Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022.  After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022.  The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information.  While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected.  No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier.  Colleges and universities present a wealth of opportunities for cybercriminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary research data.  Given how readily stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks.  In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII.  In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45 and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA),  15 U.S.C.A. § 6801.  Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government guidelines but also consider following industry best practices to protect student PII.

In particular, the GLBA Safeguards Rule requires a covered organization to designate a qualified individual to oversee its information security program and to conduct written risk assessments that continually identify internal and external risks to the security, confidentiality and integrity of personal information.  After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks.  See 16 CFR § 314.4.

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in their cybersecurity programs.  Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law).  The Data Security Law – still among the most prescriptive general data security state laws – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the written information security program (WISP).
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review of the WISP at least annually, or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure.  In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cyber security incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports.  Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions help underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of its internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both it and outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach, however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after the outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by the outside counsel’s vendor. The Court rejected this “two-track” approach, finding that the outside counsel’s vendor report had not been prepared exclusively for use in preparation for litigation. As in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary.  A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP

For more articles on cybersecurity, visit the NLR Communications, Media, Internet, and Privacy Law News section.

Interpol Issues Alert on Increased Risk of Ransomware Attacks Against COVID-19 Medical Organizations

Interpol has issued an alert to global law enforcement agencies about the increased risk of ransomware attacks on hospitals, health care providers and other organizations on the front line of response to the COVID-19 pandemic.

The Purple Notice, issued to all 194 member countries, notified them that Interpol’s Cybercrime Threat Response team has detected a “significant increase” in ransomware attempts against hospitals and medical organizations.

According to a spokesman from Interpol, “[A]s hospitals and medical organizations around the world are working non-stop to preserve the well-being of individuals stricken with the coronavirus, they have become targets for ruthless cyber-criminals who are looking to make a profit at the expense of sick patients. Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths. INTERPOL continues to stand by its member countries and provide assistance necessary to ensure our vital healthcare systems remain untouched and the criminals targeting them held accountable.”

The primary vector for the ransomware attacks continues to be phishing. Unfortunately, due to the emergency nature of COVID-19, healthcare workers are working long, stressful hours, and may not be as vigilant as usual in spotting phishing emails. The criminals are luring tired workers into clicking on links and attachments with subject lines that appear to be COVID-19-related or that purport to come from the Centers for Disease Control or other governmental bodies trying to keep healthcare workers informed about the rapidly spreading virus.

Hospitals and other healthcare entities should be aware of these warnings from INTERPOL and Microsoft [view related post] and notify their employees to be extra vigilant when opening emails, links and attachments.
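The lure described above has a recognizable shape: a display name that borrows the authority of the CDC or a similar body, a sender domain that body does not use, a subject line built around the virus, and a link or attachment that leads somewhere else. The check below, added here as an illustration and not part of the original article or any vendor product, scores a raw message for those signals. The authority-to-domain mapping, the scoring weights and the two sample messages are constructed for the example and should be tuned to your own mail flow before use.

```python
"""Score inbound mail for the COVID-19 authority-spoofing lure.

Added example (not from the original article). The AUTHORITIES map, the
lure keywords and the sample messages are assumptions made for illustration.
"""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: display-name keywords and the domains that legitimately send for them.
AUTHORITIES = {
    "cdc": {"cdc.gov"},
    "who": {"who.int"},
    "world health organization": {"who.int"},
}
LURE_WORDS = re.compile(r"covid|coronavirus|ncov|pandemic", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

# Constructed sample messages, not real mail.
PHISH = """\
From: "CDC Health Alert Network" <alerts@cdc-update-info.com>
Reply-To: <respond@mail-covid19-info.net>
To: nurse@hospital.example
Subject: URGENT: New COVID-19 safety measures for your facility
Content-Type: text/plain

Please review the updated guidance: http://mail-covid19-info.net/login
"""

LEGIT = """\
From: "CDC Health Alert Network" <han@cdc.gov>
To: nurse@hospital.example
Subject: COVID-19 HAN update
Content-Type: text/plain

Guidance is posted at https://emergency.cdc.gov/han/
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return {'score': n, 'reasons': [...]} for one RFC 822 message string."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reasons = []

    # 1. Display name claims an authority the sender domain does not belong to.
    lname = name.lower()
    for keyword, domains in AUTHORITIES.items():
        if re.search(r"\b" + re.escape(keyword) + r"\b", lname) and from_domain not in domains:
            reasons.append(f"display name claims '{keyword}' but sender domain is {from_domain}")
            break

    # 2. Replies are steered to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        reasons.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")

    # 3. Virus-themed subject combined with links off the sender's domain.
    lure = bool(LURE_WORDS.search(msg.get("Subject", "")))
    body = msg.get_payload() if not msg.is_multipart() else ""
    link_domains = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    foreign = {d for d in link_domains if d != from_domain and not d.endswith("." + from_domain)}
    if lure and foreign:
        reasons.append(f"COVID-19 lure subject with links to {sorted(foreign)}")

    # 4. Virus-themed subject combined with an attachment.
    if lure and any(part.get_filename() for part in msg.walk()):
        reasons.append("COVID-19 lure subject with attachment")

    return {"score": len(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

The score is deliberately a count of independent signals rather than a weighted model: each reason is something a mail administrator can read back to the user, and the legitimate CDC message scores zero even though its subject contains the lure words, because the sender and link domains agree with the claimed authority.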


Copyright © 2020 Robinson & Cole LLP. All rights reserved.

For more industries affected by COVID-19, see the National Law Review Coronavirus News section.

Emerging Cyber-Security Threats for 2020: The Rise of Disruptionware and High-Impact Ransomware Attacks

Disruptionware is defined by the Institute for Critical Infrastructure Technology (ICIT) as a new and “emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity and confidentiality of the systems, networks and data belonging to the target.”  New forms of disruptionware can be a more crippling form of cyber-attack than other more “garden-variety” malware and ransomware attacks. This is the case since, as the ICIT notes, disruptionware not only attempts to encrypt and deny users access to their data, but works as a “layered attack” designed to “disrupt operations and production in manufacturing or industrial environments (as well as infrastructure) in order to achieve some other strategic goal.”

Disruptionware has “consumed” many traditional cyber-attacks, making them part of the disruptionware “toolkit.” These techniques include ransomware, “wipers,” “bricking capabilities,” automated components, data exfiltration tools and network reconnaissance tools. (See the ICIT report for further definitions.) Combined this way, they make disruptionware a new and even more chaotic form of cyber warfare: the goal is not merely to extort payment for encrypted data but to halt the victim’s operations altogether.

Additionally, generalized forms of ransomware attacks – designed to block access to the victim’s computer systems until money is paid – are continuing to represent a more prevalent threat to government agencies, healthcare providers and educational institutions. Ransomware was so destructive on its own that the FBI recently issued a Public Service Announcement (PSA) warning about such “high-impact” attacks on critical private and public sector institutions. Underscoring the FBI’s announcement, another publication has noted the rise of ransomware attacks since the beginning of 2019 finding that there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these attacks, at least 491 were targeted against healthcare providers, while another 68 of the attacks were directed at county and municipal institutions, and 62 of the attacks were focused on school districts.

According to the FBI, hospitals and health care institutions are the primary targets of these high-impact ransomware attacks because of the critical role they play in providing lifesaving services, and the fact that these institutions usually do not have the luxury of taking time to restore backups in order to get their networks working again and running safely and securely after an attack. Above and beyond the costs associated with paying the ransom and restoring computer networks and systems, ransomware attacks on hospitals and health care providers have proven especially damaging because they affect the ability of the targeted healthcare providers to deliver critical health care services to patients. Perhaps even more disturbingly, many of the victim companies reported losing data even when they paid the ransom demanded by the hackers. At the same time, according to the blog “knowbe4,” ransomware payments alone by victim companies were predicted to exceed $11.5 billion in 2019 – representing an increase of almost 30% over the approximately $8 billion paid in 2018.

Along with the rise of disruptionware and high-impact ransomware, hackers are also now using new and diverse techniques to launch multiple forms of cyber-attacks including, among other things, an increased use of new Remote Desktop Protocol (RDP) attacks, as well as leveraging various software vulnerabilities to infect organizations through backdoor channels. Unfortunately, few businesses are hardening their IT infrastructure against these new types of extremely damaging cyber-attacks. RDP attacks are becoming far more common because of the simplicity of many users’ login credentials, while companies are not doing enough to “whitelist” exclusively acceptable computer software and applications to prevent security holes caused by numerous software vulnerabilities in unsecured and sometimes untested software applications.
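The RDP attacks mentioned above succeed by guessing weak credentials, which means they leave a distinctive trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, often cycling through usernames, and sometimes followed by a success (Event ID 4624). The detector below is an added example, not code from the original article or the FBI, and it runs over constructed sample events in a simplified key=value text form; real 4625/4624 events arrive as EVTX or XML, so the parser is an assumption to be replaced with your collector's format.

```python
"""Detect RDP password guessing from Windows Security log events.

Added example (not from the original article). The key=value line format
and the sample events are assumptions; adapt parse_event() to your collector.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real log data.
# EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP), LogonType 2 = local console.
SAMPLE_EVENTS = """\
2020-01-06T02:14:01Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2020-01-06T02:14:03Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2020-01-06T02:14:04Z EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.7
2020-01-06T02:14:06Z EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.7
2020-01-06T02:14:09Z EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2020-01-06T02:14:11Z EventID=4624 LogonType=10 TargetUser=administrator IpAddress=203.0.113.7
2020-01-06T02:20:00Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.23
2020-01-06T02:31:00Z EventID=4625 LogonType=2 TargetUser=jsmith IpAddress=127.0.0.1
2020-01-06T09:00:00Z EventID=4625 LogonType=10 TargetUser=jsmith IpAddress=198.51.100.23
"""


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts, *fields = line.split()
    event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: details} for sources with >= threshold failed RDP logons
    inside any sliding window of the given length.

    'success_after' records whether the same source later logged on over RDP,
    which is the case that deserves immediate response rather than a ticket.
    """
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    rdp = [e for e in events if e.get("LogonType") == "10"]

    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in rdp:
        if e.get("EventID") == "4625":
            failures[e["IpAddress"]].append(e)
        elif e.get("EventID") == "4624":
            successes[e["IpAddress"]].append(e["time"])

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_failure = evs[end]["time"]
                alerts[ip] = {
                    "failures": end - start + 1,
                    "first": evs[start]["time"],
                    "last": last_failure,
                    "usernames": sorted({e["TargetUser"] for e in evs[start:end + 1]}),
                    "success_after": any(t >= last_failure for t in successes[ip]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

Two design points matter in practice. Filtering on logon type 10 before counting keeps console and service-account failures (logon types 2, 4, 5) from polluting the count, and the threshold is applied per source over a sliding window rather than per day, so a slow, distributed guess still surfaces once its rate crosses the line while a user who mistypes a password twice does not.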

The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high-impact ransomware and disruptionware attacks. Such plans should include, among other things, clear designations of responsible individuals (both inside and outside the company), procedures for contacting law enforcement, and a firm understanding of what data the business holds and how important it is to the overall business plan. Finally, businesses need a current and workable Disaster Recovery Plan for getting the organization up and running again as quickly as possible after a cyber-attack. Businesses would be wise to review how their systems are backed up, as reliable and readily accessible backups are often critical in allowing ransomware or disruptionware victims to resume normal business operations as quickly as possible.


©2020 Drinker Biddle & Reath LLP. All Rights Reserved

For more on ransomware and other cyberthreats, see the Communications, Media & Internet section of the National Law Review.

British Member of “The Dark Overlord” Hacking Organization Extradited to Face Conspiracy and Identity Theft Charges in the United States

Beginning in 2016, the computer hacking organization known as “The Dark Overlord,” began to target victims in the St. Louis, Missouri area, including various health care providers, several accounting firms, and a medical records company.  By remotely accessing these victims’ computer networks without authorization, The Dark Overlord was able to obtain sensitive records and information, which it then threatened to release unless the companies paid a ransom in bitcoin.

Following a lengthy investigation conducted by the Federal Bureau of Investigation and British authorities, United Kingdom national Nathan Wyatt was extradited to the United States and appeared before a federal district court in eastern Missouri on Wednesday, December 18, 2019, to face charges of aggravated identity theft, threatening damage to a protected computer, and conspiracy.  While Wyatt is the first member of The Dark Overlord to face prosecution, government officials have expressed a hope that this will signal to other cyber hackers targeting American companies that they will not be able to use territorial borders to evade justice and prosecution by the United States.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

Hackers Eavesdrop and Obtain Sensitive Data of Users Through Home Smart Assistants

Although Amazon and Google respond to reports of vulnerabilities in popular home smart assistants Alexa and Google Home, hackers continually work hard to exploit any vulnerabilities to be able to listen to users’ every word to obtain sensitive information that can be used in future attacks.

Last week, ZDNet reported that two security researchers at Security Research Labs (SRLabs) demonstrated phishing and eavesdropping attacks that abuse the back-end functions Amazon and Google make available to app developers for the Alexa and Google Home products, functions that “provide access to functions that developers can use to customize the commands to which a smart assistant responds, and the way the assistant replies.” In other words, the attacker needs nothing more than the same development tools Amazon and Google give to legitimate app developers.

By putting certain commands into the back end of a normal-looking Alexa/Google Home app, the attacker can silence the assistant for a long period while the app remains active, so the user believes the interaction has ended. In the phishing variant, the app then speaks a message claiming to come from Amazon or Google and asking for the user’s account password, which the user has no reason to connect with the app they were just using. In the eavesdropping variant, the app appears to finish but keeps the session open, so the device keeps listening and the attacker records the user’s conversations. Obviously, when attackers eavesdrop on every word, even when it appears the device is idle, they can obtain information that is highly personal and can be used malevolently in the future.

The manufacturers of the home smart assistants reiterate to users that the devices will never ask for their account password. Cyber hygiene for home assistants is no different than cyber hygiene with emails.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

For more hacking risk mitigation, see the National Law Review Communications, Media & Internet law page.

Small and Mid-Sized Businesses Continue to Be Targeted by Cybercriminals

A recent Ponemon Institute study finds that small and mid-sized businesses continue to be targeted by cybercriminals, and are struggling to direct an appropriate amount of resources to combat the attacks.

The Ponemon study finds that 76 percent of the 592 companies surveyed had experienced a cyber-attack in the previous year, up from 70 percent last year. Phishing and social engineering attacks and scams were the most common form of attack reported by 57 percent of the companies,  while 44 percent of those surveyed said the attack came through a malicious website that a user accessed. I attended a meeting of Chief Information Security Officers this week and was shocked at one statistic that was discussed—that a large company filters 97 percent of the email that is directed at its employees every day. That means that only 3 percent of all email that is addressed to users in a company is legitimate business.

A recent Accenture report shows that 43 percent of all cyber-attacks are aimed at small businesses, but only 14 percent of them are prepared to respond. Business insurance company Hiscox estimates that the average cost of a cyber-attack for small companies is $200,000, and that 60 percent of those companies go out of business within six months of the attack.

These statistics confirm what we all know: cyber-attackers are targeting the lowest-hanging fruit—small to mid-sized businesses, and municipalities and other governmental entities that are known to have limited resources to invest in cybersecurity defensive tools. Small and mid-sized businesses that cannot devote sufficient resources to protecting their systems and data may wish to consider other ways to limit risk, including prohibiting employees from accessing websites or emails for personal reasons during working hours. This may sound draconian, but employees are putting companies at risk by surfing the web while at work and clicking on malicious emails that promise free merchandise. Stopping risky digital behavior is no different than prohibiting other forms of risky behavior in the working environment—we’ve just never thought of it this way before.

Up to this point, employers have allowed employees to access their personal phones, emails and websites during working hours. This has contributed to the crisis we now face, with companies often being attacked as a result of their employees’ behavior. No matter how much money is devoted to securing the perimeter, firewalls, spam filters or blacklisting, employees still cause a large majority of security incidents or breaches because they click on malicious websites or are duped into clicking on a malicious email. We have to figure out how employees can do their jobs while also protecting their employers.


Copyright © 2019 Robinson & Cole LLP. All rights reserved.

For more on cybersecurity, see the National Law Review Communications, Media & Internet law page.

Is Your iPhone Spying on You (Again)?

In the latest installment of this seemingly ongoing tale, Google uncovered (for the second time in a month) security flaws in Apple’s iOS, which put thousands of users at risk of inadvertently installing spyware on their iPhones. For two years.

Google’s team of hackers – working on Project Zero – say the cyberattack occurred when Apple users visited a seemingly genuine webpage, with the spyware then installing itself on their phones. It was capable of then sending the user’s texts, emails, photos, real-time location, contacts, account details (you get the picture) almost instantaneously back to the perpetrators of the hack (which some reports suggest was a nation state). The hack wasn’t limited to Apple apps either, with reports the malware was able to extract data from WhatsApp, Google Maps and Gmail.

For us, the scare factor goes beyond data from our smart devices inadvertently revealing secret locations, or being used against us in court – the data and information the cyberspies could have had access to could wreak absolute havoc on the everyday iPhone users’ (and, the people whose details they have in their phones) lives.

We’re talking about this in past tense because while it was only discovered by Project Zero recently, Apple reportedly fixed the vulnerability without much ado in February this year, by releasing a software update.

So how do you protect yourself from being spied on? It seems there’s no sure-fire way to entirely prevent yourself from becoming a victim, or, if you were a victim of this particular attack, to mitigate the damage. But, according to Apple,  “keeping your software up to date is one of the most important things you can do to maintain your Apple product’s security”. We might not be ignoring those pesky “a new update is available for your phone” messages, anymore.


Copyright 2019 K & L Gates

ARTICLE BY Cameron Abbott and Allison Wallace of K&L Gates.
For more on device cyber-vulnerability, see the National Law Review Communications, Media & Internet law page.

Heavy Metal Murder Machines and the People Who Love Them

What is the heaviest computer you own?  Chances are, you are driving it.

And with all of the hacking news flying past us day after day, our imaginations have not even begun to grasp what could happen if a hostile person decided to hack our automotive computers – individually or en masse. What better way to attack the American way of life than to disable and crash armies of cars, stranding them on the road, killing tens of thousands, shutting down the functionality of every city? Set every Ford F-150 to accelerate to 80 miles an hour at the same time on the same day and don’t stick around to clean up the mess.

We learned that cyberwarfare could turn corporeal with the US/Israeli STUXNET bug forcing Iran’s nuclear centrifuges to overwork and physically break themselves (along with a few stray Indian centrifuges caught in the crossfire). This seems like a classic solution for terror attacks – slip malicious code into machines that will actually kill people. Imagine if the World Trade Center attack had been carried out from a distance by simply taking over the airplanes’ computer operations and programming them to fly into public buildings.  Spectacular mission achieved and no terrorist would be at risk.

This would be easy to do with automobiles. For example, buy a recent-year used car on credit at most U.S. lots and the car comes with a remote operation tool that allows the lender to shut off the car, to keep it from starting up, and to home in on its location so the car can either be “bricked” or grabbed by agents of the lender due to non-payment. We know that a luxury car includes more than 100 million lines of code, whereas a Boeing 787 Dreamliner contains merely 6.5 million lines of code and a U.S. Air Force F-22 Raptor jet holds only 1.7 million lines of code.  Such complexity leads to further vulnerability.

The diaphanous separation between the real and electronic worlds is thinning every day, and not enough people are concentrating on the problem of keeping enormous, powerful machines from being hijacked from afar. We are a society that loves its freedom machines, but that love may lead to our downfall.

An organization called Consumer Watchdog has issued a report subtly titled KILL SWITCH: WHY CONNECTED CARS CAN BE KILLING MACHINES AND HOW TO TURN THEM OFF, which urges auto manufacturers to install physical kill switches in cars and trucks that would allow the vehicles to be disconnected from the internet. The switch would cost about fifty cents and could prevent an apocalyptic loss of control for nearly every vehicle on the road at the same time. (The IoT definition of a bad day)

“Experts agree that connecting safety-critical components to the internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the internet. . . . By 2022, no less than two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system, putting them at risk of deadly hacks.”

And if that isn’t frightening enough, the report continued,

“Millions of cars on the internet running the same software means a single exploit can affect millions of vehicles simultaneously. A hacker with only modest resources could launch a massive attack against our automotive infrastructure, potentially causing thousands of fatalities and disrupting our most critical form of transportation,”

If the government dictates seat belts and auto emissions standards, why on earth wouldn’t the Transportation Department require a certain level of security of connectivity and software invulnerability from the auto industry?  We send millions of multi-ton killing machines capable of blinding speeds out on our roads every day, and there seems to be no standard for securing these machines against hacking.  Why not?

And why not require the 50 cent kill switch that can isolate each vehicle from the internet?

Fifty years ago, Ralph Nader’s Unsafe at Any Speed demonstrated the need for government regulation of the auto industry so that car companies’ raw greed would not override customer safety concerns.  Soon after, Lee Iacocca led a Ford design team that calculated it was worth the horrific flaming deaths of 180 Ford customers each year in 2,100 vehicle explosions due to a flawed gas tank design that was eventually fixed with a part costing less than one dollar per car.

Granted, safety is a much more important issue for auto manufacturers now than it was in the 1970s. But if so, why have we not seen industry teams meeting to devise safety standards for automotive electronics and software the way standards have long been accepted for mechanical systems? If the industry won’t take this standard-setting task seriously, then the government should force it to.

And the government should be providing help in this space anyway. Vehicle manufacturers have only a commercially reasonable amount of money to spend addressing this electronic safety problem. The Russian and Iranian governments have a commercially unreasonable amount of money to spend attacking us. Who makes up the difference in this critical infrastructure space? Recognizing our current state of cyber warfare – hostile government-sponsored hackers are already attacking our banking and power systems on a regular basis, not to mention attempting to manipulate our electorate – our government should be rushing in to bolster electronic and software security for the automotive and trucking sectors. Why doesn’t the TSB regulate the area and provide professional assistance to build better protections based on military-grade standards?

Nothing in our daily lives is more dangerous than our vehicles out of control. Nearly 1.25 million people die in road crashes each year, on average 3,287 deaths a day. An additional 20-50 million per year are injured or disabled. A terrorist or hostile government attack on the electronic infrastructure controlling our cars would easily multiply this number as well as shutting down the US roads, economy and health care system for all practical purposes.

We are not addressing the issue now with nearly the seriousness that it demands.

How many true car-mageddons will need to occur before we all take electronic security seriously?


Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

This article was written by Theodore F. Claypoole of Womble Bond Dickinson (US) LLP.
For more on vehicle security, please see the National Law Review Consumer Protection law page.

New OCR Checklist Outlines How Health Care Facilities Can Fight Cyber Extortion

As technology has advanced, cyber extortion attacks have risen, and they will continue to be a major security issue for organizations. Cyber extortion can take many forms, but it typically involves cybercriminals demanding money to stop or delay their malicious activities, which include stealing sensitive data or disrupting computer services. Health care and public health sector organizations that maintain sensitive data are often targets for cyber extortion attacks.

Ransomware is a form of cyber extortion in which attackers deploy malware that renders an organization’s data inaccessible, typically by encrypting it. The attackers then demand money in exchange for the key needed to decrypt the data. Even after payment is made, organizations may still lose some of their data.

Other forms of cyber extortion include Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks normally flood targeted computers with a high volume of network traffic so that the affected computers cannot respond and are effectively inaccessible to legitimate users. Here, an attacker may initiate a DoS or DDoS attack against an organization and demand payment to stop the attack.

Additionally, cyber extortion can occur when an attacker gains access to an organization’s computer system, steals sensitive data from the organization and threatens to publish that data, including protected health information (PHI), unless a payment is made.

On January 30, 2018, the HHS Office for Civil Rights (OCR) published a checklist to assist HIPAA covered entities and business associates in responding to a cyber extortion attack. Organizations can reduce the chances of a cyber extortion attack by:

  • Implementing a robust risk analysis and risk management program that identifies and addresses cyber risks holistically, throughout the entire organization;
  • Implementing robust inventory and vulnerability identification processes to ensure accuracy and thoroughness of the risk analysis;
  • Training employees to better identify suspicious emails and other messaging technologies that could introduce malicious software into the organization;
  • Deploying proactive anti-malware solutions to identify and prevent malicious software intrusions;
  • Patching systems to fix known vulnerabilities that could be exploited by attackers or malicious software;
  • Hardening internal network defenses and limiting internal network access to deny or slow the lateral movement of an attacker and/or propagation of malicious software;
  • Implementing and testing robust contingency and disaster recovery plans to ensure the organization is capable and ready to recover from a cyber-attack;
  • Encrypting and backing up sensitive data;
  • Implementing robust audit logs and reviewing such logs regularly for suspicious activity; and
  • Remaining vigilant for new and emerging cyber threats and vulnerabilities.

If a cyber extortion attack does happen, organizations should be prepared to take the steps necessary to limit further damage. In the event of a cyber-attack or similar emergency an entity:

  • Must execute its response and mitigation procedures and contingency plans;
  • Should report the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation (FBI) and/or the Secret Service. Any such reports should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule;
  • Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs; and
  • Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery; and OCR within 60 days after the end of the calendar year in which the breach was discovered.

© 2018 Dinsmore & Shohl LLP. All rights reserved.