Cyber Risk Update for Construction Companies

Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from committing fraud.  They are getting more and more sophisticated in their deceptions, and targeting those areas they see as ‘weak links.’

Construction companies however face a particular threat, as there are a number of services and private and government web sites to which companies can subscribe to learn about construction projects that are open to bid. Often, the winning bidder ends up becoming public knowledge – either because that information is posted publicly, or because the contract company advertises they were awarded the project. And of course, these contracts always carry a price tag that is attractive to scammers.

Fraudsters can use information from these same web sites along with other research to learn which construction companies have applied for and ultimately won bids. The higher the price tag, the bigger the target. Once the scammers get their fake web site set up (they can use tools to copy the real contractor’s web site almost exactly), they’ll then send an email to the victim posing as the contractor, including a direct deposit form (likely doctored with the contractor’s logo) and instructions to change payment information to a new account controlled by the scammers.  They might even try to play this trick on the construction company and pose as a vendor the construction company regularly pays. Once the money is transferred, it can be difficult – and often impossible – to recover.  Even if the victim has cyber insurance, whether or not any losses are covered depends on the policy.  Any access and information they obtain can also compromise the construction company’s information security, potentially increasing the likelihood of privacy breaches, ransomware attacks, or other serious security risks.

Awareness and good financial and technical controls are key to protecting against this threat.  Here are some steps your organization should consider including in your cyber security plan:

  • Establish direct deposit instructions at the start of the contract, and ensure your customers know exactly how you would change them.  For example, let them know any instructions would come only from your organization via a specific email address or phone number.
  • Also ensure your customers know how they can verify those instructions, as email addresses and phone numbers can be faked.  Have your customers confirm any changes by using the alternate communication method.  For example, if they ever get an email with new instructions, they are to call the phone number sent in the original instructions (not reply to the email, or call any phone number in the email) to confirm, and vice-versa. Scammers will do everything they can to get you to contact them for ‘verification’, so clear direction at the start of the process is important.
  • Carefully scrutinize all requests for transfer of funds. Expect secure processes and procedures from your vendors or anyone you have to transfer money to. If they don’t have a good process in place, at least have them follow yours.
  • Always ensure two people have to sign off on any changes.  At least one of them should be in management.
  • Train your company on how to spot fakes.  Consider phish-testing your own company regularly (there are subscription solutions out there that can help you manage this.)
  • If you have trouble detecting external emails, consider setting up an ‘external’ tag so your own staff can more easily catch if a scammer is trying to impersonate someone in your organization.
  • Consider subscribing to a secure email gateway to help protect your organization from phishing and scams.

Ultimately, the adage ‘an ounce of prevention is worth a pound of cure’ is borne out in cyber and financial security breaches. Take proactive steps to protect your organization, your trades and vendors, and your own clients and customers.

The privacy team and construction lawyers at Stoel Rives are prepared to help you minimize risks and mitigate losses posed by internal and external threats. Give us a call to learn more about how we can help you protect your business.

Achieving Industry Standards

For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”

These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and incarceration for executives who fail to meet industry standards.

With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers and their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been on a tear”[1] and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.

Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.”[2] Industry standards can also refer to a standard adopted by a Standards Setting Organization. Establishing such standards takes time as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technologies.[3]

In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[4] A year later the NIST Cybersecurity Framework (“CSF”) was published and last year on April 16 it was updated. The Organization of American States and Amazon Web Services recently described it as:

[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.[5]

The CSF can be found here: https://www.nist.gov/cyberframework.

Continue Reading

Is your organization ready for global privacy regulations?

The Internet Society’s Online Trust Alliance (OTA) released a report this week that measured 1200 U.S.-based organizations’ readiness for three major global privacy regulations: the General Data Protection Regulation (GDPR) in the European Union,  the California Consumer Privacy Act (CCPA) in the United States that goes into effect January 1, 2020, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. The assessment, the OTA’s 10th Online Trust Audit, reviewed 29 variables in the publicly-posted privacy statements from each organization.

While privacy statements are only one outwardly-facing piece of a larger information privacy management program, they are also subject to requirements defined in these privacy laws, with the goal that they accurately reflect the organizations’ privacy practices as thoroughly and clearly as possible, so that users can make an informed decision about whether or not to share their information with the organization.

Since this assessment was limited to only these posted policies it is limited in context – for example, just because only 57% of the organizations stated that they hold third parties to the same standard, that doesn’t mean 43% of organizations aren’t doing it. Nevertheless the criteria highlighted in this report are all important considerations to include when reviewing your organization’s privacy program.

A copy of the full report can be downloaded here.

Recent FTC Enforcement Actions

What the FTC Wants, the FTC (Mostly) Gets

In recent weeks the Federal Trade Commission has been on a tear. As one example, on July 22 it announced a $700 million settlement with Equifax for “the 2017 data breach that jeopardized the personal data of a staggering 147 million people.” But it is a decision earlier this year that is perhaps more ominous, at least regarding personal liability for directors and officers (“D&Os”).

On February 27, 2019, after announcing a $5.7 million settlement with TikTok for various privacy violations relating to its lip-syncing app, two of the five FTC commissioners, Rebecca Kelly Slaughter and Rohit Chopra, issued this joint statement:

When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.

This approach appears to have some traction with the current FTC Chairman, Joe Simons, and the Bureau of Consumer Protection Director, Andrew Smith, who both discussed Slaughter and Chopra’s statement at the 2019 International Association of Privacy Professionals Global Privacy Summit. Smith described naming D&Os as a “way to make companies take notice that [the FTC] is serious about compliance.” Continue Reading

CCPA is Coming – Is Your Business Prepared For The Data Requests & Lawsuits?

Does your business collect personal information from residents in California? Does it monitor user activity on its website? If so, there is a good chance it will need to comply with the California Consumer Privacy Act (“CCPA”), which takes effect January 1, 2020.

Following the European Union’s implementation of GDPR, California adopted the CCPA, which imposes significant new privacy obligations on businesses that collect information from California residents, including the collection of internet browsing activity on business websites. Under the CCPA, businesses must disclose the types of personal information they collect, sell, or share about California residents. Among other rights recognized by the law, consumers will have the right to request reports on the information collected about them and deletion of their information. The California Attorney General will have general enforcement power, and consumers will have a right to bring lawsuits for certain matters, including potentially class actions.

The CCPA is far-reaching and imposes significant compliance duties on businesses in all industries doing business with California residents. It will transform how companies collect and use personal information. It is also stands to increase the risk of consumer lawsuits, including class actions, against businesses covered by the CCPA.

CLICK HERE to continue reading about the scope and effects of the CCPA. If you would like information specifically tailored to the impact of CCPA on your business, please feel free to contact Hunter Ferguson at (206) 386-7514 and Romaine Marshall at (801) 578-6905 or your primary Stoel Rives contact.

Privacy Attorney Dustin Berger Achieves (ISC)2 CISSP Certification

Stoel Rives LLP is pleased to announce that information privacy & data security attorney Dustin Berger has been recognized as an (ISC)2 Certified Information Systems Security Professional (CISSP). This certification demonstrates an individual’s understanding of cybersecurity strategy and its hands-on implementation. It also confirms that the holder has the advanced knowledge and technical skills to design, develop, and manage an organization’s overall security program.

Berger is an attorney in Stoel Rives’ Seattle office, where he counsels clients nationwide on data security, privacy, and employment matters. He also has represented clients in a variety of civil litigation matters in trial and appellate courts as well as before state and federal administrative agencies. Berger has been recognized by the International Association of Privacy Professionals (IAPP) as a Fellow of Information Privacy, Certified Information Privacy Professional/United States and Europe, and Certified Information Privacy Technologist. In addition, he holds the CompTIA: Security+ Certification. Prior to entering the practice of law, he served as the Chief Technology Officer for a Denver-area suburban city.

Berger joined Stoel Rives in 2018 in part to add further knowledge and experience to the firm’s Privacy & Data Security practice group. This cross-industry team includes attorneys who help clients adopt systems and processes to protect their business and personal data and comply with data security and privacy laws worldwide. Team members counsel clients across a wide range of industries, including health care, education, manufacturing, technology, retail, defense, and financial services, regarding their specific needs for policy development, program management, personnel training, forensic audits, breach response, customer notification, insurance coverage, third-party risk management, and transactional due diligence, among other matters.

(ISC)² is a leading, international cybersecurity and IT security professional organization with more than 140,000 certified members. To qualify as a CISSP, candidates must pass an exam and have at least five years of work experience in two or more of the examination’s eight subject matter areas.

(The Supreme Court of Washington does not recognize certification of specialties in the practice of law and none of the certifications, awards, or recognitions mentioned here are requirements to practice law in the state of Washington. Likewise, Colorado does not certify lawyers as specialists in any field.)

HHS Issues Practical New Cybersecurity Guidance for Healthcare Businesses of all Sizes

In late January, the U.S. Department of Health and Human Services’ Healthcare & Public Health Sector Coordinating Council issued a new cybersecurity guidance document for healthcare businesses of all sizes. The guidance document, entitled “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” available at https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx, provides concrete and practical guidance for addressing what the Council has identified as the “most impactful threats . . . within the industry” and serves as a renewed call to action for implementation of appropriate cybersecurity practices. This document is critical reading for healthcare business managers faced with ever-increasing cybersecurity risks and the attending risks to patient safety and operational continuity, business reputation, financial stability, and regulatory compliance.
Continue Reading

New tool released that may allow bad actors with almost any skill set to bypass many implementations of Two-Factor Authentication (2FA)

Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information.  Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA:

https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/

This does not mean we should stop using Two-Factor Authentication (2FA). We should still use 2FA, or Multi-Factor Authentication (MFA) wherever possible. What it does mean is that we need to be even more careful about checking to see that we’re on the correct web site before logging in.

Even with this tool, the most impressive fake site still cannot use the real site’s URL, so please ensure your organization’s cybersecurity training and awareness plan regularly highlights the ever-important task of checking the URL in your browser before inputting any credentials.  Of course, tactics like punycode attacks and typosquatting can also be used to complicate verifying the URL; to help ensure your users access safe web sites, consider bookmarking those sites and training your users to only initiate a session with each site by clicking on that bookmark, and not links via other mediums, such as SMS text, other web pages or email.

Yahoo! Breach Class Action Poised to Settle

The Yahoo! class action over the 2013-2014 hacks, affecting 1 billion (later updated to 3 billion) accounts, is poised to settle for $85 million – and the provision of free credit monitoring services for 200 million account holders for 2 years.

While $85 million may seem like a relative bargain compared to the $350 million Verizon knocked of the sale price during the purchase of Yahoo!, the real cost is likely in the credit monitoring service. As this article notes, the current market rate for a credit monitoring subscription is about $14.95/month, or $359 per person for 2 years. Multiply $359 by 200 million people, and at full retail price they’d be looking at a $71.8 billion price tag! Of course Yahoo! won’t pay anywhere near that rate. Plus, many of the ~200 million people that held those 1 billion accounts may already have credit monitoring, and may not elect to opt in.

The settlement didn’t disclose how much Yahoo! would be paying for the credit monitoring service. Nevertheless, as an exercise let’s say Yahoo! gets a 95% discount on the rates (down to about $17.95 per person for 2 years) and only 25% of the 200 million people opt in. That would still be an $897.5 million expense over 2 years. Considering they’re willing to settle, and experts were estimating the average value of each account at $1 and $8 each – for 1 billion accounts – the total cost of this should be somewhere south of $1 billion. However much it ends up being, this is yet another illustration of the significant impact data breaches can have on expenses and value.

A link to the filed settlement agreement can be found here.

Anthem Pays OCR $16 Million in Record-Breaking HIPAA Data Breach Settlement

The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement is the largest in HIPAA-enforcement history, far exceeding the previous record of $5.5 million paid by Memorial Healthcare in 2017.

OCR investigated Anthem following its report that a series of cyber attacks in 2014 and 2015 resulted in theft of the electronic protected health information (ePHI) of nearly 79 million members of  its affiliated and other covered entity health plans. In addition to Anthem’s failure to implement sufficient safeguards to prevent and detect the inappropriate access to its systems, OCR also found that Anthem had:

  • Failed to conduct an enterprise-wide risk analysis
  • Insufficient procedures to regularly review records of information system activity
  • Failed to identify and respond to suspected or known security incidents
  • Failed to implement adequate minimum access controls to prevent unauthorized access to ePHI

A link to the Resolution Agreement between Anthem and OCR is available here.

It is not surprising that the largest HIPAA breach to date would result in the largest settlement to date, and this is a strong signal of this administration’s interest in leveraging its penalty authority to make an example of organizations that have large data breaches. Organizations of all sizes should take note, however.  While penalties are imposed in only a small fraction of the incidents reported to OCR, any significant data breach will result in an OCR investigation that may bring inadequacies of privacy and security safeguards to light.

If you have questions or concerns about your HIPAA compliance posture or your information security and governance plans, we are ready to help.

 

 

LexBlog