CCPA Is Here – Is Your Security “Reasonable”?

Romaine MarshallBy Romaine Marshall on Posted in ePrivacy, Privacy, Security, Uncategorized

Under the California Consumer Privacy Act, any California consumer whose personal information is compromised “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices … may institute a civil action.”[1]

Consumers can initiate this private right of action right now, whereas other consumer rights can only be enforced by the Attorney General beginning in July.[2]

Why This Matters

Most civil actions filed against companies during the last decade were dismissed. Why? Consumers were unable to demonstrate a suitable harm. Sure, cybersecurity incidents are a hassle for consumers to deal with, but that alone was not enough. Recently, however, courts have said “the hassle” is enough, at least for cases to proceed past their initial stages. This has led to a steady rise in both the number of cases that are settled and their dollar amounts.

Complicating things further, under the CCPA proving harm doesn’t necessarily matter. If personal information is compromised because of a failure to implement and maintain reasonable security, the CCPA quantifies harm to be “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident” or an amount higher if proven.[3] What matters is whether your security is reasonable.

Google’s search engine defines reasonable as “as much is appropriate or fair.” For those who reminisce about how they spent three years in law school learning the many ways “reasonable” can be interpreted, the CCPA may trigger déjà vu; neither the CCPA nor its proposed regulations defines “reasonable security.” But reliable guidance is available. Continue Reading

CCPA is Here – Are Your Agreements Ready?

Romaine MarshallBy Romaine Marshall on Posted in ePrivacy, Privacy, Security

On January 1, 2020, if your company sells goods or services to California consumers and meets certain criteria,[1] the agreements you have with companies that handle personal information on your behalf should be analyzed and, if necessary, updated just as your privacy notices should be updated.[2]

Examples of companies that handle personal information on a company’s behalf include marketing companies, managed security service providers (MSSP), and software-as-a-service (SaaS) providers such as payment processing, document and email management, and customer analytics companies.

Why this Matters

Under the California Consumer Privacy Act (“CCPA”), companies that handle consumer information on behalf of a company are “service providers.”[3] The CCPA requires that a company enter into an agreement with a service provider that

prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business … [4]

This is important because the CCPA exempts a company for any violation of the CCPA if its service providers have executed an agreement and they, not the company providing the personal information, violates any of the rights given to California consumers under the CCPA.[5] Continue Reading

CCPA is Here – Is Your Privacy Notice Ready?

Romaine MarshallBy Romaine Marshall on Posted in ePrivacy, Privacy, Security

Last year towards the end of May, a barrage of emails and pop-ups informed online users about how companies use cookies – small bits of software that track website activity – in accordance with a requirement under the European Union’s General Data Protection Regulation.

On January 1, 2020, many companies will inform consumers about updates to their privacy notices – agreements between companies and their consumers about how personal information is processed – in accordance with a requirement under the California Consumer Privacy Act (“CCPA”).

Why this Matters

A privacy notice (aka privacy policy or privacy statement) is typically the first place a company explains its practices for handling the personal information it collects.  Privacy notices have received considerable attention this year, not all of it positive.  You do not have to read all of the New York Times article, “We Read 150 Privacy Policies. They Were an Incomprehensible Disaster,” to know what it concluded.[1]  Similarly, an article titled “Are Organizations Ready for New Privacy Regulations?” summarizes the Online Trust Alliance’s analysis of 1,200 privacy statements and its view that many of these privacy notices could result in penalties for failing to follow new laws such as the CCPA.[2]  In addition, privacy notices have been the subject of litigation in cases asserting that the sale of customer information to non-affiliated entities for marketing purposes,[3] and the transfer of customer data in a merger, asset sale, or sale of customer information, were all improper because they violated companies’ privacy notices.[4] Continue Reading

Trickbot and Emotet Financial Malware Now Attacking the Healthcare Industry

Jon WashburnBy Jon Washburn on Posted in Announcements, Cyber Attack, Cyber Crime, HIPAA, Security

In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge.

Used primarily as ’banking Trojans” to steal credentials and financial information, these intrusive, fast-replicating Trojans spread quickly. Emotet is polymorphic, which makes it difficult for traditional antivirus solutions to detect.  It worms its way through a network, generally using phishing emails from compromised systems to spread as quickly as possible. Once it’s infected enough computers, it will “drop” (install) other malicious programs, especially TrickBot, which has all sorts of modular, built-in tools to discover system information, compromise that system and steal data.

The presence of either of these Trojans on a network is a serious threat. Both of these Trojans are closely related; where you see one, you often see the other. To help visualize how they work, think about them like a team of professional robbers:

  • Emotet is the ‘strike team’ hired to get Trickbot through as many doors as possible, by exploiting vulnerabilities or by stealing keys
  • Trickbot is the professional ‘safe-cracking team’ the Emotet strike team gets in the door
  • Trickbot might install ransomware to collect a ransom, or maybe just cover their tracks when they’re done. When it installs ransomware, it’s often Ryuk.

Healthcare continues to be a prime target of scammers, as:

  • The industry has known weaknesses, primarily due to the proliferation of connected but vulnerable devices. For example, it’s not practical to throw away a multi-million dollar MRI machine that still works just because it runs an outdated operating system
  • Healthcare organizations have a significant amount of valuable Personally Identifiable Information (PII) such as SSNs, dates of birth, drivers licenses, etc. Of course, they also possess Protected Health Information (PHI) such as blood test results, genetic history, diagnoses, etc. – data that is difficult to come by elsewhere, and can be used to fake medical claims and purchase controlled substances
  • If malicious actors can cripple a healthcare organization with ransomware, the victim may not be able to provide care. Creating a crisis that threatens lives can be a strong motivator to pay a ransom

Criminals are likely re-purposing Emotet and Trickbot in response to improved cybersecurity controls and awareness programs more successfully blocking and repelling their attacks. To keep pace with their attackers, healthcare organizations should:

  • Ensure budgeting for a strong cybersecurity program is a priority, not an afterthought
  • Conduct regular training to help avoid phishing and social engineering attacks
  • In a Windows environment, use Microsoft User Account Control to require that all personnel log in as “users” and not “administrators” of their workstations, and that applications run in the “user context” as often as possible
  • Consider adding application white-listing to their arsenal of cybersecurity defenses

The privacy team and  health care lawyers at Stoel Rives are prepared to help you minimize risks and mitigate losses posed by internal and external threats. Give us a call to learn more about how we can help you protect your business.

Cyber Risk Update for Construction Companies

Tamara BoeckJon WashburnBy Tamara Boeck and Jon Washburn on Posted in Cyber Attack, Cyber Crime, Data Breach, Fraud, Privacy

Scammers are always seeking new ways to target victims for Business Email Compromise (BEC) scams, where they leverage email to try to convince you to give them credentials, send them confidential information like W2s, send them money by changing things like direct deposit instructions, or give any other data that can help them profit from committing fraud.  They are getting more and more sophisticated in their deceptions, and targeting those areas they see as ‘weak links.’

Construction companies however face a particular threat, as there are a number of services and private and government web sites to which companies can subscribe to learn about construction projects that are open to bid. Often, the winning bidder ends up becoming public knowledge – either because that information is posted publicly, or because the contract company advertises they were awarded the project. And of course, these contracts always carry a price tag that is attractive to scammers.

Fraudsters can use information from these same web sites along with other research to learn which construction companies have applied for and ultimately won bids. The higher the price tag, the bigger the target. Once the scammers get their fake web site set up (they can use tools to copy the real contractor’s web site almost exactly), they’ll then send an email to the victim posing as the contractor, including a direct deposit form (likely doctored with the contractor’s logo) and instructions to change payment information to a new account controlled by the scammers.  They might even try to play this trick on the construction company and pose as a vendor the construction company regularly pays. Once the money is transferred, it can be difficult – and often impossible – to recover.  Even if the victim has cyber insurance, whether or not any losses are covered depends on the policy.  Any access and information they obtain can also compromise the construction company’s information security, potentially increasing the likelihood of privacy breaches, ransomware attacks, or other serious security risks.

Awareness and good financial and technical controls are key to protecting against this threat.  Here are some steps your organization should consider including in your cyber security plan:

  • Establish direct deposit instructions at the start of the contract, and ensure your customers know exactly how you would change them.  For example, let them know any instructions would come only from your organization via a specific email address or phone number.
  • Also ensure your customers know how they can verify those instructions, as email addresses and phone numbers can be faked.  Have your customers confirm any changes by using the alternate communication method.  For example, if they ever get an email with new instructions, they are to call the phone number sent in the original instructions (not reply to the email, or call any phone number in the email) to confirm, and vice-versa. Scammers will do everything they can to get you to contact them for ‘verification’, so clear direction at the start of the process is important.
  • Carefully scrutinize all requests for transfer of funds. Expect secure processes and procedures from your vendors or anyone you have to transfer money to. If they don’t have a good process in place, at least have them follow yours.
  • Always ensure two people have to sign off on any changes.  At least one of them should be in management.
  • Train your company on how to spot fakes.  Consider phish-testing your own company regularly (there are subscription solutions out there that can help you manage this.)
  • If you have trouble detecting external emails, consider setting up an ‘external’ tag so your own staff can more easily catch if a scammer is trying to impersonate someone in your organization.
  • Consider subscribing to a secure email gateway to help protect your organization from phishing and scams.

Ultimately, the adage ‘an ounce of prevention is worth a pound of cure’ is borne out in cyber and financial security breaches. Take proactive steps to protect your organization, your trades and vendors, and your own clients and customers.

The privacy team and construction lawyers at Stoel Rives are prepared to help you minimize risks and mitigate losses posed by internal and external threats. Give us a call to learn more about how we can help you protect your business.

Achieving Industry Standards

Romaine MarshallBy Romaine Marshall on Posted in Cyber Attack, Cyber Crime, Data Breach, Privacy, Security

For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?”

These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a “culture of change” that better protects consumers – were part of separate meetings with each of the five FTC commissioners last month. On the heels of these meetings, Senator Ron Wyden (D-OR) proposed federal legislation that would give the FTC new powers and incarceration for executives who fail to meet industry standards.

With the FTC already requiring at least one CEO to verify that a company is meeting industry standards for privacy, the question of what industry standards apply is more important than ever. Since 2010 the FTC has resolved about 50 cases involving alleged cybersecurity incidents and privacy violations (mostly the latter). In 12 of these the FTC named directors and officers and their organizations. In four of these the FTC negotiated settlements requiring organizations to establish and implement written cybersecurity and privacy programs. As noted previously, the FTC has been on a tear”[1] and recently mandated that Equifax implement a comprehensive cybersecurity program that included, “at a minimum,” 26 requirements.

Which brings us back to Chairman Simons’ questions and what constitutes “industry standards.” Some laws and commonly used contract terms define industry standards as “the usual and customary practices in the delivery of products or services within a particular business sector.”[2] Industry standards can also refer to a standard adopted by a Standards Setting Organization. Establishing such standards takes time as they must be tested to ensure broad application. Enter NIST – the National Institute of Standards and Technologies.[3]

In February 2013, an executive order was issued requiring government and private sector organizations to collaborate on how “to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”[4] A year later the NIST Cybersecurity Framework (“CSF”) was published and last year on April 16 it was updated. The Organization of American States and Amazon Web Services recently described it as:

[U]ndoubtedly a tool for cybersecurity risk management, which enables technological innovation while adjusting to all types of organizations (regardless of category or size) … [and is] a simple-approach to strategy to cybersecurity governance, to make it possible to easily transfer technical notions to the business objectives and needs.[5]

The CSF can be found here: https://www.nist.gov/cyberframework.

Continue Reading

Is your organization ready for global privacy regulations?

Jon WashburnBy Jon Washburn on Posted in ePrivacy, Privacy

The Internet Society’s Online Trust Alliance (OTA) released a report this week that measured 1200 U.S.-based organizations’ readiness for three major global privacy regulations: the General Data Protection Regulation (GDPR) in the European Union,  the California Consumer Privacy Act (CCPA) in the United States that goes into effect January 1, 2020, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. The assessment, the OTA’s 10th Online Trust Audit, reviewed 29 variables in the publicly-posted privacy statements from each organization.

While privacy statements are only one outwardly-facing piece of a larger information privacy management program, they are also subject to requirements defined in these privacy laws, with the goal that they accurately reflect the organizations’ privacy practices as thoroughly and clearly as possible, so that users can make an informed decision about whether or not to share their information with the organization.

Since this assessment was limited to only these posted policies it is limited in context – for example, just because only 57% of the organizations stated that they hold third parties to the same standard, that doesn’t mean 43% of organizations aren’t doing it. Nevertheless the criteria highlighted in this report are all important considerations to include when reviewing your organization’s privacy program.

A copy of the full report can be downloaded here.

Recent FTC Enforcement Actions

Romaine MarshallBy Romaine Marshall on Posted in Privacy

What the FTC Wants, the FTC (Mostly) Gets

In recent weeks the Federal Trade Commission has been on a tear. As one example, on July 22 it announced a $700 million settlement with Equifax for “the 2017 data breach that jeopardized the personal data of a staggering 147 million people.” But it is a decision earlier this year that is perhaps more ominous, at least regarding personal liability for directors and officers (“D&Os”).

On February 27, 2019, after announcing a $5.7 million settlement with TikTok for various privacy violations relating to its lip-syncing app, two of the five FTC commissioners, Rebecca Kelly Slaughter and Rohit Chopra, issued this joint statement:

When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.

This approach appears to have some traction with the current FTC Chairman, Joe Simons, and the Bureau of Consumer Protection Director, Andrew Smith, who both discussed Slaughter and Chopra’s statement at the 2019 International Association of Privacy Professionals Global Privacy Summit. Smith described naming D&Os as a “way to make companies take notice that [the FTC] is serious about compliance.” Continue Reading

CCPA is Coming – Is Your Business Prepared For The Data Requests & Lawsuits?

Hunter FergusonBy Hunter Ferguson on Posted in Law/Regulation Update, Privacy

Does your business collect personal information from residents in California? Does it monitor user activity on its website? If so, there is a good chance it will need to comply with the California Consumer Privacy Act (“CCPA”), which takes effect January 1, 2020.

Following the European Union’s implementation of GDPR, California adopted the CCPA, which imposes significant new privacy obligations on businesses that collect information from California residents, including the collection of internet browsing activity on business websites. Under the CCPA, businesses must disclose the types of personal information they collect, sell, or share about California residents. Among other rights recognized by the law, consumers will have the right to request reports on the information collected about them and deletion of their information. The California Attorney General will have general enforcement power, and consumers will have a right to bring lawsuits for certain matters, including potentially class actions.

The CCPA is far-reaching and imposes significant compliance duties on businesses in all industries doing business with California residents. It will transform how companies collect and use personal information. It is also stands to increase the risk of consumer lawsuits, including class actions, against businesses covered by the CCPA.

CLICK HERE to continue reading about the scope and effects of the CCPA. If you would like information specifically tailored to the impact of CCPA on your business, please feel free to contact Hunter Ferguson at (206) 386-7514 and Romaine Marshall at (801) 578-6905 or your primary Stoel Rives contact.

Privacy Attorney Dustin Berger Achieves (ISC)2 CISSP Certification

Hunter FergusonBy Hunter Ferguson on Posted in Announcements

Stoel Rives LLP is pleased to announce that information privacy & data security attorney Dustin Berger has been recognized as an (ISC)2 Certified Information Systems Security Professional (CISSP). This certification demonstrates an individual’s understanding of cybersecurity strategy and its hands-on implementation. It also confirms that the holder has the advanced knowledge and technical skills to design, develop, and manage an organization’s overall security program.

Berger is an attorney in Stoel Rives’ Seattle office, where he counsels clients nationwide on data security, privacy, and employment matters. He also has represented clients in a variety of civil litigation matters in trial and appellate courts as well as before state and federal administrative agencies. Berger has been recognized by the International Association of Privacy Professionals (IAPP) as a Fellow of Information Privacy, Certified Information Privacy Professional/United States and Europe, and Certified Information Privacy Technologist. In addition, he holds the CompTIA: Security+ Certification. Prior to entering the practice of law, he served as the Chief Technology Officer for a Denver-area suburban city.

Berger joined Stoel Rives in 2018 in part to add further knowledge and experience to the firm’s Privacy & Data Security practice group. This cross-industry team includes attorneys who help clients adopt systems and processes to protect their business and personal data and comply with data security and privacy laws worldwide. Team members counsel clients across a wide range of industries, including health care, education, manufacturing, technology, retail, defense, and financial services, regarding their specific needs for policy development, program management, personnel training, forensic audits, breach response, customer notification, insurance coverage, third-party risk management, and transactional due diligence, among other matters.

(ISC)² is a leading, international cybersecurity and IT security professional organization with more than 140,000 certified members. To qualify as a CISSP, candidates must pass an exam and have at least five years of work experience in two or more of the examination’s eight subject matter areas.

(The Supreme Court of Washington does not recognize certification of specialties in the practice of law and none of the certifications, awards, or recognitions mentioned here are requirements to practice law in the state of Washington. Likewise, Colorado does not certify lawyers as specialists in any field.)

LexBlog