What the Wyndham v. FTC Ruling Means to You – Prepare to Get Wynded

On August 24, 2015, a US Appeals Court ruled that a company can be sued by the Federal Trade Commission (“FTC”) for the criminal behaviors of a third party, based upon the failure of the company to meet its duty to protect its clients’ data. This is a remarkable shift in both power and scope for the FTC.

The genesis of that case comes from Wyndham repeatedly failing to protect the consumer data of ~619,000 individuals. The FTC found that between 2008 and 2009 hackers successfully breached and stole data three times, each time using hacked administrator credentials and exploiting network vulnerabilities. While many business leaders, congressmen, and legal pundits are criticizing this case as an overstep of authority, read these highlights of the Wyndham Cybersecurity handbook and decide for yourself:

  1. PCI Compliance – None, credit card data stored in clear text.
  2. Password Policy for Network Components – None, default user IDs and passwords permitted (Actual Sun Microsystems login info – ID: micros; password: micros).
  3. Network Password Policy – None, default passwords and IDs permitted.
  4. Network Hardware Security – None, firewalls were not used on the network.
  5. Network Components – No inventory or asset tracking system used.
  6. Patch Policy – Unpatched operating systems permitted (some had gone without patches for three (3) years).
  7. IP Restrictions – None, Wyndham failed to restrict specific IP addresses, at all.
  8. Network Intrusion Detection Policy – None, second and third attack undetected until consumers notified Wyndham.
  9. Incident Response Policy – None, Wyndham failed to fix security gaps after first and second attacks.
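As an added example (not from the post, and not Wyndham's or the FTC's material), here is a small Python audit that scores a constructed inventory against the failures listed above: default credentials (the micros/micros pair cited in the post), card numbers stored in clear text (found with a Luhn check), patch age, a missing firewall, and unrestricted source addresses. The hostnames, credentials, and the test card number are constructed sample values.

```python
import re
from datetime import date

# Constructed sample inventory (not real hosts); one record per network component.
INVENTORY = [
    {"host": "pos-01", "user": "micros", "password": "micros",  # default pair cited in the post
     "last_patched": date(2006, 5, 1), "firewall": False,
     "allowed_sources": "0.0.0.0/0",
     "stored_sample": "guest=Smith card=4111111111111111 exp=0811"},  # constructed test PAN
    {"host": "pms-02", "user": "svc_pms", "password": "correct-horse-9x",
     "last_patched": date(2009, 11, 20), "firewall": True,
     "allowed_sources": "10.20.0.0/16",
     "stored_sample": "guest=Jones token=tok_8f3a1c"},
]

DEFAULT_CREDS = {("micros", "micros")}  # from the post; extend from your own vendor documentation
PAN_RE = re.compile(r"\b\d{13,19}\b")   # candidate card-number lengths


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates a real card number from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def audit(record, today=date(2009, 12, 31), max_patch_age_days=90):
    """Return the list of findings for one inventory record (empty list means clean)."""
    findings = []
    if (record["user"], record["password"]) in DEFAULT_CREDS or record["user"] == record["password"]:
        findings.append("default-credentials")
    if any(luhn_ok(m) for m in PAN_RE.findall(record["stored_sample"])):
        findings.append("cleartext-pan")
    if (today - record["last_patched"]).days > max_patch_age_days:
        findings.append("unpatched")
    if not record["firewall"]:
        findings.append("no-firewall")
    if record["allowed_sources"] == "0.0.0.0/0":
        findings.append("no-ip-restriction")
    return findings


def audit_inventory(inventory, **kw):
    return {r["host"]: audit(r, **kw) for r in inventory}


if __name__ == "__main__":
    for host, found in audit_inventory(INVENTORY).items():
        print(host, found or "clean")
```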

What’s amazing is that the above policies remained in place after not one, but two large-scale hacking events resulting in hundreds of thousands of people having their data compromised. The nine bullet points above reflect the state of Wyndham data security after the third time they were hacked. It appears that after each attack Wyndham decided to continue with business as usual and not make any changes or improvements to its cybersecurity infrastructure.

What’s Next

As of the date of the ruling, companies are officially on notice that the FTC has the authority to go after companies who fail to be good stewards of our data (Note: the court found that companies were already on notice prior to this case). Watch in the coming months for more updates as the FTC fully pursues its case against Wyndham; odds are more is yet to come.

The question on everyone’s mind is: what types of security measures should I employ that will help me avoid the FTC’s wrath? Fortunately for us, in June 2015 the FTC broke ground and became the first government agency to actually set forth data security guidelines: “Start with Security: A Guide for Business.” This document summarizes the ten most important data security lessons a business must heed, all drawn from the FTC’s 50+ data security settlements. Here is my rundown on Data Security Standards in a Post-Wyndham v. FTC World over at Tripwire – The State of Security.

Once you’ve read the above, work with your IT and legal departments to audit your data security policies and procedures with an eye towards the FTC’s ten lessons.

Prepare now, or get wynded later.

/s/ HH @LegalLevity

Blue Cross Hacked, again.

This morning news broke that another member of the Blue Cross family, this time Excellus, was hacked, exposing approximately 10.5 million records. The hack originally began December 23, 2013, but was not discovered until August 5, 2015. In other words, Blue Cross had a persistent, ongoing vulnerability that was actively exploited for almost two (2) years.

The attack on Excellus compromised the following information: Name, DOB, SSN, mailing address, telephone number, member ID, financial account information and claims information. Amazingly, the attack also exposed records of individuals who were not Excellus members, but belonged to other Blue Cross plans, including but not limited to: any BCBS client who received services in New York; BCBS Central New York; BCBS Rochester; and BCBS Utica-Watertown.

According to BCBS, the hacking event occurred, but they are not sure whether any data was taken. Honestly, how is that even possible, unless you are not monitoring network traffic or logging access and downloads? Further, while the information was encrypted (according to BCBS), there is a rather obtuse statement from them saying that the hackers had administrative access, so they had access to the data regardless.

On top of the above exposures of personal data, the hack also exposed the information of business partners and vendors, specifically those who provided Excellus with financial account information and SSNs.

Let’s recap the banner year for BCBS and its affiliates.

Total number of records exposed in breaches attributable to BCBS in 2015: 103,303,208

BCBS also has the dubious honor of now holding the top three spots for largest PHI breaches. Here is a breakdown of the breaches spread across Anthem, Premera, and several smaller BCBS entities. This will be updated to include the most recent Excellus hack once the data is available. At a certain point, it begs the question of what is going on at BCBS that has led to the three largest PHI breaches in US history, all occurring in a single year. This is not to mention how a company’s risk analysis approved of cross-company data on shared servers, non-segregated networks, often no encryption, and apparently no network monitoring for suspicious activity.

If you are impacted and need more information, here is the link to the Excellus Breach Response page.

If you have not read my post on the FTC’s guidelines on data security, go read it now. It’s a great place to start on determining whether your data security plan has a good foundation.

Prepare now, or pay later.

/s/ HH @LegalLevity

Data Security Standards in a Post-Wyndham v. FTC World – Tripwire

This week I did a guest post for Tripwire: The State of Security

Please go over and take a look! Big shout out to Tripwire for the spot and opportunity!

Data Security Standards in a Post-Wyndham v. FTC World

Coming soon, my take and a rundown on what happened at Wyndham to trigger such a shift in FTC power.

/s/ HH @LegalLevity

The New Normal – 60 Minutes to Notify HHS of HIPAA Breach

We all knew it was coming after the Anthem HIPAA Breach, but frankly, the intensity of the swing in the other direction is a bit startling. On February 15, 2015, the Texas Department of Health and Human Services (HHS) posted a new Data Use Agreement (DUA) that applies to ALL contractors and subcontractors that provide services in relation to HHS and:

“…who create, receive, maintain, use, disclose or have access to Confidential Information on behalf of HHS, its programs or clients.”

As of this morning, I know of two entities who have already received the notice from Texas that the agreement must be signed. This agreement applies:

“[T]o any communication or record (whether oral, written, electronically stored or transmitted, or in any other form) provided to or made available to CONTRACTOR or that CONTRACTOR may create, receive, maintain, use, disclose or have access to on behalf of HHS…”

Here are some highlights from the agreement.

1) First Notification of Breach of Federal Data – 60 Minutes

“For federal information, including without limitation, Federal Tax Information, Social Security Administration Data, and Medicaid Client Information, within the first, consecutive clock hour of Discovery, and for all other types of Confidential Information not more than 24 hours after Discovery, or in a timeframe otherwise approved by HHS in writing, initially report to HHS’s Privacy and Security Officers via email at: privacy@HHSC.state.tx.us”

2) Formal Notification of Breach – 48 Hours

“48-Hour Formal Notice. No later than 48 consecutive clock hours after Discovery, or a time within which Discovery reasonably should have been made by CONTRACTOR of an Event or Breach of Confidential Information.” (emphasis added)

Of particular note here is the language, “should have been made.” This could have huge implications for covered entities.

3) Data Encryption – All data in motion must be encrypted. All data at rest must be encrypted unless “there is adequate administrative, technical, and physical security, or as otherwise protected as required by rule, regulation or law.” You must also document why you chose not to encrypt data at rest and provide that policy to HHS.

4) All Breach, Privacy and Security Policies must be provided to HHS.

5) Pre-Approval from HHS on Breach Notification Method and Contents

“[C]ontractor must obtain HHS’s prior written approval of the time, manner and content of any notification to Individuals, regulators or third-parties, or any notice required by other state or federal authorities.”

What is particularly potent about these requirements is that they apply to all contracts, even those already signed and in effect. This contract is mandatory and applies retroactively to current contracts. While this new policy is only in Texas for now, given the scale and scope of the Anthem HIPAA Breach, I think we can anticipate this spreading to other states, fast.

If you want to get ready, bring your legal, IT and management teams to the table. Evaluate your HIPAA breach, security, and privacy policies. Use a HIPAA compliance tool such as the NIST toolkit and perform a Security Risk Analysis. Finally, take a hard look at your encryption policies and what you can do to improve them. Now is the time to act.

/s/ HH @LegalLevity