Yahoo! data breach litigation to proceed

Yahoo! data breach litigation to proceed

On 9 March 2018, the United States District Court for the Northern District of California, San Jose Division, granted in part and denied in part Yahoo! Inc. (‘Yahoo’) and Aabaco Small Business, LLC’s (‘Aabaco’) (collectively, ‘the Defendants’) motion to   dismiss the putative class litigation brought by nine named individuals (‘the Plaintiffs’) over the way the Defendants handled several data breaches that occurred between 2013 and 2016.  See discussion at:

http://cecileparkmedia.com/cyber-security-practitioner/article_template.asp?Contents=Yes&from=cslp&ID=348

Update:

The U.S. Securities and Exchange Commission (“SEC”) issued a press release on April 24, 2018 announcing a $35 million penalty payment by Yahoo! (n/k/a Altaba), in order to settle charges that it misled investors by failing to disclose “one of the world’s largest data breaches…”  As noted by the SEC, “within days of the December 2014 intrusion, Yahoo’s information security team learned that Russian hackers had stolen what the security team referred to internally as the company’s ‘crown jewels…”  The SEC’s San Francisco regional director commented that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark…”  Altaba, Formerly Known as Yahoo!, Charged With Failing to Disclose Massive Cybersecurity Breach; Agrees To Pay $35 Million  The case reportedly is the first time the SEC has pursued a company for failing to disclose a data breach.  U.S. regulator fines Altaba $35 million over 2014 Yahoo email hack

Biometric Data: Watching the Watchers

As Illinois and other jurisdictions seek limitations, those limits get tested.

In 2008, the Illinois legislature passed the Illinois Biometric Information Privacy Act (BIPA).  The Act requires entities to develop written policies, made available to the public, which establish a retention schedule and guidelines for permanently destroying identifiers.  Private entities that collect, capture, purchase, receive or otherwise obtain a biometric identifier or information must inform the subject in writing, inform the subject of the purpose and length of time the data will be stored, and receive a written release.  As of 2018, there were in excess of twenty-five actions filed in Cook County Circuit Court (Illinois) with other litigation pending in federal courts in Illinois, California and one case on remand from the Second Circuit, where Plaintiffs have alleged violations of BIPA.

See link to discussion of these cases and status of challenges to use of biometric data in commercial settings.

-Biometric Data: Watching the Watchers

Happy Bicentennial, Illinois!

Eighteen-eighteen saw your founding, Illinois, Illinois,

And your progress is unbounding, Illinois, Illinois…

HiRes

Illinois State Song

200 YEARS AGO, ON DECEMBER 3, 1818, ILLINOIS BECAME THE 21ST STATE IN THE UNION.  

HHS Issues Guidance on Processor Vulnerabilities

In a follow up to an earlier alert regarding the critical problems in modern processors recently reported by Google, HHS issued its own “Technical Report.”  In Google’s “white papers,” they explain that their teams and other analysts and academics discovered and reported on vulnerabilities dubbed “Spectre” and “Meltdown.”  These are described as vulnerabilities that affect nearly every computer chip manufactured in the last 20 years. Recently, the patches also have come under scrutiny as Intel reports reboot problems and slowdowns following implementation.  Microsoft then reported new updates for Windows 10 to resolve such issues.

The fault arises from features built into chips that are supposed to help them run faster.  There is no evidence that the flaws have been exploited but reportedly such exploits may be difficult to detect.

HHS cautions in its alert that the vulnerabilities have the potential to expose sensitive information, such as protected health information (PHI), which is processed on these chips.  HHS warns that entities should employee risk management processes to address the vulnerabilities and ensure the security of medical records.  HHS list the major concerns as:

  • Challenges identifying vulnerable medical devices and accessory medical equipment and ensuring patches are validated to prevent impacts to the intended use.
  • Cloud Computing: Potential PHI or Personally Identifiable Information (PII) data leakage in shared computing environments
  • Web browsers: Possible PHI/PII data leakage
  • Patches: Potential for service degradation and/or interruption from patches

 

Searching medical

Privately disclosed to chipmakers in June 2017, the bugs became public after a series of leaks in early January 2018.  Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. HHS notes that although medical devices and support equipment may not resemble PCs, their operating systems (Windows, Linux) run on processors that could be vulnerable.  HHS states: “The risks of PHI data leakage is especially acute in shared infrastructure like cloud computing instances.”  Amazon Web Services, Google Cloud and Microsoft Azure all immediately deployed patches against the Meltdown attack.  HHS cautions that while the major platforms handled the response in a timely way, there are other cloud managed service providers and institutional or private cloud instances that may not have known about the vulnerabilities before January 3, 2018.

The HHS alert provides technical details and mitigation tactics.  The alert includes links to various references, support pages and press reports.  Technical Report on Widespread Processor Vulnerabilities

For more information on the vulnerabilities: The Meltdown and Spectre security flaws.  One congressman from California has sent a letter to Intel, AMD and ARM requesting  briefing on the vulnerabilities and the companies’ handling of them.  Congressman Requests Briefing

 

Class Action Filed Against Chrysler Following “Hack” of Jeep Cherokee

 Connected Cars Present Safety, Security and Privacy Challenges

The Connected Car
The Connected Car

On August 4, 2015, Plaintiffs filed a class action against Chrysler and Harmon International following a recent story in Wired Magazine that detailed how researchers were able to take control of a Jeep Cherokee via the vehicle’s uConnect system.  The suit essentially argues that there is a design defect in these vehicles as programs are pre-loaded onto the vehicle, which have been shown to be insecure and create security and safety vulnerabilities to owners and passengers.  Plaintiffs Brian Flynn and George and Kelly Brown filed suit, in the U.S. District Court for the Southern District of Illinois, on behalf of themselves and a putative class (Case 3:15-cv-00855).  The complaint alleges violations of the federal statute on warranties for consumer products (Magnuson-Moss), breach of implied warranty of merchantability, fraud, negligence, unjust enrichment, violations of the Illinois deceptive business practices act, fraudulent concealment/fraud by omission, and violations of the Missouri merchandising practices act.  Plaintiffs allege that because the uConnect system is always connected to the Internet (via 3G cellular data), even if a vehicle owner chooses not to use any Internet related services, there is no way to disable the cellular connectivity.  Plaintiffs argue that the vehicles are defectively designed in that essential engine and safety functionality is connected to the unsecure uConnect system.  Plaintiffs allege “malicious hackers could broadcast harmful signals over radio waves causing a security and safety related crisis as a large number of vehicles all fail simultaneously.”  The system allegedly is also accessible through the vehicles’ USB port, allowing anyone with access to the vehicle to load malicious software onto the system, which would spread to critical functions.  Plaintiffs argue that the uConnect system should be segregated from the other critical systems.  Plaintiffs argue that software updates are only remedial fixes as now that the capability to affect powertrain and safety functionality has been shown, hackers will find new vulnerabilities to exploit.  Plaintiffs argue that a recall is deficient as the vehicles designed this way will never be safe or secure.

The plaintiffs have not alleged that any of them have actually experienced a “system” failure or intercept.  The plaintiffs seek damages, of course, but not tied specifically to any statutory violation.  Also, plaintiffs seek a court order to monitor any recall program or remedial measure.

Plaintiffs appear to be trying to get out in front of potential arguments that a particular car manufacturer may make and that Tesla, for instance, is trying to address.  In Tesla’s case, it would likely argue that because Tesla is so “wired,” to borrow a phrase, the over-the-air updates are meant to identify and patch any vulnerabilities. Every three months every Tesla car receives automated software upgrades.

[See story at:

http://www.npr.org/sections/alltechconsidered/2015/08/06/429907506/tesla-model-s-can-be-hacked-and-fixed-which-is-the-real-news ]

However, Congress is likely to cast another critical eye on these issues.  Senators Ed Markey and Richard Blumenthal have introduced the Security and Privacy in Your Car Act (“SPY Act”) which would require automobile manufacturers to build IT security standards into connected cars.  Blumenthal has commented that the “same kind of advances in technology that can bring enormous benefits of wireless connections can also guarantee our privacy and security.”  If the bill were to become law, it would instruct the National Highway Traffic Safety Administration and the Federal Trade Commission to create IT security and privacy standards for vehicle electronics and associated in-vehicle networks.  Part of the effort, as illustrated by the Flynn allegations above, is to require that critical navigation systems would need to be isolated from access points and attempt to stop hacking incidents in “real-time.”  Another feature of the proposed legislation, which is not something the Flynn plaintiffs highlighted or alleged, are the privacy issues.  The legislators are focusing on the collection of data associated with these systems.  The legislation would prevent driving data from being used for advertising or marketing purposes (unless the owner “opts-in” for such use).

connected car 2

Bitcoin – “The Second Age” and Other News

Idea, solution, money
Idea, solution, money

For an update on the state of the online payment exchange landscape see Techcrunch article:

The Mt.Gox Arrest Is The End Of The First Age Of Bitcoin

Looking to move on from Bitcoin is the Winklevoss exchange, Gemini.  There is a dedicated website, which notes that their exchange operates (will operate) fully in the U.S., exclusively with American banks and the dollars never leave the country.  Although not yet operational, the twins filed an application with the New York State Department of Financial Services in July 2015 seeking approval to operate as a trust company.  The approval process may take months.  

http://moneymorning.com/2015/07/27/gemini-bitcoin-exchange-from-the-winklevoss-twins-is-one-step-closer-to-launch/

Back to hacking cars and now guns – what could possible go wrong? It seems like every week there is a new attempt to call out car companies by attempts to hack into remote services  …

http://www.wired.com/2015/07/gadget-hacks-gm-cars-locate-unlock-start/

…and now there are high tech firearms that reportedly can be altered.

Husband and wife hackers claim that high-tech sniper rifles can be hacked. The duo will present their findings at the Black Hat annual conference starting in early August.

http://www.wired.com/2015/07/hackers-can-disable-sniper-rifleor-change-target/

iStock_000054011980_Small

Illinois AG Proposes Updates to Breach Law

HiResIllinois’ Attorney General Lisa Madigan issued a report and a press release on March 2, 2105 addressing proposed updates to the Personal Information Protection Act, the Illinois breach notification statute.  In her press release, she states:

Madigan recently drafted legislation to strengthen the state’s Personal Information Protection Act (PIPA). Originally passed in 2005 at Attorney General Madigan’s direction, PIPA made Illinois among the first states in the country to require entities that suffer a data breach to notify Illinois residents if the breached information included residents’ drivers’ license numbers, social security numbers, or financial account information. Since the law’s enactment, the extent of sensitive information collected about consumers has expanded and the threat of data breaches has increased significantly, necessitating the need to update and strengthen the state’s law.

Madigan’s bill, which is sponsored by Sen. Daniel Biss and Rep. Ann Williams, will expand the type of information that requires a company to notify consumers of a breach, including medical information outside of federal privacy laws, biometric data, geolocation information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts. The bill also requires entities holding sensitive information to take “reasonable” steps to protect the information and requires entities to notify the Attorney General’s office when breaches occur. Madigan said her office would create a website that lists every data breach that affects Illinois to increase awareness among residents.

One of the notable findings in the report is what the AG calls “confusion over breaches,” citing comments from consumer roundtable discussions.  The report states that the most frequent complaint from participants was that while they were well aware of breaches from the media, they were not always aware if those breaches had affected them directly.  The report outlines three principles the updated legislation should address:

1. Disclosure – the new law should require websites and apps that collect personal information to display privacy policies that explain what information is collected and who that information is shared with.

2. Protection – the updated law should require entities to establish reasonable security measures to safeguard sensitive personal information.

3. Notification – the legislation should expand the definition of personal information (medical, health insurance information, biometric data, geolocation information, sensitive marketing data, contact information when combined with additional identifying information like DOB, and log in credentials); require entities to notify the AGs office and create a database of breaches affecting Illinois; enable small businesses to notify local media rather than statewide media when breaches occur.

News reports suggest the legislation will go to the Illinois General Assembly shortly.

Happy Data Privacy Day

dataprivacyiStock_000019536561XSmallThe Ponemon Institute has released its list of Most Trusted Companies for Privacy.  Spoiler alert, they include:

Amazon
American Express
PayPal
Hewlett Packard
IBM

http://www.ponemon.org/blog/ponemon-institute-announces-results-of-2014-most-trusted-companies-for-privacy-study

You might also celebrate by joining IAPP and getting access to the Prudence the Privacy Pro comic strip.

https://privacyassociation.org/news/a/guess-what-its-data-privacy-day/

In related news, the FTC has released a Report on the Internet of Things.  The report includes the following recommendations for companies developing Internet of Things devices:

  • build security into devices at the outset, rather than as an afterthought in the design process;
  • train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
  • ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
  • when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
  • consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
  • monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

http://www.ftc.gov/news-events/press-releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

And, finally, a move to update ECPA;

• Proponents of updating ECPA, or the Electronic Communications Privacy Act, are using today to renew their call for reform.

“The statute governing access to electronic communications was written in 1986, well before most Americans relied on email and mobile devices to communicate,” said Ed Black, president and CEO of the Computer & Communications Industry Association (CCIA), in a statement. “After nearly 30 years on the books, it’s long overdue for an update.”

An update is what reform legislation, which will reportedly be re-introduced in “the coming weeks” by Sens. Patrick Leahy, D-Vermont, and Mike Lee, R-Utah, would provide. The bill would require a warrant before authorities could search email or other online communications. Under today’s ECPA, no warrants are required for such content that’s older than 180 days.

http://www.siliconbeat.com/2015/01/28/data-privacy-day-canada-spying-ecpa-reform-ubers-god-view-protecting-info/