Digital Transformation – Regulator Issues $80 Million Penalty for Not Doing It Right

Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to great success (think Google, Facebook, and Amazon), overlooking pitfalls associated with potential legal obligations – most notably, cybersecurity and data privacy – can have the opposite effect, harming an organization’s reputation and its balance sheet.

On August 6, 2020, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million penalty against bank Capital One for what it determined was a failure to implement effective cybersecurity prior to migrating information technology to the cloud.  This failure was exposed in July 2019 when Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.

Why This Penalty Is Important

While $80 million may not be a significant hit to Capital One’s balance sheet, the accompanying consent order is notable for pointing out the bank’s failure to

[E]stablish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC also highlighted the bank’s failure to “identify numerous control weaknesses and gaps in the cloud operating environment” and the bank’s failure to correct the deficiencies in a timely manner.

The OCC then singled out the Board of Directors for failing “to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.”  This focus on a board’s knowledge of cybersecurity issues is not new.  The Federal Trade Commission (“FTC”) focused on this last year. 

Maintain a Strong Risk Management Program

Last year, the FTC also mandated that as an industry standard, organizations that collect and handle consumer data must implement a comprehensive written information security program. The OCC seems to agree, requiring Capital One to implement a risk management program that at least includes:

  1. A continuous risk management process that helps identify “reasonably foreseeable internal and external threats” to the confidentiality, integrity and availability of information assets and systems.
  2. The right framework for determining the likelihood and potential impact of one of these threats on the information being protected.
  3. Reasonable policies and procedures and adequate technical controls to address these risks.

What Organizations Should Do

Before, during, and after any aspect of digital transformation, organizations should consider doing the following:

  1. Obtaining the support of executive leadership to ensure that risk management is a priority for your organization.
  2. Adopting an established framework such as the NIST RMF, COSO ERM or the ISO 31000 standard.
  3. Maintaining a Risk Register and revisiting risk treatment on a regular basis – not just once a year – to ensure your organization is mitigating risk to an acceptable level.

Even if you are a novice, any reasonable effort to identify, assess, treat and monitor risks to your organization should result in heightened awareness of threats and an improvement in policies, processes, and controls.

As for migrating information technology operations to the cloud, this digital transformation process is not just for sophisticated banks.  A day after the OCC assessed its $80 million penalty, Utah Governor Gary R. Herbert announced a statewide initiative to train and certify 5000 residents in cloud computing.

If you have any questions about cybersecurity and data privacy legal obligations that your organization should be considering in connection with its digital transformation processes, please reach out to Romaine Marshall, Jon Washburn, or Jose Abarca.

Securing Online Shopping has Never Been More Important

In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving to any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCIPal, 64% of people in the US would avoid a business following a COVID-19 related breach, and 17% would never return. While I imagine this sentiment would apply to any breach of personal information and not just one related to the current crisis, these numbers are a sharp step up from the estimated average customer turnover rate of 3.9% in last year’s 2019 IBM/Ponemon Cost of a Data Breach Report. While it’s just one survey, the significant increase in expected customer turnover rate in such a short time-period may represent a rapidly diminishing level of tolerance for websites that leak valuable personal information.

In order to remain in business, many retailers had to rush to upgrade their online presence in order to compensate for store closures and reduced foot traffic in locations that were able to remain open; or for the more fortunate retailers, to simply manage an unprecedented increase in online purchasing. As we balance security risk against the need to maintain the health of the business, it would not be surprising if ‘speed to market’ concerns took priority over rigorous application security review in some of these instances – after all, a strong cybersecurity program is meaningless if there’s no organization left to protect. Nevertheless, it is still critical to complete the cycle of secure software development and thoroughly test any changes and integration of new solutions to verify they are secure.

If you are a retailer that has had to prioritize retooling your online presence over everything else, please be sure to circle back around and undertake these important tasks:

  • Conduct a code review that focuses on verifying that your site is not vulnerable to web application security risks, such as those included in the OWASP Top 10
  • Validate that any integration of new technology – such as payment processing, customer experience or even anti-fraud solutions – is still properly managing personal information in line with your security and privacy policies
  • If you don’t already offer it, consider offering two-factor authentication to your online customers
  • Confirm your web servers are still using strong security certificates and aren’t allowing weak protocols.  You can check this for free at ssllabs.com
  • Ensure everything is still running using the Principle of Least Privilege

Coast to Coast and Back Again – Cybersecurity and Data Privacy Rules

March 2020 will long be remembered as the month and year of en masse shutdowns.  But the pandemic has done little if anything to slow new cybersecurity and data privacy laws.  As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).

California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General

After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval.  The final text of the regulations demonstrates how granular enforcement could be.  Here are five examples:

  1. A business’s required privacy policy must include the date it was last updated.
  2. A business must provide at least two methods for consumers to send requests for deletion of their information.
  3. A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
  4. A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
  5. A business must have a documented policy for verifying the identity of a person making a request related to their personal information.


Court Orders Disclosure of Capital One’s Incident Report

Last July, Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.[1]  Within days, lawsuits were filed nationwide asserting an assortment of claims relating to the data breach.

Last week, in a class action filed in Virginia, a federal magistrate ordered Capital One to provide its incident report for the data breach to counsel for the plaintiffs.  Capital One had contended that the report is protected attorney work product and that it shouldn’t have to disclose it.  The Virginia court disagreed, for reasons that are instructive.

When an Incident Report Is Not Attorney Work Product

Since 2015, Capital One had retained Mandiant to provide various cybersecurity services.  The data breach occurred in March 2019, but it was not confirmed until July 19 of that year.  A day later Capital One retained outside counsel which then retained Mandiant to assist with its investigation on July 24.  Then, on July 29 the public was notified about the data breach.

The issue the court decided last week was whether the Mandiant incident report was privileged and therefore protected from disclosure by the work product doctrine.[2]  This doctrine generally preserves the privacy of attorneys’ case materials, but it has limits.  To guide its decision in Capital One the court stated:

In order to be entitled to protection, a document must be prepared “because of” the prospect of litigation and the court must determine “the driving force behind the preparation of each requested document” in resolving a work product immunity question.[3]

Applying this standard, the court believed the incident report would have been prepared anyway even if the data breach had not occurred and determined that it needed to be disclosed.  In reaching this conclusion, after “considering the totality of the circumstances,” the court found these facts compelling:

Is Your Incident Response Plan Ready for Novel Computer Viruses?

A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention.[1]  In 2000, like the COVID-19 virus that was officially named on February 11, 2020, the ILOVEYOU virus became a global pandemic for data systems.  Within days, millions of computers were infected as the virus compromised files and caused widespread email outages.  The virus appeared in inboxes as fake messages with infected attachments:

Since then, scores of novel viruses have been deployed as destructive malware.  The ILOVEYOU virus, MyDoom worm, SOBig spam, and WannaCry ransomware alone are said to be responsible for $95 billion in financial damages.  As a result, anti-virus software has become a multi-billion-dollar, must-have computer program, and cybersecurity has become a multidisciplinary industry fighting an evolving threatscape.

Working from Home? Here are 12 Steps to Reduce Data Privacy and Security Risk

Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of uncertain and sometimes chaotic circumstances.

Below is a checklist of fundamental measures businesses and employees should implement to mitigate the data privacy and security risks associated with working remotely. Most of these measures require an investment of time, not money, through adoption of sound policies and behavior adjustment. You can maintain good privacy and security as we respond to COVID-19. Here’s how:

  1. Turn on Multi-Factor Authentication Immediately. Implement MFA to ensure no unauthorized party is remotely accessing the company’s networks or user accounts. The popular Microsoft Office 365 service includes MFA for free.
  2. Develop and Follow Sound Data and Funds Transfer Procedures. Implement two-step verification for wire transfers or other transfers of data. For example, if you get an email with an invoice, verify the request by placing a phone call to a known individual (not just a number in the email) to confirm and obtain authorization. Work with business partners to send and receive test transfer payments of small amounts (a few cents or a dollar) before transferring substantial sums.
  3. Maintain Confidentiality. Employees should be instructed that confidential conversations should take place in private and relatively secluded areas. Such conversations should not occur within range of virtual assistants or other IoT listening devices. For example, the Office of Civil Rights for the Department of Health and Human Services has relaxed certain rules to make it easier to use technology to facilitate remote services, but requirements of privacy and security must still be met.
  4. Use Secure Workspaces. Employees should have a secure workspace with reliable connectivity. Remote workspaces should be secure from eavesdropping. Employees should not leave work computers unattended to reduce the risk of theft, and unsecured (“public”) wireless networks should be avoided, such as free wi-fi at coffee shops. If there is no other option, ensure employees are trained to first connect using their VPN client before doing anything else.
  5. Distribute Tech Support Contact Info. Employees should readily have access to company IT policies, procedures, and contact information of critical IT personnel to whom security incidents can be reported and who can assist with technical issues.
  6. Avoid Storing Data Locally. Employees should avoid saving data locally on their computers and instead use company-approved network and cloud storage locations – the ones your company backs up regularly – as much as possible to store data. For convenience and perceived efficiency, employees might be tempted to save data locally or on machines that are not business-issued devices. Remote workers and businesses should resist this temptation as much as possible and adjust expectations and deliverable timing to promote sound practices as we adjust to new realities.
  7. Make Sure You Have Appropriate Insurance. Companies should review the scope of their insurance policies and coverage limitations to ensure their policies cover incidents stemming from employees working remotely.
  8. Stay Connected While Staying Distant. Companies should adopt and implement policies for supervising remote employees, such as instituting frequent team calls to facilitate transparent communication, encouraging employees to report security incidents and risks, learning from experience, and providing tips and training for secure work from home.
  9. Don’t Get Hooked – Beware of Phishing Attacks. When employees receive emails or other electronic communication, they should be trained to identify potential phishing emails. Specifically, employees should be educated and reminded to (1) verify that the sender’s email address matches the address of a known contact (especially on mobile devices, select the sender to see the real address); (2) hover over any link before clicking it to identify the destination; (3) be wary of emails that are unusually brief, unexpected, or out of character; and (4) refrain from opening suspicious attachments. If a seemingly normal email or communication is from an unverifiable or suspicious sender, then employees must be trained to report such phishing incidents to the company. Taking these precautions can reduce the effectiveness of phishing attacks.
  10. Minimize Printing Confidential Information. Employees should not print confidential information, including protected health information, at home. If such information must be printed, then the paper copies of such information should be properly secured until they are properly disposed – for example, by using a level P-4 or better cross-cut shredder.
  11. Use Appropriate Encryption. Employees should not share protected health information or other types of information requiring elevated protection via email or other unsecured modes of electronic transmission. Such information should be shared only by using transmission technology that provides guaranteed end-to-end encryption.
  12. Share These Tips and Other Useful Insight. Share this announcement and other resources discussing data privacy and security measures with all employees, team members, business partners, clients, customers, suppliers, vendors, etc. We are all in this together!

Stoel Rives’ Privacy and Data Security team is prepared to address your COVID-19 related or other data privacy and security questions and concerns. If you have any questions, please ask your primary Stoel Rives contact or reach out to Hunter Ferguson at 206.386.7514 or hunter.ferguson@stoel.com for more information.

Soon, All Ransomware Attacks May Be Data Breaches

As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has been released when the victim doesn’t pay up. If this becomes the norm – and it looks like it will – victims will need to consider all ransomware attacks as possible data breaches.

Ever since the Maze ransomware operators realized they could increase the odds of collecting the ransom by leaking data, many other ransomware groups have started following suit.  In the latest variant to be seen using this tactic, the attackers basically guarantee they can decrypt the files if you pay (proof provided on two random files). But at that point, the data is already stolen.

While the attackers will only steal a segment of the data they encrypt – a few GB, random emails, etc. – the victim will likely have no idea which portion of the encrypted files was stolen and will have to treat all data that was accessed as “breached”, unless they can determine that there is a reasonably low risk that certain data was extracted.

As security professionals, we strive to prevent attackers from compromising our organizations in the first place.  But in the event they are successful, the following is a sample of additional controls that can be implemented to better detect data exfiltration:

  • Content filters: filters on outgoing traffic can be configured with white-listing/black-listing rules to restrict outgoing traffic bound for known-bad (by reputation or by content) sites/IP addresses. They can watch common exfiltration channels such as DNS tunneling, FTP and HTTP and can be configured to alert on and/or automatically stop unusual patterns of data transfer. Content filtering is offered as a standalone service, but it is also a feature included with many secure gateway solutions.
  • SIEM: Security Information and Event Management solutions act as centralized collectors of logs from multiple sources. Consider deploying a SIEM inside your organization and feeding it as many logs as are useful. In order to get the value out of a log collection/analysis solution it must be monitored 24/7/365 by qualified personnel.  Unless your organization is large enough to employ its own security team, consider a managed solution from a reputable service provider.
  • Endpoint Detection and Response (EDR) solutions: These solutions are designed to stop attackers in the first place, but they also alert on potentially malicious activity with continuous monitoring. For example, if your EDR solution lights up because it sees a number of nodes being hit with Emotet – a malware precursor to a ransomware attack that generally steals credentials, but can also steal email – you could be under attack, and should check all endpoints to confirm you don’t have one that might be leaking data (like the “road warrior” salesperson whose laptop is rarely on the network, and always seems to be behind a little on updates…)
  • Deep Packet Inspection (DPI) and Watermarking: For the more advanced organizations out there, you can embed a watermark or ‘digital signature’ that can alert a packet-inspection solution that certain files are being sent out of the organization. In order for this to have value you’d want to be selective and/or have various different watermark labels (for example “internal confidential”, “PII”, etc.) and ensure your watermarks are “permanent.”
  • Honeytokens: a honeytoken applies the honeypot concept to a URL. You can implement honeytokens for free at https://canarytokens.org; some cool tricks for using them in a honeyfile (a file that appears to be highly valuable, but is in fact deceptive bait), databases, links and other traps can be found here.  While honeypots/files/tokens are primarily an intrusion detection tool, if the target can be accessed then it – and anything else at that access level/in that container – can likely also be exfiltrated.
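
As an added illustration (not part of the original post), the sketch below shows the kind of rules a content filter or SIEM applies to the exfiltration channels listed above: outbound volume far above a host's own baseline, destinations outside an allow-list, and repeated DNS queries carrying long, high-entropy labels. The log layout, host names, domains, byte counts and thresholds are all constructed assumptions.

```python
import math
import statistics
from collections import Counter, defaultdict

# All hosts, domains and byte counts below are constructed sample data.
ALLOWED_DESTINATIONS = {"backup.example-corp.test", "mail.example-corp.test"}

# Outbound bytes per host for the previous seven days (the baseline).
BASELINE = {
    "ws-014": [120_000, 95_000, 130_000, 110_000, 90_000, 125_000, 105_000],
    "ws-022": [400_000, 380_000, 450_000, 420_000, 390_000, 410_000, 430_000],
}

# Today's egress records: (source host, channel, destination, bytes sent out).
FLOWS = [
    ("ws-014", "HTTP", "backup.example-corp.test", 98_000),
    ("ws-022", "HTTP", "mail.example-corp.test", 415_000),
    ("ws-022", "FTP", "files.unknown-host.test", 3_200_000_000),
]

# Today's DNS queries: (source host, queried name).
_CHUNK = "k7q2m9x4b1z8v3n6c5j0h2w7r4t9y1p8d3f6"  # stands in for encoded file data
DNS_QUERIES = [("ws-014", "www.example-corp.test")] + [
    ("ws-022", f"{label}.t.unknown-host.test")
    for label in (_CHUNK, _CHUNK[::-1], _CHUNK[5:] + _CHUNK[:5])
]


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def volume_outliers(baseline, flows, factor=10):
    """Hosts whose outbound bytes today exceed factor x their own median day."""
    today = defaultdict(int)
    for host, _channel, _dest, sent in flows:
        today[host] += sent
    flagged = {}
    for host, sent in today.items():
        history = baseline.get(host)
        typical = statistics.median(history) if history else 0
        if typical == 0:
            # No usable baseline: surface the host instead of staying silent.
            flagged[host] = float("inf")
        elif sent > factor * typical:
            flagged[host] = sent / typical
    return flagged


def unlisted_destinations(flows, allowed):
    """Egress records whose destination is not on the allow-list."""
    return [(h, ch, dest) for h, ch, dest, _sent in flows if dest not in allowed]


def suspicious_dns(queries, min_len=30, min_entropy=3.5, min_hits=3):
    """(host, parent domain) pairs with repeated long, high-entropy labels.

    The parent domain is taken as the last two labels, a simplification
    that ignores multi-part public suffixes.
    """
    hits = Counter()
    for host, name in queries:
        labels = name.rstrip(".").lower().split(".")
        parent = ".".join(labels[-2:])
        if any(len(lab) >= min_len and shannon_entropy(lab) >= min_entropy
               for lab in labels[:-2]):
            hits[(host, parent)] += 1
    return {key: n for key, n in hits.items() if n >= min_hits}


def triage(baseline=BASELINE, flows=FLOWS, queries=DNS_QUERIES,
           allowed=ALLOWED_DESTINATIONS):
    """Combine the three signals into one list of reasons per host."""
    reasons = defaultdict(set)
    for host in volume_outliers(baseline, flows):
        reasons[host].add("volume-spike")
    for host, _channel, _dest in unlisted_destinations(flows, allowed):
        reasons[host].add("unlisted-destination")
    for host, _parent in suspicious_dns(queries):
        reasons[host].add("dns-tunnel-pattern")
    return {host: sorted(why) for host, why in reasons.items()}


if __name__ == "__main__":
    for host, why in triage().items():
        print(host, why)
```

A host that trips several independent signals at once is a stronger candidate for immediate review than one that trips a single rule.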

In addition to these controls, as noted in this blog post last month, organizations that fall victim to ransomware should engage experienced outside counsel to commence an internal investigation and to:

  • Retain technical consultants to engage with the threat actors as necessary, determine what data was exfiltrated, manage the decryption process, recover and remediate impacted systems, and eliminate the risk of reinfection.
  • Leverage relationships with law enforcement to cross-reference elements of the ransomware with databases and obtain helpful information.
  • Work with insurers to determine whether and how coverage applies (i.e., cyber risk, kidnap and ransom, cyber extortion, or various other cybercrime policies).
  • Establish separate lines of communication for key personnel in case normal lines of communication are compromised during negotiation, decryption and/or recovery phases.
  • Provide advice relating to what, if any, legal obligations have been triggered by the exfiltration of data and the deployment of ransomware.

Family Educational Rights and Privacy Act in the Age of COVID-19

The U.S. Department of Education released some FAQs related to the Family Educational Rights and Privacy Act (FERPA) and coronavirus. The Department’s Student Privacy Policy Office prepared the FAQs to assist officials in educational agencies and institutions such as school districts, schools, colleges and universities in managing public health issues related to COVID-19 while protecting the privacy of students. Below is a summary:

  • A parent or eligible student must provide written consent before an educational agency or institution discloses personally identifiable information (PII) from a student’s education records, unless one of the exceptions to FERPA’s general consent rule applies.
  • FERPA permits educational agencies and institutions to disclose, without prior consent, PII from student education records to appropriate parties in connection with an emergency, if knowledge of that information is necessary to protect the health and safety of a student (or other individuals).
  • If an educational agency or institution, taking into account the totality of the circumstances, determines that a significant threat exists to the health or safety of a student in attendance at the agency or institution (or another individual at the agency or institution) as a result of the virus that causes COVID-19, it may disclose, without prior written consent, PII from student education records to appropriate officials at a public health department who need the information to protect the health or safety of the student (or another individual).
  • If an educational agency or institution learns that student(s) in attendance at the school are out sick due to COVID-19, it may disclose information about the student’s illness under FERPA to other students and their parents in the school community without prior written parental or eligible student consent; but, it must make a reasonable determination that a student’s identity is not personally identifiable, whether through single or multiple releases, and while taking into account other reasonably available information.
  • FERPA permits educational agencies and institutions to non-consensually disclose PII from education records in the form of contact information of absent students to the public health department in specific circumstances, such as in connection with a health or safety emergency.
  • If an educational agency or institution determines that a health or safety emergency exists, it may NOT disclose, without consent, PII from student education records to the media.
  • In most cases, it is sufficient to report the fact that an individual in the school has been determined to have COVID-19, rather than specifically identifying the student who is infected.
  • Nothing in FERPA prevents schools from telling parents and students that a specific teacher or other school official has COVID-19 because FERPA applies to students’ education records, not records on school officials. However, there may be State laws that apply in these situations.
  • An educational agency or institution may disclose PII from an eligible student’s education records to the student’s parents if the eligible student has been determined to have COVID-19, generally without obtaining written consent.
  • FERPA permits educational agencies and institutions to release information from education records without consent after the removal of all PII, provided that the agency or institution has made a reasonable determination that a student’s identity is not personally identifiable, whether through single or multiple releases, and while taking into account other reasonably available information.
  • FERPA generally requires educational agencies and institutions to maintain a record of each request for access to, and each disclosure of PII from, the education records of each student.

For specific questions on how FERPA applies to your institution in relation to the COVID-19 pandemic, please contact Hunter Ferguson or Alisha Kormondy.

Your Security Program Must Think Beyond Malware Protection

According to CrowdStrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware solutions.  For example, attackers can use stolen administrator credentials to roam virtually unchecked if the victim does not have a method of detecting that the authorized person the account is really assigned to isn’t the one behind the activity. More complex techniques like macro-based scripting attacks or attacks where code only executes in memory may go undetected as well, as they require a much more sophisticated approach to identify and contain than traditional attacks that can be intercepted by detecting the execution of malicious software or the use of malicious files.

While organizations with sufficient resources may pivot fairly quickly to combat malware-free attacks, it’s not easy for organizations with limited budgets and no security staff.  Even if you’ve invested in a reputable anti-malware solution and have restricted users from installing software – even if you’ve employed white-listing – you could still be at risk.

Below are three recommendations organizations should consider adding to their arsenal to help combat this rise in malware-free attacks:

  • Subscribe to robust “next-generation” endpoint cybersecurity solutions that are capable of analyzing behavior patterns in real time. Good solutions are anchored in the cloud, run 24/7, and are rapidly scalable.  They are usually managed by the solution provider, are relatively affordable, and are designed to be easily deployed in any environment – even without skilled IT staff.
  • Collect and monitor as much network and application traffic as possible. Unless you’re a large organization that can afford to maintain a Security Operations Center (SOC) to analyze the data in real time, you will likely be looking at outsourcing this workload to a Managed Security Service Provider (“MSSP”) who collects it in a SIEM. Collecting and monitoring log data in as close to real-time as possible is critical to detecting adversarial behavior on your network. While 24/7 continuous monitoring is not an inexpensive service, outsourcing this will likely be less expensive than managing it yourself. The value of having this level of visibility in your environment cannot be overstated.
  • Control the use of scripting, and secure the scripts you need to use as much as possible.  For example, sophisticated attackers may send you documents embedded with malicious macros that, when enabled, leverage allowed command-line shells such as PowerShell to execute the attack using only scripts. PowerShell can be made more secure, but these measures alone will not be enough to prevent a script-based attack; this is merely another layer in the onion.  While PowerShell is limited to Microsoft systems, that doesn’t mean Mac users aren’t at risk; AppleScript and Python can be used in malware-free attacks as well.

As the cyber threat landscape evolves, so must our security plans. The risks we remediate today may end up being risks again tomorrow!

Utah Considers a Cybersecurity Safe Harbor as Ransomware Runs Riot

Last year the FTC mandated what an organization’s written cybersecurity program should include to avoid being deemed “unfair and deceptive” to consumers,[1] and this year California consumers whose personal information is compromised may file lawsuits against organizations that failed to implement “reasonable security.”[2]

But several states provide legal safe harbors to organizations with written cybersecurity programs. Now, Utah is considering joining them. Under House Bill 158, referred to as the Cybersecurity Affirmative Defense Act (the “Proposed Act”),[3] if at the time of a data breach a covered entity has created, maintained, and complied with a written cybersecurity program it has an affirmative defense to a civil tort claim.
