Category Archives: Risk Management

Symantec Survey: SMBs Invest in Addressing Data Security Threats

In the recently published Symantec survey of 2,500 executives with responsibility for IT security – half from companies of less than 100 employees – cyber-attacks were ranked as their top business risk.  And, of those polled by Symantec, 74 percent said they were “somewhat or extremely concerned” about losing sensitive electronic data.  In fact, 42 percent lost confidential or proprietary information sometime in the past and 73 percent of the respondents were victims of cyber-attacks just this past year.  

Addressing this challenge, SMBs are now spending an average of $51,000 a year, or about two-thirds of IT staff time, working on “information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.”  This seems like a sound investment given that the average cost of a breach to these SMBs was $188,242.

All of this fear seems to be somewhat well placed given that 95 percent of security and compliance professionals recently polled by nCircle believe that data breaches have been and will continue to increase in 2010. Knowing what to do in the event of a data breach is not necessarily intuitive.

CyLab Survey: Corporate Protection of Digital Assets Not a Priority

The recently released Carnegie Mellon CyLab 2010 Corporate Governance survey confirms that there is little change in senior management’s views towards data security – it’s not really a priority.   The CyLab annual survey, which measures board and management attitudes towards the protection of digital assets, is based upon results received from respondents at the board or senior executive level from Fortune 1000 companies.   Given public filing requirements, you would think protection of digital and related intangible assets – which now comprise the bulk of a firm’s value – would be a top of mind issue.  It’s not. 

When asked to identify their boards’ three top priorities, “improving computer and data security” was not selected by 98% of the respondents.  The respondents also indicated that their boards were not “actively addressing” IT operations or vendor management.  In essence, privacy and security of data inside or at outside vendors is receiving little oversight from management.  

Interestingly, 65% of the respondents also indicated that their boards were not reviewing their companies’ insurance coverage for data risks even though most standard policies offer little or no coverage.   Standing alone, this approach may not be an example of sound business judgment given the availability of specific insurance policies able to cover loss or destruction of digital assets. 

Not quite sure if this survey is a real wake up call or not.  The only thing for certain is that these attitudes are hardly what one would consider a best practice.  Sarbanes Oxley Section 404 requires a “top down” audit on internal controls which should provide some guidance on how digital assets are protected.  Indeed, under 15 U.S.C. § 7262(a), the Section 404 report must “contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”  It is difficult to see how management can in good conscious sign off on these assessments while still maintaining that “improving computer and data security” is not a priority.  

Notwithstanding how firms may perceive their Section 404 obligations, recognizing the potential “materiality” of computer security failings, Google, Intel, Symantec and Northrop Grumman recently added new warnings to their SEC filings informing investors of such risk.  The fact that some companies have come forward to detail recent breaches and the possibility of future breaches should indicate to other companies the need to address this reporting issue in a more proactive manner.  And, once risk disclosures are publicly made, the next obvious step is to ensure that proper protections are in place to address the risk.   Reporting uncoupled with affirmative preventive action is simply fodder for class action litigation the next time an event takes place.  What may be even worse is completely turning a blind eye to the entire problem.

iPad Exploit Exposes Email Addresses of 114,000 Users

According to a Gawker exclusive, a simple online request made on the AT&T network allowed access to user account information.  The information exposed in the breach “included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID.”   One security consultant offered that “recent holes discovered in the GSM cell phone standard mean that it might be possible to spoof a device on the network or even intercept traffic using the ICC ID.”  It is unclear whether that is the case but there is no denying that some heavy hitting iPad users now have exposed email addresses and ICC IDs.

The article points out that one impacted iPad user is William Eldredge, who “commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force.”  Here is a listing of some others:

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

In the media and entertainment industries, “affected accounts belonged to top executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO and Hearst.”

Apple's Worst Security Breach: 114,000 iPad Owners Exposed

The lesson here is that AT&T did not anticipate a hack that was apparently pretty obvious while Apple did no wrong — other than align its fortunes to AT&T.

Here We Go Again — FTC Extends Red Flags Enforcement Deadline

It what has come to be a now common event, the FTC has decided to extend again the enforcement of its Red Flags Regulations.  Succumbing to Congressional pressure, the FTC has decided to extend the prior deadline – which was last slated for June 1, 2010 – until December 31, 2010.   Most privacy professionals have probably lost track by now as to how many times the enforcement of these regulations has been pushed back.   The original date was November 1, 2008!  According to the FTC press release, “If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.”

Given that Congress will now “clarify” who is subject to these regulations, it is highly likely that those companies who have not yet complied will wait until such clarification comes down the pike.  Who can blame them?  Certainly not the FTC.

Lehman, D&O Liability and Mark-to-Market Reporting

The Devil’s Casino, Vicky Ward’s first book, is the latest account of the fall of Lehman Brothers.  Released in April, this Lehman tome applies  a gossipy approach to storytelling.  Although we learn much about the shopping habits of some Lehman wives, repo transactions are nowhere to be found.   The book, however, becomes noteworthy when Ward details a September 9, 2008 meeting between JPMorgan’s Jamie Dimon and the Fed’s head Ben Bernake (on page 200) that purportedly directly led to JPMorgan’s request that Lehman provide $5 billion more in collateral. Less than a week later, Lehman filed its bankruptcy petition (the largest in US history) ostensibly given its lack of liquidity brought on by the collateral call of its clearing bank, JPMorgan. 

In a Report by Lehman’s bankruptcy examiner, dated March 11, 2010, the issue of JPMorgan’s collateral demand was analyzed and determined to be barely actionable.  The Report states: 

the Examiner concludes that the evidence may support the existence of a colorable claim – but not a strong claim – that JPMorgan breached the implied covenant of good faith and fair dealing by making excessive collateral requests to Lehman in September 2008.  A trier of fact would have to consider evidence that the collateral requests were reasonable and that Lehman waived any claims by complying with the requests.  

(Report of Anton R. Valukas, Examiner at page 1073)

On the heels of this Report and the Ward book, on May 27, 2010, the Lehman estate sued JPMorgan.  The suit takes a different position regarding the relationship between JPMorgan and Lehman by alleging that JPMorgan’s breach of duty was actionable. 

Unlike JPMorgan, Lehman’s board and officers were essentially given a free pass by Lehman’s bankruptcy estate as well as all regulators.  The Lehman Examiner’s Report actually spends much ink analyzing Delaware fiduciary law yet concludes numerous potential fiduciary lapses were not colorable claims.   On the other hand, a bank that potentially obtains crucial information from a third party (a governmental third party with a near real-time raw account of Lehman’s financial status) and merely seeks to protect its own interests, is forced to defend itself in a costly legal battle.   To many, it makes little sense that Lehman’s directors and officers were exonerated by regulators and Lehman’s bankruptcy Examiner.  Although the existing shareholder suits and claims made by those who sustained direct harm may eventually hit their mark, it is just not the same as potential jail time or a large personal SEC fine.  Not even close.  It is easy to argue that some Lehman folks should have paid with more than the inconvenience of a deposition.

If FASB had acted a bit more aggressively two years ago, maybe none of this would have even happened.  It would have been interesting to have seen FASB actually go through with its Exposure Draft of two years ago regarding FASB Statement 5 (loss contingency accounting) and FASB Statement 133 (hedging strategy accounting).  The vast opposition to the drafts caused FASB to abandon its plans.   Much of the opposition was typified in the McDermott Will & Emery letter that opined if the suggested changes to FASB Statement 5 were made, the opposing side to a filing entity would be able to learn litigation strategy.  If the proposed changes had matured (FASB Statement 5 has not changed since 1975) some of the decisions made by Lehman may have been altered or some of the actions may have been more cleanly delineated as wrongful.  Either way, there would have been more clarity regarding the propriety of their actions. 

As it stands, the Lehman saga provides some guidance to directors and officers looking to see how insulated they are from their financial accounting decisions.  They are pretty insulated given current standards. 

FASB may now be ready to change that dynamic.  It will revive the FASB Statement 5 Exposure Draft in the second quarter of 2010 – now with only a 30-day comment period.  And, FASB issued on May 26, 2010 an Exposure Draft that provides guidance regarding the financial reporting of derivative instruments and hedging strategies.  The overall approach taken moves towards a “mark-to-market” approach for derivative instruments that will have a “seismic effect” on how banks value loan portfolios beginning in 2013 (for large banks) and 2017 (for regional and community banks).  It remains to be seen what FASB will ultimately do given the negative comments it is certain to receive prior to the September 30, 2010 comment deadline.   The takeaway is that FASB  is finally taking a serious look at how companies report on loss contingencies and asset valuations.

All reporting companies – not just financial institutions – should obviously monitor how this and other related financial reporting initiatives evolve.   To a large degree, these accounting standards dictate the extent to which firms such as Lehman can push the envelope.  Although a widening of the reporting net may bring with it a separate set of problems, the change will certainly cause executives to think twice before being coy about a lack of liquidity.  As seasoned investors themselves, reporting officers should probably apply a “Would I want to know this information?” test the next time they are on the fence about the materiality of an item.  True mark-to-market reporting (not Lehman’s “mark-to-make believe” strategy) may bring on headaches for companies with many assets  having big value swings.  Nevertheless, it certainly seems to be part of the reporting standard of the future so you might as well get used to it.

Most Important Lesson Learned from Supermarket Data Breach

It has been over two years since the grocery chain Hannaford Brothers announced a breach of its network security that exposed over 4 million credit card numbers and led to 1,800 cases of fraud.   In fact, a quick review of the Privacy Clearinghouse’s Chronology of Data Breaches shows that Hannaford is not the only supermarket chain to have sustained a data breach. 

Several years ago, Ahold USA (parent company of Stop & Shop and Giant stores) sustained a breach via its subcontractor Electronic Data Systems.   Numerous Stop & Shop Supermarkets in Rhode Island and Massachusetts had credit and debit card account information stolen, including PIN numbers, by thieves who apparently tampered with checkout-line card readers and PIN pads.  Albertsons (Save Mart Supermarkets) in Alameda, California also had credit and debit card numbers stolen using bogus checkout-line card readers.   And, Lunardi’s Supermarket in Los Gatos, California had a similar experience with  ATM and credit card readers that quickly led to the theft of  $300,000.  

What makes the Hannaford incident noteworthy is the fact that the chain was supposedly PCI compliant at the time.  According to the indictment filed against the Hannaford mastermind, the theft was a result of a hack into corporate computer networks that allowed placement of malware which, in turn, provided backdoor access to the networks — and credit card information.  The means of attack was the commonly used SQL Injection Attack. 

In other words, being PCI compliant should never be the ultimate goal of your security strategy.   Whether you are a supermarket chain or a large law firm, a risk management approach to network security and privacy should always take precedent.   Most companies — large and small — still apply a uniform approach to security that treats all data the same.  The ultimate lesson learned from the Hannaford breach:   Always make sure your most valuable data is always most protected.   It really does not matter whether your company sells fruits and vegetables or builds nuclear missiles.

Small Professional Service Firms Put Implementation of FTC Red Flags Regs on Hold

According to a recent article in Lawyers USA, small and middle market business owners are so jaded by the number of times the FTC has delayed enforcement of its Red Flags Regulations, they have pushed compliance to the back burner.  Tanya Forsheit, of InformationLawGroup, is quoted in the article as saying, “I suspect a lot of small businesses were hoping this ultimately wouldn’t happen.”   As it stands, all businesses that bill for goods and services and accept payment on a deferred basis are covered by these regulations.  Unfortunately, most such firms do not have any sort of written procedure or policy specifically dealing with identity theft — a main requirement of these regulations.   Moreover, as recognized in the article, “[s]mall businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors.” 

Professional service firms have been fighting hard to avoid compliance.  Lawyers successfully challenged the applicability of the regulations to law firms with an appeal currently pending.  Accountants filed suit last year and are still waiting for a decision.   Doctors and dentists have sought a legislative answer by seeking a statutory exemption.    Come the date of enforcement – June 1st- only law firms currently have a free pass.

It is recommended that all professional or consulting businesses who defer payment should immediately consult with their professional advisers to see how a cost effective compliance solution can be implemented.

Law Firms Need to be Diligent on Delinquent Accounts

Times remain tough for law firms.  The legal sector lost another 1,100 positions in April  — making it the second month in a row of four-digit losses.  Since April 2009, the legal sector has lost a total of roughly 28,000 jobs.   It is no surprise some firms are choosing to sue clients for non-payment rather than work things out.  Unfortunately, as Squire Sanders & Dempsey recently found out, such suits usually lead to a malpractice claim.  Squire Sanders waited until the unpaid tab reached $1.2 million before suing. 

In an article published by the Daily Business Review, Steve Zelkowitz, managing partner of GrayRobinson’s Miami office, said “the trend of clients suing law firms, which are considered deep pockets, is growing, particularly when a firm loses a case.”  According to Zelkowitz, “[o]nce clients lose, they will do anything to try not to pay.”   Zelkowitz also said disputes over unpaid bills are “definitely becoming more prevalent, and law firms need to be more vigilant.  No one should get more than 90 days behind with clients.”  All words of wisdom. 

Thankfully, there exist risk management solutions that immediately address “slow pay” or “no pay” law firm clients.

Colorado Casualty: Stolen Health Records Not a Covered Event

As detailed by the Salt Lake Tribune, Colorado Casualty Insurance Co. contends it is not obligated to cover costs incurred in 2008 by the University of Utah after tapes containing electronic medical billings records on 1.7 million patients were stolen from a car.   The insurer filed a declaratory judgment action on April 9, 2010 seeking a declaration that the commercial package insurance purchased by the vendor who was to safeguard the records, Perpetual Storage, did provide coverage for the claims made against the insurer.   A review of the seven-page complaint provides no insight as to the terms of the policy in question. 

The claim is ultimately based on first-party costs incured by the University of Utah.   Not including 6,232 in personnel hours responding to the breach, the University allegedly spent over $3.2 million on:  (1) $646,149 in printing and mailing costs; (2) $81,389 for a call center that fielded over 11,000 calls within two weeks; and (3) $2.5 million for credit-monitoring services. 

Notwithstanding what the Colorado Casualty policy may actually state, the above claim would have been covered under most network security and privacy policies.   Lesson learned:   It is critical to confirm a vendor’s insurance clause lists the necessary coverages — including NSAP coverage if they are to handle sensitive data.

White House Cyber Security Plan Focuses on EHR Management

According to an article in Government Health IT, the White House is looking to develop a network security strategy “that pays particular heed to the importance of building a trusted arena for electronic health care transactions.”    Howard Schmidt, the White House Cyber Security Czar, said at a May 11 HIPAA conference on privacy and security that the administration will roll out a “trust framework” based on  technologies, standards, services and policies that will eventually be adopted by the government, industry and consumers. 

According to Schmidt, “[o]ne-person physician offices have to be part of this system.  They have to have the capacity to trust identity and to trust medical records and information because they don’t have infrastructure and they don’t have a CIO.”  The White House’s ultimate goal is to instill enough “trust” in the system so that small practice groups and individual providers would be willing to adopt electronic health records (EHRs).   This initiative comes on the heels of the HITECH Act’s goal of prodding the use of EHRs throughout the health care food chain.

Since the passage of the HITECH Act, there has been much criticism regarding the utility of EHRs (the time needed to transcribe notes, mistakes made in such transcriptions, content limitations, etc.) so it remains to be seen whether widespread use will ever take hold notwithstanding the HITECH Act’s stick/carrot approach to prodding implementation.  Indeed, some have argued that one of the goals of the Act, i.e.,  the improvement of health care by changing patient behavior, will likely take a turn for the worse after EHR implementation.  

To the extent practice groups and providers actually take the plunge and devote resources to a new EHR implementation, they should likely apply a holistic approach to security and privacy that applies general risk management principles.   This article recently published by AHRMNY in its Risk Management Quarterly provides an EHR risk management overview that can help start that process.   As well, here is a link to the presentations from the recent HIPAA conference (minus Mr. Schmidt’s keynote address).   There are several linked presentations that talk to risk assessments and other security considerations of interest to providers and those folks who advise them.