Make Remote Access for Your Employees Safer & Quicker with Disciplined User Rights

During times of disruption and an unpredictable future, your organization’s focus on “the basics” of a fundamental remote access strategy and design is essential. The newly widespread remote working environment, dictated by various states’ stay-at-home orders during the Coronavirus pandemic, demands that the successful organizations of tomorrow fully grasp the fundamentals of safe remote access protocols and prepare for the elastic growth of a disciplined remote access initiative.

The landscape of remote access is forever changed. Regardless of your organization’s existing hardware, software or network (WAN) and cloud design, basic planning activities – which pave the runway for successful remote access – ensure your organization’s sustainability and enhance your competitiveness in a crowded marketplace.

First and foremost, it’s recommended that you audit your current infrastructure design – including a review of your hardware, software, infrastructure, bandwidth, security, etc. Any high-performing organization’s remote access strategy should maintain SLAs (Service Level Agreements) or project deadlines and objectives with all internal users and exercise resiliency when confronted with the performance, compliance, and security demands needed to scale.

Three core strategic planning activities are highly recommended prior to, or in parallel with, an audit of your remote access posture:

Clean Up Your Users

Identity hygiene is a constant necessity for any organization to ensure its security stance and guarantee fluidity in the face of dynamic change. Legacy user account cleanup falls into this category, but the lesser-practiced aspects of identity hygiene include organizational unit restructuring and security group management. These components of a well-tuned identity management infrastructure represent the organizational layout of a business and the mapping of processes to business roles, which too often grow organically as companies mature. Complacency toward organic growth has led many organizations to make drastic and costly decisions to start over rather than reorganize, in order to remove the cancer that has developed in their identity management infrastructure.

Segment User Roles

Likewise, segmenting roles is critical to identity hygiene. Most enterprises have adopted the bifurcation of administrator and personal accounts to ensure audit trails, but considerably fewer have aligned security stance to personnel role. As tenure grows and roles change to meet the needs of the organization, new rights and responsibilities are created and added to those individuals, with few taken away as the firm’s requirements change. Aligning roles to responsibilities, and more importantly to permissions, assures audit compliance without complex explanations and eases transition should those trusted employees ultimately leave the company.

Assign Least Access Rights to Segmented Roles

Finally, the selection of rights assigned to those segmented roles solidifies a corporate identity management strategy. Whether assigned through a workflow engine or maintained through formalized manual processes, assuring least access aligned to each role eliminates the organic growth of unnecessary permissions or access to applications that are no longer appropriate. This last part, the removal of access that is no longer strictly necessary, is a key facet of a comprehensive strategy that many organizations – including large enterprises – develop complacency around. It is too easy to allow excuses that support and even justify this laxity, but it is this very lassitude about least access which opens doors to ransomware propagation, disgruntled and disaffected IT administrators, and glaring audit infractions.

In summary, organizational resilience is steeped in discipline. Crisis management and the daily “X factor” can create havoc even with the best laid plans for systems maintenance. The ways in which your firm interacts with clients, partners, suppliers, and others will undoubtedly change with the heavy reliance on remote access capabilities. Those who grasp this concept now will be ahead of the game.

Remote access prowess is now an entry ticket to conducting business post-COVID-19 and absolutely can be viewed now as a true competitive differentiator. When organizations run with elephants there are only two types: (1) the quick and (2) the dead. Let’s encourage each other to be in the former category, rather than the latter.


© 2020 Plan B Technologies, Inc. All Rights Reserved.


Cybersecurity Whistleblower Protections for Employees of Federal Contractors and Grantees

For information security professionals, identifying cybersecurity vulnerabilities is often part of the job.  That is no less the case when the job involves a contract or grant with the U.S. government.

Information security and data privacy requirements have become a priority at federal agencies.  These requirements extend to federal contractors because of their access to government data.  Often, cybersecurity professionals are the first to identify non-compliance with these requirements.  As high-profile data breaches have become more common, those who report violations of cybersecurity and data privacy requirements often experience retaliation and seek legal protection.

Reporting non-compliance or misconduct in the workplace can be necessary, but it can also be daunting.  It is important for cybersecurity whistleblowers to know their legal rights when disclosing such concerns to management or a federal agency.

In many cases, federal law protects cybersecurity whistleblowers who work for federal contractors or grantees.  This post provides an overview of those protections.

What cybersecurity requirements apply to federal contractors?

Federal contractors are subject to data privacy and information security requirements.

The Federal Information Security Management Act (“FISMA”) creates information security requirements for federal agencies to minimize risk to the U.S. government’s data.  FISMA also applies these requirements to state agencies administering federal programs and private businesses contracting with the federal government.  Federal acquisition regulations codify the cybersecurity and data privacy requirements applicable to federal contractors.  E.g., 48 C.F.R. §§ 252.204-7008, 7012 (providing for cybersecurity standards in contracts with the U.S. Department of Defense); 48 C.F.R. § 52.204-21 (outlining basic procedures for contractors to safeguard information processed, stored, or transmitted under a federal contract).

Pursuant to the FISMA Implementation Project, the National Institute of Standards and Technology (“NIST”) produces security standards and guidelines to ensure compliance with FISMA.  Key principles of FISMA compliance include a systemic approach to the data that results in baseline controls, a risk assessment procedure to refine controls, and implementation of controls.  A security plan must document the controls.  Those managing the information must also assess the controls’ effectiveness.  NIST also focuses its standards on determining enterprise risk, information system authorization, and ongoing monitoring of security controls.

Essential standards established by NIST include FIPS 199, FIPS 200, and the NIST 800 series.  Core FISMA requirements include:

  • Federal contractors must keep an inventory of all of an organization’s information systems.
  • Contractors must identify the integration between information systems and other systems in the network.
  • Contractors must categorize information and information systems according to risk. This prioritizes security for the most sensitive information and systems.  See “Standards for Security Categorization of Federal Information and Information Systems” FIPS 199.
  • Contractors must have a current information security plan that covers controls, cybersecurity policies, and planned improvements.
  • Contractors must consider an organization’s particular needs and systems and then identify, implement, and document adequate information security controls. See NIST SP 800-53 (identifying suggested cybersecurity controls).
  • Contractors must assess information security risks. See NIST SP 800-30 (recommending that an organization assess risks at the organizational level, the business process level, and the information system level).
  • Contractors must conduct annual reviews to ensure that information security risks are minimal.

In addition to generally-applicable standards, individual contracts may create other cybersecurity or data privacy requirements for a government contractor.  Such requirements are prevalent when the contractor provides information security products or services for the government.

What protections exist for cybersecurity whistleblowers who work for federal contractors?

Federal law contains whistleblower protection provisions that may prohibit employers from retaliating against whistleblowers who report cybersecurity or data privacy concerns.  See Defense Contractor Whistleblower Protection Act, 10 U.S.C. § 2409; False Claims Act, 31 U.S.C. § 3730(h); NDAA Whistleblower Protection Law, 41 U.S.C. § 4712.  These laws protect a broad range of conduct.

Protected conduct under these laws includes:

  • Efforts to stop false claims to the government;
  • Lawful acts in furtherance of an action alleging false claims to the government; and
  • Disclosures of gross mismanagement, gross waste, abuse of authority, or a violation of law, rule, or regulation related to a federal contract or grant. Id.

These provisions have wide coverage.  They protect any employee of any private sector employer that is a contractor or grantee of the federal government.  In some cases, even the employer’s contractors and agents are protected.

An employer’s non-compliance with information security requirements could breach the employer’s contractual obligations to the federal government and violate federal law and regulation.  Thus, whistleblowers who report cybersecurity or data privacy concerns related to a federal contract or grant may be protected from employment retaliation.

What is the burden to establish unlawful retaliation for reporting cybersecurity concerns?

Exact requirements vary, but an employee typically establishes unlawful retaliation by proving that (1) the employee engaged in conduct that is protected by statute, and (2) the protected conduct to some degree caused a negative employment action.  See, e.g., 10 U.S.C. § 2409(c)(6) (incorporating burden of proof from 5 U.S.C. § 1221(e)); 41 U.S.C. § 4712(c)(6) (same); 31 U.S.C. § 3730(h)(1).  

Under some of the applicable protections, an employee need prove only that the protected conduct played any role whatsoever in the employer’s decision to take the challenged employment action.  See 10 U.S.C. § 2409; 41 U.S.C. § 4712.

What damages or remedies can a cybersecurity whistleblower recover for retaliation?

The relief available depends on which laws apply to the particular case.  Remedies may include an amount equal to double an employee’s lost wages, as well as reinstatement or front pay.  In some cases, a whistleblower may also recover uncapped compensatory damages for harms like emotional distress and reputational damage.  Additionally, a prevailing plaintiff can recover reasonable attorneys’ fees and costs.

Recently, a jury awarded a defense contractor whistleblower $1 million in compensatory damages.  The whistleblower proved that the employer more than likely retaliated by demoting him after he reported issues with tests related to a federal contract, according to the jury.  Specifically, the whistleblower alleged he reported and opposed management’s directive to misrepresent the completion status of testing procedures.

In a recent case under the False Claims Act, a whistleblower received more than $2.5 million for retaliation she suffered after internally reporting off-label promotion for a drug outside its FDA-approved use.  The False Claims Act protects employees from retaliation who blow the whistle on fraud against the government, including those who blow the whistle internally to a government contractor or grantee.

Do any court cases address whether cybersecurity whistleblowers are protected?

Yes.  Judges and juries have applied these laws to protect cybersecurity whistleblowers.

For example, in United States ex rel. Glenn v. Cisco Systems, Inc., defendant Cisco Systems settled for $8.6 million in what is likely the first successful cybersecurity case brought under the False Claims Act.  The plaintiff/relator James Glenn worked for Cisco and internally reported serious cybersecurity deficiencies in a video surveillance system, soon after which he was fired.  Cisco had sold the surveillance systems to various federal government entities, including the Department of Homeland Security, FEMA, the Secret Service, NASA, and all branches of the military.  After monitoring Cisco’s public pronouncements regarding the system and confirming the company had not solved the problems or reported vulnerabilities to customers, Glenn contacted the FBI.  Multiple states joined in the complaint and brought claims under state laws.

While the case did not proceed to litigation, Glenn received nearly $2 million of the settlement, and the federal government’s attention to the issue proves that cybersecurity and data privacy are of utmost importance.

Surely, as more of our lives and businesses move online, the government will place increased importance on contractors and grantees following data security and privacy requirements and disclosing known vulnerabilities.  Cybersecurity whistleblowers working for government contractors play an important part in revealing these vulnerabilities and keeping the federal government secure.  Still, these whistleblowers may experience retaliation after blowing the whistle internally at their place of work.

How can employees enforce these protections from retaliation?

Employees generally have the right to bring claims of unlawful retaliation for cybersecurity or data privacy whistleblowing in federal court.  However, some claims limit that right to whistleblowers who first exhaust all their administrative remedies.  For example, in some cases whistleblowers will first need to pursue relief from the Office of Inspector General of the relevant federal agency.  Additionally, cybersecurity whistleblower claims are subject to strict deadlines.  See, e.g., 31 U.S.C. § 3730; 10 U.S.C. § 2409; 41 U.S.C. § 4712.


© 2020 Zuckerman Law

Techplace Tickler: eDiscovery Challenges in a Remote Work Environment

In the first episode of our Techplace Tickler series, Danielle Ochs, Tom Lidbury, and Traer Cundiff discuss various eDiscovery-related issues that have arisen during the COVID-19 pandemic when many people are working remotely. They cover data security concerns while working from home, remote document review, and best practices for collecting, capturing, and transferring data remotely.


© 2020, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.


6 Months Until Brazil’s LGPD Takes Effect – Are You Ready?

In August 2018, Brazil took a significant step by passing comprehensive data protection legislation: the General Data Protection Law (Lei Geral de Proteção de Dados Pessoais – Law No. 13,709/2018, as amended) (LGPD). The substantive part of the legislation takes effect August 16, 2020, leaving fewer than six short months for companies to prepare.

While the LGPD is similar to the EU’s General Data Protection Regulation (GDPR) in many respects, there are key differences that companies must consider when building a compliance program that is in line with the LGPD.

Application

The LGPD takes a broad, multi-sectoral approach, applying to both public and private organizations and businesses operating online and offline. The LGPD applies to any legal entity, regardless of their location in the world, that:

  • processes personal data in Brazil;
  • processes personal data that was collected in Brazil; or
  • processes personal data to offer or provide goods or services in Brazil.

Thus, like the GDPR, the LGPD has an extraterritorial impact. A business collecting or processing personal data need not be headquartered, or even have a physical presence, in Brazil for the LGPD to apply.

Enforcement and Penalties

After many debates and delays, the Brazilian Congress approved the creation of the National Data Protection Authority (ANPD), an entity linked to the executive branch of the Brazilian government, which will be tasked with LGPD enforcement and issuing guidance.

Violations of the LGPD may result in fines and other sanctions; however, the fine structure is more lenient than the GDPR’s. Under the LGPD, fines may be levied up to 2% of the Brazil-sourced income of the organization (which is considered any legal entity, its group or conglomerate), net of taxes, for the preceding fiscal year, limited to R$ 50,000,000.00 (approx. $11 million) per infraction. There is also the possibility of a daily fine to compel the entity to cease violations. The LGPD assigns to the ANPD the authority to apply sanctions and determine how the fines shall be calculated.

Legal Basis for Processing

Similar to the GDPR, an organization must have a valid basis for processing personal data. Personal data can only be processed if it meets one of the 10 requirements below:

  • with an individual’s consent;
  • when necessary to fulfill the legitimate interests of the organization or a third party, except when the individual’s fundamental rights and liberties outweigh the organization’s interest;
  • based on a contract with the individual;
  • to comply with a legal or regulatory obligation;
  • by the public administration or for judicial purposes;
  • for studies by research entities;
  • for the protection of life or physical safety of the individual or a third party;
  • by health professionals or by health entities for health care purposes; or
  • to protect an individual’s credit.

Sensitive personal information (race, ethnicity, health data, etc.) and children’s information may only be processed with the individual or a parent or legal guardian’s consent, as applicable, or as required by law or public administration.

Individual Rights

Brazilian residents have a number of rights over their personal data. Many of these rights are similar to those found in the GDPR, but the LGPD also introduces additional rights not included in the GDPR.

Established privacy rights, materially included in the GDPR

  • access to personal data
  • deletion of personal data processed with the consent of the individual
  • correction of incomplete, inaccurate, or out-of-date personal data
  • anonymization, blocking, or deletion of unnecessary or excessive data or personal data not processed in compliance with the LGPD
  • portability of personal data to another service or product provider
  • information about the possibility of denying consent and revoking consent

Additional rights provided by the LGPD

  • access to information about entities with whom the organization has shared the individual’s personal data
  • access to information on whether or not the organization holds particular data

Transferring Data Out of Brazil

Organizations may transfer personal data to other countries that provide an adequate level of data protection, although Brazil has not yet identified which countries it considers as providing an adequate level of protection. For all other transfers, organizations may not transfer personal data collected in Brazil out of the country unless the organization has a valid legal method for such transfers. There are two main ways organizations can transfer data internationally:

  • with the specific and express consent of the individual, which must be prior and separated from the other purposes and requisitions of consent;
  • through contractual instruments such as binding corporate rules and standard clauses, committing the organization to comply with the LGPD principles, individual rights, and the Brazilian data protection regime.

Governance & Oversight

In addition to the requirements above, under the LGPD, organizations must, in most circumstances:

  • Appoint an officer to “be in charge of the processing of data,” who, together with the organization, shall be jointly liable for remedying any damage, whether individually or collectively, in violation of the personal data protection legislation, caused by them (there is little specificity around the role or responsibility of the data processing officer; however, it is not mandatory for the officer to be located in Brazil);
  • Maintain a record of their processing activities;
  • Perform data protection impact assessments;
  • Design their products and services with privacy as a default;
  • Adopt security, technical, and administrative measures able to protect personal data from unauthorized access, as well as accidental or unlawful destruction, loss, alteration, communication (likely similar standards to those established under the Brazilian Internet Act); and
  • Notify government authorities and individuals in the case of a data breach.

Meeting these requirements will likely be a significant administrative burden for organizations, especially as they work to meet varying documentation and governance requirements between the GDPR, CCPA, and LGPD. This effort is made more complicated by the lack of clarity in some of the LGPD administrative requirements. For example, while the LGPD requires a record of processing, it does not delineate what should be included in the document, and while it establishes that privacy impact assessments should be carried out, it does not indicate when such assessments are required.

Final Thoughts

Given that August 2020 is right around the corner, global organizations processing personal data from or in Brazil should consider immediately moving forward with a review of their current data protection program to identify and address any LGPD compliance gaps that exist. As privacy law changes and global compliance requirements are top of mind for many clients with global operations, we will be sure to provide timely informational updates on the LGPD and any ANPD guidance issued.

Greenberg Traurig is not licensed to practice law in Brazil and does not advise on Brazilian law. Specific LGPD questions and Brazilian legal compliance issues will be referred to lawyers licensed to practice law in Brazil.


©2020 Greenberg Traurig, LLP. All rights reserved.


SEC Examiners Release Cyber Observations: What You Need To Know

On January 27, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its most recent Cybersecurity and Resiliency Observations. This report highlights specific practices that have been, and can be, taken to enhance cybersecurity preparedness and incident response. The release of these observations is the latest move by the SEC demonstrating its increased attention to corporate cybersecurity practices. If you are a market participant supervised by OCIE, you may want to consider this report a benchmark to help navigate the SEC’s expectations when reviewing internal cybersecurity programs. The SEC has indicated that cybersecurity compliance and procedures remain a top priority—and they should be for you too.

OCIE Cybersecurity and Resiliency Observations

The OCIE, which reviews the effectiveness of market participants’ compliance programs, focused on seven areas in the cybersecurity report: governance and risk management; access rights and controls; data loss prevention; mobile security; incident response and resiliency; vendor management; and training and awareness. OCIE explained that it “felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cyber-security practices.”

OCIE made clear that the most effective cybersecurity programs were those with proactive senior leaders committed to improving their organization’s cyber posture before an incident occurs. “Devoting appropriate board and senior leadership attention to setting strategy of and overseeing the organization’s cybersecurity and resiliency programs,” was a key observation.

Preventing data loss is a perennial focus of cybersecurity programs. OCIE observed a variety of tools and practices to ensure that sensitive data, including client information, was not lost, misused, or accessed by unauthorized users. These included frequent vulnerability scans of software and devices, utilizing encryption, keeping software patched with the latest updates, and monitoring for insider threats. On that last point, OCIE observed companies creating insider threat programs to identify suspicious behaviors, including escalating issues to senior leadership as appropriate.

Consistent with cybersecurity guidance from other sources but relatively new from the SEC, the report highlighted the risks associated with mobile devices, urging the implementation of security measures to prevent unauthorized access to sensitive systems. As corporate employees increasingly rely on mobile devices for work, the amount of sensitive data stored on those devices continues to grow, creating unique security concerns. OCIE observed companies implementing security measures that prevent users from saving sensitive information to personally owned devices and maintaining the ability to remotely clear data on employees’ devices, if necessary.

Addressing vendor management, OCIE underscored the increased risk related to vendor use of cloud services and the importance of due diligence when selecting vendors. Lastly, and arguably most important, the report addressed incident response and training. OCIE stressed that market participants should be consistently testing and updating their incident response plans and training employees to identify and respond to cyber threats. These seven areas of focus provide important guidance for market participants regarding the expectations of OCIE examiners when conducting reviews.

Takeaways

With the release of the 2020 observations, the SEC continues to send the clear message that it expects market participants to not only respond timely and responsibly to cyber incidents, but also to proactively implement mitigation policies to reduce threats. Importantly, OCIE recognized that there is no one-size-fits-all approach.

Every organization should develop incident response plans that are tailored to its unique circumstances. Regulators continue to emphasize that it is not enough to simply have policies on the books—companies must routinely update and practice those plans. Senior leaders should be involved in that process and should be prepared for the SEC and other regulators to closely examine their plans and other internal security protocols. Failure to do so is not only a regulatory issue, but creates private litigation risk.

The SEC is paying attention to and reiterating a common cybersecurity compliance roadmap: develop and implement cybersecurity plans to reduce risks, be prepared for regulatory scrutiny that may follow a cybersecurity incident, conduct staff training, and be prepared to respond to cybersecurity incidents.


© 2020 Bracewell LLP

How Law Firms Can Prevent Phishing and Malware

Law firms harbor information directly linked to politics, public figures, intellectual property, and sensitive personal information. Because lawyers rely on email to manage cases and interact with clients, hackers exploit technical vulnerabilities and people via email. After cybercriminals infiltrate a law firm’s systems in a successful phishing or malware attack, they leverage breached information for financial gain.

Starting with email, law firms must control the availability, confidentiality, and integrity of their data, or they will suffer breaches that bring increased insurance premiums, loss of intellectual property, lost contract revenue, and reputational damage.

Law firms aren’t securing their cloud technology

As lawyers adopt best practices in technology, they’re moving client data and confidential documents from on-premises to cloud-hosted databases. 58% of firms use cloud technology to manage their clients and run their firms, according to the 2019 Legal Technology Survey Report on Cybersecurity and Cloud Computing from the American Bar Association’s Legal Technology Resource Center.

Migrating data to the cloud is a good thing, despite concerns about its availability. Data is more secure when stored in a system with modern infrastructure and security protocols, instead of stored locally on an outdated system no longer supported by vendors — such as a desktop device still running Windows 7 software, rather than Windows 10.

Even though the cloud is safe, law firms inevitably fall victim to cloud-based cyberattacks like phishing and malware.

26% of lawyers reported a security breach at their firm. TECHREPORT’s other findings explain why the breach rate is so high:

  • Fewer than half (41%) of all respondents changed their security practices after migrating to the cloud.

  • Only 35% of lawyers adopt more than one standard security measure — like encryption, anti-malware, anti-phishing, and network security.

  • 14% of respondents using cloud-based technology to manage their firm do not have any preventative security measures in place.

Figure: Changes to your firm's security policies. (Source: 2019 ABA TECHREPORT)

How law firms can prevent phishing and malware

Lawyers know data breaches create downtime, loss of billable hours, and reputational harm. But they’re less aware of how to prevent those outcomes.

Phishing explained

Phishing happens via email, when hackers impersonate trusted senders to trick recipients into divulging sensitive or confidential information. Most often, phishers trick victims to click a malicious URL and interact with spoofed login pages. Microsoft is the most spoofed brand in the world, because it is the hub for organizations to collaborate and exchange information. If a lawyer enters their Office 365 credentials onto a spoofed login page, the username and password go directly to the hacker’s server.

Figure: Most common brands in phishing attacks. (Source: TechRadar)

Successful credential-harvesting phishing attacks allow hackers to access data-dense services like Office 365, online banking, and practice management software. Stolen credentials lead to account takeover scenarios that result in further exploits, including network infiltration, database infiltration, and data exfiltration.

3 common characteristics of phishing attacks

  1. Subject lines that appear highly urgent

Many subject lines in phishing emails are in all-caps to pressure the recipient. Beware of subject lines that say “URGENT” or “Are you available?” An infographic from cybersecurity firm KnowBe4 reveals the top phishing email subject lines from 2019.

Figure: Top-clicked phishing tests. (Source: KnowBe4)

  2. Spelling errors, grammar errors, and awkward language

Hackers need to deceive language parsing technology like Optical Character Recognition (OCR) that identifies suspicious content and blocks the message. To bypass anti-phishing algorithms, they’ll intentionally misspell words, use special characters that look like letters, and replace letters with lookalike numbers. Phishing URLs are often misspelled, or the domain name does not match the content of the page. Carefully read every URL to see if the words and letters match the content of the page.

  3. Unexpected or unusual requests for documents or money

Phishers can spoof the display name and sender address of trusted contacts to lull recipients into a false sense of trust and compliance. Confirm any request for sensitive information (bank routing numbers, trust account numbers, login credentials, document access, etc.) or for a payment over a channel other than the email thread itself, by phone using a number you already have on file, not one supplied in the message.
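The link checks described under characteristics 2 and 3 above, written out as an added example (not code from the original article). TRUSTED_DOMAINS and LOOKALIKES are assumptions: a short sample list for a hypothetical firm and a handful of common substitutions, not a complete homoglyph table. The function reports why a link looks wrong: visible text that disagrees with the real destination, non-Latin characters in the hostname, a trusted name buried as a subdomain of an unrelated domain, and digit-for-letter lookalikes.

```python
"""Link checks for a suspicious email. Added example, not code from the
original article. TRUSTED_DOMAINS and LOOKALIKES are assumptions: a short
sample list for a hypothetical firm, not a complete homoglyph table."""
import unicodedata
from urllib.parse import urlparse

# Domains this hypothetical firm expects real login links to land on (assumption).
TRUSTED_DOMAINS = {"microsoft.com", "microsoftonline.com", "office.com", "docusign.com"}

# Substitutions that make a registered lookalike read like the real name (sample only).
LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def hostname(url):
    """Lower-cased host of a URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels: login.microsoftonline.com -> microsoftonline.com.
    Simplification: ignores multi-part public suffixes such as co.uk."""
    parts = host.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def fold_lookalikes(name):
    """Undo digit-for-letter and pair substitutions to see what a name imitates."""
    for fake, real in LOOKALIKES.items():
        name = name.replace(fake, real)
    return name


def displayed_host(text):
    """Host named in the visible link text, if the text looks like a URL or a bare domain."""
    text = text.strip()
    if "://" in text:
        return hostname(text)
    if "." in text and " " not in text:
        return hostname("https://" + text)
    return ""


def analyze_link(display_text, href):
    """Return the reasons a link looks suspicious. An empty list means nothing was
    flagged, which is not proof that the link is safe."""
    findings = []
    host = hostname(href)
    if not host:
        return ["link has no hostname"]
    if urlparse(href).scheme != "https":
        findings.append("link is not https")
    shown = displayed_host(display_text)
    if shown and shown != host:
        findings.append(f"text shows {shown} but link goes to {host}")
    if any(ord(c) > 127 for c in host):
        scripts = sorted({unicodedata.name(c).split()[0] for c in host if ord(c) > 127})
        findings.append(f"hostname uses non-Latin characters ({', '.join(scripts)}): possible homoglyph")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return findings
    # A trusted name used as a subdomain label of an unrelated domain,
    # e.g. microsoft.com.docs-review.example
    for trusted in sorted(TRUSTED_DOMAINS):
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            findings.append(f"{trusted} appears as a subdomain of {domain}")
            break
    folded = fold_lookalikes(domain)
    if folded != domain and folded in TRUSTED_DOMAINS:
        findings.append(f"{domain} imitates {folded} with substituted characters")
    return findings


if __name__ == "__main__":
    # Constructed sample links, the first legitimate and the rest lookalikes.
    for text, href in [
        ("https://login.microsoftonline.com/", "https://login.microsoftonline.com/"),
        ("https://microsoft.com", "http://micr0soft.com/login"),
        ("Review document", "https://microsoft.com.docs-review.example/x"),
        ("Sign in", "https://www.micr\u043esoft.com/"),
    ]:
        print(href, "->", analyze_link(text, href) or "nothing flagged")
```

The checks are deliberately conservative: a link that passes them still deserves the out-of-band confirmation described above when it asks for credentials or money.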

6 ways to prevent phishing at your law firm

  1. Check if email addresses associated with the firm were involved in high-profile breaches

Have I Been Pwned is a website that tracks email addresses and passwords exposed in breaches of online services, so that victims can change the exposed password before it is used against them. Check the firm’s addresses there, set up notifications so you are alerted when an address appears in a future breach, and, if you control the firm’s domain, use the domain search to monitor every address on it at once.

 Check if you have an account that has been compromised in a data breach.

Source: HaveIBeenPwned.com
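How a password can be checked against Have I Been Pwned’s Pwned Passwords service without sending the password, or even its full hash, to anyone: the added example below (not the article’s code and not HIBP’s own implementation) sends only the first five hex characters of the SHA-1 hash and does the comparison locally. RANGE_RESPONSES is a constructed stand-in for the HTTP response body so the example runs offline; the first suffix is the real SHA-1 suffix of the word “password”, while the count and the other line are made up.

```python
"""Pwned Passwords range lookup, as Have I Been Pwned's API is called.
Added example, not the article's code and not HIBP's implementation.
RANGE_RESPONSES is a constructed stand-in for the HTTP body (offline)."""
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to the
    service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse the 'SUFFIX:COUNT' lines the service returns into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """fetch_range(prefix) returns the response body for RANGE_API + prefix.
    Returns how many times the password appeared in known breaches (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the service. The first suffix is the real suffix of
# SHA-1("password"); the count and the second line are invented.
RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "00000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:2\n",
}


def offline_fetch(prefix):
    """Replace with an HTTPS GET of RANGE_API + prefix (urllib.request) in production."""
    return RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "->", breach_count(pw, offline_fetch))
```

A non-zero count means the password is in attackers’ cracking lists and should be replaced; a zero only means it has not appeared in a breach HIBP knows about.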

  2. Install password managers

The best passwords don’t need to be memorized. 25% of people reuse the same password for everything, according to OpenVPN. Password managers such as 1Password (paid) and LastPass (free tier available) use browser plug-ins and mobile applications to create, remember, and autofill long, randomly generated passwords, one per site. They also flag weak or reused passwords across sites, and some can rotate those passwords automatically on supported sites. A password manager resists phishing in a way people do not: it autofills only on the domain the password was saved for, so a spoofed login page on a lookalike domain gets nothing.

LastPass password management software

Source: LastPass.com

  3. Make multi-factor authentication (MFA) mandatory at the firm

Multi-factor authentication requires two or more independent proofs of identity at login, so a stolen password alone is not enough to take over an account and reach confidential data. In its simplest form, after the username and password are submitted, the service sends a short one-time code to the account holder’s email address or phone; the code must be entered on the follow-up login screen before it expires.

Because email accounts can be compromised and phone numbers can be hijacked (for example by a SIM swap at the carrier), prefer app-based or hardware-based MFA over codes delivered by email or SMS.

Solo and small/medium firms should use an authenticator app such as Google Authenticator. At enrollment the service and the app share a secret (usually scanned from a QR code); the app then derives a fresh six-digit code from that secret and the current time every 30 seconds, so no code is ever sent over the network and nothing tied to the email address or phone number is involved. Keep the recovery codes issued at enrollment somewhere safe offline, because the secret lives only on that phone.

Larger firms should adopt hardware MFA. These security keys plug into a laptop, tablet, or mobile device (or connect over NFC) to authenticate access to applications, and even to the device itself. Keys like Yubico’s YubiKey, which Google requires for its own employees, sign a challenge that is bound to the website’s origin, so a spoofed login page cannot obtain a response that works on the real site, and the private key never leaves the device. If a key is lost, access can be recovered through backup codes or a second registered key; a fallback to codes delivered by email or SMS reintroduces the weakness the key was meant to remove, so limit fallbacks to what the firm can accept.

Make Multi-Factor authentication mandatory at the law firm.

YubiKeys (Source: Wired Store)

  4. Participate in phishing awareness training programs

These programs regularly educate employees on the characteristics of spam, phishing, malware, ransomware, and social engineering, then send simulated phishing emails to measure how well the training took. KnowBe4 (which offers a free phishing security test) and Microsoft’s Attack Simulator (included with Office 365 Advanced Threat Protection) both run such simulations, train users not to interact with phishing attempts, and report how well trained they are, based on the click rate during the simulations. The 2019 Verizon Data Breach Investigations Report found that lawyers and other professional service workers were the third most likely group to click on phishing emails.

2019 Verizon Data Breach Investigations Report

Source: 2019 Verizon Data Breach Investigations Report, Figure 45

  5. Only connect to secure WiFi

Connecting to public WiFi in a cafe, airport, or hotel is dangerous. Anyone on the same network can probe your device for exposed services, and whoever runs the access point (or impersonates it) can read and alter any traffic that is not encrypted. When traveling, use a virtual private network (VPN) so that all of the device’s traffic travels through an encrypted tunnel to the firm’s network before it reaches the Internet, and keep the device’s firewall on so that other devices on the hotspot cannot reach it.

  6. Report suspicious emails

Office 365 and Gmail both offer a built-in option to report a message as phishing. Use it: each report improves the provider’s filtering for everyone. Where the firm has an IT team or security staff, forward the message to them as well (as an attachment, so that the headers survive) so they can block the sender or domain, search other mailboxes for the same message, and adjust the email service or third-party security tool the firm uses.

What is malware?

Malware is any malicious software: a file or script that, once run, hijacks a device, steals confidential data, or enlists the machine in a Distributed Denial of Service (DDoS) attack. Most malware is delivered via email. The 2019 Verizon Data Breach Investigation Report found that 51% of phishing attacks involve malware being introduced into the network. The payload usually arrives as an attachment or link disguised as a DocuSign or Adobe document, or as a fraudulent bill or invoice.

Ransomware is a subset of malware that encrypts data or locks systems and holds them hostage until a ransom is paid. The same extortion playbook is also used without any malware at all: “sextortion” phishing emails, in which hackers claim to have footage of the victim watching pornography and demand payment, are gaining popularity.

The 2019 ABA TECHREPORT noted that 36% of firms have had systems infected, and about a quarter (26%) of firms were unaware whether they had been infected by malware. Larger firms, which tend to use on-premises software because of the up-front work associated with cloud migration, are the least likely to know if they have suffered a malware attack.

3 ways to prevent malware

  1. Monitor and update outdated software and hardware 

Application updates are necessary and should not be treated as optional. These software upgrades implement essential security features to ward off new strains of attacks. Not updating software and hardware provides short term savings, but will be very costly in the long run.

Be aware that:

  • Windows 7 is no longer supported since January 2020.

  • MS Office 2010 will no longer be supported as of October 2020.

  • Support for Adobe Acrobat X Reader/Standard/Pro, Adobe Acrobat XI, and Reader XI has ended. According to the 2019 ABA TECHREPORT, 88% of attorneys use Adobe Acrobat products, so check that every installation is on a version that still receives security updates; anything left on these versions is unpatched.

  2. Monitor email for links and executables (including macro-enabled Office docs)

Executable files, and Office documents that carry macros, run whatever code they contain as soon as they are opened. Apply application control on the device (Windows AppLocker or Software Restriction Policies, for example) so that executables cannot start from user-writable locations such as the Downloads or temporary folders without approval. Microsoft found that 98% of Office-targeted threats use macros. In 2016, Microsoft added a Group Policy setting to Office 2016 that blocks macros in Word documents that arrived from the Internet; turn it on, and set the other Office applications to disable macros without notification.

Block macros and prevent malware in Microsoft Office Word.

Source: Microsoft Security Blog
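The attachment monitoring described above, as an added example of the triage an email gateway or mail-flow rule performs (not the article’s code): it flags executable types, double extensions, content that does not match the claimed extension, Windows executables renamed to something harmless, and Office documents that carry a VBA macro project. The sample attachments are constructed in memory; build_docm produces only the zip skeleton of a macro-enabled Word file, not a real document, because the zip layout is all the check needs.

```python
"""Attachment triage: executables, double extensions, mismatched content and
Office documents carrying a VBA macro project. Added example, not the
article's code. All sample attachments below are constructed in memory."""
import io
import zipfile

EXECUTABLE_EXT = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
                  "wsf", "hta", "ps1", "msi", "jar", "lnk", "dll"}
OOXML_EXT = {"docx", "docm", "dotm", "xlsx", "xlsm", "xltm", "pptx", "pptm", "ppsm"}
LEGACY_OFFICE_EXT = {"doc", "dot", "xls", "xlt", "ppt"}
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML documents are zip archives
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office format
PE_MAGIC = b"MZ"                                   # Windows executable header


def extensions(name):
    """All extensions of a filename, lower-cased: 'a.pdf.exe' -> ['pdf', 'exe']."""
    parts = name.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def has_vba_project(data):
    """An OOXML file contains macros exactly when the archive has a vbaProject.bin entry."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
    except zipfile.BadZipFile:
        return False


def triage(name, data):
    """Reasons to hold the attachment; an empty list means nothing was flagged."""
    reasons = []
    exts = extensions(name)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXT:
        reasons.append(f"executable type .{last}")
        if len(exts) >= 2:
            reasons.append(f"double extension hides executable: {name}")
    if last in OOXML_EXT and not data.startswith(ZIP_MAGIC):
        reasons.append("content does not match Office extension")
    if has_vba_project(data):
        reasons.append("contains VBA macro project")
    if data.startswith(OLE_MAGIC) and last in LEGACY_OFFICE_EXT:
        reasons.append("legacy binary Office format: macros not visible from the extension, scan before delivery")
    if data.startswith(PE_MAGIC) and last not in EXECUTABLE_EXT:
        reasons.append("Windows executable disguised under another extension")
    return reasons


def build_docm(with_macro):
    """Constructed skeleton of a macro-enabled Word file; only the zip layout matters."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments.
SAMPLES = {
    "invoice.docm": build_docm(True),
    "memo.docx": build_docm(False),
    "Invoice_2020.pdf.exe": PE_MAGIC + b"\x00" * 62,
    "scan.docx": b"%PDF-1.4 not really an Office file",
    "photo.jpg": PE_MAGIC + b"\x90\x00",
    "old-memo.doc": OLE_MAGIC + b"\x00" * 24,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", triage(name, data) or "ok")
```

The magic-number checks matter because the extension is under the attacker’s control; the content is not. Legacy .doc/.xls files are flagged for a real macro scanner rather than judged here, since their OLE structure has to be parsed to tell whether a macro is present.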

  3. Hire a Managed Service Provider (MSP) for cybersecurity

MSPs offer an affordable portfolio of solutions to manage cyber risk across firm operations.

The solution: control the login process and data access in cloud-based apps

Lawyers are obligated to protect sensitive client information from phishing, malware, and ransomware. As breaches continue to make headlines, clients are selecting firms based on their data security. Law firms educated on confidentiality, security, and data control will be able to reassure security-conscious clients.

Cloud security — especially in email and document storage — relies on identity and access management. Establish a secure login process, govern user privileges in applications, and ensure that everyone at the firm can spot suspicious emails and attachments.

Choose cloud providers with a reputation for secure software and identify third-party security vendors for anti-phishing, anti-malware, and MFA.


© Copyright 2020 PracticePanther

Written by Reece Guida of PracticePanther.
For more on cybersecurity for legal and other businesses, see the National Law Review Communications, Media & Internet law section.

Offered Free Cyber Services? You May Not Need to Look That Gift Horse in the Mouth Any Longer.

Cyberattacks continue to plague health care entities. In an effort to promote improved cybersecurity and prevent those attacks, HHS has proposed new rules under Stark and the Anti-Kickback Statute (“AKS”) to protect in-kind donations of cybersecurity technology and related services from hospitals to physician groups. There is already an EHR exception [1] which protects certain donations of software, information technology and training associated with (and closely related to) an EHR, and HHS is now clarifying that this existing exception has always been available to protect certain cybersecurity software and services. However, the new proposed rule explicitly addresses cybersecurity and is designed to be more permissive than the existing EHR protection.

The proposed exception under Stark and safe harbor under AKS are substantially similar and, unless noted, the following analysis applies to both. The proposed rules allow for the donation of cybersecurity technology such as malware prevention and encryption software. The donation of hardware is not currently contemplated, but HHS is soliciting comment on this matter as discussed below. The proposed rules also allow for the donation of cybersecurity services that are necessary to implement and maintain cybersecurity of the recipient’s systems. Such services could include:

  • Services associated with developing, installing, and updating cybersecurity software;

  • Cybersecurity training, including breach response, troubleshooting and general “help desk” services;

  • Business continuity and data recovery services;

  • “Cybersecurity as a service” models that rely on a third-party service provider to manage, monitor, or operate cybersecurity of a recipient;

  • Services associated with performing a cybersecurity risk assessment or analysis, vulnerability analysis, or penetration test; or

  • Services associated with sharing information about known cyber threats, and assisting recipients responding to threats or attacks on their systems.

The intent of these rules is to allow the donation of this cybersecurity technology and these services in order to encourage their proliferation throughout the health care community, and especially to providers who may not be able to afford to undertake such efforts on their own. Therefore, these rules are expressly intended to be less restrictive than the previous EHR exception and safe harbor. The proposed restrictions are as follows [2]:

  • The donation must be necessary to implement, maintain, or reestablish cybersecurity;

  • The donor cannot condition the donations on the making of referrals by the recipient, and the making of referrals by the recipient cannot be conditioned on receiving a donation; and

  • The donation arrangement must be documented in writing.

AKS has an additional requirement that the donor must not shift the costs of any technology or services to a Federal health care program. Currently, there are no “deeming provisions” within these proposed rules for the purpose of meeting the necessity requirement, but HHS is considering, and is seeking comment on, whether to add deeming provisions which essentially designate certain arrangements as acceptable. Some in the industry appreciate the safety of knowing what is expressly considered acceptable and others find this approach more restrictive out of fears that the list comes to be considered exhaustive.

HHS is also considering adding a restriction regarding what types of entities are eligible for the donation. Previously for other rules, HHS has distinguished between entities with direct and primary patient care relationships, such as hospitals and physician practices, and suppliers of ancillary services, such as laboratories and device manufacturers.

Additionally, HHS is soliciting comment on whether to allow the donation of cybersecurity hardware to entities for which a risk assessment identifies a risk to the donor’s cybersecurity. Under this potential rule, the recipient must also have a risk assessment stating that the hardware would reasonably address a threat.


[1] AKS Safe Harbor 42 CFR §1001.952(y); Stark Exception §411.357(bb)
[2] AKS Safe Harbor 42 CFR §1001.952(jj); Stark Exception §411.357(w)(4)


©2020 von Briesen & Roper, s.c

More on cybersecurity software donation regulation on the National Law Review Communications, Media & Internet law page.

Venmo’ Money: Another Front Opens in the Data Wars

When I see stories about continuing data spats between banks, fintechs and other players in the payments ecosystem, I tend to muse about how the more things change the more they stay the same. And so it is with this story about a bank, PNC, shutting off the flow of customer financial data to a fintech, in this case, the Millennial’s best friend, Venmo. And JP Morgan Chase recently made an announcement dealing with similar issues.

Venmo has to use PNC’s customers’ data in order to allow (for example) Squi to use it to pay P.J. for his share of the brews. Venmo needs that financial data in order for its system to work. But Venmo isn’t the only one with a mobile payments solution; the banks have their own competing platform called Zelle. If you bank with one of the major banks, chances are good that Zelle is already baked into your mobile banking app. And unlike Venmo, Zelle doesn’t need anyone’s permission but that of its customers to use those data.

You can probably guess the rest.  PNC recently invoked security concerns to largely shut off the data faucet and “poof”, Venmo promptly went dark for PNC customers.  To its aggrieved erstwhile Venmo-loving customers, PNC offered a solution: Zelle.  PNC subtly hinted that its security enhancements were too much for Venmo to handle, the subtext being that PNC customers might be safer using Zelle.

Access to customer data has been, up until now, a formidable barrier to entry for fintechs and others whose efforts to make the customer payment experience “frictionless” have depended in large measure on others being willing to do the heavy lifting for them. The author of the Venmo article suggests that pressure from customers may force banks to yield any strategic advantage that control of customer data may give them. So far, however, consumer adoption of mobile payments is still minuscule in the grand scheme of things, so that pressure may not be felt for a very long time, if ever.

In the European Union, the regulators have implemented PSD2 which forces a more open playing field for banking customers. But realistically, it can’t be surprising that the major financial institutions don’t want to open up their customer bases to competitors and get nothing in return – except a potential stampede of customers moving their money. And some of these fintech apps haven’t jumped through the numerous hoops required to be a bank holding company or federally insured – meaning unwitting consumers may have less fraud protection when they move their precious money to a cool-looking fintech app.

A recent study by the Pew Trusts makes it clear that consumers are still not fully embracing mobile for any number of reasons. The prime reason is that current mobile payment options still rely on the same payments ecosystem as credit and debit cards, yet mobile payments don’t offer as much consumer protection. As long as that is the case, banks and fintechs and merchants will continue to fight over data, and the regulators are likely to weigh in at some point.

It is not unlike the early mobile phone issue when one couldn’t change mobile phone providers without getting a new phone number – that handcuff kept customers with a provider for years but has since gone by the wayside. It is likely we will see some sort of similar solution with banking details.


Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.

For more on fintech & banking data, see the National Law Review Financial Institutions & Banking law page.

Escalated Tension with Iran Heightens Cybersecurity Threat Despite Military De-Escalation

The recent conflict between the United States and Iran has heightened America’s long-standing concern about an imminent, potentially lethal Iranian cyber-attack on critical infrastructure in America. Below is the latest information, including the United States Government’s analysis of the current standing of these threats as of January 8, 2020.

CISA Alert

The U.S. Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued Alert (AA20-006A) in light of “Iran’s historic use of cyber offensive activities to retaliate against perceived harm.” In general, CISA’s Alert recommends two courses of action in the face of potential threats from Iranian actors: vulnerability mitigation and incident preparation. The Alert specifically instructs organizations to increase awareness and vigilance, confirm reporting processes and exercise organizational response plans to prepare for a potential cyber incident. CISA also suggests ensuring facilities are appropriately staffed with well-trained security personnel who are familiar with the tactics of Iranian cyber-attacks. Lastly, CISA recommends disabling unnecessary computer ports, monitoring network and email traffic, patching externally facing equipment, and ensuring that backups are up to date.

Iranian Threat Profile

CISA asserts that Iranian cyber actors continually improve their offensive cyber capabilities. These actors are also increasingly willing to engage in destructive, kinetic, and even lethal cyber-attacks.  In the recent past, such threats have included disruptive cyber operations against strategic targets, including energy and telecommunications organizations. There has also been an increased interest in industrial control systems (such as SCADA) and operational technology (OT).  Refer to CISA’s Alert and the Agency’s “Increased Geopolitical Tensions and Threats” publication for specific Iranian advanced persistent threats to the nation’s cybersecurity.

Imminence of an Iranian Cyber-attack

While CISA urges vigilance and heightened prudence as it pertains to cybersecurity, DHS has been clear that there is “no information indicating a specific, credible threat to the Homeland.”  Nevertheless, the same National Terrorism Advisory System Bulletin publication (dated January 4, 2020) warns that Iran maintains a robust cyber program. This program can carry out attacks with varying degrees of disruption against U.S. critical infrastructure. The bulletin further states that “an attack in the homeland may come with little to no warning.”  There is also a concern that homegrown violent extremists could capitalize on the heightened tensions to launch individual attacks.  With the ongoing tension, it is unlikely that the imminence of an Iranian cyber-attack will dissipate in the near term.

Implications

It is vital for businesses, especially those deemed critical infrastructure, to stay apprised of new advances on these matters.  Given that the Alert calls for organizations to take heightened preventative measures, it is imperative that critical infrastructure entities revisit their cybersecurity protocols and practices and adjust them accordingly.  A deeper understanding of the organizational vulnerabilities in relation to this particular threat will be imperative.


© 2020 Van Ness Feldman LLP

For more on cybersecurity, see the Communications, Media & Internet section of the National Law Review.

Hackers Eavesdrop and Obtain Sensitive Data of Users Through Home Smart Assistants

Although Amazon and Google respond to reports of vulnerabilities in the popular home smart assistants Alexa and Google Home, hackers continually work to exploit any remaining weakness so that they can listen to users’ every word and obtain sensitive information for use in future attacks.

Last week, ZDNet reported that two security researchers at Security Research Labs (SRLabs) had demonstrated phishing and eavesdropping attacks that abuse the back-end functions Amazon and Google provide to app developers, functions that “developers can use to customize the commands to which a smart assistant responds, and the way the assistant replies.” The attacker needs nothing more than the same developer tooling Amazon and Google provide for building ordinary Alexa and Google Home apps.

By placing certain commands in the back end of an otherwise normal Alexa or Google Home app, the attacker can make the assistant fall silent for a long stretch while the app is still running, so the user believes the interaction has ended. After the silence, the app speaks a message that sounds as if it came from Amazon or Google rather than from the app the user had been talking to, and asks the user to say their account password, which the app records and sends to the attacker. In the eavesdropping variant the app keeps the microphone open after it appears to have stopped, and records and forwards what the user says. Either way, an attacker who hears every word spoken near a device the user believes is idle obtains highly personal information that can be used malevolently in the future.

The manufacturers of home smart assistants reiterate to users that the devices will never ask for their account password. Cyber hygiene for home assistants is no different from cyber hygiene for email: an unexpected request for a password is the tell, whoever appears to be asking.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

For more hacking risk mitigation, see the National Law Review Communications, Media & Internet law page.