data breach
Subscribe to data breach's Posts

Uber Criminal Complaint Raises the Stakes for Breach Response

On August 20, 2020, a criminal complaint was filed charging Joseph Sullivan, Uber’s former chief security officer, with obstruction of justice and misprision of a felony in connection with an alleged attempted cover-up of a 2016 data breach. These are serious charges for which Mr. Sullivan has the presumption of innocence.

At the time of the 2016 data breach, Uber was being investigated by the US Federal Trade Commission (FTC) in connection with a prior data breach that occurred in 2014. According to the complaint, the hackers behind the 2016 breach stole a database containing the personal information of about 57 million Uber users and drivers. The hackers contacted Uber to inform the company of the attack and demanded payment in return for their silence. According to the complaint, Uber’s response was to attempt to recast the breach as a legitimate event under Uber’s “bug bounty” program and pay a bounty. An affidavit submitted with the complaint portrays a detailed story of deliberate steps undertaken by Mr. Sullivan to allegedly conceal the 2016 breach from the FTC, law enforcement and the public.

Contemporaneous with the filing of the complaint, the Department of Justice (DOJ) submitted a press release quoting US Attorney for the Northern District of California David L. Anderson:

“We expect good corporate citizenship. We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush money payments.”

The press release also quoted Federal Bureau of Investigation (FBI) Deputy Special Agent in Charge Craig Fair:

“Concealing information about a felony from law enforcement is a crime. While this case is an extreme example of a prolonged attempt to subvert law enforcement, we hope companies stand up and take notice. Do not help criminal hackers cover their tracks. Do not make the problem worse for your customers, and do not cover up criminal attempts to steal people’s personal data.”

Collectively, the case and statements from the DOJ are probably a unicorn based on, if the facts as alleged are true, a case involving a deliberate cover-up of a data breach in the course of an active FTC investigation. However, many of the statements from the DOJ and the specific allegations in the complaint appear to have potentially far-reaching implications (for companies, their executives and cybersecurity professionals) that breach response counsel must seriously consider in future incidents.

A common question when responding to a ransomware or other cyberattack is whether and when to inform law enforcement. The criminal complaint has the potential to make this an even more difficult decision for future cyberattack victims. Further, while the alleged conduct at issue may seem particularly egregious, the DOJ’s statements could cause a blurring of the lines between what the government may contend is illegal concealment of a security incident and activities generally thought to be legitimate security incident risk and exposure mitigation. We explore these and other key takeaways from the criminal complaint in more detail below.

[...]

Continue Reading



Guidance on Ransomware Attacks under HIPAA and State Data Breach Notification Laws

On July 28, 2016, US Department of Health and Human Services (HHS) issued guidance (guidance) under the Health Insurance Portability and Accountability Act (HIPAA) on what covered entities and business associates can do to prevent and recover from ransomware attacks. Ransomware attacks can also trigger concerns under state data breach notification laws.

The HIPAA Security Rule requires covered entities and business associates to implement security measures. It also requires covered entities and business associates to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) the entities create, receive, maintain or transmit and to implement security measures sufficient to reduce those identified risks and vulnerabilities to a reasonable and appropriate level. The HIPAA Security Rule establishes a floor for the security of ePHI, although additional and/or more stringent security measures are certainly permissible and may be required under state law. Compliance with HIPAA’s existing requirements provides covered entities and business associates with guidance on how to prevent and address breaches that compromise protected health information. The new HIPAA guidance specific to ransomware reinforces how the existing requirements can help an entity protect sensitive information.

Read the full article here.




Canadian Government Amends and Strengthens PIPEDA, Adding Breach Notification Requirement and Filling Other Gaps

Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the former Commissioner—had proposed.

The Digital Privacy Act was introduced in April 2014 as part of the government’s “Digital Canada 150” strategy. While it was touted as providing new protections for Canadians when they surf the web and shop online, there is nothing that is particularly “digital” about the bill, which will equally affect the bricks and mortar, paper-based world.

Of particular note, the Digital Privacy Act creates a duty to report data breaches to both the Privacy Commissioner and to affected individuals “where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Failure to report data breaches in the prescribed manner could result in fines of up to $100,000 for non-compliant organizations. While the majority of the new law is currently in force, the provisions relating to breach notification have yet to be proclaimed in force by the government.

Once in force, the mandatory breach-reporting regime will bring the federal law into alignment with many international laws, as well as with Alberta’s own Personal Information Protection Act, which has had a breach notification provision since 2009. However, unlike the Alberta law, the Digital Privacy Act would also require organizations to maintain records of all data breaches involving personal information under their control—even if they do not require reporting to the Commissioner or to affected individuals—and to provide these records to the Commissioner on request. Failure to comply with these requirements could also result in a fine of up to $100,000.

The law also creates an explicit authority to enable the federal Privacy Commissioner to enter into a compliance agreement with an organization, where the Commissioner believes on reasonable grounds that the organization has, or is about to, contravene the Act.  If such an agreement is later contravened, the Commissioner will be able to apply to the Federal Court of Canada for a remedial order, even if the original limitation period for such an application has lapsed. The law also extends the limitation period for an application to the Federal Court for damages or injunctive relief to one year after the Commissioner issues a report of findings or otherwise discontinues an investigation. Previously, such applications had to be brought by either the Commissioner or a complainant within 45 days of a report of findings or discontinuation.

The Digital Privacy Act also imposes new requirements on the form of consent that the Act requires from individuals respecting the handling of their personal information. Going forward, any consent will be valid only if an individual to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use and disclosure of [...]

Continue Reading




Data Breach Insurance: Does Your Policy Have You Covered?

Recent developments in two closely watched cases suggest that companies that experience data breaches may not be able to get insurance coverage under standard commercial general liability (CGL) policies. CGLs typically provide defense and indemnity coverage for the insured against third-party claims for personal injury, bodily injury or property damage. In the emerging area of insurance coverage for data breaches, court decisions about whether insureds can force their insurance companies to cover costs for data breaches under the broad language of CGLs have been mixed, and little appellate-level authority exists.

On May 18, 2015, the Connecticut Supreme Court unanimously affirmed a state appellate court decision that an IBM contractor was not insured under its CGL for the $6 million in losses it suffered as the result of a data breach of personal identifying information (PII) for over 500,000 IBM employees. The contractor lost computer backup tapes containing the employees’ PII in transit when the tapes fell off of a truck onto the side of the road. After the tapes fell out of the truck, an unknown party took them. There was no evidence that anyone ever accessed the data on the tapes or that the loss of the tapes caused injury to any IBM employee. Nevertheless, IBM took steps to protect its employees from potential identity theft, providing a year of credit monitoring services to the affected employees. IBM sought to recover more than $6 million dollars in costs it incurred for the identity protection services from the contractor, and negotiated a settlement with the contractor for that amount.

The contractor filed a claim under its CGL policy for the $6 million in costs it had reimbursed to IBM. The insurer refused to pay. In subsequent litigation with the contractor, the insurer made two main arguments. First, it argued that it only had the duty to defend against a “suit,” and that the negotiations between the contractor and IBM were not a “suit.” Second, the insurer argued that the loss of the tapes was not an “injury” covered by the policy.

The Connecticut Supreme Court adopted both of the insurer’s arguments, and the decision highlights two key areas for any company considering whether it needs additional insurance coverage for data breaches: what constitutes an “injury” under a CGL, and when an insurer is required to reimburse a company for costs associated with an injury. First, the court held that the loss of the computer tapes was not a “personal injury” under the CGL, because there had been no “publication” of the information stored on the tapes. In other words, because there was no evidence that anyone accessed or used the stolen PII, the court found that the data breach did not constitute a “personal injury” under the policy—even though the contractor spent millions of dollars reimbursing IBM for costs associated with the data breach.

Second, the court found that the CGL policy only required the insurer to reimburse [...]

Continue Reading




Update on State Breach Notification Laws

In the first few months of 2015, a number of states have introduced data breach notification bills and proposed legislative amendments designed to enhance consumer protection in response to increasingly high profile data breaches reported in the media.  This activity at the state level seems to indicate  that protecting consumers from data breaches is one area where democrats and republicans can find common ground.

From the text of these bills, some of which have already become law, we see two emerging trends:  (1) an expansion of the definition of personal information to include more categories of data that, if compromised, would trigger a notification requirement, and (2) the addition of a requirement to notify state agencies (such as attorneys general and state insurance commissioners) where none previously existed.

Here are developments in three states reflecting these emerging trends:

Wyoming

In late February, Wyoming passed two bills that amend its existing data breach notification law by specifying the content required in notices to Wyoming residents, modifying the definition of personal information, and providing for covered entities or business associates that comply with HIPAA to be deemed in compliance with the state individual notice requirements.

In particular, Wyoming’s definition of personal information will now include the following:

  • Shared secrets or security tokens that are known to be used for data-based authentication;
  • A username or email address, in combination with a password or security question and answer that would permit access to an online account;
  • A birth or marriage certificate;
  • Medical information (a person’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional);
  • Health insurance information (a person’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the person or information related to a person’s application and claims history);
  • Unique biometric data (data generated from measurements or analysis of human body characteristics for authentication purposes); and
  • An individual taxpayer identification number.

These changes to Wyoming law will become effective July 1, 2015.

Montana

Beginning October 1, 2015, amendments to Montana’s breach notification law will require entities that experience a data breach affecting Montana residents to notify the Montana Attorney General and, if applicable, the Commissioner of Insurance.  Notification must include an electronic copy of the notice to affected individuals, a statement providing the date and method of distribution of the notification, and an indication of the number of individuals in the state impacted by the breach.  Entities must provide notice to state regulators simultaneously with consumer notices.

The recent amendments to the Montana law also expand the definition of personal information to include medical record information, taxpayer identification numbers and any “identity protection personal identification number” issued by the IRS.  The law specifies that medical information is that which relates to an individual’s physical or mental condition, medical history, medical claims history or medical treatment, and is obtained from [...]

Continue Reading




Employers with Group Health Plans: Have You Notified State Regulators of the Breach?

Data security breaches affecting large segments of the U.S. population continue to dominate the news. Over the past few years, there has been considerable confusion among employers with group health plans regarding the extent of their responsibility to notify state agencies of security breaches when a vendor or other third party with access to participant information suffers a breach. This On the Subject provides answers to several frequently asked questions to help employers with group health plans navigate the challenging regulatory maze.

Read the full article.




C-Suite – Changing Tack on the Sea of Data Breach?

The country awoke to what seems to be a common occurrence now: another corporation struck by a massive data breach.  This time it was Anthem, the country’s second largest health insurer, in a breach initially estimated to involve eighty million individuals.  Both individuals’ and employees’ personal information is at issue, in a breach instigated by hackers.

Early reports, however, indicated that this breach might be subtly different than those faced by other corporations in recent years.  The difference isn’t in the breach itself, but in the immediate, transparent and proactive actions that the C-Suite took.

Unlike many breaches in recent history, this attack was discovered internally through corporate investigative and management processes already in place.  Further, the C-Suite took an immediate, proactive and transparent stance: just as the investigative process was launching in earnest within the corporation, the C-Suite took steps to fully advise its customers, its regulators and the public at-large, of the breach.

Anthem’s chief executive officer, Joseph Swedish, sent a personal, detailed e-mail to all customers. An identical message appeared in a widely broadcast press statement.  Swedish outlined the magnitude of the breach, and that the Federal Bureau of Investigation and other investigative and regulatory bodies had already been advised and were working in earnest to stem the breach and its fallout.  He advised that each customer or employee with data at risk was being personally and individually notified.  In a humanizing touch, he admitted that the breach involved his own personal data.

What some data privacy and information security advocates noted was different: The proactive internal measures that discovered the breach before outsiders did; the early decision to cooperate with authorities and press, and the involvement of the corporate C-Suite in notifying the individuals at risk and the public at-large.

The rapid and detailed disclosure could indicate a changing attitude among the American corporate leadership.  Regulators have encouraged transparency and cooperation among Corporate America, the public and regulators as part of an effort to stem the tide of cyber-attacks.  As some regulators and information security experts reason, the criminals are cooperating, so we should as well – we are all in this together.

Will the proactive, transparent and cooperative stance make a difference in the aftermath of such a breach?  Only time will tell but we will be certain to watch with interest.




Incorporating Risk Analysis Into Your HIPAA Strategy

In building a stout privacy and security compliance program that would stand up well to federal HIPAA audits, proactive healthcare organizations are generally rewarded when it comes to data breach avoidance and remediation. But an important piece of that equation is performing consistent risk analyses.

McDermott partner, Edward Zacharias, was interviewed by HealthITSecurity to discuss these topics and more.

Read the full interview.




Kentucky Becomes 47th State with a Data Breach Notification Law

On April 10, 2014, Kentucky became the 47th state to enact breach notification legislation.  Under the new law, companies that conduct business in Kentucky and hold consumer data of Kentucky residents will now be required to disclose data breaches involving the unauthorized acquisition of unencrypted computerized data of Kentucky residents.  Companies must disclose the breach in the “most expedient time possible” and “without unreasonable delay” to any state resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

The Kentucky law is similar to many other state breach notification laws.  For example, the Kentucky law defines “personal information” as an individual’s first name or first initial and last name in combination with either their Social Security number; driver’s license number; or account, credit or debit card number in combination with any required security or access code.  In addition, the legislation permits companies to provide notification in written or electronic form, through email, through major statewide media or by posting an alert on their website, and allows for the delay of notification if a law enforcement agency determines the action will impede its criminal investigation.

Notably, the law does not require notification to the state attorney general, but does require that notification be given to consumer reporting agencies and credit bureaus if the breach affects more than 1,000 individuals.

Now that Kentucky has a data breach notification law, just Alabama, New Mexico and South Dakota remain as the three states that still do not have a comprehensive notification law outside of the public sector.




New Mexico Moves One Step Closer to Becoming the 47th State with a Breach Notification Law

46 states plus Washington, D.C. have data breach notification laws.  Alabama, Kentucky, New Mexico and South Dakota still do not have a comprehensive notification law outside of the public sector.  That may change soon though, because the New Mexico House of Representatives unanimously passed a bill on February 17, 2014, that would require companies to notify state residents of a breach of their unencrypted personal information.  The bill appears to resemble many existing state breach notification laws, and contains a number of exceptions under which companies would not be required to provide notice of a breach.

The definition of personal information is the standard definition we see in many state breach notification laws – defined as name plus another data element that could lead to identity theft or financial fraud: social security number; driver’s license number; government-issued ID; or account number, credit card number or debit card number, in combination with any required code or password that would permit access to a person’s financial account.

If the bill passes, New Mexico will join the handful of other states with specific timing provisions for notification—if the breach involves 1,000 or more residents, companies would be required to notify affected individuals within 45 days of discovering the breach, and the state attorney general (AG) within 14 days (like Vermont).

Companies can avoid notification to affected residents if there is no “significant risk of identity theft or fraud,” but when the incident involves 1,000 or more individuals, the company still must notify the state AG with a written explanation of its risk of harm analysis.  Like many other states, the bill also contains a “deemed in compliance” provision stating that companies in compliance with the federal Gramm-Leach-Bliley Act or the federal Health Insurance Portability and Accountability Act would be deemed to be in compliance with the proposed law.

At the federal level, there have been increased demands for Congress to establish a national data breach notification standard, and several bills have been introduced that would create such a standard.  Most recently, on February 4, 2014, U.S. Senators Edward Markey (D-Mass.) and Richard Blumenthal (D-Conn.) introduced the Personal Data Protection and Breach Accountability Act, which seeks to establish a federal breach notification standard and impose minimum data security requirements for companies, like the approach taken in Massachusetts with 201 C.M.R. 17.00, et seq.  We will be watching these bills closely and reporting on any further developments.




STAY CONNECTED

TOPICS

ARCHIVES