Category Archives: Network Security

NJDC Affirms FTC Regulatory Power Regarding Data Security Practices

Judge Esther Salas of the United States District Court of New Jersey ruled today that a Section 5 action brought by the FTC was sustainable against Wyndham Worldwide Corporation (“Wyndham Worldwide”) as well as various corporate affiliates primarily involved in the franchise side of its business.  This decision re-affirmed the FTC’s power to regulate “unfair trade practices” based on companies’ failed data security.  Judge Salas denied a motion to dismiss an FTC action based on the alleged violation of both the deception and unfairness prongs of Section 5(a) “in connection with Defendants’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”  Wyndham Worldwide also sought to dismiss the action on the ground that the consumer representations made by some corporate affiliates were not intended to apply to all corporate affiliates.

In what Wyndham Worldwide considered a matter of first impression, the Court rejected Wyndham Worldwide’s position that the FTC does not have authority to bring an unfairness claim involving lax data security.  Another allegedly unique aspect of this case turns on the fact the corporate affiliate who initially sustained the data incident and also made most of the representations in question (Wyndham Hotels and Resorts, LLC) was able to implicate its corporate parent.

This decision is a rare judicial affirmation of the FTC’s broad power to assert itself in the data protection activities of companies. Typically, the FTC simply obtains consent as a byproduct of a settlement agreement.  Hacked companies routinely acknowledge the FTC’s power in this regard.

Although this decision merely resolves a motion to dismiss, leaving liability issues unresolved, privacy practitioners who deal with the FTC should review Judge Salas’ opinion and continue to track this matter.  Given the hard public positions taken by Wyndham and the FTC, this case may very well end up in the Third Circuit or even the Supreme Court, eventually leading to an appellate court defining the exact contours of the FTC’s authority to regulate hacked companies.

October is National Cyber Security Awareness Month

National Cyber Security Awareness Month is being sponsored by the Department of Homeland Security as well as the National Cyber Security Alliance and the Multi-State Information Sharing and Analysis Center.  In a Presidential Proclamation, President Obama called “upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and trainings that will enhance our national security and resilience.”  Many of the same corporations and universities who promote Privacy Day in January also promote NCSAM in October.

According to the FBI, since the first NCSAM was celebrated nine years ago the network security threat has continued to grow even more complex and sophisticated — “Just 12 days ago, in fact, FBI Director Robert Mueller said that ‘cyber security may well become our highest priority in the years to come.'”

There is no denying the obvious good in promoting security awareness and diligence.  It is hoped, however, that a month devoted to “cyber security awareness” does not inadvertently dilute the more important message that security diligence is something that should be practiced every day of the year.  On the other hand, to the extent NCSAM’s “Stop.Think.Connect.” message touches even one small business owner in Des Moines and makes her less likely to fall victim to a phishing attack in the future, NCSAM will be a success.

Third Circuit Agrees Standing is Lacking in Breach Case

The United States Court of Appeals for the Third Circuit, in Reilly v. Ceridian Corporation, 2011 U.S. App. LEXIS 24561, 3 (3d Cir., December 12, 2011), found that “allegations of an increased risk of identity theft resulting from a security breach” were insufficient to secure Article III standing.  In so doing, the court affirmed the dismissal of claims brought by former employees of a NJ law firm after the firm’s payroll processor was breached.

Recognizing that “a number of courts have had occasion to decide whether the ‘risk of future harm’ posed by data security breaches confers standing on persons whose information may have been accessed”, the Third Circuit sided with those courts finding that plaintiffs lack standing because the harm caused is too speculative.   Specifically, the court did not consider an intrusion that penetrated a firewall and potentially allowed access to employee payroll data sufficient to meet the Article III requirement of an “actual or imminent” injury.  No misuse was alleged so no harm was found.

As well, the Third Circuit rejected the notion that time and money spent monitoring financial information conferred standing on the plaintiffs.  Id. at 5 (“That a plaintiff has willingly incurred costs to protect against an alleged increased risk of identity theft is not enough to demonstrate a ‘concrete and particularized’ or ‘actual or imminent’ injury.”).  See also In re Michaels Stores PIN Pad Litigation, Slip Op. at 14 (N.D. Ill. November 23, 2011) (reasoning that “individuals cannot create standing by voluntarily incurring costs in response to a defendant’s act.  Accordingly, Plaintiffs cannot rely on the increased risk of identity theft or the costs of credit monitoring services to satisfy the ICFA’s injury requirement.”).

The Third Circuit’s decision stands in sharp contrast to those decisions that stretched hard to find a cognizable harm sufficient to trigger constitutional standing as well as a recent ruling from the First Circuit reversing a dismissal because costs associated with credit card reissuance fees and ID theft insurance were deemed sufficient to constitute an injury.

There is now a growing body of law that has sprung from public data breaches and that can be used by either side of the class action table.  The key metric will be how such decisions can be tooled by plaintiffs’ counsel to defer dismissal.  Given the potential use of cy pres settlements, defense counsel need to cut off the discovery beast before it grows out of control and gives rise to such settlement discussions.  All plaintiffs’ counsel needs to do is hope for a sympathetic judge before the wheel is spun.

First Circuit Rules Hannaford Damages Include ID Theft Insurance and Card Reissuance Fees

On October 20, 2011, the United States Court of Appeals for the First Circuit issued an opinion reversing a Maine District Court’s dismissal of negligence and implied contract claims against grocer Hannaford Brothers.  The underlying data breach, publicly announced on March 17, 2008 by Hannaford, led to a consolidated class action that was ultimately rejected in its entirety by the Maine District Court.  After receiving guidance from the Maine Supreme Judicial Court regarding whether time and effort alone could represent a cognizable injury (it could not), the District Court ultimately ruled that even though claims for implied contract and negligence could be alleged by the plaintiffs, because the associated damages were not cognizable in law, the action had to be dismissed.

In reversing, the First Circuit recognized that “[t]here is not a great deal of Maine law on the subject [of damages recoverable under § 919 of the Restatement (Second) of Torts].”  Accordingly, it reviewed a good deal of caselaw outside of Maine before applying § 919’s rule that “[o]ne whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened” to the specifics of this case.  Several cited cases found such mitigation damages valid even if they exceed the potential savings and are purely financial in nature.

Recognizing the Hannaford breach involved a large-scale criminal operation that already led to over 1,800 identified fraudulent charges and many banks issuing new cards, the First Circuit ruled that mitigation damages in the form of ID theft insurance and credit card reissuance fees were financial losses recoverable under the negligence and implied contract claims so long as they are considered reasonable mitigation damages.   There was no remand for further factual findings on the issue.  The First Circuit simply made a determination that such damages were both foreseeable and reasonable and reversed on that basis.  Now that the consolidated complaint lives another day, the District Court may certify a class but if it does it remains to be seen how far the lower court will go in sizing the class and allowing for such mitigation damages.

Anonymous Supports September 17 Efforts

On August 23, 2011, Anonymous released a video endorsing the September 17, 2011 planned “Day of Rage” occupation of Wall Street and other financial areas around the world.   Specifically, in its video, Anonymous urges protesters on September 17th to “flood into lower Manhattan, set up tents, kitchens, peaceful barricades and occupy Wall Street for a few months … Once there, we shall incessantly repeat one simple demand in a plurality of voices.”

This endorsement might seem fairly harmless.  On the other hand, those in the financial sector are urged to take this implicit threat pretty seriously.  According to a duo of FBI agents talking today at a public briefing regarding the entry of Anonymous to the September 17th efforts, financial institutions are advised to step up their network security during the next few days.  In fact, a recent FBI crackdown on Anonymous may be tied to S17.   Given there is deliberately no leadership core within Anonymous, all that can be hoped is that on the 17th its members choose to take a day off from clicking on a computer; and instead take a relaxing train ride downtown.

Update:  September 19, 2011
As of Monday morning, the “Day of Rage” event showed no publicly reported increase in data security events.  It is estimated that several thousand attended the rally in New York City but there was not much in the way of media reporting given it was largely a peaceful event.

Update:  September 28, 2011
On September 23, 2011, the FBI’s Cyber Division issued the following informational bulletin to InfraGard members:

For situational awareness, the following message was posted online by the hacking group Anonymous:

Anonymous announces a nationwide “Day Of Vengeance” to take place in dozens of cities across the USA on Saturday – September 24, 2011 at High Noon.  In coordination with these protests across the USA on September 24th, Anonymous and other cyber liberation groups will launch a series of cyber attacks against various targets including Wall Street, Corrupt Banking Institutions – and the NYC Police Department.  We encourage the media to follow the Twitter feed @PLF2012 for ongoing reports throughout the day.

Additional public source information has identified possible targets of these attacks, to include entities in New York (state and city), public and private entities associated with the recent execution of Troy Davis in the state of Georgia, and law enforcement in general.

No further information is available at this time in regard to the specific nature, means, or potential targets of Anonymous’ plans for September 24th; however, in the past, Anonymous has engaged in distributed denial of service (DDoS) attacks, utilized SQL injection to gain unauthorized access to computer systems, conducted social engineering to gather personal identifying information, and released both personal information (i.e. “doxing”) and the contents of compromised systems (e.g. e-mail message content, passwords, etc.).

InfraGard members are encouraged to engage in information security best practices, such as using strong passwords, not reusing passwords, updating software to protect against known vulnerabilities, and ensuring that web-based applications are not at risk to attacks, such as SQL injection.

September 24, 2011 came and went without any publicly disclosed incident tied to this threat.  The hope is that the FBI’s future warnings are not ignored because these recent Anonymous warnings gained no traction.  Bottom line:  Safeguarding against SQL injection (parameterized queries, input validation and least-privilege database accounts) is sound advice with or without an Anonymous threat.
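As an added illustration of the SQL injection risk the bulletin warns about (this is example code, not part of the original post or of any FBI material), the following Python script builds a throwaway SQLite login table and runs the same three classic payloads against a query assembled by string formatting and against the bound-parameter version. The account names, passwords and payload strings are all constructed for the demonstration; a real application would also store salted password hashes and compare them in code rather than in SQL.

```python
import sqlite3

# Constructed sample accounts (not from the page). Plain strings are used
# only to keep the injection mechanics visible; never store passwords this way.
SAMPLE_USERS = [("alice", "alice-pass"), ("bob", "bob-pass")]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Vulnerable: attacker-controlled text is spliced into the SQL statement."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username: str, password: str):
    """Hardened: the statement text is fixed and the values travel as bound
    parameters, so quotes, comment markers and keywords stay plain data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def dump_vulnerable(conn, username: str, password: str) -> set:
    """Same vulnerable query, all rows returned, to show data extraction."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return {row[0] for row in conn.execute(sql).fetchall()}


# Constructed payloads. The comment in each says what the spliced SQL becomes.
COMMENT_BYPASS = "alice' --"      # username field: closes the quote, comments out the password check
TAUTOLOGY = "' OR '1'='1"         # password field: "... AND password = '' OR '1'='1'" is true for every row
UNION_DUMP = "' UNION SELECT password FROM users --"  # username field: appends every password to the result


def run_demo() -> dict:
    """Run each payload against both implementations and report what the login returns."""
    conn = make_db()
    return {
        # Vulnerable: authenticated as alice with no password at all.
        "vuln_comment_bypass": login_vulnerable(conn, COMMENT_BYPASS, "wrong"),
        # Vulnerable: asked for "nobody", but the tautology matches every row,
        # so the first account in the table (often an admin in real systems) is returned.
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY),
        # Vulnerable: UNION turns the login query into a password dump.
        "vuln_union_dump": dump_vulnerable(conn, UNION_DUMP, "wrong"),
        # Hardened: the same strings are looked up literally and match nothing.
        "hardened_comment_bypass": login_hardened(conn, COMMENT_BYPASS, "wrong"),
        "hardened_tautology": login_hardened(conn, "nobody", TAUTOLOGY),
        # Hardened: a genuine credential still works.
        "hardened_legitimate": login_hardened(conn, "alice", "alice-pass"),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome!r}")
```

The parameterized form is the fix; escaping quotes by hand is not, because every database dialect has its own set of characters and encodings that break naive escaping. Running the query under a database account that can only read the tables the application needs limits what a UNION-style dump can reach if a vulnerable query is missed.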

Update:  October 12, 2011
Although similar to the October 8-11, 1969 “Days of Rage” riots in Chicago that led to the arrest of several hundred Weathermen radicals, the current Wall Street “Days of Rage” protesters are not facing nearly as much opposition from the police or popular media.  Moreover, despite the Anonymous threat, there have been no reports of cyber incidents directly tied to this protest.  RIM, however, has faced several recent outages.  Although RIM has publicly stated that these BlackBerry blackouts were caused by a “core switch failure”, given that there is still strong BlackBerry usage in the financial sector, it will be interesting to hear in a few months’ time whether anything else contributed to these blackouts.

Update:  November 13, 2011
Much has happened since the first Day of Rage took place several months ago on Wall Street, including its morphing into a national “Occupy” movement in cities around the country.  It’s generally been tough going for these occupiers.  There have been deaths in the Occupy Oakland and Occupy Burlington protests as well as a death at the one in Salt Lake City; a tuberculosis outbreak hit Occupy Atlanta; and the starting point at Zuccotti Park near Wall Street has seen its share of viruses and STDs thin the ranks.  As for Anonymous, the general consensus is that the hype they generated yielded PR benefits to the organization even though to date they apparently have not been directly involved in any related cyber-security incident.

Ponemon Second Annual Cost of Cybercrime Study

A detailed study regarding the impact of cybercrime on corporations was recently released by the Ponemon Institute.  According to the Second Annual Cost of Cyber Crime Study, the median annualized cost of cybercrime incurred by a benchmark sampling of organizations was $5.9 million per year, with a range of $1.5 million to $36.5 million each year per organization.  This was an increase of 56 percent from the median cost reported in the inaugural study.

According to this Ponemon deep dive of organizations who have sustained incidents of cybercrime, more than 90 percent of all cybercrime costs were caused by malicious code, stolen devices and web-based attacks.  During a four week period, the organizations surveyed by the Ponemon Institute experienced 72 successful attacks per week, an increase of nearly 45 percent from last year.  Interestingly, according to a recent study by Webroot Research, cybercrime on social networks also continues to increase — with the number of US-based users who have experienced attacks on social networks growing from 8% in 2009 to 13% in 2010 to 18% in 2011.

Smaller-sized organizations were found by Ponemon to incur a significantly higher per capita cost than larger-sized organizations ($1,088 versus $284).  This may be because smaller organizations do not readily negotiate much off of vendor rack rates, another reason to evaluate network security and privacy insurance as well as working with a law firm that has significant experience in dealing with breaches.

According to this Ponemon survey, the average time to resolve a cyber attack is 18 days, with an average cost to participating organizations of $415,748 over this 18 day period.  Interestingly, this represents a 67 percent increase from last year’s estimated average cost of $247,744, which took place over a 14 day period. Results of the study show that malicious insider attacks can take more than 45 days on average to contain.

On September 14, 2011, New York Metro InfraGard and Coalfire are co-sponsoring a New York City event that will feature Dr. Larry Ponemon speaking on the Ponemon Institute’s Cost of Cybercrime Study.  For details on this event, visit the InfraGard site or registration site.

Betterley Report on Cyber Insurance is Now Available

The highly-anticipated annual Betterley Report on cyber insurance was released right before the 4th of July holiday weekend.  In the free summary of the issue, there is mention of the 29 insurers now providing some form of network security and privacy insurance.  Betterley projects the existing market to be in the $800 million range — which would make it probably the fastest growing insurance product in the current soft insurance market.

In the free summary there is also an article written regarding cloud exposures and how such exposures may impact coverage under a network security and privacy policy.  As recently reported in the Wall Street Journal, a World Economic Forum report found “that 90% of suppliers and users of cloud services consider privacy risks to be a ‘very serious’ impediment to widespread cloud adoption.”  Given this concern, having the right privacy insurance in place becomes that much more important.

Defense Contractors May Be Impacted by RSA Breach

On the heels of the breach that potentially exposed the secrets behind RSA’s SecurID tokens, the same tokens used every day by employees worldwide to access their corporate VPNs, a defense contractor acknowledged on May 27, 2011 that its network may have been compromised as an indirect result of the RSA breach.  As reported by Reuters, Bloomberg, and the New York Times, the defense contractor “detected an intruder trying to break into its networks last Sunday. It shut down much of its remote access and has been providing new tokens and passwords to many workers.”

It is still not certain whether the two breaches are related, but it is interesting to note that this story was first broken by a blogger and not the broader media.  Given that this incident may involve military information, it is likely we will never fully learn what happened.  When it comes to divulging secrets, misinformation is usually the stock in trade of the military.

What remains clear, however, is that advanced persistent threats continue to pose a long-term risk to corporate and governmental interests.  The good old days of naive hackers stumbling upon exposed databases and inadvertently helping to plug a previously unknown hole are no more.  We are now in the age where a state actor or sophisticated cyber criminal will gladly sit on a foothold for as long as it takes.  Simply put, with enough patience, a determined and sophisticated thief will eventually get whatever information a buyer may want.

[Update:  June 10, 2011]
RSA conceded that the defense contractor breaches may be related to RSA’s March breach and has offered to replace corporate SecurID fobs.  There is some supposition that a large defense bid was the catalyst leading to both the RSA breach and the subsequent defense contractor breaches.  We may never know who caused the various attacks or why.  What we do know, however, is that RSA has decided to appoint its first chief security officer.

Latest APT Victim: RSA

In what has become an annual mecca for the data security industry, thousands visit San Francisco each February to attend “RSA” — a conference named after the network security company purchased by data storage firm EMC five years ago.  This mega-conference caters to the security cognoscenti — as well as those who only profess to be.

Well, a few days ago, RSA announced it was the latest high-profile victim of an APT intrusion.  As recognized by RSA’s Executive Chairman, Art Coviello, “APT threats are becoming a significant challenge for all large corporations.”  These are the same sort of attacks that the press was quick to blame on the Chinese last year.  In fact, the Wall Street Journal reported last year that such attacks impacted over 2,400 businesses.  How exactly can a company avoid an APT, or “advanced persistent threat,” when a firm like RSA also gets hit by such criminal activity?

By way of background, an APT is less a single technique than a type of adversary: a well-resourced, patient intruder whose campaigns typically open with social engineering (once upon a time simply known as confidence or con games) and then rely on malware and quiet persistence inside the victim’s network.  RSA’s attack is more troublesome than most APT incidents given the possible repercussions to customers, as per a recent alert:

We have determined that a recent attack on RSA’s systems has resulted in certain information being extracted from RSA’s systems that relates to RSA’s SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. RSA urges immediate action.

The reason this breach is significant is that RSA customers all over the world use SecurID to protect remote access to sensitive data.  To log in to a system protected by SecurID, a user enters a PIN or traditional password together with the number displayed on the SecurID hardware token.  That tokencode changes at a fixed interval (typically every 60 seconds) and is computed from a secret seed unique to each token, a copy of which the customer’s authentication server also holds so it can check the code.  That is what makes the extracted information dangerous: anyone holding a token’s seed record, and able to match it to a user, can compute the same codes the token displays, leaving the password as the only real barrier.  That is the “reduce the effectiveness of a current two-factor authentication implementation” scenario in RSA’s alert.
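To make the seed-compromise point concrete, here is an added example (not code from the original post, and not RSA’s algorithm, which is proprietary): it uses the open RFC 6238 time-based one-time password construction as a stand-in for a hardware token, with a 60-second step to mirror the once-a-minute rotation described above. The seed store, token serial, PIN and timestamp are all constructed for the demonstration. The verifier is what a customer’s authentication server does; the forger is what someone holding a leaked copy of the seed records can do.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    The 60-second default mirrors a hardware token that rotates once a minute."""
    return hotp(secret, unix_time // step, digits)


# Constructed seed store in the shape an authentication server keeps it:
# token serial -> per-token seed plus the user's PIN. Not real token data.
SEED_DB = {
    "000123456789": {"seed": b"12345678901234567890", "pin": "4821"},
}


def verify_passcode(seed_db: dict, serial: str, pin: str, tokencode: str,
                    unix_time: int, step: int = 60, skew: int = 1) -> bool:
    """Server side. The passcode is PIN + tokencode; the code is accepted for
    the current time step or one step either side to tolerate clock drift."""
    record = seed_db.get(serial)
    if record is None or not hmac.compare_digest(record["pin"], pin):
        return False
    for delta in range(-skew, skew + 1):
        expected = totp(record["seed"], unix_time + delta * step, step)
        if hmac.compare_digest(expected, tokencode):
            return True
    return False


def forge_tokencode(leaked_seed: bytes, unix_time: int, step: int = 60) -> str:
    """Attacker side. With a copy of the seed there is nothing to guess:
    the same arithmetic the token performs yields the current code."""
    return totp(leaked_seed, unix_time, step)


def attacker_gets_in(leaked_seed_db: dict, serial: str, phished_pin: str,
                     unix_time: int) -> bool:
    """Leaked seed record plus a phished PIN: two factors reduced to one.
    Returns whether the server accepts the forged passcode."""
    code = forge_tokencode(leaked_seed_db[serial]["seed"], unix_time)
    return verify_passcode(SEED_DB, serial, phished_pin, code, unix_time)


if __name__ == "__main__":
    now = 1300000000  # constructed timestamp (March 2011)
    serial = "000123456789"
    print("user's token shows :", totp(SEED_DB[serial]["seed"], now))
    print("attacker computes  :", forge_tokencode(SEED_DB[serial]["seed"], now))
    print("server accepts     :", attacker_gets_in(SEED_DB, serial, "4821", now))
```

Without the seed, an attacker who has the PIN still faces a one-in-a-million guess per attempt inside the acceptance window, which lockout policies make impractical; with the seed, the guess is replaced by a computation. That asymmetry is why replacing the tokens (fresh seeds) rather than merely rotating passwords is the remedy once seed records are suspected to be in the wrong hands.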

Although the security community gave RSA high marks for its quick disclosure, there are obvious concerns, not the least of which is the mere fact that a firm such as RSA could be compromised in the first place.  A leading security consultant complained that the lack of information coming from the firm makes it hard for customers to know exactly what to do other than be really diligent regarding password usage.

Although exactly how RSA was compromised will likely never be made public, there are many vectors that can be exploited during a successful APT campaign.  The key factor in a successful APT intrusion is the level of trusted connection abused, whether that is an executive’s friend on Facebook or a next door neighbor’s email address.  Another important success factor is the willingness to be patient and wait for the right time to retrieve the sought-after information.  This is where there is a significant disconnect from the typical financial data hacker.  Such hackers may wait before using card data to commit a fraudulent purchase but will not likely wait to steal the compromised data.  That is why most APTs are blamed on governmental entities, who are notoriously patient when moving on a target.  Those committing APTs may come across very valuable data along the way but would never risk getting caught with it until the final target is achieved.  In other words, the APT intruder may spend months lurking in a network before any information is actually taken.  That is one of the reasons why detecting APT activity is so difficult.

For now, the way to address this very real corporate threat is not necessarily to overhaul a firm’s security posture.  The threat derives more from employee policy lapses, e.g., use of social media at a workstation and use of infected thumb drives, than it does from brute-force hacking.  Accordingly, employee training and testing that is tied to discipline and compensation is a step in the right direction.

Thinking like an intelligence agency can’t hurt.  If a senior executive does not need to know all aspects of a project, there is no need to provide her with constant email reports.   In other words, the old adage “on a need to know basis” becomes more and more important as APTs become more and more familiar to corporations.

Finally, the basic tenets of risk management should play a role in the defense against APTs, if there is even such a thing as a viable defense.  Knowing the relative value of your assets and the costs to mitigate a loss in advance of a loss are the bread and butter of risk managers.  Applying such insight in the proper measure will remove from the equation some ego-driven security initiatives, to be replaced by focused efforts aimed at the most sensitive data of an organization.  Risk managers are routinely given the task of protecting the personal assets of the chairman of the board (by, among other things, a D&O insurance placement) as well as coordinating large scale enterprise risk management initiatives.  Providing some guidance on this front should not be that much of a stretch.

OCR Gets Serious: $4.3 Million Penalty Under Privacy Rule

As shown by yesterday’s press release and this morning’s email blast, OCR is certainly eager to let the world know that it just issued a Notice of Final Determination and Notice of Proposed Determination finding that Cignet Health violated the HIPAA Privacy Rule to the tune of $4.3 million.

According to yesterday’s Associated Press news feed that blanketed the news outlets as well as fed many privacy blogs, Cignet Health “is a Christian-influenced medical service, has four locations in Prince George’s County, in southern Maryland just outside Washington.”   And, according to its website, “[t]he focus of Cignet health center is to minister to the whole person, both spiritually and physically. Our desire is to help the sick and suffering people the best way we can to the glory of God.”   Cignet Health offers health plans in Nigeria as well as Ghana and acts as “a patient-Provider advocacy alternative to other healthcare presently available in the healthcare market today.”

It is unknown whether this apparently small-scale operation is equipped to pay a $4.3 million penalty.  Frankly, it is pretty surprising that such a small healthcare player has the honor of being the very first CE on which HHS has imposed a civil money penalty (CMP) for alleged violations of the HIPAA Privacy Rule.  As well, this CMP is the first one based on the “violation categories and increased penalty amounts authorized under the Health Information Technology for Economic and Clinical Health (HITECH) Act.”  The HITECH Act has certainly seen noteworthy action given the Connecticut AG’s HITECH Act penalties against Health Net (the first time a state has used the HITECH Act to settle a data breach claim) as well as the enforcement of the HITECH Act’s public disclosure of data breaches.  Cignet Health, however, did not sustain a data breach, so the huge penalty is curious to say the least.

What exactly did Cignet Health do?  For starters, it did NOT breach the privacy rights of its patients in any traditional sense.  Unlike with the Health Net breach or the HITECH publications of breaches, this incident involved a more vanilla HIPAA violation.  According to the OCR:

In a Notice of Proposed Determination issued Oct. 20, 2010, OCR found that Cignet violated 41 patients’ rights by denying them access to their medical records when requested between September 2008 and October 2009.  These patients individually filed complaints with OCR, initiating investigations of each complaint.  The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient’s request. The CMP for these violations is $1.3 million.

During the investigations, Cignet refused to respond to OCR’s demands to produce the records.  Additionally, Cignet failed to cooperate with OCR’s investigations of the complaints and produce the records in response to OCR’s subpoena.  OCR filed a petition to enforce its subpoena in United States District Court and obtained a default judgment against Cignet on March 30, 2010.  On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means.

OCR also found that Cignet failed to cooperate with OCR’s investigations on a continuing daily basis from March 17, 2009, to April 7, 2010, and that the failure to cooperate was due to Cignet’s willful neglect to comply with the Privacy Rule.  Covered entities are required under law to cooperate with the Department’s investigations.  The CMP for these violations is $3 million.

In other words, Cignet Health failed to give 41 patients copies of their records on a timely basis and then “failed to cooperate with OCR’s investigations” after complaints were filed by these patients.   Although OCR points out in its Notice of Proposed Determination that the boxes provided to OCR by Cignet Health “also contained the medical records of approximately 4,500 individuals for whom OCR made no request or demand and for whom Cignet had no basis for the disclosure of their protected health information to OCR” this inadvertent disclosure was not the basis of the CMP.

This Cignet Health result is in contrast to the non-CMP “resolution amount” of $100,000 issued to Providence Health in 2008 for alleged HIPAA privacy violations involving unprotected backup tapes, optical disks and laptops that compromised the protected health information of more than 386,000 patients.  HHS publicly stated there was no need for a CMP given the level of cooperation given during the investigation.  Providence Health did, however, sustain significant defense costs and a corrective action plan that brought that $100,000 fee into the millions.

The lesson here is that if called upon to respond to an investigation, do it.  Based on the Cignet Health result and public statements made by OCR personnel at various privacy seminars, OCR certainly places a significant premium on what it perceives to be good faith during an investigation.  As well, be ready to smile into the camera because the OCR is obviously launching into an aggressive enforcement campaign in 2011 and beyond.   For example, the OCR email missive of February 23, 2011 includes the following appeal to potential claimants and whistleblowers:

If you believe that a person or organization covered by the Privacy and Security Rules (a “covered entity”) violated your health information privacy rights or otherwise violated the Privacy or Security Rules, you may file a complaint with OCR.  For additional information about how to file a complaint, visit OCR’s web page on filing complaints at http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

Make no mistake about it:  The OCR is HHS’s enforcement arm and is looking to knock some heads together and make some money for the boss.  And the tools, i.e., the HITECH Act and accompanying regs, are now in place to make that Sopranos moment a reality.