California AG Issues Report on Data Breaches Covering 2012


In a report issued July 1, 2013, the California Attorney General, Kamala Harris, notes that more than 2.5 million Californians were “put at risk” by data breaches in 2012.  The Data Breach Report 2012 (“the Report” or “the Data Breach Report”) cites key findings: 131 data breaches reported to the AG in 2012; the average breach incident involved 22,500 individuals; more than 28% of the breaches would not have required notification if the data had been encrypted; the retail industry reported the most data breaches; and, more than half of the breaches were the result of intentional intrusions by outsiders or unauthorized insiders.  See link to AG website:

Notably, Attorney General Harris provides some recommendations:

  • Companies should encrypt digital personal information
  • Companies and agencies should review and tighten security controls
  • Companies and agencies should improve readability of breach notices
  • Companies and agencies should offer mitigation products
  • And, in a message to the Legislature – amend the breach notification law to require notification of breaches of online credentials, such as user name and password

This last recommendation would appear to significantly alter the notification landscape as there are numerous breaches that do not fall within the reporting/notifying criteria given the nature of the information impacted.  States with notification statutes have used a variety of ways to define personal information (e.g., SSNs, bank information, routing numbers, taxpayer IDs) and typically the definition is based on the assumption that access to such information leaves a resident of that state more susceptible to some type of credit or financial fraud.  The Data Breach Report notes that, in recent years, intrusions online have targeted passwords and other account credentials, which then allows criminals access to the account information (specifically referencing news reports on Sony, Yahoo!, the New York Times and Twitter).  The Report highlights the social engineering aspect of data security: most consumers do not use unique passwords for all of their accounts.  A takeover of one account may result in access to all, “including banking and other supposedly secure accounts.”

The Report specifies that the incidents reported on were submitted to the AG in 2012, while some occurred earlier and some breaches that occurred in 2012 were reported in 2013.  Also, the Report does not cover the universe of data breaches, given that the notification law requires reporting to the AG only on breaches of electronic data affecting more than 500 individuals.

Another recommendation to the Legislature is a law to require the use of encryption to protect personal information on portable devices and media and in email.  Apart from the statutory suggestions, the Report serves as a guidepost for businesses through its admonishments to improve security, to make the actual notification texts clearer and more accessible, and to encourage notifying entities to offer credit security freezes.  With respect to the last point, the Report underscores another serious type of ID theft: new account fraud.




U.S. Supreme Court Again Affirms Application of Arbitration Agreements


The Court has held that the FAA (Federal Arbitration Act) does not permit courts to invalidate a contractual waiver of class arbitration on the ground that the plaintiff’s costs of individually arbitrating a federal statutory claim exceed the potential recovery.  In a 5-3 decision (Justice Sotomayor recused herself)[1], the Court found that:

“[T]he fact that it is not worth the expense involved in proving a statutory remedy does not constitute the elimination of the right to pursue that remedy.”  The Court also noted that its earlier ruling in the AT&T Mobility v. Concepcion matter “all but resolves this case,” because that ruling held that the Federal Arbitration Act trumps a state law requiring classwide arbitration proceedings.  See summary at:

The Supreme Court issued its ruling on Thursday, June 20, 2013 in the matter of American Express Co. v. Italian Colors Restaurant.  See:

The respondents in the case were merchants who accept American Express cards.  Respondents had alleged that American Express used its monopoly power in the market for charge cards to force merchants to accept credit cards at rates approximately 30% higher than the fees for competing credit cards.  This tying arrangement allegedly violated the Sherman Act and the merchants sought treble damages for a class under the Clayton Act.  In response to this action, American Express moved to compel individual arbitration under the Federal Arbitration Act.

Respondents claimed in opposition to the motion to compel that, in order to prove the antitrust claims, the costs would be “at least several hundred thousand dollars, and might exceed $1 million,” while the maximum recovery for an individual plaintiff would be $12,850, or $38,549 when trebled.

Writing for the majority, Justice Scalia stated that the text of the Act “reflects the overarching principle that arbitration is a matter of contract.”  See, American Express v. Italian Colors Restaurant, 570 U.S. ___ (2013) (slip op., at 3); citing Rent-A-Center, West, Inc. v. Jackson, 561 U.S. ___ (2010) (slip op., at 3).  Courts must ‘rigorously enforce’ arbitration agreements, Justice Scalia asserted.  In addressing whether requiring plaintiffs to litigate their claims individually would contravene the policies of the antitrust laws, the Court advised that the antitrust laws do not guarantee an affordable procedural path to the vindication of every claim.  See, American Express, slip op. at 4.  The Sherman and Clayton Acts make no mention of class actions, and both were enacted before Federal Rule of Civil Procedure 23, the procedural rule allowing cases to proceed on a class basis.  In contrasting this ruling with language from an earlier Supreme Court decision (which was dicta, Justice Scalia noted), the Court reiterated that “so long as the prospective litigant effectively may vindicate its statutory cause of action in an arbitral forum, the statute will continue to serve both its remedial and deterrent function.”  See, American Express at slip op. 6, referring to Mitsubishi Motors v. Soler Chrysler-Plymouth, 473 U.S. 614, 637 (1985).

The dissent (Justices Ginsburg and Breyer, joined by Justice Kagan) expressed concern that the approach would allow all kinds of de facto prohibitions into arbitration agreements to prevent parties from effectively vindicating their rights.

As noted in SCOTUSBlog, “class proceedings are an exception to the rule, not an entitlement.”

The Court included a discussion of the “effective vindication exception”; however, it noted that this exception applies more appropriately to attempts to prohibit the assertion of statutory rights.  In his concurrence, Justice Thomas notes, “[b]ecause Italian Colors has not furnished ‘grounds…for the revocation of any contract,’… the arbitration agreement must be enforced.”

[1] Justice Sotomayor sat on the Second Circuit panel that originally decided the case.


Retaliatory DDoS Attack and Large-Scale Hacking: The Threats Continue


Two headline-grabbing criminal cases bring stark reminders that services and data remain vulnerable to unauthorized access, misuse and abuse.

In one case, Dutch authorities are holding a suspect on suspicion of participating in a distributed denial-of-service (DDoS) attack.  Reportedly, the attacks slowed Internet service globally for several days in April (especially for Russia and other European countries).  The authorities suspect that the attacks were in retaliation for postings by a spam-tracking service provider, which had listed the accused’s web-hosting service as a suspected spammer.

In the other, old school meets new school.  In February, thieves struck ATMs for over 10 hours, withdrawing $2.4 million in New York City alone.  The thieves were part of an Internet hacking ring that was able to manipulate financial information through an unnamed Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards.  The hacking allowed the thieves to raise the withdrawal limits on prepaid debit accounts issued by a bank in the United Arab Emirates, the National Bank of Ras Al-Khaimah, a/k/a Rak Bank.  Using prepaid cards does not set off account alarms as quickly because no individual bank account is being compromised.  With just five account numbers, the hackers distributed the card data to individuals in 20 countries, who then encoded it onto magnetic-stripe cards.

MasterCard alerted the Secret Service to the activity soon after the transactions were completed.  The thieves first struck in December via the Indian processing company but by February, the hackers had infiltrated a card processing company based in the U.S. (name not yet disclosed).  It remains unclear who ultimately is responsible for the losses.


See NYT articles:

See another update – vendors identified (EnStage and ElectraCard):


NYT Article on BYODs, Workplace App Policies


This is a nice overview of the concerns facing employers who have an active, creative workforce using websites and apps that are not necessarily in conformity with in-house security standards.  See article at:

Quotes from the article:

“People are going to bring their own devices, their own data, their own software applications, even their own work groups,” drawing off friends and contractors at other companies, said Bill Burns, the director of information technology infrastructure at Netflix. “If you try and implant software that limits an employee’s capabilities, you’re adding a layer of complexity.”

“The popular term now when people bypass the in-house organization is ‘shadow I.T.,’ ” says Sunny Gupta, chief executive of Apptio.

In the comments section below the article, many industry observers share their thoughts:

From Milwaukee, one says:

To be honest, the problem isn’t really the integrity of the apps, but the app user. If a person is going to mis-use proprietary information, they will do it, security or no security.

From New York, the comment is:

HIPAA rules are only taken seriously after the breach, fine or lawsuit. BYOD is what keeps hospital CIOs and CEOs up late at night.

Another suggests that corporate IT teams continually lag behind what their personnel want or are doing.  One suggests IBM SmartCloud.  And, finally, others mention that the best security is either no outside devices inside the office, or an agreement by the employee to keep the device readily available and subject to being wiped clean remotely without notice.

Apple, Facebook, Twitter: Mobile App Development Leads to Hacking?


Watering Holes and Spear Phishing

From AllThingsD:

“A ‘watering hole’ attack, in that it’s launched from a centralized, popular location that many people visit across multiple industries.”

Twitter reports at least 250,000 accounts affected.  Attack reportedly originated in Eastern Europe:

Executive Order – Improving Critical Infrastructure Cybersecurity

The White House issued a press release on February 12, 2013 that included the President’s Executive Order on cybersecurity.  The Order is the administration’s initiative to work “in partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.”


This Executive Order fills something of a void left by orphaned Congressional proposals.  Earlier legislative proposals were criticized as not going far enough to protect consumers’ privacy interests (data collection issues); other proposals were criticized as being too heavy-handed on the so-called critical infrastructure entities (requiring utilities, transportation/shipping to share data).  The Order specifically cites “Critical infrastructure” without defining what/who is included in that group.  Commentators believe the initiative will affect a great deal of economic activity, not to mention the broadest possible spectrum of relevant technologies.  The Order also incorporates the FIPPs – Fair Information Privacy Principles, which are a set of eight principles rooted in the tenets of the Privacy Act of 1974.

The National Institute of Standards and Technology has already instituted a new cybersecurity framework in conjunction with the Order.  This is a set of voluntary standards and best practices to guide industry in reducing cyber risks to the networks and computers that NIST says are vital to the nation’s economy, security and daily life.

For further comments, see:

And, see renewed Congressional effort: the President’s Executive Order “allows the sharing of government data with the private sector, the data sharing doesn’t flow back the other way. That means the order, unlike CISPA, doesn’t raise the hackles of privacy groups that have protested that CISPA could grant immunity to private sector firms who want to share their user’s personal information with the government.”  CISPA is the Cyber Intelligence Sharing and Protection Act; the legislation passed the House last year but did not reach a vote in the Senate.

For further details:

See also:,2817,2415413,00.asp