New OCR Checklist Outlines How Health Care Facilities Can Fight Cyber Extortion

As technology has advanced, cyber extortion attacks have risen, and they will continue to be a major security issue for organizations. Cyber extortion can take many forms, but it typically involves cybercriminals demanding money to stop or delay their malicious activities, which include stealing sensitive data or disrupting computer services. Health care and public health sector organizations that maintain sensitive data are often targets for cyber extortion attacks.

Ransomware is a form of cyber extortion where attackers deploy malware targeting an organization’s data, rendering it inaccessible, typically by encryption. The attackers then demand money in exchange for an encryption key to decrypt the data. Even after payment is made, organizations may still lose some of their data.

Other forms of cyber extortion include Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks normally direct a high volume of network traffic to targeted computers so the affected computers cannot respond and are otherwise inaccessible to legitimate users. Here, an attacker may initiate a DoS or DDoS attack against an organization and demand payment to stop the attack.

Additionally, cyber extortion can occur when an attacker gains access to an organization’s computer system, steals sensitive data from the organization and threatens to publish that data. The attacker threatens to reveal sensitive data, including protected health information (PHI), to coerce payment.

On January 30, 2018, the HHS Office for Civil Rights (OCR) published a checklist to assist HIPAA covered entities and business associates on how to respond to a cyber extortion attack. Organizations can reduce the chances of a cyber extortion attack by:

  • Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
  • Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
  • Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
  • Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
  • Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
  • Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
  • Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
  • Encrypting and backing up sensitive data;
  • Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
  • Remaining vigilant for new and emerging cyber threats and vulnerabilities.

If a cyber extortion attack does happen, organizations should be prepared to take the necessary steps to prevent any more damage. In the event of a cyber-attack or similar emergency an entity:

  • Must execute its response and mitigation procedures and contingency plans;
  • Should report the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI) and/or the Secret Service. Any such reports should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule;
  • Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs;
  • Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery; and OCR within 60 days after the end of the calendar year in which the breach was discovered.

© 2018 Dinsmore & Shohl LLP. All rights reserved.

It’s (Not) Academic: Cybersecurity Is a Must for Universities and Academic Medical Centers

Cutting-edge research institutions need cutting-edge cybersecurity to protect their IP and critical personal and financial data.  Universities hold vast repositories of valuable information, including student healthcare information, patient information from academic medical centers, and financial and personal data from applicants, donors, students, faculty, and staff.  So it’s no surprise hackers have been targeting universities lately—in fact, at least eight American universities (including Harvard, UC Berkeley, University of Maryland, and Indiana University) have announced cyber intrusions over the past two years.

With the cost of a data breach averaging $3.8 million,[1] universities cannot afford to pretend cybercrime won’t happen to them.  For institutions with health records, the financial costs can be even greater (as high as $360 per record!), due to the high value of health records on the internet’s black market, the “Dark Web.”

But, the dollars may not mean as much as the bad PR—having your institution’s name in national headlines, risking research funding from governments or corporate partners, losing protected and sensitive IP, fielding calls from angry donors, students, and parents whose personal information has been compromised, and defending multiple civil suits—all because the institution failed to assess its cyber liability.  (See additional information on assessing cyber liability).

For major research institutions holding valuable IP, health records, and grants for sensitive research, having a cybersecurity prevention and remediation plan is more than just a good idea, it’s an absolute must.  And these cybersecurity measures must extend beyond mere “compliance.”  The Federal Government will continue to create cybersecurity regulations, but their regulations never will keep up with the risks.  A university’s administration answers to the Federal Government, to its Board, to its donors, to the media, to its students and faculty, and to the general public. None of these constituencies will be calmed by minimal compliance with outdated regulations.

Instead, universities can address their cybersecurity risks with some initial measures to prevent intrusions and to minimize the damage if a hacker does get through:

  • Protections against Insider Threats: Attacks by insiders accounted for more than 50% of the cyberattacks in 2014. To help mitigate these threats, create an insider threat team and build a holistic approach to security—include staff from IT and technology, legal, physical security, and human resources. Emphasize training of employees, faculty, and administrators in basic cybersecurity awareness to instill habits that will better protect the institution.

  • Enhance Network Security Policies and Procedures: Implement security precautions to make a hack more difficult. For example: create enhanced protocols to prevent unauthorized access to devices and systems, including multi-factor authentication; provide broad and frequent updates to computers on-campus and for computers that regularly access campus networks; and prevent access to compromised sites by incorporating controls into your network.

  • Cyber Intrusion Testing: Work with a vendor to test the institution’s current cybersecurity vulnerabilities and get advice on how to reduce those vulnerabilities.

  • Corrective Action Plan: —one that includes disclosure and mitigation efforts. Importantly, if an institution holds government contracts or grants, follow the required disclosure protocols for cyber intrusion (note that agencies may differ in their disclosure and mitigation requirements).

  • Cyber Insurance: —particularly those with academic medical centers and/or sensitive research programs—should ensure their policies are large enough to cover a worst-case scenario.

While a comprehensive cybersecurity plan will require additional systematic and long-term efforts, taking these steps will at least keep an institution off of a hacker’s list of “low-hanging fruit.”

Copyright © 2015, Sheppard Mullin Richter & Hampton LLP.

[1] Ponemon Institute, Cost of Data Breach Study (2015).  Note this average does not include mega-breaches like those experienced by Home Depot, Target, or Sony Pictures.


President Obama Seeks to Strengthen and Clarify Cybercrime Law Enforcement


On Tuesday, President Obama introduced a legislative proposal on privacy and data security that seeks to strengthen and clarify law enforcement’s ability to investigate and prosecute cybercrimes.

The first section of the proposed legislation would expand the definition of “racketeering activity” under the Racketeer Influenced and Corrupt Organizations (“RICO”) Act to include felony offenses under the Computer Fraud and Abuse Act (“CFAA”)—the federal anti-hacking statute.  The second section would amend existing law to deter “the development and sale of computer and cell phone spying devices.”  The third section proposes substantial changes intended to modernize the CFAA.  Finally, the proposal’s fourth section is aimed at strengthening the government’s ability to disrupt and shut down botnets—networks of computers often deployed to commit crimes, such as spreading malware.

Although much of the proposal is modeled off a similar proposal advanced by the White House in 2011, there are key differences, including making clear that it is a crime to access a computer in breach of a use restriction, while at the same time limiting the scope of liability for such access to cases that the Administration believes are serious enough to warrant prosecution under the CFAA.

Updating and Expanding the RICO Act to Include CFAA Offenses

The White House proposal would include felony violations of the CFAA in the definition of “racketeering activity” under the RICO Act.  This would provide for increased penalties for cybercrimes and afford prosecutors the ability to more easily charge certain members of organized criminal groups engaged in computer network attacks and related cybercrimes.

Deterring the Development and Sale of Computer and Cell Phone Spying Devices

The White House proposal seeks to deter the development and sale of computer and cell phone spying devices by instituting two changes.  First, the legislative proposal would amend 18 U.S.C. § 1956 to “enabl[e] appropriate charges for defendants who engage in money laundering to conceal profits from the sale of surreptitious interception devices.”  Second, it would amend 18 U.S.C. § 2513 “to allow for the criminal and civil forfeiture proceeds from the sale of surreptitious interception devices and property used to facilitate the crime.”  This would expand the scope of section 2513, which currently provides for the forfeiture of only the surreptitious devices themselves.

Modernizing the CFAA

According to the White House, the goal of the proposal’s third section is to “enhance [the CFAA’s] effectiveness against attackers on computers and computer networks, including those by insiders.”  The proposed legislation contains several key amendments to various CFAA provisions:

First, the proposal would make access in violation of certain use restrictions an illegal act under the CFAA by amending the definition of “exceeds authorized access” to include instances in which a user accesses a computer with authorization to obtain or alter information “for the purpose that the accessor knows is not authorized by the computer owner.”  Language of this sort would address, at least in part, an existing circuit split on the meaning of the language “exceeds authorized access,” as used in the CFAA.  Some commentators, however, have questioned whether the proposed language will resolve the current ambiguity over the CFAA’s reach.  For example, if an employee accessed a computer for a non-work-related purpose, it would be obvious that the employee would be violating the CFAA (as amended by the White House’s proposed language) if there were a written policy that states “company computers can be accessed only for work-related purposes.”  However, if a non-employee accessed the computer, there may not be a clear violation of the CFAA because the non-employee is not bound by—and thus would not be breaching—the employer’s policy.  As a result, the courts may still have disagreements about the scope of the phrase “exceeds authorized access” even with the new language.

The White House’s proposal would also add a new provision to the CFAA by amending 18 U.S.C. § 1030(a)—the subsection of the CFAA that lists the punishable offenses under the statute.  The added provision would provide new threshold requirements for criminal offenses resulting from users exceeding their authorized access.  The proposal would punish a user who “intentionally exceeds authorized access to a protected computer, and thereby obtains information from such computer” if one of three conditions is met: “(i) the value of the information obtained exceeds $5,000; (ii) the offense was committed in furtherance of any felony violation of the laws of the United States or of any State, unless such violation would be based solely on obtaining the information without authorization or in excess of authorization; or (iii) the protected computer is owned or operated by or on behalf of a governmental entity.”  While courts must still interpret the meaning of these conditions, they provide a clearer framework for prosecution of offenses under the statute and, in theory, would constrain the government’s ability to prosecute individuals under the CFAA for minor offenses.

Additionally, the White House proposal would amend the CFAA “to enable the prosecution of the sale of a ‘means of access’ such as a botnet.”  Further, instead of requiring the government to prove “intent to defraud” under this subsection (the intent standard applicable to violations motivated by financial gain), the legislation would require prosecutors only to establish “willfulness,” so as to criminalize unlawful trafficking of access to “other types of wrongdoing perpetrated using botnets” and not just password and similar information.

The proposal would also enhance CFAA penalties and enforcement mechanisms by raising penalties for circumventing technological barriers to access a computer (e.g., hacking into or breaking into a computer), and by making such violations felonies carrying a prison term of up to ten years.  This is a significant change from the current law, which allows for either a misdemeanor or a felony carrying a maximum prison term of only five years.  The proposal would also create civil forfeiture procedures, “clarify that the ‘proceeds’ forfeitable [under the CFAA] are gross proceeds, as opposed to net proceeds,” and in appropriate circumstances, allow for the forfeiture of real property used to facilitate offenses under the statute.  And the proposal would clarify “that both conspiracy and attempt to commit a computer hacking offense are subject to the same penalties as completed, substantive offenses.”

Shutting Down Botnets

Finally, the legislative proposal would add to existing civil remedies by explicitly providing courts with the authority to issue injunctions aimed at disrupting or shutting down botnets.  Under the proposal, the Attorney General would be authorized to seek injunctive relief under 18 U.S.C. § 1345 if the government can show that the criminal conduct alleged would affect 100 or more protected computers during a one-year period.  Criminal conduct under the proposal would include “denying access to or operation of the computers [denial of services attacks], installing unwanted software on the computers [malware], using the computers without authorization, or obtaining information from the computers without authorization.”  The legislation would also protect from liability individuals or entities that comply with court orders and would allow courts to order the government to reimburse those individuals or entities for costs directly incurred in complying with such orders.

This post was written with contributions from Jim Garland.



Not By "Any Manner" Of Means: Securing Cyber-Crime Coverage After Zurich v. Sony

Gilbert LLP Law Firm

Much has been written about the New York Supreme Court’s landmark ruling in Zurich American Insurance Co. v. Sony Corp., Index. No. 651982/2011 (N.Y. Supr. Ct. Feb. 21, 2014), in which a New York trial court denied coverage to Sony Corporation for liabilities stemming from a 2011 cyber-attack on its PlayStation Network. The court held that while a wide-scale data breach represents a “publication” of private information, the PlayStation Network breach did not fall within the ambit of Sony’s commercial general liability (“CGL”) policy because the policy covered only publications by the insured itself—not by third-party hackers. The court rejected Sony’s argument that the phrase “in any manner,” which qualified the word “publication” in Sony’s policy, sufficed to broaden coverage to encompass third-party acts. Instead, the court determined that the “in any manner” language referred merely to the medium by which information was published (e.g., print, internet, etc.), not the party that did the publishing.

Most of the commentary surrounding Sony has focused on the court’s interpretation of the phrase “in any manner.” But that aspect of the court’s ruling was relatively unremarkable: other courts have similarly limited the phrase, most notably the Eleventh Circuit Court of Appeals in Creative Hospitality Ventures, Inc. v. United States Liability Insurance Co., 444 Fed. App’x 370 (11th Cir. 2011) (holding that the issuance of a receipt to a customer containing more than the last five digits of the customer’s credit card number does not represent a publication). Lost in the Sony debate is the fact that Sony may be able to prevail on appeal even if the appellate court refuses to adopt a broad reading of the “in any manner” language. Indeed, Sony can make a compelling case that the term “publication,” when read in context with the policy as a whole, is intended to encompass both first-party and third-party acts.

In focusing narrowly on the language of the advertising injury coverage grant, the Sony court overlooked a “cardinal principle” of insurance law: namely, that an insurance policy “should be read to give effect to all its provisions and to render them consistent with each other.” Mastrobuono v. Shearson Lehman Hutton, Inc., 514 U.S. 52, 63 (1995). Had the court taken a more holistic approach, it might have noticed that language in other parts of the policy evidenced the insurers’ intent to cover third-party publications. If Sony’s policy resembled the standard Insurance Services Office, Inc. (“ISO”) CGL policy, its exclusions section was surely riddled with clauses restricting coverage for certain types of injury “caused by or at the direction of the insured.” Only six of the exclusions in the ISO policy are not so qualified, including the absolute pollution exclusion and the exclusion for publications that occur prior to the policy period. It makes sense that insurers would wish to broadly exclude such categories of injury, just as it makes sense that exclusions for intentionally injurious acts would be written narrowly to apply only to the insured’s own actions. These carefully worded exclusions—when read together and in context with the policy as a whole—evidence a conscious decision by Sony’s insurers to exclude some injuries only if caused by the insured, while excluding other types of injury regardless of who, if anyone, is at fault. This, in turn, suggests that the insurers contemplated coverage for third-party acts unless such acts are expressly excluded.

Nowhere is this better illustrated than in the ISO policy’s exclusion for intellectual property infringement. This exclusion purports to broadly bar coverage for injury “arising out of the infringement of copyright, patent, trademark, trade secret or other intellectual property rights.” However, this broad exclusion is qualified by the caveat that it “does not apply to infringement, in your ‘advertisement’, [sic] of copyright, trade dress or slogan.” Thus, the exclusion bars coverage in the first instance for all intellectual property infringements irrespective of the identity of the perpetrator, then adds back coverage for certain acts of the insured. This evidences the insurer’s understanding that unless otherwise excluded, the policy affords coverage for advertising injury regardless of who caused it.

At minimum, the fact that the ISO policy exclusions vary with respect to whether they exclude all acts or only first-party acts should be sufficient to raise an ambiguity, thus triggering “the common-law rule of contract interpretation that a court should construe ambiguous language against the interest of the party that drafted it.” Mastrobuono, 514 U.S. at 62. Even if the policy does not unambiguously afford coverage for third-party publications, it is at the very least “susceptible to more than one reasonable interpretation.” Discovision Assocs. v. Fuji Photo Film Co., Ltd., 71 A.D.3d 448, 489 (N.Y. App. Div. 2010) (internal quotation marks and citation omitted). Pointing to ambiguity in the policy as a whole would provide policyholders such as Sony with a more plausible and straightforward avenue to securing coverage for third-party publications than does narrowly parsing the phrase “in any manner.”

The question of whether third-party publications are covered under the typical CGL policy is of crucial importance to policyholders seeking insurance recovery for cyber-crime injuries. Importantly, victory on this point by Sony or another hacking victim would transform Sony into a policyholder-friendly decision, because the Sony court answered the other difficult question presented in the case—whether a data breach represents a “publication”—in favor of coverage. If the appellate court is willing to look past the narrow language of the advertising injury coverage grant and focus on Sony’s policy as a whole, Sony will have a good chance of prevailing on appeal and, in doing so, will set a strong precedent in favor of cyber-crime coverage for hacking victims.