CORONA-VIRUS (COVID-19) SCAMS ARE ESCALATING

Email phishing scams and social engineering are significantly rising!  With many Americans now working remotely from home and with the stress of the current situation being felt in many homes and communities across the nation, cyber-criminals are busy showing their inventiveness and creativity for using the current pandemic for their gain. 

In recent days, the FBI, OCR, U.S. Secret Service, the defense department and other officials have posted alerts warning of the significant spike in scams related to the current pandemic. 

Three of the most common recent scams to be on the lookout for:

  1. Fake WHO emails. Recent phishing emails from cyber-criminals posing as the WHO (World Health Organization), CDC (Centers for Disease Control) and other local or state health agencies carry “news” that may seem important.  These FAKE emails contain malicious links tempting you to click; don’t.  Some are very “legitimate” looking, as nation-state and other well-heeled hackers have gotten quite sophisticated.  In recent days, many IT security experts and chief legal and data security officers, like myself, have been commenting on how “good” (how “real”) some of these recent phishing emails look.  If you get something in your inbox that looks like it’s from WHO, CDC or any other regulatory agency, don’t open it.  If it’s a work email, contact your employer first.  They may advise you to delete it or capture a screen shot so they can warn other workforce members.  If you’re working remotely, take extra caution opening emails from anyone not known to you or from external sources. These “spoofers” have gotten so good at it that a message may seem to be internally generated by your employer, a co-worker or a governmental entity.  For many years, healthcare workers, hospitals, the defense industry and other industries have been hackers’ favorite targets. But the reach of these recent attacks goes far beyond those sectors and is unprecedented. Every home, business and industry needs to be more vigilant. These emails are often very convincing, looking as if they come from legitimate governmental organizations or are internally generated by a corporate employer; they’re not.

One wrong click could take down an entire network or cause other significant financial, corporate or personal losses.

  2. Robo calls, texts and emails offering to sell you virus test kits or offering cures for a fee.  Most consumers know that virus testing is only available at certain healthcare sites in the U.S., and not available like this online.  Many also know there is currently no vaccine or known cure. Unfortunately, that doesn’t stop the cyber-criminals, who will use many different ploys like this to prey on the hopes and fears of some in the community. Hackers are too often successful in getting vulnerable individuals and communities, or just someone not paying attention, to click a malicious link. Then it’s too late.  The results can be devastating, ranging from fraudulent charges to compromised bank account information, identity theft, medical fraud, loss of corporate intellectual property and worse.  It’s critically important to be vigilant right now and check in with neighbors, friends, co-workers and family members who may be more vulnerable to these types of tactics threatening their personal and financial well-being.  And it’s critical for companies with remote workers to quickly take extra steps to ensure their workforce is aware of some of the newest tactics, and of the ever-present threats.

  3. Emails or calls from cyber-criminals purporting to be from local or federal health organizations, warning you that someone in your community has tested positive for the virus and seeking your personal information, which they would then quickly sell on the dark web, posing potentially significant privacy and financial risks.

The best way to avoid these scams is to always go directly to an official governmental website such as CDC, WHO, or other federal, state or local governmental agencies for any important updates.  And question everything before clicking or offering any information. Regulatory agencies will not contact you in this way.  And always use known, reliable news sources for keeping yourself up to date on important information affecting you and your community.  Whenever you receive an email, phone call or text requesting any personal, business, health or financial information, don’t click, don’t respond.  If you receive something through your work or personal email, take the extra few seconds, stop, don’t click.   First verify whether it’s from an internal, legitimate company source, or go to the official, external source directly to obtain the information.  Anything related to the current pandemic is fair game for these hackers; airline ticket refunds, testing kits, vaccines and the economic stimulus package are other areas where clever spammers are likely to go next.

During these challenging, unprecedented times, we wish all of our clients, friends and colleagues continued health, safety and well-being.  By working together, we shall overcome.

_____________________________________________________________________________

Please be advised, our law firm is remote-capable at all times.  We will continue to work remotely to serve our clients during the current situation.  To protect our support staff, clients and the community, we’re following CDC guidelines and are prepared to respond to any requests, whether related to this topic or other legal needs, via email to tegan@teganblackburn.com, phone 860-651-9500 or remote video-conferencing.

______________________________________________________________________________

If you or someone you know may have been a victim, there are several resources available:  National Center for Disaster Fraud hotline 866-720-5721; email disaster@leo.gov or report it to the FBI tip line at fbi.gov.

It’s National Cybersecurity Awareness Month

Ransomware.  Email phishing.  These are among today’s top cybersecurity threats.  Recognized every October, National Cybersecurity Awareness Month began as a collaborative effort between government and private industry groups to spread the word about some simple steps to protect yourself from these insidious online threats.

Malware, ransomware and online fraud have been dramatically increasing.

Cyber threats affect everyone, from individuals and private businesses to public-sector organizations and critical service providers like your local utility company and hospital.  It’s not just large organizations and the highly-publicized data breaches we keep hearing about in the news, like the major Anthem, Equifax, Yahoo and Facebook breaches. Every time you’re online, there’s a threat of being victimized, sometimes by human bad actors, sometimes by non-humans or bots, sometimes because somebody just wasn’t paying attention and opened something bad.  The single biggest cause of data breaches is someone opening something they shouldn’t have.  Online threats are real and everywhere. And there are a few steps you can take to avoid the most common pitfalls.

Right now, the laws surrounding cybersecurity, privacy and breach notification here in the U.S. exist on a very patch-work basis across the states; some states have more detailed and stringent laws than others.  And at the federal level, cybersecurity and data protection have largely been industry-specific regulations, with no single federal data protection law like the General Data Protection Regulation (GDPR) enacted a few months ago in the European Union.  California and New York have also recently enacted strong data protection regulations, and more states are likely to follow suit. There’s no perfect answer to whether new cybersecurity laws here or abroad will meaningfully limit the growing number of cyberattacks.  But regardless of what legal or technical developments do, or don’t, occur, individuals and businesses alike can, and need to, protect themselves from these growing online threats. And if the worst were to happen, it’s important to be prepared to recover from a cyberattack as quickly and cost-effectively as possible.

Now, more than ever, it’s critical to STOP and THINK, before you CLICK.

The biggest online threats over the past few years continue to be email compromise (typically through phishing attacks) and ransomware attacks.   Not only has the number of attacks increased this past year, so has the sophistication of both human and non-human actors, with large-scale phishing attacks available at extremely low cost and ransomware available as a service (RaaS).  The FBI reported over 300,000 complaints to its cybercrimes unit this year alone, totaling over $800 million in losses, and Congress reported over $300 billion in losses nationally due to cyber theft just this past year.  More than ever, every U.S. business and individual with internet access needs to know what they can do to avoid these growing online threats.

Anyone can be a victim of online crime, with devastating personal, financial or commercial consequences: identity theft, stolen personal, health or other confidential information, and disruption (and in some instances lock-down) of computers or entire network infrastructures, in some instances requiring expensive breach notifications with business reputations at stake.  The single biggest cause of cyberattacks is someone clicking something they shouldn’t have.

While this blog isn’t intended as a definitive answer-all to cybersecurity, there are a few common-sense rules every internet user should keep in mind to avoid the most common pitfalls when online.  Take a minute before you open it. Keep security programs and patches up to date. Use encryption, secure password logons and passphrases and multi-factor authentication whenever possible, and change them regularly.  Public or shared Wi-Fi should be avoided.  For businesses, training everyone in your organization on best practices to protect the privacy and security of your network and customers is not only a great idea, many times it’s a regulatory mandate. Most of these problems occur because of a poor understanding of how computers work or of good computer hygiene, not understanding how attacks occur, not knowing or understanding the ethical or regulatory rules, visiting a site that’s infected, or opening a link that, well, was probably obviously bad, but someone hadn’t taken a moment to stop and question the source before opening it. All too often, if someone had taken a moment to stop and think before clicking, the problem could have been avoided.

Email phishing and ransomware attacks have become increasingly pervasive problems in many industries, with healthcare, technology, financial and government sector organizations among hackers’ favorites.  But individuals and small businesses have also increasingly been targeted by ransomware, resulting in a computer being “locked” until the “ransom” is paid.  And there’s no guarantee the data will even be there, or be uncorrupted, if you do pay the ransom. The FBI recommends not paying the ransom, so as not to encourage further crime.

What would you do if you were hit with ransomware?  It’s important to know the answer, and what your legal and ethical obligations are if you have regulated personal, health or other confidential information on your system or device.  (Please visit our earlier Blog, “You’ve Been Hit with Ransomware, Now What? And Do You Have a Duty to Report?”) So, whether you’re a small business owner, a large, highly-regulated organization or an individual using a home computer, there’s a lot you can, and should, do to help avoid these costly, pervasive problems.

Recognizing the problem is the most important part of fighting the problem.  So, before you open it, STOP & THINK, before you CLICK.   Many of these problems can be avoided.

__________________________________________________________________________

This blog is not and is not intended as legal advice.  The information provided is a general overview of the topic only and an attorney should be consulted for advice on any specific issues.

The author is legal counsel and chief data protection officer to a number of highly-regulated industry clients and frequently writes and speaks on privacy and data security issues.

If you’d like more information on this topic and what you can do to avoid these ever-growing online threats, we’d be glad to help you design and implement a privacy and information security awareness program at your organization.


GDPR: What Businesses (and Consumers) Need to Know:

The European Union’s sweeping new privacy regulation, the General Data Protection Regulation (GDPR), just went into effect on May 25, 2018.

Considered by many to be the most important development in data privacy in decades, GDPR heightens and standardizes data protection requirements across all EU member states, applying to anyone doing business in the EU that involves using or sharing the personal data of any EU resident.  This new law has been several years in the making and provides far stricter rules on protecting personal information (PI and PII) than any of its American counterparts such as HIPAA, GLB, SOX or other U.S. data protection laws, which typically regulate “industry specific data” such as patient information or financial data rather than being one very broad law applying to all residents.

While this new law doesn’t “technically” regulate activities with U.S. consumers, everyone in the U.S. is expected to benefit from these sweeping new regulations imposed on global providers such as Facebook, Google, Twitter and many other well-known and lesser-known businesses that use, access or share the personal data of anyone residing in one of the EU’s 28 member states – that covers a whole lot of businesses and business activities here and abroad.  Proposals for comprehensive data protection laws of this kind have been circulating around D.C. for years without adoption, and a number of U.S. states have taken the initiative to enact tougher privacy, security and data breach notification laws than some of their federal counterparts. This new E.U. law is expected to provide better data protection and transparency across the globe.

As a result of this new law, decision-makers, C-suites and boards of directors across America and the globe have been evaluating and putting into place the required new privacy policies for better security, transparency and accountability, including provisions allowing consumers to choose how their personal information is or is not used or shared.   We’ve all been seeing our inboxes filling up lately with notices from all the big providers like Google, Facebook, Twitter and others with a global presence updating their privacy policies.   This isn’t due to the big Facebook/Cambridge Analytica debacle, or an attempt to save face or generate goodwill; for them it’s required by GDPR, although the recent Facebook situation certainly highlighted the need for change.

Any business with a strict, robust HIPAA compliance program protecting regulated patient data (or a similar compliance program) already in place will be steps ahead of its counterparts in meeting the sweeping new compliance requirements for any EU activities.  In the area of data security and compliance it’s always a pay-now or pay-later situation.

Businesses that haven’t yet fully complied with data protection requirements risk significant consequences.  Those of us who work in this field know, and often say, “It’s not a question of IF – It’s a question of WHEN” a data security incident or compromise may occur – even for those who have fully complied with data protection laws.  And it’s critically important for businesses to meet all the requirements, and not skip steps or delay completing them, as non-compliance or partial compliance is what gets most into trouble.  There are just too many bad things out there on the Internet, with new variants popping up every day, for anyone to think they can’t be compromised.  And the consequences of non-compliance with this new EU law are significant – far more significant than under their U.S. counterparts – allowing regulators to impose fines of 4% of worldwide revenue or 20 million dollars, whichever is greater, unlike the now more reasonable-seeming penalties for non-compliance under HIPAA, which, depending upon culpability, are up to 1.5 million per violation.

A few other important, distinguishing features of this new law include the obligation to appoint a Data Protection Officer, who must have expert knowledge of data protection law.  HIPAA and other similar U.S. regulations have similar concepts requiring the appointment of compliance officers to ensure compliance and security. The new EU law also specifically allows affected individuals to make claims directly against providers, which is not the case under many U.S. federal regulations.  An extremely important difference in this EU law is also its far stricter breach notification standard of 72 hours, as opposed to the general concept under many U.S. laws requiring breach notification within a “reasonable time”, often interpreted to mean 30-60 days depending upon the situation and jurisdiction, which varies widely from state to state.

Data protection is one of the single most urgent challenges facing businesses here and across the globe.  According to a recent report by Reuters, many U.S. businesses are still struggling to understand the implications of their data privacy and protection obligations.  This struggle isn’t necessary, and compliance isn’t difficult; it just requires the time and commitment to understand the rules and put the right resources in place.  Those who don’t protect customer data sufficiently will not only jeopardize their reputations; these high levels of fines are designed to send a strong message, and some businesses will not survive them.  Those who don’t get up to speed with implementing the requirements of GDPR, or who fail to fully comply with other data protection laws here in the U.S., will learn pretty quickly the true costs and consequences of putting it off for another day.

The most effective strategy for protecting personal information and combating cyberattacks is understanding the rules that apply to your organization, and then implementing and enforcing the required policies and procedures.  The bad guys are just one untrained, gullible user away from a full-on, all-out intrusion.  And these laws aren’t really as much about technology as about how the technology is used, and they require adequate additional protections to be in place – physical, administrative and organization-wide – in addition to sufficient technology safeguards.

Many U.S. data protection regulations, such as HIPAA, have other important requirements like security awareness training for all workforce members, as failing to train employees and test their understanding and knowledge of vulnerabilities and threats is cited as the single biggest factor in most successful data intrusions.  Hospitals, banks and other highly-regulated businesses are among the favorites for hackers for their treasure troves of valuable PII and PHI – so any business entity using, storing or transmitting this type of highly-protected information needs to take all the required actions – and take them seriously, as penalties for skipping steps are costly and often lead to problems.  Costly, completely avoidable problems.

For American businesses, this is an excellent opportunity to evaluate what’s needed to protect yourself and your customers and stay a step or two ahead of the bad guys.  Consumers around the globe are expected to benefit from GDPR.  And many more comprehensive data protection laws should be forthcoming here and abroad.  All businesses, large and small, have the obligation to protect personal data and must take adequate steps.  There’s too much at stake. One wrong click is all it takes.

______________________________________________________________________

Disclaimer.   While Attorney Tegan Blackburn frequently acts as counsel and compliance officer to a number of highly-regulated entities, this article is intended to provide a broad overview of the topic only, is not legal advice and is not a replacement for advice from qualified legal counsel.

______________________________________________________________________

All Rights Reserved.  Tegan Blackburn LLC ©


CONNECTICUT STATE CONTRACTORS – NEW DATA BREACH LAW

Our blog this month highlights some important changes to Connecticut’s data breach notification statute, with important new security requirements for anyone doing business with the state (Public Act No. 15-142, “An Act Improving Data Security and Agency Effectiveness”, the “Act”). State contractors must comply with this new law by October 1, 2017. The Act includes some important new requirements and a few modifications to existing laws regulating personal information.  These comprehensive new security requirements include mandatory security training, certifications and agency oversight. (See What’s Required of State Contractors below.)

Briefly, the Act will:

  • impose extensive new security requirements on contractors that provide goods or services to the State of Connecticut;
  • require health insurers and certain other entities subject to the jurisdiction of the Department of Insurance to implement a comprehensive information security program;
  • modify the existing Connecticut breach notification law;
  • address state agency data security and data exchange practices; and
  • add new security requirements for smartphones sold to Connecticut purchasers.

This new law applies to all state contractors, health insurers and entities subject to Department of Insurance oversight, which may have access to personal, health or other confidential information.

What’s Required of State Contractors?

In every agreement where a state contracting agency may need to share personal information (PII), protected health information (PHI) or other confidential information (CI) with a contractor, the contractor must:

  1. take precautions to prevent a data breach;
  2. implement and maintain a comprehensive data security program to protect confidential information provided by a state agency;
  3. limit access to confidential information only as necessary to complete the contracted services;
  4. maintain confidential information only on secured servers or devices; and
  5. alert both the state contracting agency and the CT Attorney General of an actual or suspected data breach.

Contractors are required to have a data security program including:

  1. security policies for all employees to protect any personal, health or confidential information accessed, used, stored or transported;
  2. reasonable restrictions on accessing confidential information;
  3. evaluation and updating of policies and security measures at least once annually; and
  4. security awareness training, provided by the state contracting agency, for all employees with access to confidential information.

Important New Requirements for Security Breach Notifications

Many other federal and state laws already require many of the security protections required by this new law; however, not all laws are consistent, and this law is intended to provide additional protections to state residents as well as clearer breach notification requirements.

Data breach notification under this new law requires:

  • notices must be provided to consumers no later than 90 days after discovering a breach, unless a shorter notice period is required under federal law;
  • notices must include an offer of identity theft prevention and, if applicable, identity theft mitigation services to affected residents, at no cost to those residents, for at least one year; and
  • the consumer notification must also include information about how to enroll in the service and how to place a credit freeze on their credit file.

Comprehensive Information Security Program:

By October 1, 2017, any person or entity subject to the Act must have a comprehensive information security program in place to safeguard the PII, PHI or CI of insureds or enrollees. Also, each company must certify annually to the Insurance Department that it maintains a program in compliance with the Act. The Attorney General and Insurance Commissioner will have oversight authority under the new law and may also request a copy of a company’s program to determine compliance.

The program requirements apply to every:

  1. health insurer, HMO, and other entity licensed to write health insurance in CT;
  2. pharmacy benefits manager;
  3. third-party administrator that administrates health benefits; and
  4. utilization review company.

Just like many of its federal counterparts, such as health and finance laws like HIPAA and GLBA, each security program must be reviewed at least once annually, be in writing and include appropriate administrative, technical, and physical safeguards to protect data.

Of note is the additional provision prohibiting the sale of new smartphone models in CT unless the phone has hardware or software that enables an authorized user to disable the smartphone’s essential features.

Lastly, and very importantly, the Attorney General has the authority to investigate potential violations by state contractors and bring civil actions for violations.  So compliance and enforcement must be taken seriously.  The Act also empowers the Department of Insurance to enforce the information security program requirements for health insurers and other entities subject to the information security requirements. The State Department of Education can ban a contractor from receiving access to education records for up to five years if a breach involves the contractor’s access to education records.

_______________________________________________________________________________

In addition to our firm’s general counsel services advising diverse industry clients on a wide range of day-to-day legal and business matters, we have extensive expertise advising clients on best practices for avoiding cyber threats; and if the worst should occur, we have extensive, hands-on experience guiding clients through the critical steps that must be taken to respond to security incidents and data breaches.  We welcome your inquiries on this important subject and on how our firm can help you avoid these risks.

You’ve been hit with Ransomware – Now what?

You’ve been hit with Ransomware  –  Now what? And is it a reportable breach?

Well, that depends.  Given the dramatic rise in ransomware attacks recently, many regulators have issued formal guidance that it’s presumed a reportable breach.  That is, unless you can prove otherwise – prove being the operative word here. If you haven’t taken a look at our blog post, below, on the “Alarming Increase of Ransomware” and what you can do to avoid it, please take a moment to review our important recommendations.

To determine if a ransomware attack is a reportable breach under privacy and security laws such as the HIPAA/HITECH Privacy and Security Rules and other consumer protection laws, we have to start with how a breach is defined.  Under HIPAA, a breach is defined as the unauthorized or impermissible “acquisition, use or disclosure” of protected health information (“PHI”) which compromises the privacy or security of the protected information.  Many other privacy and security laws governing protected information have similar definitions that boil down to whether or not personal, health or other confidential information (“PII”, “PHI”, ePHI or “CI”) was compromised or compromise would be likely.

There are now at least 200 different “families” (variants) of ransomware, some more sophisticated than others. The most commonly used ransomware “wraps” encryption over data, locking users out of infected devices or networks (through a locking mechanism the attacker controls).  An attack doesn’t necessarily mean that confidential data has been accessed, used or viewed, but an analysis is required by many federal and state privacy and security laws, and you don’t want to get it wrong.  And there’s newer ransomware out there that’s doing more than just encrypting; it’s pulling information such as the number of records encrypted or other details so the attackers can charge a higher ransom.

THIS IS NOT A SCREEN YOU WANT TO SEE!

[Image: ransomware lock screen reading “your computer has been encrypted”]

If you visit the websites of many federal and state regulators, including HHS, OCR and the FBI, you’ll see just how serious and prevalent this problem is. Attackers especially like targeting hospitals, government agencies and others with critical or sensitive information, and many are using newer versions of ransomware, hybrid ransomware, which infects a system but stays quiet behind the scenes loading other malware that allows data to be viewed or accessed by other third parties.  Cyber thieves are known to advertise on the Dark Web, auctioning off information and access to the highest bidder (in the same way pools of stolen credit card information are illegally auctioned off to the highest bidder).  By providing access to confidential data to other unauthorized users, the definition of breach is met.  In guidance released late last year, HHS announced that “the presence of any ransomware (or any malware for that matter) on a covered entity’s or business associate’s computer is a Security Incident under the HIPAA rules, and therefore, requires prompt investigation, remediation and possible notification.”  Once the ransomware is detected, the affected entity must promptly initiate the required security analysis and reporting procedures. See 45 C.F.R. 164.308(a)(6). Whether or not the presence of ransomware would be a reportable breach under HIPAA or other security laws is a fact-specific question.  Know what’s required!

Which raises the question – how does an organization prove protected confidential data wasn’t improperly used or compromised?  (Or whether it was and must be reported!) It may not be fast or easy, but it’s in the organization’s interest to quickly take steps to determine (and document) its findings.  In its recent Guidance, HHS has taken the position that unless the affected entity can demonstrate that there is “… low probability that PHI has been compromised”, based on the HIPAA Breach Notification Rule factors, a breach is presumed.   If other types of regulated personal data are potentially at risk and it can be established (and documented in a justifiable, reasonable way) that the ransomware only wrapped or encrypted data and the data was never viewed, used, accessed or moved off servers or devices, it may not be a reportable breach, but you have to get it right. (The exact type and variant of malware, any exfiltration attempts and other information are critical to verify.)

The affected entity should immediately put its Incident Response Plan into action.  (Let’s hope there is an Incident Response Plan, as this isn’t the ideal time to try to figure it out.  And I’d like to point out that everyone regulated under HIPAA and many other similar laws is required by law to have an incident response plan and to have other security steps in place, such as training all workforce members annually.  Big fines will be coming to those who don’t take this seriously and don’t have legally compliant plans in place.)   Besides the many smart business reasons to establish an incident response plan, many federal and state laws require it.

Ransomware attacks on the healthcare sector in particular, and on other organizations holding confidential data, are becoming much more common and sophisticated.  The consequences of a ransomware attack on the delivery of healthcare and other critical systems are staggering – computer networks and devices are immediately locked down, preventing access to data and systems, with potentially catastrophic results.  It’s critical to respond quickly when a suspected or known security incident occurs.  And if it’s a ransomware attack, the consequences will be immediate!

Training employees on what to look out for is critical – and required!


Defending against security risks must be a top priority for every organization.  HIPAA and other similar laws require ALL workforce personnel with access to systems and data to be trained at least once annually.  This is the first thing regulators will look at and the best way to avoid attacks.  If training is deficient, or all workforce members aren’t being trained annually, then big fines and other sanctions will be imposed.  Proper training is the single most important part of protecting your organization from ransomware and similar cyber threats – make sure every person with access to a computer system or device is trained on what to look out for!  Most security incidents are avoidable and result from the “human factor”: someone opening something, clicking without thinking, and now it’s too late – systems and data are compromised or worse. Preventing attacks is a far better way to go and a far less costly proposition than reacting after an attack occurs.  I’d also like to point out that if you elect to pay the ransom, there’s no guarantee the data will be there or won’t be compromised.  The FBI and many other regulators recommend not paying ransom to hackers as a disincentive to the huge number of attacks occurring, and provide the same caution we do that the data may not be there even after you pay up.   There’s no guarantee.  Following the advice we’ve outlined for avoiding the problem in the first place and having a back-up plan ready, just in case (See our July, 2016 Client Alert), is a far safer, better way to go.

______________________________________________________________________________

In addition to acting as general counsel and compliance officer to diverse business organizations, we’re frequently called on to advise clients regulated under HIPAA/HITECH laws on the best ways to assess risks and ensure compliance; and if the worst should happen, how to respond.  We welcome your inquiries on our general business and corporate legal services; and would be glad to speak with you specifically about how we can help your organization with avoiding these costly, disruptive problems.

Tegan Blackburn LLC       www.teganblackburn.com             All Rights Reserved.

National Cyber Security Awareness Month

National Cyber Security Awareness Month, recognized every October, is a collaborative effort between government and industry to ensure everyone has the resources to stay safe online.  Now in its 6th anniversary, and with more and more sophisticated cyber crime attacks affecting individuals and organizations of all sizes from large to small – Be Cyber Savvy.  Cyber crime affects us all, not just the highly publicized targets we keep hearing about.  Learn what you can do and STOP and THINK before you CLICK.

Anyone can be a victim of cyber crime, which can result in stolen IP, theft of personal information, disruption of computer systems and critical services; not to mention the high costs of responding to incidents and ransom demands made by cyber criminals who’ve locked down your computer or network until you pay up.  Ransomware attacks alone (those that are known and reported) have greatly increased in number and sophistication this past year, with some 200 new types of ransomware now lurking online. The FBI reported 300,000 complaints to its cyber crimes unit this year totaling over $800 million in losses.  Congress reported 300 billion of losses nationally due to cyber theft this past year.  Every U.S. business and individual with a device and online access needs to keep up with what’s going on in cyberspace and the latest threats, from ransomware to spear phishing – and learn what you can do to stay safe online.

Recognizing the problem is the most important part of fighting the problem.  So before you open it, STOP and THINK before you CLICK. If you’re in a leadership role in a public or a private organization and would like more information on what you can do to avoid these ever-present threats, we’d be glad to help you with adopting the right employee awareness training and risk management techniques to keep your organization ahead of these costly, unnecessary problems.  It’s imperative that organizations keep themselves abreast of developments in cyberspace and establish suitable defenses.  Have you taken the right steps to protect yourself?

Defend Trade Secrets Act of 2016

Important new federal legislation, the Defend Trade Secrets Act (“DTSA”), has been signed into law.  The most significant change of this new law is that trade secret owners may now bring a civil claim for misappropriation of trade secrets in federal court. Prior to this legislation, trade secret theft was governed exclusively by state law, resulting in a wide variety of outcomes and uncertainty.  Another significant change under the new federal law is the right, in extraordinary circumstances, to an ex parte seizure order if certain specific findings are made, showing: (1) a temporary restraining order or another form of equitable relief is inadequate; (2) an immediate and irreparable injury will occur if seizure is not ordered; and (3) the person against whom seizure would be ordered has actual possession of the trade secret and any property to be seized. This new federal law doesn’t preempt state laws.  It provides trade secret holders with important, additional recourse, more uniformity and access to federal courts.

The single most important part of this new legislation requires employers and contractors to provide a specific “whistleblower clause” (or a reference to it) in every contract with employees or independent contractors governing trade secrets, proprietary rights or confidential information in order to recover critically important damages – such as punitive damages or attorney’s fees. Unless employers provide the prescribed notice in every contract with their employees or independent contractors, they waive these incredibly important rights. The one immediate step we’re recommending is for all Non-Disclosure Agreements, Employee Policies and Procedures and other Confidentiality Agreements to be reviewed and updated to include the notice language required by the statute.  Otherwise, a sizable element of potential recovery in every successful trade secret case will be forever lost.

A brief re-cap of this new legislation includes:

The first group of new enactments includes a number of more technical provisions, such as re-defining “trade secret” and “improper means”; clarifying that ex parte seizures may only be instituted for a limited and defined set of circumstances; and directing the Federal Judicial Center to develop best practices for the execution of seizures and the storage of seized information.

The second group of enactments provides protection to whistleblowers who disclose trade secrets to law enforcement in confidence for the purpose of reporting or investigating suspected violations of law, and outlines protections for confidential disclosures of trade secrets in lawsuits or anti-retaliation proceedings.  The statute, importantly, extends immunity under both state and federal laws in both civil and criminal proceedings.

We’d be glad to assist clients with reviewing and updating documents to ensure these important protections are included in all applicable confidentiality agreements.

________________________________________________________________

Attorney Tegan Blackburn regularly counsels clients on a wide range of sophisticated business and corporate matters, including advice on protecting their assets and “secret sauce”, trademark registration and infringement issues, regulatory compliance and a wide range of contracting issues.

(Note: This new law is based on a number of the provisions of the Uniform Trade Secret Act of 1985, adopted by several states, which was intended to provide better trademark protection and more uniform standards to trade secret holders doing business in multiple states.)


The Latest Security Threat – Ransomware

Ransomware Increasing in Alarming Numbers

The growing sophistication and volume of cyber security threats is a serious, ever-present risk.  Here’s the latest one – ransomware.  Today’s blog will help you understand what this latest threat is, how to avoid it and if the worst thing happens, how to respond to it.

Just how serious is it? If you visit the websites of any federal regulators or enforcement agencies such as the FBI, HHS, OCR or the Secret Service, you’ll see what a big threat this has become – some estimating a 3,500% increase in ransomware just this year.  Readily available, free open source code makes for easy exploits by cyber thieves. With the return on investment for cyber criminals very high, everyone from mom and dad to the local grocer, as well as big business, is at risk.


There are a lot of different types of ransomware out there, but all of them have the same purpose. And it’s pretty much what it sounds like – they kidnap your data, leaving you at the mercy of criminals who’ve taken over and locked down your computer (by encrypting it) until you pay up.  This is just the latest in the highly profitable criminal enterprises lurking on the internet, hitting businesses and individuals alike with software capable of locking down a computer or an entire computer network with just one wrong key stroke.

The typical way ransomware takes over is by:

  • Drive-by downloads – all it takes is a visit to a malicious website, clicking a pop-up ad or opening an infected email attachment. This is often called the “human factor” – people clicking before thinking, not taking a moment to consider if what they’re about to open is legit.  Click, and it’s too late: they’ve taken over and locked you out until you pay up.
  • Exploiting program vulnerabilities – if you don’t run and update anti-virus and malware detection software (setting it to update automatically is best), you’ve left the door wide open to cyber criminals gaining easy entry to your computer system.   The hackers and crackers, or whatever you want to call them, aren’t targeting you specifically; they have malware spiders and bots running behind the scenes 24/7 looking for any open doorway.

To up the ante, criminals often use scare tactics, displaying logos and images of known law enforcement agencies and threatening punishment or imprisonment if payment isn’t made.  All of this works at lightning speed and without warning.  As soon as the pop-up ad, email attachment or link containing ransomware is opened, everything is immediately encrypted, preventing access to the computer or network.  The attacker then demands payment (usually requiring the purchase and delivery of unregulated bitcoin) before giving you the decryption key that, presumably, allows access to the computer.

What can you do to avoid this?

  1. Always back up your data: Frequent (sometimes redundant) backups of data are the best policy – if the worst happens, your data can be promptly restored.
  2. Think before clicking: Don’t click pop-up ads or open attachments or unrequested links unless you know and trust the source.  A lot of these infected emails and links contain red flags, and everyone should be trained on what to look out for.
  3. Secure your PC: Make sure you run and update adequate anti-virus and malware detection software on all systems. Check all system settings so they automatically update and apply appropriate patches.
  4. Don’t Pay: If you think you’ve been the victim of a ransomware attack, don’t panic and rush to pay. There’s no guarantee after making payment that your computer’s functionality and files will be restored. In some instances, more recent, less “robust” versions of this malware delete all your data, so even after you pay up, there’s no guarantee your data will be there. In some instances the Secret Service, FBI or other law enforcement officials should also be contacted.  These agencies typically recommend not paying up as a disincentive to the bad guys, who are often here and gone, beyond the reach of U.S. officials.  (Our next blog will discuss the intricacies posed by a number of federal and state privacy, security and breach notification laws such as HIPAA, which may require notifications and additional steps to be taken.)

If you’ve done what we recommend, frequently backing up files and programs, then using your own resources to quickly restore functionality is a far better way to go than negotiating with criminals and hoping for the best.  Of course, avoiding the problem altogether is the goal, and we’d be glad to assist.

_____________________________________________________________________

Our firm frequently advises clients and provides training on how to avoid these all too present security threats, and if the worst should happen, how to respond.  We welcome your inquiries on our business and corporate legal services; and would be glad to speak with you specifically about our extensive background and expertise helping clients develop and implement the best practices, policies and procedures to avoid these unnecessary, costly problems.


PRIVACY POLICIES REQUIRED


Think it doesn’t apply to you? Connecticut’s privacy law doesn’t just apply to the highly-regulated industries we’re accustomed to hearing about – like banking, healthcare, retail, publicly-traded companies and the government sector, who are all regulated under a variety of strict federal privacy and security laws. The Connecticut legislature (as well as many other states) saw fit to require anyone doing business in the state to safeguard personal information, and requires that privacy policies be posted (See Conn. Gen. Stat. 42-471). This applies with the same force and effect to businesses both public and private. I can think of few, if any, businesses that don’t use, store, transmit or collect some type of “personal information”, whether for payroll, offering health or other benefits, collecting social security numbers, conducting employment screenings, or maintaining important customer and banking information – just to name a few of the areas covered by this law. Connecticut law requires more than just developing privacy policies – they must be publicly posted.

These privacy protections, much like their federal counterparts, extend to any “personally identifying information” such as a full name, social security number or address – essentially any information that either does or could reasonably lead to identifying someone. The definition of “personal information” under the Connecticut law follows the definitions of other federal and state laws to include “information capable of identifying a particular individual by one or more identifiers – name, social security number, driver’s license, account numbers, photos, biometric information, health insurance information, credit or debit card numbers” and the like. Financial institutions that have complied with the privacy and security standards required under Gramm-Leach-Bliley (15 U.S.C. 6801) will be in compliance with this Connecticut law. Healthcare providers and business associates regulated under HIPAA/HITECH regulations (45 C.F.R. Sec. 160, et seq.) that have complied with the requirements of the 2013 Final Omnibus Rule will also likely avoid trouble.

To say the least, it’s a complex area. Depending upon the context and type of information collected, used or stored, businesses may also be required to comply with a variety of other privacy laws in addition to this Connecticut law. While there are more than 30 federal laws governing privacy, and the list is growing, below is a summary of other key federal laws that frequently apply to businesses (and their vendors) who are using, accessing, storing or transmitting “sensitive” information:

  1. HIPAA/HITECH covers past, present, or future physical, mental health conditions of a person;
  2. Financial information regulated under Gramm-Leach-Bliley Act (GLBA and FMSA);
  3. Credit card payments regulated under PCI-DSS industry standards;
  4. Computer Fraud and Abuse Act (CFAA);
  5. Children’s Online Privacy and Protection (COPP);
  6. Fair Trade Communications Act – FTC Privacy; and
  7. Electronic Communications Privacy Act (ECPA) regulating computer crimes.

With cyber hacking and data breach incidents rising throughout the healthcare, retail, banking and government sectors, Connecticut employers and businesses who haven’t taken steps to evaluate the regulated information they use or possess, along with developing written privacy and security policies to keep “personal information” safe from misuse, are making a high-stakes gamble. Many of us who regularly work in this area know it’s really not a question of if – it’s a question of when information that wasn’t adequately protected may fall prey. Why chance what will be a costly, embarrassing event?  Developing, implementing and posting privacy policies is a must.

Where do you start? For many companies, compliance with this Connecticut law (and other state and federal laws) can be accomplished by conducting security assessments, training employees on the importance of protecting data, developing and enforcing security policies – and, most importantly, posting these privacy policies. In the past year, dozens of bills have been introduced to protect consumers from the real and increasing threats of identity theft and fraud. And more are likely to follow. Those not in compliance with the important intent of this law – to safeguard personal information – face the real and ever-present risk of harm to innocent victims, significant regulatory fines or worse. Why chance it? Call us today for practical guidance on avoiding these risks.

With over a decade of experience as Legal Counsel & Chief Compliance Officer to a variety of highly-regulated industry clients, our firm has the dedication and experience to help clients assess security vulnerabilities, train employees and develop the all-important privacy and security policies needed in today’s Internet of Things world.

Please contact us today for more information. Let us know if you’d like a speaker on these important topics at your next business event.


HHS, OIG, DOJ & OTHER INDUSTRY LEADERS RELEASE COMPLIANCE GUIDANCE

If HHS or another regulator knocked on your door today – would you “pass” the audit?

On April 29, 2015, HHS (Dept. of Health and Human Services), OIG (Office of the Inspector General), HCS (Healthcare Compliance Association) and AHLA (American Health Lawyers Association), along with other industry leaders, released a first-of-its-kind joint collaborative education resource entitled “Practical Guidance for Healthcare Boards on Compliance Oversight”, providing helpful tools for identifying risks, preparing for audits and responding to incidents. The document provides diverse tools and insights to governing boards, compliance officials and those reporting to them. Recognizing that there is no uniform approach to compliance – no “one size fits all” – this multi-faceted guidance document will be a valuable resource for organizations both large and small to evaluate the scope and adequacy of their compliance programs.

In addition to asking the right questions of the right people to evaluate the risks posed to an organization, having an incident response plan before it’s needed is one of the best ways to ensure an organization can effectively respond to and recover from a security incident. Working with qualified legal and other professionals with strong compliance experience is one of the best ways to avoid problems.

This guidance emphasizes the importance of organization-wide accountability and offers decision makers a variety of tools to evaluate the effectiveness of policies and procedures within their organizations. The guidance – I believe correctly – concludes that asking the right questions is critical to staying ahead of problems.

The DOJ (Dept. of Justice) has also just released its guidance document entitled “Best Practices for Victim Response and Reporting of Cyber Incidents”, providing practical advice for fending off and responding to cyber attacks. Offering guidance on what businesses should do before, during and after a cyber attack, DOJ outlines what’s expected in the event of a security incident, including the preservation of evidence and cooperation with its investigations.

As more and more healthcare and other entities are affected by illegal intrusions, these guidance documents offer practical advice for protecting against the ever-present risk of cyber attack. An organization’s risk analysis (or lack of one) is a primary area of focus for regulators, who know insufficient analysis to be the single biggest culprit behind many known breaches. The absolute worst time to develop a breach response plan is after an attack – having the right people, processes and resources in place before they’re needed puts every organization in the best position to respond to and successfully recover from a security breach.

With more than a decade of experience helping companies prepare for and respond to regulatory audits and security incidents, we welcome your inquiries on how we can help.