Special thanks to Courtney Way (Summer Associate) for her contributions to this post.
When we imagine cyberattacks, we often picture hackers breaking into websites and stealing credit card or social security information. We think of companies full of financial or personal information falling victim to these attacks. What we don’t often think of is a construction company’s information being held hostage, its checks for services being redirected to unknown accounts, or construction equipment being hijacked. Unfortunately, the fact that we aren’t expecting these attacks is exactly why construction companies are exposed.
Hackers are learning that the construction industry is a vulnerable target. These companies constantly manage complex projects while handling data exchanges among many parties including partners, subcontractors, regulators, and suppliers. Daily communications between these parties occur over e-mail, providing hackers a perfect opportunity to strike.
Typically, hackers will use a fake e-mail account or even mirror a familiar account in order to ask the company to send funds to a “new” or “different” bank account. Since the communication appears to come from a person that the company deals with on a routine basis, the company assumes that the new bank account is legitimate. Yet, theft of funds is not the only type of cyberattack construction companies may face; hackers also use information to lock data or destroy or control hardware and equipment.
Given the sophistication of today’s cybercriminals, construction companies must recognize their risk as targets and begin implementing protective measures. The most important steps for companies to take include: (1) conducting security assessments or routine vulnerability scanning; (2) updating software, including advanced e-mail filtering; (3) enforcing password policies; (4) restricting approval rights and administration privileges; and (5) obtaining cyber liability insurance policies.
However, general liability policies typically do not cover harm suffered in a cyberattack. About a decade ago, insurance companies were unsuccessfully fighting with policyholders over whether general liability policies covered losses resulting from a data breach. Today, commercial general liability policies generally explicitly exclude electronic data from their definition of “property damage.”
Given the need for a policy that would cover the loss of data resulting from a cyberattack, insurance companies began offering separate cyber liability insurance policies. First-party cyber liability insurance typically covers the cost of network business interruptions, forensic investigation and restoration, legal fees, credit monitoring, and cyber threat extortion expenses. Third-party cyber liability insurance typically covers wrongful disclosure, content liability risks, and security or privacy breach regulatory proceedings.
Companies must be well educated and represented when obtaining cyber liability insurance. Unfortunately, many companies that offer these policies seek to limit their liability and, in turn, exclude many incidents. For example, one policy in 2017 attempted to exclude costs associated with a fraudulent funds transfer that occurred when employees initiated the transfer after receiving a forged e-mail from a hacker. In 2018, another policy attempted to limit its coverage by arguing that the losses incurred by a company were not directly caused by computer fraud, but rather were incidental. Now, policies are attempting to invoke an “act of war” exception, under which insurers argue that large attacks from foreign hackers are in fact “acts of war” and therefore not covered by the policy.
Although it is recommended that companies obtain cyber liability insurance policies in an effort to combat the enormous expense that follows a cybersecurity breach, cyber liability insurance policies are not a simple catch-all and are certainly not an alternative to staying current on training employees, frequently updating software, and conducting regular security assessments.
While construction companies may not appear to be the most profitable targets for hackers, they are the perfect combination of numerous moving parts, people, and complex projects. Add to this their lax cybersecurity measures, and hackers have found an opportune target.
In order to combat the recent uptick in hackers attacking construction companies, we recommend that companies (1) train employees about cybersecurity; (2) frequently update software; (3) conduct regular security assessments; and (4) look into obtaining cyber liability insurance. A cyberattack could cost millions of dollars and your reputation. In a world where three out of four construction companies have reported a breach in the last year, cybersecurity is not to be taken lightly.
In March 2018, shortly after it had been revealed that Facebook had allowed Cambridge Analytica to collect data from millions of users without their knowledge, the Federal Trade Commission (“FTC”) announced that it planned to investigate Facebook’s data privacy practices. A year later, the social media giant is preparing for the FTC to impose a series of fines that could reach up to $5 billion, which would be the largest penalty the FTC has ever imposed on a technology company. Facebook had annual revenue of approximately $56 billion last year and, as such, many believe the upcoming penalty to be relatively lenient given the gravity of the charges levied against Facebook. This is especially true in light of the fact that Facebook breached a settlement that it had reached with the FTC seven years earlier. As part of the earlier settlement, Facebook was required to obtain permission from users before distributing data beyond the privacy settings set by each user.
Although relatively limited in its enforcement power with respect to consent decrees, the FTC has been able to leverage the support of the public in its investigation of Facebook. Indeed, lawmakers have been calling for increased scrutiny of tech companies, an area in which the United States is decidedly behind its European counterparts. Despite the record-setting fine set to be imposed, though, many lawmakers believe the penalty to amount to nothing more than a slap on the wrist given Facebook’s financial power. Many lawmakers and other political activists believe that regulators should impose reforms aimed at the ability of technology companies to share data with business partners from the outset, which would have more of a lasting impact on consumer privacy practices in the technology industry.
In March 2019, the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released its summary report of penetration testing of certain HHS Operating Division networks. The purpose of the audits was to determine whether the Operating Divisions’ existing security controls were effective to prevent cyberattacks, the level of sophistication that an attacker would need to compromise the Divisions’ systems or data, and the Operating Divisions’ ability to detect and respond to cyberattacks.
The OIG conducted penetration testing at eight HHS Operating Divisions in fiscal years 2016 and 2017. Following this testing, the OIG concluded that the existing security controls at the audited HHS Operating Divisions needed to be improved to better detect and protect against cyberattacks. The OIG informed HHS of a number of vulnerabilities, including issues with access control, data input controls, configuration management and software patching.
Following the audits, the OIG provided HHS with four recommendations to implement across its operations to address the identified vulnerabilities. The OIG summary report noted that HHS management agreed with the OIG’s recommendations and that HHS and the eight Operating Divisions audited have or are working to implement the recommendations.
After the initial audit findings, the OIG summary report details how the OIG is working on new audits, reviewing for active threats on HHS networks, as well as past breaches by threat actors.
The OIG’s audits of the HHS Operating Divisions serve as a reminder to health care entities to review their own cybersecurity processes and controls and to take steps to address and mitigate any identified issues.
Copyright © 2019, American Health Lawyers Association, Washington, DC. Reprint permission granted.
On March 8, 2019, JAMA published a study analyzing the effects of simulated phishing emails at U.S. health care organizations. Concluding that the click rates for the simulated phishing emails present a big cybersecurity risk for health care organizations, the study provides helpful insight into how to prepare an organization’s workforce to detect harmful emails.
Phishing emails are deceptive communications intended to trick recipients into disclosing their security credentials or otherwise sharing sensitive information. Oftentimes, a sender’s identity is spoofed, tricking the recipient into thinking that the email originated from within their organization or that it was sent by a colleague or superior. Hospitals and other health care organizations are attractive targets of cyberattacks, as they have high-value personal and health data.
The study analyzed six health care organizations across the United States as they participated in simulated phishing emails between August 1, 2011 and April 10, 2018. The phishing emails fell into three categories: office-related, personal, and information technology-related. The emails were sent to employees in all types of roles. In total, approximately 2.9 million simulated phishing emails were sent, and recipients clicked on approximately 422,000 of them (approximately 14%). This means that the employees from the studied health care organizations clicked on an average of almost one in seven of the simulated phishing emails.
The study showed that the median click rates were higher for the information technology-related simulated phishing emails (18.6%) than the office-related emails (12.2%).
The study noted that repeated phishing simulations decreased the odds of an individual clicking on a simulated phishing email, which highlights the importance of the phishing simulation process and other forms of personnel training on these types of attacks.
As hospitals and other health care organizations face financial and care-related consequences from cyberattacks, this study emphasizes the need for health care organizations to train their workforces on cybersecurity best practices, including through simulated phishing emails. As the study noted, it only takes one successful phishing incident to paralyze a system that is critical to the patient care provided by a health care organization. The study cited several elements that may make a health care organization more vulnerable to a cyberattack, including a continuous stream of new employees, the use of a large number of information technology systems, and devices and systems that are highly interdependent. It also discussed other techniques that health care facilities can use to prevent or limit personnel from clicking on phishing emails, including using technology to filter suspicious emails and to flag emails that were sent by a person outside of the organization.
While there has not been any concrete movement on a federal data privacy law, there has been some progress on the state and local level.
Washington State Senator Reuven Carlyle’s privacy bill, introduced back in mid-January, cleared the State Senate earlier this month and is under consideration in the House. The bill covers companies that control personal data of 100,000 or more Washington residents and also data brokers with information on at least 25,000 Washington state residents.
Some of the obligations imposed on these covered entities echo the CCPA and the GDPR. For instance, companies must specify how they use personal information and for what purposes. They must also comply with consumer requests to delete personal data, so long as requisite conditions are met (e.g., if a company can no longer identify a business reason for keeping that information). Finally, companies have to perform risk assessments of their data processing activities and take stock of any potential harm to consumers’ personal data.
But, other obligations are unique: this bill expressly addresses facial recognition technology. In the bill’s current form, any company that uses facial recognition in a public space must give notice to visitors that the technology is in use. Moreover, companies that sell facial recognition software must make their software available for third-party testing to monitor bias. Finally, the bill expressly bars public agencies from tracking individuals using facial recognition without a warrant.
Last week, Washington, D.C., Attorney General Karl A. Racine introduced an amendment to D.C.’s current data breach notification law. Racine’s bill expands the definition of personal information to include passport numbers, taxpayer identification numbers, military ID numbers, health information, biometric data, genetic information and DNA profiles and health insurance information. Further, data breach notices to consumers would now have to include (a) categories of information that were, or are believed to have been, involved in the breach; (b) contact information for both the person making the notification and for credit reporting agencies, the FTC and the D.C. Attorney General; and (c) the right under federal law to obtain a security freeze at no cost and how to obtain such a freeze. If the breach includes social security numbers, businesses must also offer two full years of free identity theft protection. Finally, in addition to the requirement to maintain “reasonable safeguards” to protect D.C. residents’ personal information, businesses would also have to contractually impose that obligation on any nonaffiliated third party with which businesses share that personal information.
The Internet of Things (IoT), the growing network of Internet connected devices and sensors, will reach over 20 billion devices by 2020. The devices and their data offer substantial consumer benefits and economies of scale, but the relative insecurity and evolving nature of the technology present significant cybersecurity challenges. For example, IoT devices have been used by hackers to launch Distributed Denial of Service attacks on Internet websites, servers and providers. Bipartisan legislation introduced on March 11 seeks to enhance the cybersecurity of Internet-connected devices.
United States Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT) and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) have introduced companion legislation in Congress titled “Internet of Things (IoT) Cybersecurity Improvement of 2019.” The legislation follows a similar bill that failed during the last congressional session.
The legislation seeks to impose the following:
· Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing secure development, identity management, patching and configuration of IoT devices.
· Direct the Office of Management and Budget (OMB) to issue guidelines for governmental agencies that are consistent with the NIST recommendations and charge OMB with reviewing these policies at least every five years.
· Require any Internet-connected devices purchased by the federal government to comply with these recommendations.
· Direct NIST to interact with cybersecurity researchers and industry experts to publish guidelines on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
· Require contractors and vendors providing IoT devices to the federal government to adopt coordinated vulnerability disclosure policies.
Several security firms and groups are publicly backing the legislation, including Symantec, Cloudflare and researchers at prominent universities including Harvard and Stanford.
The proposed federal legislation is comparable to California SB 327, the country’s first IoT security law, which passed in September 2018. The California law imposes specific security measures that device makers must meet, such as removing default passwords and requiring users to generate their own passwords before allowing device access.
As IoT devices integrate into our daily business dealings and personal comforts, we must understand collectively and individually the risks that come with the benefits. We will monitor the proposed federal legislation and comparable state laws and report on the evolving legal protective measures on this blog.
In the wake of the seemingly endless stream of data privacy scandals that surfaced over the past year, lawmakers have renewed the push for the nation’s first comprehensive, bipartisan data privacy law. However, at the start of the first hearings on the matter in the current Congress, legislators have encountered a major roadblock, namely, conflicting state regulations that attempt to cover consumer privacy issues.
State legislatures were spurred into action in 2018 as the number of data privacy breaches mounted. In June 2018, California became the first state to pass a consumer privacy law when then-Governor Jerry Brown signed the California Consumer Privacy Act (the “CCPA”) into law. The CCPA, the requirements of which do not go into effect until January 1, 2020, poses hurdles for businesses both inside and outside of California. The CCPA applies to for-profit entities that collect and process the “personal information” of California residents. While an entity must do business in California in order to be subject to the CCPA, physical presence in California is not a requirement. The definition of “personal information” is much broader than typically seen in U.S. privacy laws, and includes “information that identifies, relates to, describes [or] is capable of being associated with . . . a particular consumer or household.” Other states have expanded definitions relating to personal identifying information in privacy-related laws.
With Congress now addressing the first federal data privacy law in U.S. history, many on both sides of the aisle fear that a patchwork of state regulations may, at best, lead to confusion amongst businesses having to deal with conflicting regulations, and, at worst, may preclude smaller businesses from being able to comply. Preemption is a potential solution to this issue, and legislators have certainly not ruled out the possibility of preemption if the federal bill is able to adequately protect U.S. consumers. The fear amongst Democrats, however, is that Republican lawmakers seek to pass a federal privacy bill simply as a means to preempt the CCPA, a bill which many Republican lawmakers and industry group members oppose. Whether legislators will be able to come together for a bipartisan agreement sufficient to justify preemption remains to be seen.
The FCO’s action against Facebook was an administrative proceeding, intended to compel the company to change its practices, rather than merely extracting a financial penalty. However, Facebook has already announced plans to appeal the decision, in a process that begins next month.
On January 25, 2019, about a hundred people gathered in an auditorium at the California Attorney General’s Office in Los Angeles. Among them were lawyers, business owners, consumer advocates, professors, advertising industry representatives, bankers and computer engineers. We were all there for one reason: to give preliminary public comments to the attorney general about the California Consumer Privacy Act.
On stage were several Deputy Attorneys General (“DAGs”) and a court reporter, ready to transcribe what Californians had to say. There were only two rules. First: the comments had to relate to one of seven topics over which the attorney general had rulemaking power under the statute:
- Whether there should be additional categories in the definition of “personal information”;
- If the definition of “unique identifier” should be updated;
- Exceptions to the CCPA (e.g., state and federal law);
- How consumers should submit requests for their information and how businesses should comply;
- What type of uniform “opt-out” button should be adopted;
- What type of notices and information should be provided, including notices about financial incentives for consumers not to opt out of the sale of their data; and
- Verification of a consumer request.
And second: the DAGs couldn’t actually answer any questions. They could only listen.
Here are some of the most interesting questions and suggestions from this session:
- Since the AG has yet to issue the applicable rules, when do companies need to start the record-keeping process to show compliance with the 12-month look-back period for consumer data access requests?
- If costs of compliance with consumer requests are cost-prohibitive, how do small businesses survive? The statute allows companies to charge a “reasonable fee”—but what does that mean?
- What does it mean to provide a consumer their data in a readily usable format? Can a business rely on existing resources or must it hire a vendor?
- Should IP addresses alone really be personal information?
- What kind of affirmative obligations do companies now have to screen for age, i.e., to get opt-in consent from 13- to 16-year-olds?
- There should be a certification process to show compliance with the CCPA.
- To prove that companies are not discriminating against consumers who opt out of selling/sharing their data, companies could submit to the AG the revenue they receive from the sale of consumer data and show how they evaluate personal data to charge for services. In other words: disclose to the AG and the consumer opting out (1) the value of the information and (2) how that value is related to the charge for goods or services.
- There should be a uniform logo showing compliance with the CCPA on companies’ websites, rather than a button, similar to the “Ad Choices” logo in the advertising industry.
- The AG should issue a template for a CCPA-compliant consumer notice that would provide “safe harbor” to companies making a good faith effort to comply.
- Verifying consumer requests should be based on the quantity and quality of data a company holds, as it could be necessary to collect a lot more additional data on a consumer to verify their identity—which seems contrary to the spirit of the CCPA.
Representatives from the Attorney General’s Office also noted that there will be another opportunity to provide public comment during the formal rulemaking period, likely in the fall of this year.
Transcripts of the public comment forums are available on the California Attorney General’s website, though they reportedly may need a week or two to be uploaded.
As the partial government shutdown nears the one-month mark, there is increasing concern that hackers may use the shutdown as an opportunity to infiltrate U.S. government networks.
Last November, President Trump launched the Department of Homeland Security’s new Cybersecurity and Infrastructure Security Agency (CISA). CISA’s purpose is to defend the federal government’s computer systems from potential cyberattacks. However, less than two months after its creation, nearly 45% of the agency’s staff has been furloughed due to the shutdown. While some cybersecurity processes can be automated, many others require analysts to evaluate threat reports and determine the appropriate course of action. And even “essential” cybersecurity functions have been hampered by the shutdown, due to a lack of incoming information from other government agencies.
At the National Institute of Standards and Technology (NIST), which sets and updates security and privacy standards for the government and private sector, nearly 85% of employees are furloughed. The Computer Security Resource Center, where NIST posts its comprehensive guidelines for network and account security, is another casualty of the shutdown—the website is currently unavailable.
Routine maintenance and security patching of federal websites has also come to a halt, creating opportunities for malicious actors to break a website’s encryption and insert malware. Since the start of the shutdown in December, HTTPS security certificates for over 80 government websites have expired, including pages maintained by the Department of Justice and NASA.
Aside from direct hacking of federal computer systems, the government shutdown creates an opportunity for hackers to examine network activity and determine which are considered “essential,” in preparation for a future attack. Moreover, the rapidly increasing backlog of unassessed threats and system maintenance has the potential to hinder cybersecurity agencies far into the future, even after this record-setting shutdown finally comes to an end.