Privacy Shield Is not in play

On March 2, 2017, Věra Jourová – the Justice on the European Commission tasked with “Consumers and Gender Equality” recently raised a vague concern as to whether the Privacy Shield could withstand President Trump’s recent immigration executive order.  She said “If there is a significant change, we will suspend”.  This minimalist threat, however, seems more like an attempt to play up her visit to the White House in late March.

Privacy Shield is the data-transfer agreement negotiated by the United States and the European Union in February 2016 that is now relied upon by many international firms transferring and maintaining personal data between the EU and US.   Given that it was a court challenge that ultimately gave rise to Privacy Shield, it will always be subject to threat from legal action.  In fact, the ACLU and Human Rights Watch has already tried to stir the pot by sending a letter to the EU Commission after Trump’s recent executive action on immigration.  It is not clear why the American Civil Liberties Union would care about the privacy rights of those in the EU but that is left for a separate discussion.

To nip all of this in the bud, on February 22, 2017, Acting Federal Trade Commission Chairman Maureen Ohlhausen previously said that the immigration order would not in any way affect the FTC’s enforcement of the Privacy Shield given that order does not impact commercial activity.  To that end, Commissioner Jourová also previously said she was “not worried” but remained vigilant regarding the order.

There are lawyers who believe that Privacy Shield may be in play due to the President’s activities.  For example,  Aaron Tantleff of Foley & Lardner LLP is reported as saying “certain actions being taken by this administration could lead to the suspension of Privacy Shield. We may leave the EU Commission and Parliament with no choice.”  Such vague missives may be good at percolating new business but do not represent a pragmatic perspective regarding Privacy Shield’s real threat.

Given the now entrenched nature of Privacy Shield and the vested interest EU and US business interests have in its continued implementation, it appears only another judicial blow based on the lack of data security will derail it – requiring the same sort of EU court ruling based on NSA data collection that ultimately cut down the predecessor Safe Harbor rules in the first place.  Simply put, until the new Administration’s activities adversely impact the security of personal data by mass collecting data or forcing companies to compromise data security features there is not much to worry about.

Horizon settles state HIPAA claims based on lost laptops

On February 15, 2017, Horizon Healthcare Services, Inc. (“Horizon”) agreed to pay New Jersey authorities $1.1 million to resolve alleged HIPAA Privacy and Security Rule violations based on the November 2013 theft of two unencrypted laptops.  The stolen laptops compromised the privacy of 687,838 New Jersey policyholders.  This settlement comes on the heels of the Third Circuit reversing the dismissal of a putative class action filed against Horizon based on the same laptop incident.

After acknowledging that vendor moving company employees may have stolen the laptops, the Complaint recounts numerous alleged HIPAA violations.   Complaint ¶ 17, 43.  Horizon ultimately agreed by way of its consent judgment to a corrective action plan (“CAP”) and third-party audit – with $150,000 of the consent judgment as a “suspended penalty” that would be automatically vacated if the CAP was in material compliance two-years after entry of the judgment.

This costly Horizon incident provides several takeaways that never get old – encrypt all laptops and use an IT asset management plan that ensures the IT team can track all laptops with network access.   Most importantly, unlike Horizon never make any exceptions.  Complaint ¶ 23 (“As a result of the procurement of the MacBooks outside of Horizon BCBSNJ’s established process, certain MacBooks were not configured with approved encryption, data deletion and other software required by corporate policy.”).

FTC settles major IoT privacy case with smart TV maker VIZIO

On February 6, 2017, smart TV maker VIZIO entered into a stipulated Order granting injunctive relief and a monetary judgment to the FTC and New Jersey Division of Consumer Affairs.  The FTC brought its claims pursuant to Section 13(b) of the Federal Trade Commission Act, 15 U.S.C. § 53(b), and the New Jersey DCA brought claims pursuant to the New Jersey Consumer Fraud Act, N.J. Stat. Ann. § 56:8-1 et seq.  VIZIO and a subsidiary will pay $2.2 million to settle claims that the companies improperly tracked consumers’ viewing habits and sold this information without compensating viewers.  According to the Complaint filed the same day as the stipulated Order, Vizio and its subsidiary since February 2014 continuously collected viewing data on a “second-by-second” basis without any notice to the consumer.  Complaint at ¶ 14.  This action comes on the heels of the FTC’s smart TV workshop this past December.

Pursuant to the Order, all viewing data obtained by VIZIO prior to March 1, 2016 must be destroyed.  As for obtaining future viewing data, VIZIO must first prominently disclose to the consumer, separate and apart from any “privacy policy” or “terms of use” page: “(1) the types of Viewing Data that will be collected and used, (2) the types of Viewing Data that will be shared with third parties; (3) the identity or specific categories of such third parties; and (4) all purposes for Defendants’ sharing of such information.”  And, VIZIO will be able to collect such information only after the consumer affirmatively consents to such collection.

It is not entirely clear what incentive currently exists for consumers to voluntarily provide their viewing data to VIZIO given their initial smart TV purchases exist apart from any potential future relationship with VIZIO.  In other words, VIZIO really has nothing new to offer for this viewing data – it can only offer something on behalf of those who buy or broker this data.  Accordingly, VIZIO may act in the future as a new stream of commercials.  It has already been suggested that Netflix could make billions by bringing ads to its streaming offerings.

It has been reported that over half of US households use an internet-enabled television.  The VIZIO settlement with the FTC and New Jersey DCA does a great job of highlighting the peril of collecting IoT data such as TV viewing data without proper consent.  Samsung and LG faced similar pressure in 2015 but that was far from a clarion call given the lack of any hefty fine.

The VIZIO resolution may actually be more similar to the major shift brought on after CardSystems was breached over a decade ago.  CardSystems had no excuse for unsecurely maintaining track 2 data for its potential marketing purposes so that breach definitely helped promulgate the PCI data security standard.  Similarly, the VIZIO settlement may lead to more safeguards regarding the use of IoT data.  Rather than Visa or Mastercard waiting in the wings to enforce compliance we would have the FTC and state regulatory bodies.  Nevertheless, such efforts will still have to garner consumer support given the backdoor of affirmative consent that still exists even after the VIZIO resolution.  In other words, there may still have to be something in it for the consumer.

As previously suggested, it may finally be time for consumers to just be paid cash for their consumer data.

Third Circuit reinstates data breach case alleging FCRA violation

On January 20, 2017, the Third Circuit reversed the dismissal of a putative class action filed against Horizon Healthcare Services, Inc. (“Horizon”).  The suit was brought after two laptops containing personally identifiable information were stolen in 2013 from Horizon’s Newark offices.  The four named Plaintiffs filed suit on behalf of themselves and 839,000 other Horizon customers whose unencrypted personal information was stored on those laptops.  Plaintiffs alleged willful and negligent violations of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681, et seq., claiming that Horizon inadequately protected their personal information.

The District Court dismissed the suit under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing.  According to the lower Court, none of the Plaintiffs had claimed a cognizable injury because, although their personal information had been stolen, none of them had adequately alleged that the information was actually used to their detriment.

According to the Third Circuit, in light of the congressional decision to create a remedy for the unauthorized transfer of personal information, an alleged violation of FCRA gives rise to an injury sufficient for Article III standing purposes.  And, even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury. Accordingly, the Court ruled that all of the Plaintiffs suffered a cognizable injury, and the Complaint should not have been dismissed under Fed. R. Civ. P. 12(b)(1).  The fact that Horizon offered credit monitoring and identity theft protection services to those affected was not of any import to the majority or concurring opinion.

Reviewing the matter de novo, the Third Circuit first recognized that FCRA was enacted in 1970 “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” In Re: Horizon Healthcare Services Inc. Data Breach Litigation, No. 15-2309, Slip Op. at 8 (3d Cir. January 20, 2017) (citing Safeco Ins. Co. of Am. v. Burr, 551 U.S. 47, 52 (2007)). With respect to consumer privacy, the statute imposes certain requirements on any “consumer reporting agency” that “regularly … assembl[es] or evaluat[es] consumer credit information . . . for the purpose of furnishing consumer reports to third parties.” 15 U.S.C. § 1681a(f).  Id.  And, any such agency that either willfully or negligently “fails to comply with any requirement imposed under [FCRA] with respect to any consumer is liable to that consumer.” Id.  (citing 15 U.S.C. §§ 1681n(a) (willful violations); 1681o(a) (negligent violations)).  See also Id. at 27 (“But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself – whether or not the disclosure of that information increased the risk of identity theft or some other future harm.”); Id. at 29, n. 20 (“Congress has elevated the unauthorized disclosure of information into a tort. And so there is nothing speculative about the harm that Plaintiffs allege.”).

Horizon did not challenge the validity of any of the Plaintiffs’ factual claims as part of its standing motion – arguing instead that that the allegations of the Complaint, even accepted as true, are insufficient to establish the Plaintiffs’ Article III standing.  Id. at 13.  This is significant given that the Third Circuit was only hearing the standing issue and not the substantive motion to dismiss.  See Id. at 13, n. 9 (“In its 12(b)(6) motion, which is not before us, Horizon questions whether it is bound by FCRA. In particular, Horizon suggests that it is not a “consumer reporting agency” and therefore is not subject to the requirements of FCRA. . . . Because we are faced solely with an attack on standing, we do not pass judgment on the merits of those questions. Our decision should not be read as expanding a claimant’s rights under FCRA. Rather, we assume for purposes of this appeal that FCRA was violated, as alleged, and analyze standing with that assumption in mind. Likewise, our decision regarding Article III standing does not resolve whether Plaintiffs have suffered compensable damages.”) (emphasis added).

It was this alleged substantive FCRA violation – which again was assumed to exist for purposes of its standing ruling, that ultimately caused the Third Circuit to find in favor of plaintiffs.     See Id. at 22, n. 16 (“Again, whether that injury is actionable under FCRA is a different question, one which we are presently assuming (without deciding) has an affirmative answer. See supra note 9.”); Id. at 28 – 29 (“So the Plaintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information – the very injury that FCRA is intended to prevent.”) (footnotes omitted).

In reviewing the allegations found in the Complaint, the Third Circuit reasoned that the “trifle of injury” necessary to determine standing was met by virtue of the alleged FCRA violation.  Id. at 15.  Moreover, it found that its prior recent cases of In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015) and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016) reconciled with such a result.  Id. at 22 (“In light of those two rulings, our path forward in this case is plain. The Plaintiffs here have at least as strong a basis for claiming that they were injured as the plaintiffs had in Google and Nickelodeon.”).

In a strong nod to what it perceived to be the stare decisis injury-in-fact precedents rendered prior to the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), the Third Circuit reconciled that decision with the following:  “Although it is possible to read the Supreme Court’s decision in Spokeo as creating a requirement that a plaintiff show a statutory violation has caused a “material risk of harm” before he can bring suit, id. at 1550, we do not believe that the Court so intended to change the traditional standard for the establishment of standing.”  Id. at 24See also Id. at 25 (“Spokeo itself does not state that it is redefining the injury-in-fact requirement. Instead, it reemphasizes that Congress “has the power to define injuries,” 136 S. Ct. at 1549 (citation and internal quotation marks omitted), “that were previously inadequate in law.” Id.”).

In Re: Horizon Healthcare Services Inc. Data Breach Litigation is an important decision for numerous reasons – not the least of which is the fact the Third Circuit is one of the most influential circuit courts in the country.  First, notwithstanding the fact Defendant is a health insurer, in their Complaint, the Plaintiffs successfully asserted for standing purposes Horizon is also a consumer reporting agency.  This is significant given that the very first count of Plaintiffs’ Complaint claims that Horizon committed a willful violation of FCRA.  And, FCRA permits statutory damages for willful violations. See 15 U.S.C. § 1681n(a) (“Any person who willfully fails to comply with any requirement imposed under this subchapter with respect to any consumer is liable to that consumer in an amount equal to the sum of … any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000. . . .”).

In other words, counsel recognized that statutory damages are a necessary predicate to successfully pursuing a class action based on a data breach claim and that merely alleging that a company is a consumer reporting agency will now be sufficient to get in the courthouse.   Even though retail breaches may be too difficult a stretch, there is nothing stopping class counsel from branching out from health insurers.   In the future, defense counsel may be forced to simply forego the previously successful standing motions and go straight to a Fed. R. Civ. P. 12(b)(6) substantive motion.   And, given that such motions are quite difficult to win, the end result may be many more “cost of suit” settlements ranging significantly upward.

This decision may ultimately end up being more noteworthy for the concurring opinion of Judge Shwartz.   According to Judge Shwartz, there was no reason to even rely on FCRA to reverse the lower court’s decision.  According to Judge Shwartz, the mere “loss of privacy” was sufficient to demonstrate injury in fact.  See Id. at 1, n. 4 (Shwartz, J., concurring) (“Plaintiffs allege that the theft of the laptops caused a loss of privacy, which is itself an injury in fact.”).    Moreover, the lack of encryption was deemed the efficient cause of this loss.  Id. at 5, n. 4 (Shwartz, J., concurring) (“I also conclude that Plaintiffs have sufficiently alleged that the injury was traceable, in part, to the failure to encrypt the data, and am satisfied that if proven, the injury could be redressable.”).

Judge Shwartz was not persuaded that there was sufficient reconciliation with prior cases or that there was even the need to have such reconciliation based on her view of the law.  Id. at 5, n. 3  (Shwartz, J., concurring) (“My colleagues view In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), as providing a basis for Plaintiffs to assert that a violation of the FCRA, without any resulting harm, satisfies the injury-in-fact requirement.  I do not rely on the possible existence of a statutory violation as the basis for standing, and am not persuaded that these cases support that particular point.”).   As a result, Judge Shwartz’ concurring opinion will likely be heavily cited by plaintiffs in data breach cases involving unencrypted data whether or not there are any possible FCRA violations.

All in all, January 20, 2017 was a very good day for class counsel pursuing data breach litigation.

OCR’s latest expensive HIPAA lessons

On January 18, 2017, the Office for Civil Rights (OCR) announced a HIPAA settlement based on the disclosure of unsecured electronic protected health information (ePHI) by MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) stored in a USB storage device.    Simply put, a thumb drive stolen in 2011 from MAPFRE’s IT department cost it an astounding $2.2 million as a “resolution amount” in addition to a fairly onerous corrective action plan.

Apparently, the fact that MAPFRE is the U.S. subsidiary of a large “global multinational insurance company headquartered in Spain” played some role in the harsh fine.  The USB data storage device included complete names, dates of birth and Social Security numbers and impacted 2,209 individuals.   Given that MAPFRE’s lack of encryption was an adverse mitigating factor for OCR, covered entities should bite the bullet and continue to encrypt all devices touching ePHI no matter what the budget constraints.

Another recent HIPAA settlement allowed OCR to shine a light on something else of concern to HHS, namely the need to report breaches within the 60-day reporting window applicable to breaches impacting 500 or more patients.  On January 9, 2017, OCR issued a press release that says it all:  “First HIPAA enforcement action for lack of timely breach notification settles for $475,000”.  Rather than report within 60 days, Presence Health – a large health care network serving Illinois, took 104 days to report the loss of “paper-based operating room schedules, which contained the PHI of 836 individuals.”  A spokesman from Presence Health said in a statement that contact and financial information were not even compromised.

As done in the past when it came to the need for properly-worded business associate agreements, undergoing a comprehensive risk analysis, and cooperating in investigations, covered entities should be appreciate the examples made of MAPFRE and Presence Health – encrypt and timely report after a breach.

New York’s DFS provides a two-month reprieve

On December 28, 2016 – after a very public outcry from the financial community it regulates, New York’s Department of Financial Services (“DFS”) pushed to March 1, 2017 the January 1, 2017 deadline to comply with its proposed data security standards.  These security standards and related regulatory requirements – which are unique in the country, were first disclosed by DFS this past September and include a data breach reporting deadline that is a mere three days in length.

After reviewing 150 comments, the DFS doubled down on its proposed standards and only gave two more months for compliance.  As it now stands, the regulation will be officially implemented on March 1, 2017 and impacted firms will have 180 days to begin compliance – September 1, 2017.  And, by February 15, 2018, firms will be required to submit a certificate of compliance to DFS.

Despite vigorous opposition found in the submitted comments, the DFS retained several important aspects of its proposed regulations, including the three-day window to report a “cybersecurity event” – broadly defined to also include unsuccessful attempts, and the need to file annual certifications of compliance.

Another key component of these proposed regulations requires the designation of a Chief Information Security Officer.  Even though most large financial institutions already have that position filled, many firms subject to DFS jurisdiction will now have to allocate resources to either hire such an employee or reassign an existing employee to take on these new challenges.

All in all, the new DFS regulations – implementing specific security standards on New York’s largest business sector, will immediately generate significant business for those tech vendors and privacy lawyers offering gap-filling solutions that actually work.

New Jersey District Court Denies Standing in FACTA Case

On October 20, 2016, Judge William J. Martini of the District of New Jersey ruled, in Kamal v. J.Crew, that actual evidence of fraudulent credit card use was necessary before a customer could properly assert Article III standing in a suit brought under Section 113(g) of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”). Given FACTA allows statutory damages of up to $1,000 in a private cause of action based on a willful violation, FACTA has been a very popular statute for class actual counsel. For example, in 2015, LabCorp agreed to fund an $11 million settlement – nearly $200 to each class member to settle FACTA charges, which included a nationwide class of plaintiffs comprising 665,000 consumers.

Relying on the May 2016 Supreme Court ruling in Spokeo v. Robins, Judge Martini dismissed a previously-stayed FACTA class action against J.Crew. Judge Martini ruled J.Crew’s printing of ten digits of a customers’ account does not meet or create a claim meeting Article III’s concreteness requirement.

Although FACTA precludes a retailer from printing more than five digits of a credit card number on a sales receipt, Judge Martini found that printing 10 digits instead of five did not raise the risk of fraud sufficiently to create a concrete injury for “case” or “controversy” standing purposes. According to the Court, without the risk of concrete harm, the court lacks subject matter jurisdiction and has no choice but to dismiss the case given Article III of the Constitution did not allow him to hear the case.

In dismissing, the Court essentially ruled that the mere exposure of more numerals of a credit card number did not compromise plaintiff’s security sufficiently to demonstrate actual harm.  Of most significance, the Court ruled: “Congress’ role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right.” Kamal v. J.Crew at 5 – 6.  See also Kamal v. J.Crew at 3 (“Spokeo did not disturb this circuit’s standing jurisprudence. See In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262, 273 (3d Cir. 2016).”).

Other courts interpreting Spokeo have been more tenuous. For example, in Carr v. Parking Solutions, the District Court ruled: “The Supreme Court did not offer a conclusive ruling, and instead remanded Spokeo to the Ninth Circuit for further consideration of Article III’s injury-in-fact requirements.” See also Spokeo, 136 S. Ct. at 1553 (Thomas, J., concurring) (“Congress can create new private rights and authorize private plaintiffs to sue based simply on the violation of those private rights. A plaintiff seeking to vindicate a statutorily created private right need not allege actual harm beyond the invasion of that private right.”).

No one can predict whether or not Judge Martini’s ruling will stand the test of time.  What is clear, however, is that his ruling has significance with future privacy actions beyond FACTA.  As previously pointed out, FACTA could have been an important stepping stone for privacy class counsel seeking to monetize a data breach.   As it currently stands in the Third Circuit, however, statutory damages would not even be enough to get the job done for class counsel.

Google pays $5.5 million to cy pres fund

Gavel at the computer keyboard

On August 29, 2016, Google resolved yet another privacy suit – this one for $5.5 million with again nothing going to consumers.  Instead, the money will go to privacy groups agreed upon by Google and class counsel. Specifically, the list of proposed recipients of this latest cy pres fund include:

  1. Berkeley Center for Law & Technology;
  1. Berkman Center for Internet & Society at Harvard University;
  1. Center for Democracy & Technology (Privacy and Data Project);
  1. Public Counsel;
  1. Privacy Rights Clearinghouse; and
  1. Center for Internet & Society at Stanford University (Consumer Privacy Project)

As previously discussed, the cy pres method of settling privacy class actions is sought after by tech companies given such a mechanism more easily helps fund non-profit partners – organizations that more often than not push for the very policies advocated by defendants.  Given that class counsel look to resolve cases as soon as possible, the settling defendant obviously dictates the cy pres recipients.   More than likely, this latest Google settlement will obtain the necessary court approval.

Hopefully, Courts in the future take a harder look at this settlement method given the lack of direct benefit to those most impacted.

Microsoft wins data protection case before Second Circuit

Microsoft wins in Second Circuit

On the heels of a recent Third Circuit decision protecting the data collection practices of Google, the Second Circuit Court of Appeals ruled today that a U.S. law enforcement agency could not compel a provider of communications services to disclose the content of digital information stored outside the United States.

The Stored Communications Act (“SCA”) authorizes the Government to seek the contents of stored communications that are more than 180 days old, using a subpoena, court order, or warrant.  Relying on the SCA, the underlying warrant directed Microsoft “to seize and produce the contents of an e-mail account that it maintains for a customer who uses the company’s electronic communications services” after it “found probable cause to believe that the account was being used in furtherance of narcotics trafficking.” Opinion at 4 – 5.

Microsoft argued below that the issued search warrant would require an extraterritorial search and seizure of data stored in Microsoft’s data center in Ireland.  According to Microsoft, absent express authorization, statutes are presumed to have no extraterritorial effect and given the lack of such statutory authorization, the warrant should have been quashed.

On April 24, 2014, Magistrate Judge James Francis of the District Court for the Southern District of New York sided with the government, saying that the order to produce the emails stored in Ireland was “not a conventional warrant; rather, the order is a hybrid: part search warrant and part subpoena [and] It has long been the law that a subpoena requires the recipient to produce information in its possession . . . regardless of the location of that information.” Opinion at 12 – 13.  Microsoft successfully argued that given there was no such authorization, the Government could not execute a search and seizure in Ireland or otherwise force Microsoft itself to produce the data.

Given the recently implemented EU Privacy Shield, forcing U.S. service providers to turn over data stored abroad would have certainly led to new headaches for transnational corporations – which is likely why there were so many filing amicus filings in this case.   Notwithstanding the fact this case involved a narcotics case that could have benefited from the emails sought from Microsoft, the Second Circuit correctly interpreted the SCA and avoided potential turmoil for companies still looking to get solid footing for their international privacy programs.

The rise of Ransomware

Given credit card data and account information is now dirt-cheap to buy on the dark web; it no longer makes much sense for criminals to exclusively target financial information – especially since the data must also be sold after it’s stolen. Much more lucrative – and quicker to obtain, are the bitcoins deposited by ransomware victims into a thief’s account.

Welcome to the hottest cyber-criminal activity of today – ransomware.  Although ransomware such as PGPCoder has been around for a decade, this exploit only gained wide traction during the past several years. Combining the best of social engineering, e.g., well-crafted spear phishing using publicly available information, including emails of licensed professionals, with botnets usually tasked with promulgating spam, criminals have been able to re-purpose the latest Trojans for a much more lucrative job.

The most recent crop of ransomware scams have successfully targeted professionals. The Florida Bar recently warned its members these phishing exploits can use various subject lines, including “Florida Bar Complaint – Attorney Consumer Assistance Program”.   A scam email with “Lawyers and judges may now communicate through the portal” in the subject line uses information found in a June 1, 2016 Florida bar article. Preying on many lawyers’ natural tendency to help, the email asks recipients to “test the portal and give feedback.”

Florida Scam Email

During the past several weeks, Florida lawyers clicking on the masked link found in the above email notice were surprised to learn their entire computer network was held for ransom – automatically encrypted in one fell swoop by criminals half way across the world. Users only become aware of this exploit when they can no longer access their data and see a message on their screen demanding a ransom payment in exchange for a decryption key. The message also includes instructions on how to pay the ransom, usually with a widely traded anonymous digital currency such as Bitcoin or anonymous pre-paid cash vouchers such as MoneyPak and Ukash.

In the same way the IRS would never cold call you about an audit, no bar association would ever deliver a complaint simply by email.   Nevertheless, these scams succeed with a good number of professionals who are pressed for time, have computers systems that do not automatically filter executable content or simply just don’t have adequate training. Indeed, even if there is adequate training and sophisticated IT personnel running a firm’s network, law firms are never immune to hacking incidents.   This past March, it was reported by The Wall Street Journal that two blue chip firms, Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, were among a number of law firm hacking victims.  Law firms will always be vulnerable to a direct attack by a sophisticated hacker.  A panel of law enforcement specialists in 2015 put it best when they said law firms are seen as “soft, ripe targets for hackers.”

As reported by the Wisconsin Bar Association, the ABA’s Division for Bar Services has been monitoring a rise in ransomware exploits, with recent confirmations of scam emails also sent to lawyers in Alabama, Georgia, and California. The ABA has been working with the FBI to get the word out regarding ransomware – leading to state bars pushing out the message via newsletters and blog posts. In fact, the ABA has been warning lawyers for years regarding data security. Indeed, there is an argument that improved data security helps with the marketing of a law firm.

Although recent attacks have fed on a lawyer’s publicly accessible email address, these very same attacks also go after other professionals. For example, targets include hospitals – where patient information can ill afford to stay locked for a very long time.  As well, a growing number of accounting firms are falling prey to ransomware.   Ransomware is especially damaging to accounting firms given accountants hold critical financial data of clients that is often deadline-focused. Indeed, there may be significant penalties accessed against clients for untimely filings.

The threats have become more pronounced as criminals realize the benefit of redirecting resources to ransomware aimed at professionals such as lawyers and accountants. A consultant who assists accounting firms guard against ransomware attacks warned accountants last year of the polymorphic Virlock that spawns unique versions after every use so antivirus programs cannot recognize it as well as TeslaCrypt that uses file names associated with well-known online games found on a child’s computer – which can spread to other computers attached to a home network, including an office PC.

As set forth in a 2014 CERT notice, destructive and lucrative ransomware variants include: Xorist, CryptorBit, CryptoLocker, CryptoDefense, and Cryptowall. All of these exploits encrypt files on the local computer, shared network files, and removable media. Although the private decryption keys for CryptoLocker, Xorist, CryptoDefense have since become available – rendering these exploits defensible, recent ransomware variants with no available decryption keys continue to launch.  For example, in June 2015, the ABA warned about the CryptoWall ransomware exploit.  And, a March 9, 2016 blog post from the security firm TrustWave details a major botnet operator moving from spam campaigns to delivering a new ransomware exploit deploying malicious javascript – the Locky ransomware.   Kaspersky Labs also wrote about the Locky ransomware – and its successful targeting of several hospitals.   If it has not already done so, it is only a matter of time before the Locky ransomware migrates to lawyers and accountants.

 

FBI April 2016 Report

The FBI has addressed ransomware exploits for some time now – likely given it was inadvertently a participant in one such exploit. In 2012, the FBI was spoofed in a Reveton ransomware attack activated when a user visited a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law. The bogus message goes on to say that the user’s Internet address was identified by the FBI as having been associated with child pornography sites or other illegal online activity. To unlock their machines, users are required to pay a fine using the MoneyPak prepaid money card service.

According to an April 29, 2016 FBI Bulletin, the FBI saw a pronounced increase in ransomware attacks in 2015 – with a projection that it will grow a great deal more during 2016. Despite the fact it will always be easy to pay ransom given the instructions are explicit and the amount sought can be in the $400 range, the FBI doesn’t support paying a ransom in response to a ransomware attack: “Paying a ransom doesn’t guarantee an organization that it will get its data back [and] not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”

Instead, the FBI suggests the key areas to focus on with ransomware are prevention, business continuity, and remediation. Given that ransomware techniques are rapidly evolving, business recovery and continuity become even more crucial. More to the point, as recognized by the FBI: “There’s no one method or tool that will completely protect you or your organization from a ransomware attack.”   Instead, the FBI suggests firms focus on a variety of prevention efforts – in terms of awareness training for employees and technical prevention controls, as well as the creation of a solid business continuity plan in the event of a ransomware attack.  Planning for disaster can never be considered wasted time. And, after a ransomware attack is suspected, victims should immediately contact the local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.

If a firm has a proactive approach, there are certainly some basic things that can be done today to avoid a ransomware exploit. In an effort to help its constituency, the ABA has conveyed some basic technical defenses against ransomware:

  • Block executable files (such as “.exe” files) and compressed archives (such as zip files) containing executable files before they reach a user’s inbox.
  • Keep operating systems, browsers and browser plug-ins, such as Java and Silverlight, fully updated.
  • Program hard drives on your computer network to prevent any unidentified user from modifying files.
  • Regularly back up data with media not connected to the Internet.

As for the most basic of “basic training”, law firm administrators are being awakened to this threat with some sound advice that never gets old: “Be smart. Be aware. Don’t open or click on anything that looks suspicious. They won’t come in if you don’t open the door.” In other words, never click on a link, file or image from an untested source or untrusted URL. The extra seconds it takes to confirm the actual sender of an email message or owner of a website is well worth the time.

Given that business continuity best practices should mesh with IT security best practices, backups should obviously be stored outside the network. And, if you are forced to restore from a backup it is never wise to restore your data over existing production data. Consulting with a disaster recovery specialist before disaster strikes probably is a good idea.

Professionals – especially lawyers and accountants should also consider purchasing insurance that covers ransomware losses – including the related IT expenses.  Such insurance is typically purchased using a standalone policy that has been around for years. There are some malpractice insurers, however, e.g., CPAGold, who provide such coverage directly in the policy. Tech vendors and legal counsel associated with these carriers typically have years of experience handling these incidents and can be rapidly deployed to address any situation.

Given the serious threat of ransomware, businesses large and small are reminded to at least do the basics – train staff regarding email and social media policies, implement minimum IT security protocols, regularly backup data, plan for disaster, and regularly test your plans.

Intellectual property and data breach counsel