Don’t let Cyber Insurance be Your Cybersecurity Plan

In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not incentivize the insured to maintain a robust cyber security program, the insurer can end up bearing excessive risk when the customer leans on the policy as their business continuity plan.

You may be wondering “What does this have to do with my business? I don’t do any business in NY state.” However, your insurer might be subject to the NYDFS cybersecurity regulation (23 NYCRR 500) and, if so, likely received this letter.

According to NYDFS, every cyber insurer should have a formal strategy that incentivizes their insureds – through more appropriately priced plans – to “create a financial incentive to fill [cybersecurity] gaps to reduce premiums.” Below is our take on five of the key practices outlined in the NYDFS letter that have potential implications for insureds.

  • Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Up to now, many organizations have leveraged clauses in standard policies to cover ransomware attacks, such as those covering general liability, theft, malpractice and errors. NYDFS advises that “insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses.”  When you next renew your policy, read the fine print carefully to determine if there are any exemptions for cyber-related losses – even if you have a standalone cyber insurance policy. An insurer that was left ‘holding the bag’ for covering a ransomware attack under a policy that wasn’t priced to cover cyber losses is incentivized to update that policy language at the soonest opportunity.
  • Evaluate Systemic Risk. Here, insurers are being advised to “stress test” their coverage to ensure they would remain solvent while covering potentially “catastrophic” cyber events impacting multiple insureds. If you are a cloud or managed services provider and/or are part of other organizations’ supply chains, you should expect to receive more scrutiny from your insurer on the strength of your cyber security program.
  • Rigorously Measure Insured Risk. No surprises here, unless you haven’t been filling out detailed questionnaires about your cyber security program. Expect more scrutiny of your program, and possibly the involvement of auditors to validate your claims. Check your insurance policy to see if investing in a certification program – such as ISO 27001 or HITRUST – might improve your policy premium.
  • Educate Insureds and Insurance Providers. This practice states that “insurers should also incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.” Take advantage of any educational opportunities your provider offers on cybersecurity best practices and improvements. They might be trying to tell you how you can lower risk – and your rates.
  • Require Notice to Law Enforcement. While this is a best practice, NYDFS is recommending this be more formally required in the policy language.  Involving law enforcement is important when responding to cyber incidents, especially when it comes to investigating the incident and attempting to recover funds. Make sure you involve legal counsel and have a plan for engaging law enforcement in the event of a breach.

Even if your insurer hasn’t received this guidance, they are certainly aware that cyber risk, and the cost of underwriting cyber insurance, continue to increase.  With the cyber insurance market estimated to exceed $20 billion by 2025, and the risk that intermediaries – including insurers – can be liable for ransom payments made to entities sanctioned by the Office of Foreign Assets Control, business leaders should expect that their insurers will be more closely scrutinizing their cyber security plans and controls. Rebuilding encrypted systems and restoring from backup, as opposed to paying ransoms, will need to be the first plan of action.

If your organization is still struggling with the decision whether to invest more in IT security and architecture improvements or continue to rely on insurance as your cyber security plan, the guidance in the NYDFS Cyber Insurance Risk Framework merits a closer look.

While cyber insurance can be essential to helping your organization recover from a data breach, it should not take the place of a strong cyber security program.  At minimum your cyber security program should include a Cyber Security Plan, Business Continuity and Disaster Recovery Plan and an Incident Response Plan. These plans should be tested, reviewed and updated at least annually, preferably in conjunction with a penetration test and vulnerability assessment from a qualified third party.

If you have any questions or would like any additional information about the topics raised in this post, please contact Hunter Ferguson, Jeff Jones or Jon Washburn.

Portland’s New Facial Recognition Ban Increases Litigation Risk, Creates Uncertainty

Is your business using or thinking of using facial recognition technology for activities in Portland, Oregon? Think again.

That’s the message to businesses operating in Portland in a new ordinance that broadly bans the use of facial recognition technology in the city, subject to certain exceptions. The ordinance, which took effect January 1, 2021, restricts private businesses from using automated or semi-automated processes to identify an individual by comparing an image of a person captured through a camera with images of multiple individuals in a database. Due to the expansive language contained in the final version of the ordinance, routine business practices used to support or improve operations are no longer permitted. For example, retailers may have previously used software that compares surveillance video images of individuals as they enter a store with a cloud-based photo database to identify suspected shoplifters. The ordinance now prohibits use of this software.

The law also has teeth. It creates a private right of action, statutory damages of $1,000 per day for each violation, and allows for recovery of attorneys’ fees. Similar to other biometric privacy laws, this ordinance has the potential to trigger a wave of costly class action litigation and upend business operations. This ordinance creates significant risk with use of facial recognition technology, and organizations should proceed with this awareness. The law also raises numerous unanswered questions, as noted below.

Digital Transformation – Cybersecurity Lessons from Recent Lawsuits

Digital transformation,[1] the process of leveraging technology, people and processes to innovate, requires an “all-in, ongoing commitment to improvement.”[2] But the main drivers of digital transformation – data and profits – don’t always mesh seamlessly.

As shown by recent class actions filed against Blackbaud and Morgan Stanley, and a settlement with the New York Attorney General by Dunkin’ Brands, digital transformation has numerous cybersecurity issues that present legal obligations and potential liability.

Blackbaud

In May, Blackbaud, Inc., a company that provides cloud software services to thousands of non-profits including hospitals, suffered a ransomware attack.[3]  In July, it began informing its users of the attack, many of whom used Blackbaud to process personal and sensitive information.

On August 12, the first of many lawsuits was filed against Blackbaud.  Among the allegations in the lawsuit, Blackbaud is accused of failing to properly monitor its computer network and systems, failing to implement policies to secure communications, and failing to train employees.

The five years prior to the attack are telling.  In that timeframe, Blackbaud underwent a digital transformation that involved acquiring numerous other software platforms including a predictive modeling platform, and a software provider focused solely on corporate giving.

Since the ransomware attack, Blackbaud has published cybersecurity improvements that support adherence to industry standards for incident management, employee training, systems and network testing, risk assessments, application security, encryption, and end-user authentication.[4]

Digital Transformation – Regulator Issues $80 Million Penalty for Not Doing It Right

Digital transformation refers to the process of leveraging technology, people and processes to innovate or stay competitive.  The main driver of this process is often data.  For a vivid illustration see Data Never Sleeps, an infographic released by Domo, a leading business analytics company.

While executing digital transformation the right way can lead to great success (think Google, Facebook, and Amazon), overlooking pitfalls associated with potential legal obligations – most notably, cybersecurity and data privacy – can have the opposite effect, harming an organization’s reputation and its balance sheet.

On August 6, 2020, the Office of the Comptroller of the Currency (“OCC”) assessed an $80 million penalty against bank Capital One for what it determined was a failure to implement effective cybersecurity prior to migrating information technology to the cloud.  This failure was exposed in July 2019 when Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.

Why This Penalty Is Important

While $80 million may not be a significant hit to Capital One’s balance sheet, the accompanying consent order is notable for pointing out the bank’s failure to

[E]stablish appropriate risk management for the cloud operating environment, including appropriate design and implementation of certain network security controls, adequate data loss prevention controls, and effective dispositioning of alerts.

The OCC also highlighted the bank’s failure to “identify numerous control weaknesses and gaps in the cloud operating environment” and the bank’s failure to correct the deficiencies in a timely manner.

The OCC then singled out the Board of Directors for failing “to take effective actions to hold management accountable, particularly in addressing concerns regarding certain internal control gaps and weaknesses.”  This focus on a board’s knowledge of cybersecurity issues is not new.  The Federal Trade Commission (“FTC”) focused on this last year. 

Maintain a Strong Risk Management Program

Last year, the FTC also mandated that as an industry standard, organizations that collect and handle consumer data must implement a comprehensive written information security program. The OCC seems to agree, requiring Capital One to implement a risk management program that at least includes:

  1. A continuous risk management process that helps identify “reasonably foreseeable internal and external threats” to the confidentiality, integrity and availability of information assets and systems.
  2. The right framework for determining the likelihood and potential impact of one of these threats on the information being protected.
  3. Reasonable policies and procedures and adequate technical controls to address these risks.

What Organizations Should Do

Before, during, and after any aspect of digital transformation, organizations should consider doing the following:

  1. Obtaining the support of executive leadership to ensure that risk management is a priority for your organization.
  2. Adopting an established framework such as the NIST RMF, COSO ERM or the ISO 31000 standard.
  3. Maintaining a Risk Register and revisiting risk treatment on a regular basis – not just once a year – to ensure your organization is mitigating risk to an acceptable level.

Even if you are a novice, any reasonable effort to identify, assess, treat and monitor risks to your organization should result in heightened awareness of threats and an improvement in policies, processes, and controls.

As for migrating information technology operations to the cloud, this digital transformation process is not just for sophisticated banks.  A day after the OCC assessed its $80 million penalty, Utah Governor Gary R. Herbert announced a statewide initiative to train and certify 5000 residents in cloud computing.

If you have any questions about cybersecurity and data privacy legal obligations that your organization should be considering in connection with its digital transformation processes, please reach out to Romaine Marshall, Jon Washburn, or Jose Abarca.

Securing Online Shopping has Never Been More Important

In the wake of the COVID-19 pandemic, more consumers than ever before are shopping online – and they’re not likely to be very forgiving to any retailer that breaches their personal information. According to this recent survey from payment solutions provider PCIPal, 64% of people in the US would avoid a business following a COVID-19 related breach, and 17% would never return. While I imagine this sentiment would apply to any breach of personal information and not just one related to the current crisis, these numbers are a sharp step up from the estimated average customer turnover rate of 3.9% in last year’s 2019 IBM/Ponemon Cost of a Data Breach Report. While it’s just one survey, the significant increase in expected customer turnover rate in such a short time-period may represent a rapidly diminishing level of tolerance for websites that leak valuable personal information.

In order to remain in business, many retailers had to rush to upgrade their online presence in order to compensate for store closures and reduced foot traffic in locations that were able to remain open; or for the more fortunate retailers, to simply manage an unprecedented increase in online purchasing. As we balance security risk against the need to maintain the health of the business, it would not be surprising if ‘speed to market’ concerns took priority over rigorous application security review in some of these instances – after all, a strong cybersecurity program is meaningless if there’s no organization left to protect. Nevertheless, it is still critical to complete the cycle of secure software development and thoroughly test any changes and integration of new solutions to verify they are secure.

If you are a retailer that has had to prioritize retooling your online presence over everything else, please be sure to circle back around and undertake these important tasks:

  • Conduct a code review that focuses on verifying that your site is not vulnerable to web application security risks, such as those included in the OWASP Top 10
  • Validate that any integration of new technology – such as payment processing, customer experience or even anti-fraud solutions – is still properly managing personal information in line with your security and privacy policies
  • If you don’t already offer it, consider offering two-factor authentication to your online customers
  • Confirm your web servers are still using strong security certificates and aren’t allowing weak protocols.  You can check this for free at ssllabs.com
  • Ensure everything is still running using the Principle of Least Privilege

Coast to Coast and Back Again – Cybersecurity and Data Privacy Rules

March 2020 will long be remembered as the month and year of en masse shutdowns.  But the pandemic has done little if anything to slow new cybersecurity and data privacy laws.  As highlighted below, regulations for one have been submitted (CA), another has gone into effect (NY), and yet another has been proposed (CA).

California Consumer Privacy Act (“CCPA”) Gets Confirmed by State Attorney General

After nine months, a lot of public input, and three proposed drafts, the regulations for enforcement of the CCPA have been submitted for approval.  The final text of the regulations demonstrates how granular enforcement could be.  Here are five examples:

  1. A business’s required privacy policy must include the date it was last updated.
  2. A business must provide at least two methods for consumers to send requests for deletion of their information.
  3. A service provider can retain, use, or disclose information in certain circumstances, such as to detect security incidents even after a deletion request.
  4. A business must confirm within 10 days that it has received a request to know what it has collected from consumers.
  5. A business must have a documented policy for verifying the identity of a person making a request related to their personal information.


Court Orders Disclosure of Capital One’s Incident Report

Last July, Capital One announced that an outside individual gained unauthorized access to information belonging to 100 million individuals in the United States and approximately six million in Canada.[1]  Within days, lawsuits were filed nationwide asserting an assortment of claims relating to the data breach.

Last week, in a class action filed in Virginia, a federal magistrate ordered Capital One to provide its incident report for the data breach to counsel for the plaintiffs. Capital One had contended that the report is protected attorney work product and that it therefore should not have to produce it. The Virginia court disagreed, for reasons that are instructive.

When an Incident Report Is Not Attorney Work Product

Since 2015, Capital One had retained Mandiant to provide various cybersecurity services.  The data breach occurred in March 2019, but it was not confirmed until July 19 of that year.  A day later Capital One retained outside counsel which then retained Mandiant to assist with its investigation on July 24.  Then, on July 29 the public was notified about the data breach.

The issue the court decided last week was whether the Mandiant incident report was privileged and therefore protected from disclosure by the work product doctrine.[2]  This doctrine generally preserves the privacy of attorneys’ case materials, but it has limits.  To guide its decision in Capital One the court stated:

In order to be entitled to protection, a document must be prepared “because of” the prospect of litigation and the court must determine “the driving force behind the preparation of each requested document” in resolving a work product immunity question.[3]

Applying this standard, the court believed the incident report would have been prepared anyway even if the data breach had not occurred and determined that it needed to be disclosed. In reaching this conclusion, after “considering the totality of the circumstances,” the court found these facts compelling:

Is Your Incident Response Plan Ready for Novel Computer Viruses?

A “novel” virus is one that has not been previously identified, according to the Centers for Disease Control and Prevention.[1] In 2000, the ILOVEYOU virus became a global pandemic for data systems, much like the COVID-19 virus that was officially named on February 11, 2020. Within days, millions of computers were infected as the virus compromised files and caused widespread email outages. The virus appeared in inboxes as fake messages with infected attachments:

Since then, scores of novel viruses have been deployed as destructive malware. The ILOVEYOU virus, MyDoom worm, Sobig spam, and WannaCry ransomware alone are said to be responsible for $95 billion in financial damages. As a result, anti-virus software has become a multi-billion-dollar, must-have computer program, and cybersecurity has become a multidisciplinary industry fighting an evolving threatscape.

Working from Home? Here are 12 Steps to Reduce Data Privacy and Security Risk

Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of uncertain and sometimes chaotic circumstances.

Below is a checklist of fundamental measures businesses and employees should implement to mitigate the data privacy and security risks associated with working remotely. Most of these measures require an investment of time, not money, through adoption of sound policies and behavior adjustment. You can maintain good privacy and security as we respond to COVID-19. Here’s how:

  1. Turn on Multi-Factor Authentication Immediately. Implement MFA to ensure no unauthorized party is remotely accessing the company’s networks or user accounts. The popular Microsoft Office 365 service includes MFA for free.
  2. Develop and Follow Sound Data and Funds Transfer Procedures. Implement two-step verification for wire transfers or other transfers of data. For example, if you get an email with an invoice, verify the request by placing a phone call to a known individual (not just a number in the email) to confirm and obtain authorization. Work with business partners to send and receive test transfer payments of small amounts (a few cents or a dollar) before transferring substantial sums.
  3. Maintain Confidentiality. Employees should be instructed that confidential conversations should take place in private and relatively secluded areas. Such conversations should not occur within range of virtual assistants or other IoT listening devices. For example, the Office of Civil Rights for the Department of Health and Human Services has relaxed certain rules to make it easier to use technology to facilitate remote services, but requirements of privacy and security must still be met.
  4. Use Secure Workspaces. Employees should have a secure workspace with reliable connectivity. Remote workspaces should be secure from eavesdropping. Employees should not leave work computers unattended to reduce the risk of theft, and unsecured (“public”) wireless networks should be avoided, such as free wi-fi at coffee shops. If there is no other option, ensure employees are trained to first connect using their VPN client before doing anything else.
  5. Distribute Tech Support Contact Info. Employees should readily have access to company IT policies, procedures, and contact information of critical IT personnel to whom security incidents can be reported and who can assist with technical issues.
  6. Avoid Storing Data Locally. Employees should avoid saving data locally on their computers and should instead use company-approved network and cloud storage locations – the ones your company backs up regularly – as much as possible. For convenience and perceived efficiency, employees might be tempted to save data locally or on machines that are not business-issued devices. Remote workers and businesses should resist this temptation as much as possible and adjust expectations and deliverable timing to promote sound practices as we adjust to new realities.
  7. Make Sure You Have Appropriate Insurance. Companies should review the scope of their insurance policies and coverage limitations to ensure their policies cover incidents stemming from employees working remotely.
  8. Stay Connected While Staying Distant. Companies should adopt and implement policies for supervising remote employees, such as instituting frequent team calls to facilitate transparent communication, encouraging employees to report security incidents and risks, learning from experience, and providing tips and training for secure work from home.
  9. Don’t Get Hooked – Beware of Phishing Attacks. When employees receive emails or other electronic communication, they should be trained to identify potential phishing emails. Specifically, employees should be educated and reminded to (1) verify that the sender’s email address matches the address of a known contact (especially on mobile devices, select the sender to see the real address); (2) hover over any link before clicking it to identify the destination; (3) be wary of emails that are unusually brief, unexpected, or out of character; and (4) refrain from opening suspicious attachments. If a seemingly normal email or communication is from an unverifiable or suspicious sender, then employees must be trained to report such phishing incidents to the company. Taking these precautions can reduce the effectiveness of phishing attacks.
  10. Minimize Printing Confidential Information. Employees should not print confidential information, including protected health information, at home. If such information must be printed, then the paper copies of such information should be properly secured until they are properly disposed – for example, by using a level P-4 or better cross-cut shredder.
  11. Use Appropriate Encryption. Employees should not share protected health information or other types of information requiring elevated protection via email or other unsecured modes of electronic transmission. Such information should be shared only by using transmission technology that provides guaranteed end-to-end encryption.
  12. Share These Tips and Other Useful Insight. Share this announcement and other resources discussing data privacy and security measures with all employees, team members, business partners, clients, customers, suppliers, vendors, etc. We are all in this together!
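Step 9 above asks employees to check two things by hand: that the sender’s real address matches the known contact behind the display name, and that a link’s visible text matches where it actually points. Those same two checks can be automated at the mail gateway or in a reporting workflow. The script below is an added example for this post, not code from the original or from any product; the address book, the two messages and the `triage_email` function are all constructed for the demonstration.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed address book (not real contacts): display name -> the only address it should use.
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@example.com",
    "Accounts Payable": "ap@example.com",
}
TRUSTED_DOMAINS = {addr.rsplit("@", 1)[1] for addr in KNOWN_CONTACTS.values()}

# Constructed messages for the demonstration (not real mail). The first one uses a known
# display name on a look-alike domain and a link whose text and target disagree.
PHISHING_SAMPLE = (
    "From: Jane Doe <jane.doe@example-invoices.test>\n"
    "To: staff@example.com\n"
    "Subject: Overdue invoice - action required\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><p>Please pay today: <a href="http://198.51.100.7/pay">'
    "https://portal.example.com/invoice/4471</a></p></body></html>\n"
)
LEGITIMATE_SAMPLE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: staff@example.com\n"
    "Subject: Invoice 4471\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><p>Invoice attached, see <a href="https://portal.example.com/invoice/4471">'
    "https://portal.example.com/invoice/4471</a>.</p></body></html>\n"
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, text] while inside an <a> ... </a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def triage_email(raw_message: str):
    """Return a list of (code, detail) findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = email.utils.parseaddr(str(msg["From"] or ""))
    findings = []

    # Check 1: the display name belongs to a known contact but the address is different.
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and expected.lower() != address.lower():
        findings.append(("display-name-mismatch",
                         f"'{display_name}' is known as {expected}, but this message is from {address}"))

    # Check 2: the sending domain is not one we recognise at all.
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if sender_domain not in TRUSTED_DOMAINS:
        findings.append(("unknown-sender-domain", f"sender domain '{sender_domain}' is not trusted"))

    # Check 3: a link whose visible text is a URL on one host but whose target is another host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown_host = urlparse(text).hostname if text.lower().startswith(("http://", "https://")) else None
            real_host = urlparse(href).hostname
            if shown_host and real_host and shown_host != real_host:
                findings.append(("link-text-mismatch", f"link reads {text} but points to {href}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, triage_email(sample) or "no findings")
```

The checks are deliberately the same ones the post asks people to perform, so a reported message can be annotated with exactly what the employee should have noticed; in a real deployment the address book comes from the directory and the domain list includes legitimate third-party senders, otherwise the second check produces noise.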

Stoel Rives’ Privacy and Data Security team is prepared to address your COVID-19 related or other data privacy and security questions and concerns. If you have any questions, please ask your primary Stoel Rives contact or reach out to Hunter Ferguson at 206.386.7514 or hunter.ferguson@stoel.com for more information.

Soon, All Ransomware Attacks May Be Data Breaches

As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has been released when the victim doesn’t pay up. If this becomes the norm – and it looks like it will – victims will need to consider all ransomware attacks as possible data breaches.

Ever since the Maze ransomware operators realized they could increase the odds of collecting the ransom by leaking data, many other ransomware groups have started following suit. In the latest variant seen using this tactic, the attackers essentially guarantee they can decrypt the files if you pay (with proof provided on two random files). But at that point, the data has already been stolen.

While the attackers will only steal a segment of the data they encrypt – a few GB, random emails, etc. – the victim will likely have no idea which portion of the encrypted files was stolen and will have to treat all data that was accessed as “breached”, unless it can establish that there is a reasonably low risk that particular data was extracted.

As security professionals we strive to prevent the attackers from compromising our organizations in the first place.  But in the event they are successful, following is a sample of additional controls that can be implemented to better detect data exfiltration:

  • Content filters: filters on outgoing traffic can be configured with white-listing/black-listing rules to restrict traffic to known bad (by reputation or by content) sites/IP addresses. They can watch common exfiltration channels such as DNS tunneling, FTP and HTTP and can be configured to alert on and/or automatically stop unusual patterns of data transfer. Content filtering is offered as a standalone service, but it is also a feature included with many secure gateway solutions.
  • SIEM: Security Information and Event Management solutions act as centralized collectors of logs from multiple sources. Consider deploying a SIEM inside your organization and feeding it as many logs as are useful. In order to get the value out of a log collection/analysis solution it must be monitored 24/7/365 by qualified personnel.  Unless your organization is large enough to employ its own security team, consider a managed solution from a reputable service provider.
  • Endpoint Detection and Response (EDR) solutions: These solutions are designed to stop attackers in the first place, but they also alert on potentially malicious activity with continuous monitoring. For example, if your EDR solution lights up because it sees a number of nodes being hit with Emotet – a malware precursor to a ransomware attack that generally steals credentials, but can also steal email – you could be under attack, and should check all endpoints to confirm you don’t have one that might be leaking data (like the “road warrior” salesperson whose laptop is rarely on the network, and always seems to be behind a little on updates…)
  • Deep Packet Inspection (DPI) and Watermarking: For the more advanced organizations out there, you can embed a watermark or ‘digital signature’ that can alert a packet-inspection solution that certain files are being sent out of the organization. In order for this to have value you’d want to be selective and/or have various different watermark labels (for example “internal confidential”, “PII”, etc.) and ensure your watermarks are “permanent.”
  • Honeytokens: a honeytoken applies the honeypot concept to a single artifact, such as a URL. You can implement honeytokens for free at https://canarytokens.org; some cool tricks for using them in a honeyfile (a file that appears to be highly valuable but is in fact deceptive bait), databases, links and other traps can be found here. While honeypots, honeyfiles and honeytokens are primarily an intrusion detection tool, if the target can be accessed then it – and anything else at that access level or in that container – can likely also be exfiltrated.
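The content-filter bullet names DNS tunneling as a channel to watch, and the SIEM bullet says the value is in analysing the collected logs. The script below is an added example for this post (not code from the original or from any SIEM product) of the kind of rule a SIEM or log pipeline can run over DNS query logs to surface that channel: it groups queries by client and registered domain and flags pairs where the left-most labels are numerous and look like encoded data (high Shannon entropy) or are unusually long. The log lines, thresholds and function names are constructed for the demonstration; the two-label "registered domain" rule is a simplification and a real deployment would use the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log for this demonstration (not real traffic).
# Format: "timestamp client qtype qname". Host 10.0.0.31 sends queries whose
# left-most label is long, high-entropy encoded data, the signature of a DNS tunnel.
SAMPLE_DNS_LOG = [
    "2021-03-01T10:00:01Z 10.0.0.12 A www.example.com",
    "2021-03-01T10:00:02Z 10.0.0.12 A mail.example.com",
    "2021-03-01T10:00:03Z 10.0.0.12 A cdn.example.com",
    "2021-03-01T10:00:04Z 10.0.0.12 A api.example.com",
    "2021-03-01T10:00:05Z 10.0.0.12 A login.example.com",
    "2021-03-01T10:00:06Z 10.0.0.31 A www.example.com",
    "2021-03-01T10:00:07Z 10.0.0.31 TXT a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.exfil-demo.test",
    "2021-03-01T10:00:08Z 10.0.0.31 TXT q7r8s9t0u1v2w3x4y5z6a7b8c9d0e1f2.exfil-demo.test",
    "2021-03-01T10:00:09Z 10.0.0.31 TXT g3h4i5j6k7l8m9n0o1p2q3r4s5t6u7v8.exfil-demo.test",
    "2021-03-01T10:00:10Z 10.0.0.31 TXT w9x0y1z2a3b4c5d6e7f8g9h0i1j2k3l4.exfil-demo.test",
    "2021-03-01T10:00:11Z 10.0.0.31 TXT m5n6o7p8q9r0s1t2u3v4w5x6y7z8a9b0.exfil-demo.test",
    "2021-03-01T10:00:12Z 10.0.0.31 TXT c1d2e3f4g5h6i7j8k9l0m1n2o3p4q5r6.exfil-demo.test",
    "2021-03-01T10:00:13Z 10.0.0.40 A odd-host.partner-demo.test",
    "2021-03-01T10:00:14Z 10.0.0.40 A other-host.partner-demo.test",
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded payloads score far higher than host names."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (left-most label, registered domain) or None when there is no subdomain.

    Simplification: the registered domain is taken to be the last two labels.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one constructed log line into (client, qtype, qname)."""
    _timestamp, client, qtype, qname = line.split()
    return client, qtype, qname


def profile_queries(lines):
    """Group the distinct left-most labels seen per (client, registered domain)."""
    labels_by_pair = defaultdict(set)
    for line in lines:
        client, _qtype, qname = parse_line(line)
        parts = split_qname(qname)
        if parts is None:
            continue
        label, domain = parts
        labels_by_pair[(client, domain)].add(label)
    return labels_by_pair


def detect_tunneling(lines, min_queries=5, min_entropy=3.5, max_label=40):
    """Alert on (client, domain) pairs with many distinct, data-like subdomain labels.

    Thresholds are illustrative; tune them against your own baseline, since CDNs and
    some telemetry services legitimately produce many distinct but low-entropy labels.
    """
    alerts = []
    for (client, domain), labels in profile_queries(lines).items():
        if len(labels) < min_queries:
            continue
        mean_entropy = sum(map(shannon_entropy, labels)) / len(labels)
        mean_len = sum(map(len, labels)) / len(labels)
        reasons = []
        if mean_entropy >= min_entropy:
            reasons.append(f"mean label entropy {mean_entropy:.2f} >= {min_entropy}")
        if mean_len >= max_label:
            reasons.append(f"mean label length {mean_len:.0f} >= {max_label}")
        if reasons:
            alerts.append({"client": client, "domain": domain, "unique_subdomains": len(labels),
                           "mean_entropy": mean_entropy, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_tunneling(SAMPLE_DNS_LOG):
        print(alert["client"], alert["domain"], alert["unique_subdomains"], "; ".join(alert["reasons"]))
```

Run against the sample it raises one alert, for 10.0.0.31 and exfil-demo.test; the ordinary lookups from 10.0.0.12 are below the entropy threshold, and the two queries from 10.0.0.40 are below the minimum count. The same grouping can be extended with the ratio of TXT/NULL queries and total bytes per domain per hour, which are the other classic tunnelling indicators.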

In addition to these controls, as noted in this blog post last month, organizations that fall victim to ransomware should engage experienced outside counsel to commence an internal investigation and to:

  • Retain technical consultants to engage with the threat actors as necessary, determine what data was exfiltrated, manage the decryption process, recover and remediate impacted systems, and eliminate the risk of reinfection.
  • Leverage relationships with law enforcement to cross-reference elements of the ransomware with databases and obtain helpful information.
  • Work with insurers to determine whether and how coverage applies (i.e., cyber risk, kidnap and ransom, cyber extortion, or various other cybercrime policies).
  • Establish separate lines of communication for key personnel in case normal lines of communication are compromised during negotiation, decryption and/or recovery phases.
  • Provide advice relating to what, if any, legal obligations have been triggered by the exfiltration of data and the deployment of ransomware.