Putting aside the salacious details, there is something different about the Ashley Madison hack when compared to other high profile breaches at Anthem or Target.
The Ashley Madison breach revealed secrets that are now known forever. What makes the Ashley Madison attack feel different is that it involved personal and intimate information, disclosed for public shaming, not profit.
Following the recent breach at Ashley Madison, an on-line site dedicated to helping married people find others looking to have an extramarital affair, at least four lawsuits were filed in the US against Ashley Madison’s parent company, Avid Life Media (two in California, one in Texas, and one in Missouri) and at least one in Canada where Avid Life Media is based. All the suits have been filed by anonymous “Jane” or “John Doe” plaintiffs alleging breach of contract, negligent protection of customer data and violation of various state privacy laws. The lawsuits also allege that the Ashley Madison companies knew that their networks were insecure, which may find support if the recent speculation that the hack was an “inside job” by a disenchanted employee proves to be true.
While the legal allegations are familiar to anyone following data breach lawsuits, there is something different about data that was stolen here. Yes, credit card information was accessed, but the crux of the Ashley Madison hack was to share people’s secrets, specifically the identities of people who anonymously tried to pursue an affair. Ashley Madison promised anonymity but the breach erases that promise. In “hacker speak,” the practice of stealing and publishing private information about someone with malicious intent is known as “doxxing.”
Ashley Madison users, while not the most sympathetic group to experience an invasion of privacy, may be victims of a breach that cuts to the heart of what it means to have “private” information stolen. Credit cards can be replaced, but secrets cannot be unrevealed. It strikes the same chords as a recent “internet of things” story about hackers who could hack a baby monitor and view a sleeping child.
These types of hacks show that there does not have to be a monetary loss for the hacking of personal information to make an impact. For companies like Ashley Madison that market their ability to protect secrets and other personal, non-monetary information (i.e. information beyond social security and credit card numbers), the loss of goodwill from a breach is potentially more threatening than the cost of replacing stolen credit cards or defending lawsuits. Such companies would be well-served to plan ahead and take extra precautions with their sensitive data.
On May 31, 2015 the Illinois legislature passed amendments that expanded the Illinois Personal Information Protection Act (“PIPA”). (Illinois Senate Bill 1833)
The amendments made three significant changes to the existing law. First, the amendments expanded the definition of “personal information” to include medical, health insurance, consumer marketing information, biometrics and geophysical location. The current statute limits “personal information” to social security, driver’s license and financial accounts. Second, any breach involving 250 or more Illinois residents required written notice to the Attorney General within 30 days. The bill laid out the contents of consumer notification letters depending on whether the entity owns or leases the data. Third, the amendments required conspicuous posting of privacy policies, such as linking and text size on the homepage or the first significant page after entering the web site.
But on August 21, Illinois Republican Governor Bruce Rauner executed an amendatory veto, sending the bill back to the Illinois senate. The governor said the bill “went too far” and was a “significant departure” from other state data protection laws, including the expanded definition of personal information. Gov. Rauner stated that a 45-day notification period is more reasonable than 30. He indicated that he would reconsider the bill if his changes were adopted.
Click on the link for our article published in the September 2015 edition of Financier Worldwide entitled Effective Cyber Security to Combat Crime and Protect Data with ten practical tips for protecting data. It is also available through Bloomberg Law.
Financier Worldwide (September 2015)
Today the Court of Appeals for the Third Circuit handed down its much anticipated opinion in FTC v. Wyndham Worldwide. (FTC v. Wyndham Opinion, August 24, 2015)
In a significant victory for the FTC’s policing powers, the court ruled that the FTC has authority under the “unfair or deceptive acts or practices” provision in Section 5 of the FTC Act to sue companies that fail to enact reasonable cybersecurity practices to protect consumer data.
The court rejected Wyndham’s claim that it was denied due process because the FTC has never declared what cybersecurity measures are unfair. The court stated that Wyndham is entitled only to “notice of the meaning of the statute and not to the agency’s interpretation of the statute.”
The case will proceed on the merits at the district court level.
The FTC action arose from three data breaches against Wyndham in 2008 and 2009 involving about 600,000 credit cards and $10M in losses.
Before modern aviation, control of airspace followed the maxim that “whoever owns the soil owns the air up to the heavens.” This concept could not survive modern times, giving way to the FAA’s control over airspace.
And now this airspace will be crowded with drones (officially, UAS for “unmanned aircraft systems” or UAV for “unmanned aerial vehicles”). Who regulates drone usage or the airspace they occupy is not at all settled, frustrating companies like Amazon.
One of the most contentious issues concerns drones and privacy. Carrying high-powered cameras, facial recognition technology or license plate readers, drones present a substantial privacy risk. This is particularly true because drones could be used for surveillance and the collection of consumer data for marketing purposes.
Traditional data protection statutes apply to the improper use of personal data. Even though about 17 states have passed drone legislation and more are considering it, they cover a wide spectrum of “what ifs” because no one knows what the landscape (or airspace) on drones will look like. (National Conference of State Legislatures)
A good read can be found in a 2013 Congressional Research Service report on the history of drones and issues such as privacy. (Drones and Privacy, CRS Report (2013))
Most people have an idea of what a startup is. ExxonMobil is not. Uber probably is not. So what makes a startup? A startup:
- has more ideas than revenue
- is still a cool place to work
- involves great ideas for a new product, service, process – something that has not been done before
And therein lies the rub. The idea, the concept that makes a startup unique in the marketplace also makes it intriguing for hackers. Startup companies have a lot on their plates: programming bugs to fix, funds to raise, plans to market. Even though cyber security may seem minor when compared to day-to-day pressures, cyber security is critical to a start-up. Not only does a data breach threaten a startup’s goodwill and fledgling customer base but something even more valuable: ideas.
This is when a little common sense can go a long way. Early investments in trusted IT and security vendors can help minimize the damage from a breach. Hackers prefer the path of least resistance. It is an easy choice for the thief casing one business with a locked door and one with an unlocked door. Startups that have contacts with breach response teams, legal advisors and insurance brokers have better odds of surviving a breach.
Risk is inherent to the startup but the successful ones manage it. Startups that invest in cyber security, prevention and detection in order to protect their ideas and their customers are one step closer to success.
Cash-strapped startups may not have the resources for state-of-the-art security technology, and may not be able to absorb the consequences of a data loss like more established companies. Digital Guardian asked 27 data security experts for advice on the best ways startups can avoid or at least minimize data breaches. (https://digitalguardian.com/blog/startups-data-breaches-how-startup-can-protect-itself-data-breach-2014-beyond)
The consistent themes are:
1. do not assume that because you are small or a startup that your data is not valuable;
2. identify your most valuable data and encrypt it;
3. train everyone on the payroll to exercise day-to-day security practices;
4. pay attention to where you store your data, especially with cloud vendors;
5. know your vendors and how they protect your data;
6. collect only the data you need;
7. use multi-factor authentication to secure networks, apps and website portals;
8. be familiar with standards such as PCI DSS if you accept credit cards;
9. consider purchasing insurance for privacy breaches;
10. invest in reliable anti-virus and malware systems before going live.
The U.S. Court of Appeals for the Seventh Circuit found that class action plaintiffs in a data breach have Article III standing. This is the first time a federal appeals court has reviewed a data breach class action that had been dismissed on standing grounds.
The July 20 decision arises from the Neiman Marcus data breach that compromised approximately 350,000 credit cards. Plaintiffs filed a consolidated class action complaint which Neiman Marcus moved to dismiss. Standing was the only legal issue addressed on appeal.
Plaintiffs made six arguments in support of their claim, none of which is unique to data breach claims, but none of which had been addressed by the Seventh Circuit until now:
- Injury for lost time and money resolving fraudulent charges;
- Injury for lost time and money for protecting against future identity theft;
- Injury for financial loss of making purchases at Neiman Marcus that the plaintiffs would not have made had they known about the lax cybersecurity;
- Injury for lost control over the value of personal information;
- Future injury of increased risk of future fraudulent charges; and
- Future injury of greater susceptibility to identity theft.
The court distinguished the “future harm” claim from the frequently cited Clapper v. Amnesty Int’l decision because in Clapper there was no evidence that the plaintiffs’ data had actually been taken.
In so doing, the Seventh Circuit deviated from the majority rule and followed the California district court’s opinion in In re Adobe, which determined that an “immediate and very real” risk existed that hackers would use a customer’s personal information. The Seventh Circuit said that plaintiffs do not have to wait for actual identity theft because there was an “objectively reasonable likelihood” that identity theft would occur.
The news was not all bad for Neiman Marcus. The court rejected plaintiffs’ claim that they overpaid for their purchases at Neiman Marcus because the store did not have adequate data security. The court found that these types of allegations relate to the inherent deficiency of a product, which was not at issue.
But the U.S. Supreme Court may still have the last word. It has accepted the case Spokeo, Inc. v. Robins to decide whether standing exists for a plaintiff who suffers no concrete harm by authorizing a private right of action based on a violation of a federal statute. (Spokeo Cert Amicus Brief)
Take the New York Times’ interactive quiz in the July 29, 2015 edition to estimate how many times your personal data may have been exposed to hackers. (New York Times Quiz)
Have you applied to or worked in the federal government since 2000? Who is your health insurer? Do you have an account on certain websites such as AOL or Twitter? Have you used a credit or debit card at stores such as Target or Neiman Marcus?
Depending on your level of involvement with these companies, you’ll see how many times your name, address, date of birth, email, credit card, debit card, employment history and financial information have been exposed to hackers. Each data point accumulated by hackers allows them to identify more individuals.
Just about every day one more entry can be added to the list, including United Airlines, which today announced its systems and possibly flight manifests were accessed by the same group suspected in the Anthem and OPM breaches. (United Airline detects large scale intrusion into its systems)
UCLA Health System is the latest to announce that a data breach may affect as many as 4.5 million people. So far UCLA has not found evidence that personal or medical information was accessed.
Medical breaches can be as expensive to an individual as a financial breach and involve potentially dire consequences.
What can a stolen medical ID be used for?
- to obtain medical services at your expense
- to obtain false prescriptions for sale on the black market
- to combine a patient number with a false provider number and file false claims with insurers
- to obtain medical services with the beneficiary’s consent. A substantial portion of identity theft is consensual between friends and family, although this may wane as more people acquire insurance under the Affordable Care Act.
What are some of the consequences of medical identity theft?
- denial of or increased premiums for life or disability insurance based on inaccurate medical history
- denial of medical insurance benefits because aggregate policy limits were exhausted by fraudulent use
- improper medical treatment based on inaccurate medical records
- liability for a fraudulent medical bill, unlike reimbursement for fraudulent withdrawal of funds or credit card use
- denial of employment if a background search discloses a disqualifying medical condition
Individuals are not the only ones at risk. Health care providers also can have their medical provider identifiers stolen. The most common approaches are:
- fraudsters use a physician’s medical identifier to make it appear that the provider ordered health services
- fraudsters use a physician’s medical identifier to make it appear that the physician provided and billed services directly even though the physician never saw the patients. In addition, the IRS may pursue the physician for not paying taxes on income the provider is erroneously recorded as having received.