CyBIR: Cyber and Privacy Breaches – Insurance and Reinsurance

Data Privacy Lawyers: Walker Wilcox & Matousek Law Firm

WWM to Present at PLUS Conference

Posted in Ransomware

Please Join Jeremy Kerman at the 2017 PLUS Conference in Atlanta on November 2nd, at 3:45pm for the panel “Ransomware Attacks! A Survival Guide.”

Moderator: Matt Prevost, RPLU, Senior Vice President, Chubb

Panelists:
Jeremy Batterman, Associate Director Incident Response, Navigant
Dan Burke, Vice President, Technology Product Head, Hiscox
Shannon Groeber, Senior Vice President, JLT Specialty USA
Jeremy Kerman, Attorney, Walker Wilcox Matousek LLP

Ransomware Demand for Something Other than Bitcoin

Posted in Bitcoin, Ransomware

The increase in ransomware attacks over the past few years shows no signs of abating, with cybercriminals continuing to develop new methods of extorting businesses and consumers.

We are used to hackers’ demands for payment in cryptocurrencies such as Bitcoin or threats to release compromising names or even photos in exchange for release of data.  Last month, researchers at MalwareHunterTeam discovered a new form of malware.

Once infected with the malware, a user’s machine displays a message that “Your computer has been locked. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you.”

The message is displayed over a tiled, smiling image of the popular fictional children’s character Thomas the Tank Engine.  Oddly, the malware plays background music  which matches the theme from the HBO television series “Curb Your Enthusiasm.”

Fortunately, the ransomware does not appear to actually encrypt files, and instead operates as a screenlocker.  Thus, the malware may be intended as a prank.  But it is another example of how consumers and businesses need to remain vigilant to protect themselves against cyber-blackmail threats, which continue to multiply and become more novel and sophisticated.


From Kerman’s Korner: How Much Is Too Much Data?

Posted in Data Breach, Data Storage

A common data breach is not by hackers and is not targeted towards big businesses.  It happens to a small to medium sized business or government agency or school that loses a laptop through theft or carelessness.  What is remarkable is the amount of data that these small entities keep.  Take a recent claim involving a governmental entity that stored employee data dating back to 1982 on microfilm.  The entity sent the microfilm by mail to be imaged so data could be downloaded.  Sure enough, the box with the microfilm fell apart in transit, and the microfilm with 30 years of employee data was either lost or stolen.

What’s the take-home lesson here?  Destroying all data is not an option.  So sit down with the risk manager and lawyers to (1) find out if any regulations tell your business how long to store data, and (2) think about what data you really need and how many years of data you should retain.  Develop a written policy about how long to store data and what format to keep it in.  With modern technology, it does not cost as much to store or destroy data as when data was on paper in boxes in warehouses.  Think about what data you need and how long you need it for, because the next time you lose a laptop or microfilm, you may save yourself a lot of exposure by limiting the amount of data.


The Long Reach of ‘WannaCry’ Ransomware

Posted in Bitcoin, Ransomware, WannaCry Virus

The ransomware trend of 2016 shows no signs of slowing down in 2017.  If anything, this favorite tool of hackers seems to be gaining steam domestically and internationally.  Preying on a vulnerability in Microsoft systems that was reportedly first discovered (but not confirmed) by the NSA, hackers last week infected hundreds of thousands of computers with interconnected ransomware attacks in almost 100 countries.  The attack spread quickly – targeting, locking out and blackmailing a broad swath of users such as the UK’s public health system, Russia’s Interior Ministry and FedEx in the U.S.  A second wave of attacks crippled more computers, but not at the rate seen on May 12.

The cost to unlock individual computers was about $300 per computer paid in hacker-preferred Bitcoin, an amount that doubled if the ransom was not paid within 3 days.  Had most affected users paid up, the hackers would have had a good payday.  But reports put their collections at about $70,000.  It is still unclear how many victims paid ransom, accepted their fate or had back-up systems in place.

Why was this particular attack so pervasive?  Some experts point to the hackers’ use of an encrypted file that, once downloaded, allowed the ransomware to take over the host computer, locking access to data until ransom was paid.  The encrypted file was particularly crafty because the ransomware was undetected until opened and downloaded by the user.  By that point, it was too late to react because the ransomware was replicating across the already-infiltrated network.

This latest attack is a sobering wake-up call about the vulnerability of all systems and yet another reminder that it is better to have cyber insurance before you need it. 


How the Cyber Insurance Market is Changing

Posted in Coverage

The cyber insurance market has been around since the 1990s.  It started to pick up steam in 2003 after California passed the nation’s first privacy law.  Now 48 states have privacy protection laws – New Mexico joined the group in April 2017, leaving Alabama and South Dakota as the remaining hold-outs.

For the past several years, the cyber insurance market has grown, although the rate of growth slowed in 2016 to “only” 7%, compared to an 18% increase between 2014 and 2015.

So what does the future of the cyber insurance market look like?  First, insurers will look beyond traditional risks such as health care and retail services to emerging risks such as manufacturing and homeowners coverage, two areas that are solidly connected to the Internet of Things.  Second, traditional privacy protection coverage is fairly standard now: its pricing is predictable and the claims handling is good.  But business interruption losses are going to ramp up.  These types of losses will involve time delays, forensic accountants and maybe on-site inspections for insurers.  Third, reinsurers are going to start to feel the cyber market and begin to look more closely at claims.

A brave new world.  Again.

Why Ransomware and Bitcoin Go Together

Posted in Bitcoin, Ransomware

Continuing from our earlier post, it is no surprise that hackers demand that ransomware be paid in Bitcoin.  Since wallets do not require users to share their identities, Bitcoin is untraceable so long as a hacker keeps his ransom in Bitcoin form.  And since the blockchain only shows amounts and wallet account numbers, there is no way to tell why Bitcoin was paid for any given transaction.  The appeal to criminals is obvious: simply viewing the blockchain does not reveal whether Bitcoin was paid for a legitimate reason or for illegal purposes like purchasing drugs, funding terrorist activities or paying off a ransomware attack.

Other appealing features of Bitcoin for criminals include:

• lack of central authority overseeing the transactions.  This means that Bitcoin can be used in any country without fear of authorities attempting to freeze Bitcoin accounts that may be suspected of funding illegal activities;

• even though the blockchain is public, the lack of a central authority means only the user with a private key matching a specific wallet can access the Bitcoin;

• because Bitcoin transactions are processed without a bank or other authority, all that is required is the ten-minute verification process by miners;

• each transaction is non-reversible and final, so a hacker is guaranteed to keep any ransom payment without fear of confiscation;

• “Bitcoin-to-other” currency exchanges are paid to launder Bitcoins.  They convert hundreds of Bitcoin transactions to other forms of currency while ignoring the identity of the criminal seeking the exchange.

Bitcoin was not created for criminal enterprise, but it is clear why it has become a perfect vehicle for ransomware attacks.  Bitcoin has many benefits, but as long as it remains untraceable, ungoverned by a central authority and with irreversible transfers, ransomware hackers will continue to exploit its virtues.


Bitcoin: What Is It and Why Do Hackers Love it?

Posted in Bitcoin, Ransomware

With 2014 coined “the year of the retail breach” and 2015 “the year of the health care breach,” the trend looks to tag 2016 “the year of ransomware.”

In a typical ransomware attack, hackers use software to block access to a computer system until the victim pays a ransom amount, usually in the form of “Bitcoins.”

But what is a Bitcoin and why is it so popular in ransomware attacks?  Bitcoin has two hacker-friendly features: (1) transfers are anonymous and (2) no central bank or agency oversees the transactions.

For starters, Bitcoin is digitally created currency that exists electronically.  Unless it is converted into another form of currency through an exchange, Bitcoin only exists on-line.  Unlike currency which is printed by a government, Bitcoin is created through a process called “mining.”  Bitcoin “miners” solve complex math problems with randomized input data, and when the problem is solved and verified by other miners, the miner who solved the problem is rewarded with Bitcoins (usually 25, but the number can vary).

A Bitcoin miner’s work serves another function: it verifies each Bitcoin transaction.  In other words, the “complex math problem” that a miner solves is the verification of prior transactions.  As a result, the verification process necessarily involves prior Bitcoin transactions as part of the data needed to solve the problem.  When a series of transactions (called a “block”) occur, miners put the information in that block through a publicly available mathematical formula to convert it into a more compact, random-looking series of numbers and letters called a “hash.”  A critical portion of each hash is produced using the hash of the block that preceded it.  This allows miners to track the history of transactions back to the very first Bitcoin transaction.

This entire history of Bitcoin transactions is called the “blockchain,” a public ledger for the whole Bitcoin system.  Since miners can look at each block and check it against each preceding block as well as the entire blockchain, they can confirm that each transaction is legitimate.  Otherwise, it could not be reconciled with the blockchain.

A miner who verifies a block submits his solution (called a “proof of work”) to other miners who essentially double check the result.  The other miners stamp the proof of work as a notary would stamp the recording of a deed, publicly verifying that each transaction, and therefore the whole blockchain, is trustworthy.  It takes only about ten minutes for a miner to submit a proof of work and for other miners to verify it, thus finalizing the Bitcoin transaction.
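A toy model of the hash linking and proof of work described above (an added example, not code from the original post): each block's hash commits to the previous block's hash, "mining" searches for a nonce that makes the hash meet a target, and a verifier recomputes every hash the way other miners would. The difficulty, block layout and plain-text transactions are simplifications, not Bitcoin's real format.

```python
import hashlib
import json

DIFFICULTY = 12  # toy target: leading zero bits a valid hash must have (Bitcoin's is far higher)
GENESIS_PREV = "0" * 64  # constructed "previous hash" for the first block


def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    # The hash covers the previous hash, so altering any earlier block changes
    # every hash after it; that dependency is the "chain" in blockchain.
    payload = json.dumps({"prev": prev_hash, "tx": transactions, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(h: str) -> bool:
    # Proof of work: the top DIFFICULTY bits of the 256-bit hash must be zero.
    return (int(h, 16) >> (256 - DIFFICULTY)) == 0


def mine(prev_hash: str, transactions: list) -> dict:
    # Mining is brute force over the nonce until the hash meets the target.
    nonce = 0
    while not meets_target(block_hash(prev_hash, transactions, nonce)):
        nonce += 1
    return {"prev": prev_hash, "tx": transactions, "nonce": nonce,
            "hash": block_hash(prev_hash, transactions, nonce)}


def verify_chain(chain: list) -> bool:
    # What other miners do with a submitted proof of work: recompute each hash,
    # check it links to the preceding block, and check it meets the target.
    prev = GENESIS_PREV
    for block in chain:
        h = block_hash(block["prev"], block["tx"], block["nonce"])
        if block["prev"] != prev or h != block["hash"] or not meets_target(h):
            return False
        prev = h
    return True


def build_demo_chain() -> list:
    # Two blocks of constructed sample transactions.
    chain = [mine(GENESIS_PREV, ["alice->bob 5"])]
    chain.append(mine(chain[-1]["hash"], ["bob->carol 2"]))
    return chain


if __name__ == "__main__":
    demo = build_demo_chain()
    print("valid:", verify_chain(demo))
    demo[0]["tx"] = ["alice->bob 500"]  # rewrite history in block 0
    print("valid after tampering:", verify_chain(demo))
```

Rewriting a transaction in an earlier block changes that block's hash, so the next block's stored "prev" no longer matches and verification fails; redoing the proof of work for every later block is the cost an attacker would have to pay.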

Bitcoin users store their Bitcoins in a digital “wallet” on a computer or mobile device.  The amount of Bitcoins in each wallet is visible to everyone since the blockchain (and every transaction within it) is public, but each user has a “private key” that only they know.  The private key is what allows users to exchange or transfer Bitcoins within their wallet.  Think of the wallet as a safety deposit box made of glass so everyone can see how much is in it, but only the safety deposit box owner has the key to access the contents inside.

Importantly, wallets do not require users to identify themselves by name or any other type of identifying information.  The wallet is simply an account identified by a series of random numbers and letters.  When a pure Bitcoin transaction is made, the real names of buyers and sellers are not revealed in the wallet or anywhere on the blockchain.  The exception to the anonymous exchange occurs if someone wants to exchange a Bitcoin for a good or service, or wants to convert the Bitcoin into another type of currency through an exchange.

In Part II, I will talk about why Bitcoin is a favorite form of ransom.  


DDOS Disruption: The Dreaded Aggregation?

Posted in Aggregation, DYN Attacks

Today a DDOS attack disrupted major websites reportedly including Twitter, Spotify, Reddit and even Major League Baseball on the U.S. east coast.  By mid-day a second wave of attacks appeared underway against Dynamic Network Services, Inc. (Dyn), a domain host company or DNS server.  The first attack started at about 7:00am EST and lasted for more than two hours.  The source of the attacks is presently unknown.

A DNS server links a website’s domain name to the website’s numeric address, so users can reach a travel website by its name, not its 10-digit IP address.

This attack may signal a new approach.  Instead of shutting down one website, attackers prevented end-users from reaching a wide swath of websites.

For insurers, this type of disruption heightens fears of an aggregated loss: one incident over a discrete period of time disrupts website traffic for multiple companies, any number of which may be insureds.  Business interruption for Amazon is bad enough unless you also insure Disqus’ technology risks.  And it appears that today’s attacks cut across all sorts of business lines.  The accumulation risk for insurers who endorse cyber risks to multiple lines of business is a genuine one.  Knowing your portfolio is key.


Data Breach Insurers: Learning from Product Recall

Posted in Attorney Client Privilege, Product Recall Similarities

Data breach claims are often referred to as the new EPL claims: high volume, high intensity, low impact on most insurers’ bottom line.  But a more apt analogy is product recall litigation.

Product recall and data breach claims have a lot in common:

  1. they involve a problem with a major “brand,” whether cars, food or confidential data;
  2. the problem is often discovered internally before it is known by the public;
  3. lawyers and third parties investigate immediately, leading to privilege issues later on;
  4. governmental agencies require prompt notification and can levy fines and penalties;
  5. state and federal laws apply;
  6. the company’s reputation takes a hit;
  7. class action litigation is nearly inevitable; and
  8. someone usually loses his job.

Product recall cases differ from data breaches because they may involve criminal prosecution and/or bodily injury claims, although IoT can implicate bodily injury.

But product recall litigation is ahead of privacy cases when it comes to privilege attaching to pre-suit investigation by lawyers and third parties.  For an interesting opinion on privilege and work product in the pre-suit stage, take a look at this opinion in the GM ignition switch recall litigation: GM Ignition Switch Litigation (01303157xAE57E)


Is Credit Monitoring a Step Towards Standing?

Posted in Damages, Data Breach, standing

On September 12, the 6th Circuit Court of Appeals concluded that members of a class action have Article III standing to sue Nationwide Insurance for negligence after hackers breached Nationwide’s computer network and stole personal information.  Galaria/Hancox v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027 (6th Cir. Sep. 12, 2016).

As with the P.F. Chang and Neiman Marcus opinions, this court found that plaintiffs alleged a substantial risk of harm and reasonable mitigation costs to satisfy the injury-in-fact standard.  And like those cases, Galaria noted that Nationwide’s offer to pay for credit monitoring and its recommendation (but not reimbursement) for other protective measures were evidence of concrete and imminent harm.

This rationale causes a dilemma for an entity that has a breach and is required to notify its customers or clients.  Most breached entities offer credit monitoring, although no state law requires credit monitoring (California law creates a duration for credit monitoring, but only if it is offered in the first instance).  Companies that offer protection typically do so out of a sense of responsibility or to regain customer loyalty or to mitigate long-term damages if credit monitoring works to reduce identity theft.

Companies may think twice about offering remediation services because the services may become evidence of concrete and imminent harm.  But whether the company offers mitigation relief or not, a customer’s reasonable belief that a breach threatens his financial identity may be proof enough of concrete and imminent injury.  A company’s notification requirements are governed by statute, but it can still weigh for itself whether offering credit monitoring becomes too sharp of a double-edged sword.