GDPR is Coming – Penalty Primer

ICYMI, I wrote an article for Tripwire: State of Security

Please go over and take a look! Big shout out to @tripwireinc for the spot!

GDPR is Coming – Penalty Primer

/s/ HH @LegalLevity

What the Wyndham v. FTC Ruling Means to You – Prepare to Get Wynded

On August 24, 2015, a US Court of Appeals (the Third Circuit) ruled that the Federal Trade Commission (“FTC”) can sue a company over the criminal acts of a third party when the company’s own failure to meet its duty to protect its clients’ data is what made those acts possible. This is a remarkable shift in both the power and the scope of the FTC.

The case grew out of Wyndham repeatedly failing to protect the payment card data of roughly 619,000 consumers. The FTC alleged that between 2008 and 2009 hackers broke in and stole data three times, each time using compromised administrator credentials and exploiting network vulnerabilities. While many business leaders, congressmen, and legal pundits are criticizing this case as an overstep of authority, read these highlights of the Wyndham “Cybersecurity handbook” (as alleged in the FTC’s complaint) and decide for yourself:

  1. PCI Compliance – None; credit card data was stored in clear text.
  2. Password Policy for Network Components – None; default user IDs and passwords permitted (an actual property management system login, from the vendor Micros Systems: ID “micros”, password “micros”).
  3. Network Password Policy – None; default IDs and passwords permitted.
  4. Network Hardware Security – None; firewalls were not used to limit access between the hotel networks, the corporate network, and the Internet.
  5. Network Components – No inventory or asset tracking of the devices connected to the network.
  6. Patch Policy – None; unpatched operating systems permitted (some had gone without security updates for three (3) years).
  7. IP Restrictions – None; Wyndham did not restrict which IP addresses could connect to its systems at all.
  8. Network Intrusion Detection Policy – None; the second and third attacks went undetected until consumers notified Wyndham.
  9. Incident Response Policy – None; Wyndham did not close the security gaps after the first or the second attack.

What’s amazing is that these conditions persisted after not one but two large-scale hacking events that compromised the data of hundreds of thousands of people. The nine bullet points above reflect the state of Wyndham’s data security after the third breach. It appears that after each attack Wyndham decided to continue with business as usual and make no changes or improvements to its security infrastructure.

What’s Next

As of the date of the ruling, companies are officially on notice that the FTC has the authority to go after companies that fail to be good stewards of our data (note: the court found that companies were already on notice prior to this case). Watch in the coming months for more updates as the FTC pursues its case against Wyndham; odds are more is yet to come.

The question on everyone’s mind is: what types of security measures should I employ to help me avoid the FTC’s wrath? Fortunately for us, in June 2015 the FTC set forth its own data security guidance: “Start with Security: A Guide for Business.” This document summarizes the ten most important data security lessons a business must heed, all drawn from the FTC’s 50+ data security settlements. Here is my rundown on Data Security Standards in a Post-Wyndham v. FTC World over at Tripwire – State of Security.

Once you’ve read the above, work with your IT and legal departments to audit your data security policies and procedures with an eye towards the FTC’s ten lessons.

Prepare now, or get wynded later.

/s/ HH @LegalLevity

Blue Cross Hacked, Again

This morning news broke that another member of the Blue Cross family, this time Excellus, was hacked, exposing approximately 10.5 million records. The intrusion began on December 23, 2013, but was not discovered until August 5, 2015. In other words, attackers had undetected access to a Blue Cross affiliate’s systems for almost two (2) years.

The attack on Excellus compromised the following information: Name, DOB, SSN, mailing address, telephone number, member ID, financial account information and claims information. Amazingly, the attack also exposed records of individuals who were not Excellus members, but belonged to other Blue Cross plans, including but not limited to: any BCBS client who received services in New York; BCBS Central New York; BCBS Rochester; and BCBS Utica-Watertown.

According to BCBS, the hacking event occurred, but they are not sure whether any data was taken. Honestly, how is that even possible, unless you are not monitoring network traffic or logging access and downloads? Further, while the information was encrypted (according to BCBS), there is a rather obtuse statement from them that the hackers had administrative access. That is the whole point: encryption at rest protects data from someone who walks off with the disk or the database file, not from someone who holds the administrator credentials that unlock it. With administrative access, the hackers had the data in the clear.

On top of the above exposures of personal data, the hack also exposed the information of business partners and vendors. Specifically, those who provided Excellus with financial account information and SSN’s.

Let’s recap the banner year for BCBS and its affiliates.

Total number of records exposed in breaches attributable to BCBS in 2015: 103,303,208

BCBS also has the dubious honor of now holding the top three spots for largest PHI breaches. Here is a breakdown of the breaches spread across Anthem, Premera, and several smaller BCBS entities; it will be updated to include the most recent Excellus hack once the data is available. At a certain point it raises the question of what is going on at BCBS that has led to the three largest PHI breaches in US history, all in a single year. That is before you get to how any company’s risk analysis signed off on multiple companies’ data sitting on shared servers, non-segregated networks, often no encryption, and apparently no network monitoring for suspicious activity.

If you are impacted and need more information, here is the link to the Excellus Breach Response page.

If you have not read my post on the FTC’s guidelines on data security, go read it now. It’s a great place to start on determining whether your data security plan has a good foundation.

Prepare now, or pay later.

/s/ HH @LegalLevity

Data Security Standards in a Post-Wyndham v. FTC World – Tripwire

This week I did a guest post for Tripwire: The State of Security

Please go over and take a look! Big shout out to Tripwire for the spot and opportunity!

Data Security Standards in a Post-Wyndham v. FTC World

Coming soon, my take and a rundown on what happened at Wyndham to trigger such a shift in FTC power.

/s/ HH @LegalLevity