the customer chose not to use dual control — required one user ID and password to both approve and release a wire transfer.

Choice Escrow’s lawyers argued that because BancorpSouth allowed wire or funds transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC), which warned that single-factor authentication as the only control mechanism is inadequate for high-risk transactions involving the movement of funds to other parties.

A trial court was unconvinced, and last week the 8th Circuit Court of Appeals found essentially the same thing, while leaning even more toward the defendants.



Cyber Insurance May Assist in Addressing Risk Posed by OpenSSL Vulnerabilities and Malware

The Department of Justice estimates that the GameOver Zeus malware has infected between 500,000 and 1,000,000 computers and so far caused “direct and indirect losses to consumers and businesses exceeding $100 million.” Antivirus software alone does not always prevent such infection; a leading antivirus developer recently stated that, as a result of advances in malicious code, antivirus software is now “dead.”

With technology capable of providing only partial security solutions, a proactive approach to address cyber risk should include evaluation of risk transfer mechanisms, such as insurance. In April 2014, members of Hunton & Williams LLP’s Insurance Counseling and Litigation and Global Privacy and Cybersecurity practices participated in a webinar regarding cyber insurance, discussing the nature of cyber risk and possible insurance solutions.

Listen to a recording of the seminar.


Peek Inside a Professional Carding Shop

Brian Krebs takes us into the world of the business that takes place after the credit card information has been stolen.

Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.

I’ve put together a slideshow (below) that steps through many of the updates that have been added to this shop since its inception. One big takeaway from this slideshow is that many shops are now categorizing their goods for sale by the state or region of the victim company.

Full article here.


Breaches take 7 months to detect; 67% of Companies Are Informed by 3rd party

Via CSO:

There is room for improvement – vast improvement – in the detection of breaches. A large majority of enterprises fail to detect breaches on their own – they find out about them from somebody else, as a couple of recent reports show.

The security firm Mandiant, now part of FireEye, reported recently that while the average time it took to detect breaches declined slightly from 2012 to 2013, from 243 to 229 days (more than seven months), the number of firms that detected their own breaches actually dropped, from 37% to 33%.

The results in a report from security firm Trustwave were more encouraging, at least for the time between intrusion and detection – it found the median was 87 days. But the ability of firms to detect malware in their systems on their own was only 29%, which Karl Sigler, Trustwave’s manager of threat intelligence, called “just a horrible statistic in general.”



eBay Demonstrates How Not to Respond to a Huge Data Breach

Companies need to have an incident response plan in place before the breach occurs. This kind of publicity only makes an already bad situation worse.

In the wake of eBay’s revelation earlier this week that it had lost as many as 145 million customers’ data, eBay users and security response professionals say they’ve been increasingly angered and amazed at the company’s ham-fisted public response to an incident that’s already sparked multiple government investigations. EBay’s mistakes include taking days to post a notice about the breach on eBay.com and confusing users as to whether their PayPal accounts had also been affected. As of Friday afternoon, many–if not the majority–of the site’s users still had received no email notification about the breach.

“It just seems like their response has been complete disarray and disorganization,” says Dave Kennedy, the CEO of security consultancy and breach response firm TrustedSec. “This is one of the worst responses I’ve seen in the past ten years from a company that’s experienced a breach.”



Ponemon Institute Releases 2014 Cost of Data Breach: Global Analysis

Companies had to spend more on their investigations, notification and response when their sensitive and confidential information was lost or stolen. As revealed in the 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost to a company was $3.5 million in US dollars and 15 percent more than what it cost last year.

When asked about the level of investment in their organizations’ security strategy and mission, on average respondents would like to see it doubled from what they think will be spent—an average of $7 million to what they would like to spend—an average of $14 million. This may be a tough sell in many companies. However, our cost of data breach research can help IT security executives make the case that a strong security posture can result in a financially stronger company.
You can download the complete report.


The Target Breach: By the Numbers

46 – The percentage drop in profits at Target in the fourth quarter of 2013, compared with the year before.

200 Million – Estimated dollar cost to credit unions and community banks for reissuing 21.8 million cards — about half of the total stolen in the Target breach.

18.00 – 35.70 – The median price range (in dollars) per card stolen from Target and resold on the black market (range covers median card price on Feb. 19, 2014 vs. Dec. 19, 2013, respectively).

53.7 Million – The income that hackers likely generated from the sale of 2 million cards stolen from Target and sold at the mid-range price of $26.85 (the median price between $18.00 and $35.70).

Check out more startling stats at Krebs On Security.


Updated Mintz Matrix Detailing State Data Breach Notice Laws Available

Mintz has updated their “Mintz Matrix”, a tidy summary of the U.S. state data breach notification laws.

This update includes new information about Kentucky and Iowa laws.

Mintz Matrix is available here.


Court: Sony Insurer Has No Duty To Defend/Indemnify $2 Billion Breach

Companies maintaining personal data had better pay attention to the fine print of their insurance policies. Sony, three years after the breach and facing up to $2 billion in losses, is learning this the hard way.

From Insurance Journal:

“A New York trial court recently ruled in a commercial general liability (CGL) policy coverage case that Zurich American Insurance Co. has no duty to defend Sony Corp. of America and Sony Computer Entertainment America in litigation stemming from the April 2011 hacking of Sony Corp.’s PlayStation online services.

The data breach had exposed personal information of tens of millions of users, and Sony’s losses are estimated to be as high as $2 billion.

In his bench ruling last month, Justice Oing said acts by third-party hackers do not constitute “oral or written publication in any manner of the material that violates a person’s right of privacy” in the Coverage B (personal and advertising injury coverage) under the CGL policy issued by Zurich.”



A Sampling of HIPAA Fines and How They Could Have Been Avoided

Yesterday I posted a terrific article from Krystyna Monticello of Legal Health Information Exchange that discussed Affinity Health’s $1.2M settlement after improperly disposing of photocopiers that contained PHI.

At the bottom of that same article Krystyna summarizes a number of recent data breach settlements and the causes behind the breaches. It deserves its own post and should serve as a warning to any HIPAA covered entity or business associate responsible for storing or handling PHI.

  • How These Breaches and Fines Could Have Been Avoided:
  • (1) Address need for encryption for everything with PHI (laptops, mobile devices, photocopiers).
    • Idaho Hospice ($50K)
    • Providence Health ($100K)
    • Mass Eye/Ear ($1.5M)
    • Alaska DHSS ($1.7M)

  • (2) Dispose of ePHI properly
    • CVS ($2.25M)
    • Rite Aid ($1M)

  • (3) Do not remove PHI or ePHI from your facilities without assessing the risks and safeguarding it
    • Mass General ($1.5M)

  • (4) Choose your Business Associates wisely (and have written BAAs with them)
    • BCBS Tennessee ($1.5M)
    • Arizona Cardiologists ($100K)

  • (5) Conduct COMPLETE risk assessments that address all ePHI no matter where it may be located (and update them as needed)
    • BCBS Tennessee ($1.5M)
    • Idaho State ($400K)
    • Arizona Cardiologists ($100K)
    • Wellpoint ($1.7M)

  • (6) Have written policies (and actually implement them)
    • Rite Aid ($1M)
    • CVS ($2.25M)
    • Cignet Maryland ($4.3M)
    • Mass General ($1.5M)

  • (7) COOPERATE with OCR!
    • Cignet Maryland ($4.3M)


Copiers result in $1.2 million settlement and CAP for Affinity Health

More from the Legal Health Information Exchange:

Affinity had reported the breach after it was informed by CBS Evening News that confidential medical information was on the hard drive of a photocopier previously leased by Affinity. Originally estimated at over 400,000 affected individuals, as reported by DataBreaches.net, OCR noted in its press release regarding the Resolution Agreement that up to 344,579 individuals were reported as potentially affected by the breach.

CBS had purchased the copier along with three others as part of an investigatory report on digital photocopiers and identity theft.

The settlement includes a Corrective Action Plan (CAP) stating that Affinity must use "best efforts" to retrieve all photocopier hard drives that were previously leased and safeguard all ePHI maintained therein, within five days.

Ouch. Read the full article here.


U.K. fines Sony $400,000 for 2011 breach

I talked a bit about Sony’s breach here a couple of years ago. The company is still dealing with the repercussions, and the statement was rather damning.

"If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority. In this case that just didn't happen, and when the database was targeted - albeit in a determined criminal attack - the security measures in place were simply not good enough," David Smith, deputy information commissioner and director of data protection, said in a statement announcing the fine.



"ATTENTION VIRGINIA I have your sh**!"

In April of 2009 a hacker infiltrated the network of the Virginia Department of Health Professions and stole over eight million patient records and 35 million prescriptions. The hacker posted a note on another site which read:

"ATTENTION VIRGINIA I have your sh**! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh :("

The note went on to demand $10 million within seven days, after which he threatened to put the information up to the highest bidder. Virginia officials determined they did have a proper backup and did not pay the ransom. However, Virginia notified only the 530,000 individuals whose records were believed to contain social security numbers rather than all eight million patients affected by the breach. That means almost 7.5 million consumers were not alerted to the risk that their medical data may have been compromised.

In one way Virginia officials were lucky. Had the incident occurred just five months later - after HITECH's breach notification rule went into effect - the Virginia Department of Health would have been required to notify all 8.2 million patients of the incident, and incur the associated costs. Those costs aren't trivial: 2011 estimates suggest a data breach costs $214 per compromised record and averages $7.2 million per data breach event.

Under the HITECH Act, covered entities and business associates must follow the data breach notification reporting obligations when there is a breach of unsecured protected health information (PHI). So what does "secured PHI" look like? The DHHS has issued guidance that amounts to a rather narrow window, as there are only two methods identified that would render patient data unusable, unreadable, and indecipherable: encryption and destruction.

Or looking at this another way, covered entities and business associates that would otherwise be obligated to follow HITECH's breach notification requirements have two "safe harbors" available: encrypting or destroying the data prior to the breach.



The Tornado That Ripped Through Sony

Sony recently announced that the company expects to spend at least $171 million as a result of the massive data breaches that have plagued it since April. As a point of comparison, the damage from last month's tornado that hit Minneapolis has been estimated at $166 million.

There is an analogy in there somewhere.

But unlike the good folks of North Minneapolis, many of whom lost everything, Sony had the ability to prevent the type of damage that resulted in the high costs. The hackers used a simple technique that has been around forever to gain access to the data, and security experts are suggesting that Sony didn't even meet the most basic security requirements such as encrypting user information. As the hackers who claimed responsibility for the attacks asked, "Why do you put such faith in a company that allows itself to become open to these simple attacks?"

Good question. Here's another:

What would the costs be if your organization suffered a data breach? For a quick and dirty estimate, try out the online Data Breach Calculator. If you want to take a more detailed look at the costs associated with data breaches, check out the Ponemon Institute's 2010 U.S. Cost of a Data Breach.