Data Security and Privacy


By Jessica C. Engler

The IRS has sent an urgent alert to employers this month that a W-2 phishing scam that many companies fell victim to in 2016 is back in full force for 2017. The IRS warns that this scam is emerging earlier this year and is targeting school districts, tribal organizations, and nonprofits in addition to businesses.

The “W-2 Scam” is carried out by persons who disguise (“spoof”) an email to make it look like it came from a top executive or the receiver’s business colleague. The dummy email is sent to (typically) the organization’s accounting or human resources department and asks for a list—or the copies themselves—of the company’s W-2 tax forms, employees’ dates of birth, and Social Security Numbers. If the unsuspecting victim responds with this information, the sender can use this data to file false tax returns, generate revenue on the black market, and perpetrate identity theft.

While this email can take many forms, some example phrasing for the email includes:

  • “Please send me the individual 2016 W-2 (PDF) and earnings summary of all W-2s of our company staff for a quick review”
  • “Hope you had a nice weekend. Do you have PDF copies of the employee’s W-2s? Could you please send to me for a quick review?”
  • “I need you to email me the list of individual W-2 copies of all employees’ wages and income tax statements for 2016 tax year in PDF file format for quick review. Prepare the list and send to me ASAP. I will brief you more about this later.”

The IRS warning indicates that these phishing emails are also including requests for wire transfers this year.
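A mail-gateway or payroll-inbox screen for the pattern described above, written here as an added example rather than anything from the IRS alert: it parses a message, checks whether the From display name matches an executive while the address sits outside the company domain (the “spoof”), checks whether Reply-To points somewhere else, and looks for the W-2, Social Security, and wire-transfer phrasing quoted above. The domain example.com, the executive names, and both sample messages are constructed assumptions.

```python
"""Heuristic screen for spoofed W-2 / wire-transfer requests (constructed example)."""
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                     # assumption: the company's own domain
EXECUTIVES = {n.casefold() for n in ("Pat Doe", "Chris Roe")}  # assumption: exec display names

# Phrasing drawn from the IRS examples plus the wire-transfer variant.
SENSITIVE_PATTERNS = {
    "w2_form": r"\bw-?2s?\b",
    "ssn": r"\bsocial security\b",
    "earnings_summary": r"\bearnings summary\b",
    "wire_transfer": r"\bwire transfer\b",
    "quick_review": r"\bquick review\b",
}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return spoof indicators, sensitive terms and a verdict for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = _domain(addr)

    indicators = []
    # Display name of an executive on an address outside our domain (strict match;
    # a real deployment would also whitelist known subdomains).
    if name.strip().casefold() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        indicators.append("executive_name_external_domain")
    # Reply-To steering replies to a different domain than the visible sender.
    if reply_to and _domain(reply_to) != from_domain:
        indicators.append("reply_to_domain_mismatch")

    body = msg.get_content() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    terms = [k for k, p in SENSITIVE_PATTERNS.items() if re.search(p, text, re.I)]

    if terms and indicators:
        verdict = "hold_for_verification"   # spoof signals plus a request for W-2/SSN/wire data
    elif terms:
        verdict = "flag_sensitive"          # internal-looking, but still a W-2/wire request
    else:
        verdict = "deliver"
    return {"spoof_indicators": indicators, "sensitive_terms": terms, "verdict": verdict}


# Constructed sample: external free-mail address wearing an executive's display name.
SCAM_MESSAGE = """\
From: Pat Doe <pat.doe@example-mail.net>
Reply-To: pat.doe.ceo@freemail.example
To: payroll@example.com
Subject: Quick review
Content-Type: text/plain

Hope you had a nice weekend. Do you have PDF copies of the employee's W-2s?
Could you please send to me for a quick review?
"""

# Constructed sample: genuine internal message with no sensitive request.
BENIGN_MESSAGE = """\
From: Pat Doe <pat.doe@example.com>
To: payroll@example.com
Subject: Lunch Thursday
Content-Type: text/plain

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, score_message(raw))
```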

The Security Summit (which comprises the IRS, state tax agencies, and members of the tax industry) recommends that employers and employees stay vigilant against this threat. Employers may consider doing additional training with employees on recognizing these phishing emails.

The IRS instructs any organization that receives a W-2 scam email to forward that email to phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scam emails or fall victim to the scam can file a complaint with the Internet Crime Complaint Center (IC3), which is operated by the Federal Bureau of Investigation. Organizations should also consider contacting an attorney with experience in data management to assist in the response to affected persons.


By Jessica Engler

Continuing the trend from 2015, 2016 has seen a significant number of large, public data breaches. Many of these breaches involved high-profile companies such as the Democratic National Convention, Internal Revenue Service, MySpace, Yahoo!, and Anthem. Since large corporate and government breaches typically get the most attention, many smaller, local businesses can be lulled into a false sense of security, believing that those who do hack and steal data are not interested in their business. However, in 2016, hacker targeting of small businesses increased from 34 percent to 43 percent.[1] Small businesses, including the construction industry, are at risk.

The construction industry is becoming increasingly connected. In addition to storing confidential data on computers, many design and construction software systems—like BIM, Revit, Procore, and Aconex—have remote access controls or Internet-connected capabilities. As a company grows more technologically savvy, the risk of a breach grows with it. This memorandum will answer some basic questions for construction companies regarding data privacy issues. For specific advice regarding individual, company-specific questions, inquirers should seek the assistance of an attorney experienced in data privacy.

I am not MySpace or the IRS—why would a hacker be interested in my business?

Construction companies are often just as reliant on IT and computers as any other business. Construction companies—especially smaller ones—often do not think they are a target, so any protective measures currently in place may be easier to penetrate. Several reasons why a hacker may be interested in you include:

  1. Valuable Personally Identifiable Information Data: The vast majority of hacks are made for financial gain. If you use computers at all in your business, it is likely that you have confidential data stored on those computers that would be valuable to a hacker. Though you may not have as much personally identifiable information as a financial institution, you likely still have employee information (e.g., Social Security numbers, bank accounts for payroll, healthcare information, etc.) that could be worth money.
  2. Valuable Non-Personal Data: Construction companies often have access to certain proprietary client documents including project bid data, architectural designs, trade secrets, and other intellectual property. A hacker may also target general information about the company’s banking, accounting data, and policies in order to orchestrate social engineering or phishing schemes to have an employee send the hacker valuable data or unwittingly transfer corporate funds/assets.
  3. Access to Private Client Information: At times, the hacker is interested in accessing a client of the company, rather than the company itself. In 2013, approximately 70 million customers’ data was released by retail giant Target through malware installed on credit card machines. The hackers’ access to Target’s network was obtained indirectly through Fazio Mechanical Services, Target’s HVAC vendor, which had Target network credentials.[2] Through Fazio’s credentials, the hackers were able to cross into Target’s network to install the malware.
  4. Extortion: Ransomware is a type of malware designed to block off access to data stored in a computer system until money is paid (typically in bitcoin) to the hacker. When access is blocked—typically through encryption—the data may be lost if the victim does not pay the ransom and the victim does not have the data backed up.

I don’t buy it. Name a construction company who has had a breach.

In early 2016, Turner Construction was targeted by a spear-phishing[3] scam wherein an employee emailed tax information on current and former employees to a fraudulent email account.[4] The tax information included full names, Social Security numbers, states of employment and residence, and tax withholding data for 2015. Hackers had manipulated, or “spoofed”, the “From” field in the email to the employee to make the email look like it was from a legitimate sender. This scam was a common scam during the 2016 tax season in order to obtain information used to file fraudulent tax returns.

Whiting-Turner Contracting (Baltimore), Central Concrete Supply Company (California), Century Fence (Wisconsin), Trinity Solar, and Foss Manufacturing were also recent victims of this scam.[5]

Are breaches really that big of a deal?

Data breaches can be very costly for a business. Depending on the type of data breached, a breach can cause loss of business and clients, reputation damages, loss of goodwill, decline in share value, increased legal and technological costs, and potential fines. Some businesses are never able to recover from a breach.

Additionally, even when a company can recover, it will often still have incurred significant costs due to business interruption. Depending on when the data incident occurred, a construction company may also be facing the risk of delay damages.

Yikes, that sounds expensive. What can I do to guarantee I will never be breached?

Unfortunately, there really is no way to “guarantee” that you will never be a target of a hacker. “Most security experts believe that it is a matter of when, not if,” your company will be targeted by hackers.[6] However, there are some actions you can take today to reduce your risk:

  • Identify your company’s valuable, private, and/or confidential information and know where that information is located on your network. Block off access to anyone who does not need that information to perform their job duties;
  • Work with your IT provider to ensure the company and its employees have strong password controls, any necessary encryption, current firewalls, updated security patches, and other recommended protections;
  • Consider using a third-party IT consultant to evaluate your system and identify any holes or vulnerabilities that your in-house IT personnel may have missed;
  • If using a subcontractor or other third-party service provider that will have access to your network, establish procedures to evaluate those contractors;
  • Train employees to be aware and vigilant of risks and their role in protecting company data and assets; and
  • Create a plan of action in the event of a data incident.

A number of these steps and further actions to help protect your data can be undertaken with the help of legal counsel.

I have CGL insurance. Wouldn’t this be covered under my insurance?

It depends on the terms of your policy. In 2014, the Insurance Services Office, Inc. (the insurance industry organization that develops standard policy forms adopted by many insurance companies) issued a new form for CGL policies that expressly excludes coverage for data incidents.[7] Consultation with legal counsel can help you determine whether your current insurance coverage will provide coverage during a data incident.

If your CGL policy or any other policy leaves you without coverage for a data incident, you may want to consider purchasing cyber liability insurance. This relatively new form of insurance can provide coverage for costs associated with a data breach, including (depending on the terms of your policy) business interruption expenses, cyber extortion demand payments, legal expenses, IT forensic team expenses, cost of notification, and/or credit monitoring for affected persons.

I have been breached. What do I do?

If you have been breached, immediately contact your incident response team assigned in your incident response plan. If you do not have an incident response plan in place, contact your IT professionals and legal counsel. Many notification laws require that notice be given to affected persons and other state and federal agencies within certain time-frames, so it is important to have counsel retained in order to respond quickly and appropriately.

_________________________________________

[1] Symantec, Internet Security Threat Report: Vol. 21 (Apr. 2016) (available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf).

[2] Target Hackers Broke in Via HVAC Company, Krebs on Security (Feb. 5, 2014) (available at https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/).

[3] Phishing is a type of email scam wherein the victim receives an email from someone who is pretending to be another person or entity, believes that the email is legitimate, and typically sends assets or information to the scammer based upon that mistaken belief. A well-known phishing scam is the “Nigerian Prince” scam. Spear phishing is a more targeted version of phishing. In a spear-phishing email, the scammer pretends to be a friend, family member, or co-worker. Because the email appears to be from someone the recipient knows, the recipient is often less vigilant in evaluating the legitimacy of the email. 

[4] Turner Construction Data Breach Notification Letter, State of California Department of Justice, Office of the Attorney General (last accessed 12/14/16) (available at https://oag.ca.gov/system/files/Turner%20Construction%20Ad%20r4prf_1.pdf).

[5] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).

[6] Data Breaches, Cyber Security, and the Construction Industry, iSqFt.com (May 2, 2016) (available at http://www.isqft.com/start/blog-data-breaches-cyber-security-and-the-construction-industry/).

[7] Marla Kanemitsu & Erin Webb, Reviewing Emerging Insurance Protection for Cyber Risks, Security Magazine (Apr. 1, 2014) (available at http://www.securitymagazine.com/articles/85358-reviewing-emerging-insurance-protection-for-cyber-risks).


By Sam Lumpkin

The US District Court for the Western District of North Carolina recently held that even text messages are subject to the duty to preserve electronically stored information (ESI). In Shaffer v. Gaither, the plaintiff asserted claims against her former boss – a US District Attorney – for constructive dismissal based on sexual harassment and creation of a hostile work environment. The plaintiff also added a claim of defamation, based on an allegation that the former boss had falsely spread rumors plaintiff was fired for having a sexual relationship with a married member of the defense bar. Although the plaintiff admitted that the relationship existed, the defamation claim was based on what plaintiff argued was a false reason for her termination.

The defendant contended that plaintiff had sent her paramour text messages about the termination in which she admitted that she was fired because of the relationship. However, the text messages were lost when plaintiff purportedly dropped her cell phone in a bathroom. The court therefore had to address whether, in light of the claims pending at the time the text messages were lost, the plaintiff had failed to preserve relevant ESI.

Under the recent amendments to Federal Rule of Civil Procedure 37(e), the duty to preserve ESI arises when litigation is “reasonably anticipated,” and the loss of ESI is sanctionable if reasonable steps to preserve the ESI are not taken and the information cannot be restored or replaced through additional discovery. Dismissal is not an automatic remedy for spoliation, and some remedies are only available when the spoliating party acted with intent to deprive the opposing party of evidence.

The court in Shaffer found that before the messages were destroyed, plaintiff had threatened litigation and her attorney had discussed the messages with the defendant’s attorney. The messages were therefore clearly relevant to the defamation claim, and both plaintiff and her attorney knew they had a duty to preserve the messages at least five months before the messages were destroyed. The court did not immediately find that the destruction of the plaintiff’s phone was intentional, and because similar evidence might be available through the testimony of various parties who had viewed the texts before they were destroyed, the court did not order dismissal of the defamation claim.

However, the court did provide guidance to potential litigants: “Once it is clear that a litigant has ESI that is relevant to reasonably anticipated litigation, steps should be taken to preserve that material, such as printing out the texts, making an electronic copy of such texts, cloning the phone, or even taking possession of the phone and instructing the client to simply get another one.” Although the plaintiff in Shaffer did not face dismissal due to the circumstances of the case, other litigants may not be so fortunate.


By Jason R. Cashio

Continuing a trend among other courts, a recent ruling from U.S.D.C., Middle District of Louisiana, recognized the discoverability of plaintiff’s social media postings. Baxter v. Anderson, 2016 U.S. Dist. LEXIS 110687 (M.D. La. Aug. 18, 2016). In Baxter, Magistrate Judge Bourgeois addressed the discoverability of social media in a recent discovery ruling on August 19, 2016. The discovery requests calling for production of plaintiff’s social media information, as propounded, were overly broad. However, the court was still willing to permit the discovery with some limitations.

Magistrate Judge Bourgeois was not willing to permit unfettered access to a plaintiff’s social media account just because a personal injury lawsuit was filed, which placed plaintiff’s mental and physical conditions at issue.  However, the ruling permitted access to any postings that met one of the following criteria:

  1. Postings by the plaintiff that relate to the accident;
  2. Postings related to any emotional distress or treatment received that relate to the accident;
  3. Postings or photographs that relate to alternative potential emotional stressors, or that are inconsistent with the alleged mental injuries;
  4. Postings that relate to physical injuries sustained as a result of the accident and any treatment therefor;
  5. Postings that relate to other, unrelated physical injuries; and,
  6. Postings or photographs that reflect physical capabilities that are inconsistent with the alleged injuries at issue.

Accordingly, the court acknowledged that social media posts/photographs are subject to discovery, which is consistent with numerous other rulings within Louisiana, as well as around the nation.  


By Jessica Engler and Lyn Savoie

Ransomware is here to stay. According to a recent United States Government interagency report, on average, there have been approximately 4,000 daily ransomware attacks since early 2016, which is a 300 percent increase from the approximately 1,000 daily ransomware attacks reported in 2015.[1] A significant percentage of those affected by ransomware have been healthcare providers who are subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

Ransomware is a form of malware that targets a user’s critical data and systems in order to extort payment for restoration of the data or system. After the user is locked out of their system, the perpetrator will demand a ransom payment in order to have the data restored. Otherwise, the data will be deleted or permanently encrypted. After the user sends payment, the perpetrator will provide the victim an avenue to regain access to the data.

The healthcare industry is particularly vulnerable to this cyber activity because ransomware can block access to electronic medical records, which can disrupt patient care.[2] In February, attackers held data belonging to the Hollywood Presbyterian Medical Center in Los Angeles for ransom using a piece of ransomware called “Locky.” The hospital remained offline for over a week until hospital officials caved to the demands and paid the equivalent of $17,000 in Bitcoin.[3] Other hospitals and healthcare providers have faced similar attacks.[4] According to new research by Solutionary, an Omaha-based security firm, healthcare organizations were 114 times more likely to be hit by ransomware infections than financial firms, and 21 times more likely than educational institutions.[5] This increase in attacks and threat to healthcare records caused lawmakers to push the U.S. Department of Health & Human Services (“HHS”) for guidance regarding ransomware cybersecurity attacks—particularly on the points of reporting attacks and whether such attacks are considered a violation of HIPAA.

On July 11, 2016, the Office for Civil Rights (“OCR”) issued new guidance on how to handle ransomware attacks under HIPAA. This new guidance discusses how the security requirements under HIPAA can help organizations prevent, detect, and recover from ransomware attacks. The OCR guidance expressly provides that the presence of ransomware on a computer system is a “security incident” under the HIPAA Security Rule and, therefore, an entity impacted by such ransomware must initiate its security incident response and reporting procedures. Additionally, the OCR guidance addresses whether a ransomware infection is considered a “breach” under HIPAA.

Whether or not the presence of ransomware will constitute a breach is a case-by-case determination. The HIPAA Rules define a “breach” as “the acquisition, access, use, or disclosure of Protected Health Information (“PHI”) in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.”[6] In cases where electronic PHI is encrypted as a result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was accessed and is consequently an impermissible disclosure under the HIPAA Privacy Rule. The entity must then comply with the applicable notification provisions under the HIPAA Breach Notification Rules, including notifying the affected individuals, the Secretary of HHS, and (if the breach affects more than 500 individuals) the media.[7]

Pursuant to the HIPAA Breach Notification Rule, a breach is presumed to have taken place unless the entity suffering the attack can show that there is a “low probability that the PHI has been compromised.” To make such a determination, the entity must perform a risk assessment that considers, at a minimum, the following four factors:

  • The nature and extent of the PHI involved, including types of identifiers and likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom disclosure was made;
  • Whether PHI was actually acquired or viewed; and
  • The extent to which the risk to the PHI has been mitigated.[8]

In its recent guidance document, OCR encourages entities to consider additional factors, such as the high risk of unavailability of the data or a high risk to data integrity.[9] This risk assessment must be thorough, completed in good faith, and reach conclusions that are reasonable given the circumstances. Further, the covered entity and business associates must maintain supporting documentation regarding the breach assessment—and, if applicable, notification—process, including documentation of: (1) the risk assessment demonstrating the conclusions reached; (2) any exceptions determined to be applicable to the impermissible use or disclosure of the PHI; and (3) all notifications that were made, if applicable.[10] Outside of this guidance, it is undetermined at this time what will satisfy the OCR that a particular ransomware attack qualifies as having a “low probability of harm.”

The full OCR guidance can be found on the HHS’s website, which also includes recommendations for protection of data in order to prevent a breach, as well as response and recovery from the ransomware attack.[11] It should be noted that this new guidance does not create new law. Rather, it is a clarification by OCR of federal law that has been in place since 2013, meaning that entities subject to HIPAA that have suffered a ransomware attack in the past three years may need to determine whether they need to report the incidents.

Data breaches are serious incidents. They can be even more serious and dangerous when patients’ medical records and medical care are at stake. It is recommended that healthcare entities, as well as their HIPAA business associates, consult with an attorney to ensure compliance with HIPAA before a breach happens, as well as immediately after a potential breach is discovered, to perform the proper due diligence and move in the right direction towards compliance and recovery.

_____________________________________________

[1] United States Government Interagency Guidance Document, How to Protect Your Networks from Ransomware, Justice.gov (available at https://www.justice.gov/criminal-ccips/file/872771/download).

[2] Kim Zetter, Why Hospitals are the Perfect Targets for Ransomware, Wired.com (13:31:00, Mar. 30, 2016) (available at https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/).

[3] Id.; Joseph Conn, Hospital Pays Hackers $17,000 to Unlock EHRs Frozen in ‘Ransomware’ Attack, Modern Healthcare (Crain Communications, Inc., Feb. 18, 2016) (available at http://www.modernhealthcare.com/article/20160217/NEWS/160219920).

[4] See, e.g., Bill Siwicki, Ransomware Attackers Collect Ransom from Kansas Hospital, Don’t Unlock All the Data, then Demand More Money, Healthcare IT News (HIMSS Media, 14:58:00, May 23, 2016) (available at http://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom); Mike Miliard, Two More Hospitals Struck by Ransomware, in California and Indiana, Healthcare IT News (HIMSS Media, 10:55:00, Apr. 4, 2016) (available at http://www.healthcareitnews.com/news/two-more-hospitals-struck-ransomware-california-and-indiana); Joseph Conn, Patient Data Held for Ransom at Rural Illinois Hospital, Modern Healthcare (Crain Communications, Inc., Dec. 17, 2014) (available at http://www.modernhealthcare.com/article/20141217/NEWS/312179948).

[5] Meg Bryant, Healthcare Orgs at Much Higher Risk of Ransomware Attack Than Financial Institutions, Healthcare DIVE (Industry Dive, Jul. 28, 2016) (available at http://www.healthcaredive.com/news/healthcare-orgs-at-much-higher-risk-of-ransomware-attack-than-financial-ins/423395/); Maria Korolov, Health Care Organizations 114 Times More Likely to Be Ransomware Victims than Financial Firms, CSO (IDG, 5:00:00, Jul. 26, 2016) (available at http://www.csoonline.com/article/3099852/security/health-care-organizations-114-times-more-likely-to-be-ransomware-victims-than-financial-firms.html).

[6] U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).

[7] See 45 C.F.R. 164.400–414.

[8] 45 C.F.R. 164.402(2).

[9] Data integrity is an important consideration in the ransomware context, as many ransomware programs delete the original data and leave only the data in the encrypted form. Eric Schulwolf, HHS OCR Guidance on Ransomware Attacks: They Constitute a “Security Incident” and are Likely a Data Breach, JD Supra Business Advisor (JD Supra, LLC, Jul. 25, 2016) (available at http://www.jdsupra.com/legalnews/hhs-ocr-guidance-on-ransomware-attacks-11173/).

[10] 45 C.F.R. 164.530(j)(iv), 164.414, 164.402(1).

[11] See U.S. Department of Health & Human Services Office for Civil Rights, Fact Sheet: Ransomware and HIPAA, HHS.gov (July 11, 2016) (available at http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf).