On September 12, the 6th Circuit Court of Appeals concluded that members of a class action have Article III standing to sue Nationwide Insurance for negligence after hackers breached Nationwide’s computer network and stole personal information. Galaria/Hancox v. Nationwide Mut. Ins. Co., Nos. 15-3386/3387, 2016 WL 4728027 (6th Cir. Sep. 12, 2016).
As with the P.F. Chang and Neiman Marcus opinions, this court found that plaintiffs alleged a substantial risk of harm and reasonable mitigation costs to satisfy the injury-in-fact standard. And like those cases, Galaria noted that Nationwide’s offer to pay for credit monitoring and its recommendation (but not reimbursement) for other protective measures were evidence of concrete and imminent harm.
This rationale causes a dilemma for an entity that has a breach and is required to notify its customers or clients. Most breached entities offer credit monitoring, although no state law requires credit monitoring (California law creates a duration for credit monitoring, but only if it is offered in the first instance). Companies that offer protection typically do so out of a sense of responsibility or to regain customer loyalty or to mitigate long-term damages if credit monitoring works to reduce identity theft.
Companies may think twice about offering remediation services because the services may become evidence of concrete and imminent harm. But whether the company offers mitigation relief or not, a customer’s reasonable belief that a breach threatens his financial identity may be proof enough of concrete and imminent injury. A company’s notification requirements are governed by statute but it can still weigh for itself whether offering credit monitoring becomes too sharp of a double-edged sword.
Missed call notifications in Microsoft Outlook are the latest delivery mechanism for viruses. Tricksters are using recorded voicemail messages that appear in emails as another route for ransomware and malware.
The attack email arrives with an attachment that seems to contain a voice message compressed in a zip folder. But the folder actually contains hidden malicious code that will install ransomware. Once unzipped, ransomware will encrypt files on your computer, and maybe the entire network. These attacks are also happening in residential systems, not just businesses.
Hacking voice mails is not new, and there have been voicemail notification breaches before, too. Nor does this attack have to be limited to voicemail – why not phishing emails posing as legitimate notifications from printers and faxes?
Professional athletes may be used to the public knowing the terms of their multi-million dollar contracts, but Milwaukee Bucks organization received a surprise when the team announced last week that it had fallen victim to a phishing scam.
On April 26, a hacker posing as the NBA team’s owner Peter Feigin e-mailed team employees and requested 2015 IRS documents for all the organization’s employees, including players. An employee sent the requested documents, including W-2 forms containing names, addresses, social security numbers, compensation and dates of birth. The Bucks did not discover that the request came from an impersonator until May 16, when they notified the IRS and FBI.
After the incident, the Bucks announced that they will “provide additional privacy training to our staff and implementing additional preventative measures.” The team also will offer three years of credit monitoring and non-expiring identity restoration services.
One might expect a professional sports organization worth hundreds of millions or even billions of dollars to have better security measures in place. But this incident shows that many businesses, large and small, do not have internal security policies that might prevent these types of scams.
This incident is a good reminder that we all should pay attention to emails requesting personal, sensitive, or financial information:
- Be sure you recognize the email address. Most phishing scam artists do not create a fake email address, even if they change the sender’s name.
- Call the person who allegedly sent the email to verify the request.
- Use common sense – why would the person need the information requested?
For the second time in less than a year, the 7th Circuit has found standing by plaintiffs seeking class certification for a data breach.
On April 14, 2016 the 7th Circuit issued its opinion in Lewert v. P.F. Chang’s China Bistro, Inc. PF Chang Opinion (7th Circuit April 14, 2016) (01168901xAE57E)
P.F. Chang had a credit card breach in 2014 involving 33 restaurants in the Chicago area. Customers affected by the breach sought class certification which the district court denied on grounds plaintiffs had no standing.
The Court of Appeals reversed the lower court, finding that class representatives alleged sufficient harm by way of fraudulent credit card charges, $106 in credit monitoring costs and time monitoring potential identity theft.
This is the second time the 7th Circuit has found standing for data breach claimants, the first being the Neiman Marcus decision issued last summer. Rejimilas v Neiman Marcus 7th Circuit Opinion (2015) (01129892xAE57E) P.F. Chang tried to distinguish Neiman Marcus because its breach involved only credit cards so there was no risk of wider identity theft. In rejecting this argument, the court said that it is unknown whether a stolen credit card can lead to identity theft.
Plaintiffs argued that they were damaged in the amount of their meal because they would not have eaten at P.F. Chang’s had they known data security was ineffective. The court’s response was tepid.
Plaintiffs also alleged that their identity has value, just as a stolen car has value. The court stated that a court that previously found value in personal identity had limited scope.
P.F. Chang highlights (again) the importance of an insured’s first response to a breach. The fact that Neiman Marcus offered credit monitoring helped persuade the court that the store anticipated harm to its customers. And P.F. Chang’s suggestion that customers monitor credit reports also raised the specter of future
On February 17, Hollywood Presbyterian Medical Center announced that it had paid cyber extortionists a ransom of 40 bitcoins in order to restore control over its systems and administrative functions. While the number might not seem high at first glance, it equates to roughly $17,000. The hospital first noticed malware on its system on February 5, but waited ten days before deciding that payment was the fastest way to regain control of their systems. The hackers had introduced malware into the hospital’s system that encrypted the hospital’s files, making them inaccessible. The FBI is still investigating how the hackers were able to install the malware.
Bitcoin is a completely digital currency that attracts cyber extortionists because bitcoin transactions do not go through any intermediary such as a bank. There is a lower chance that an illegal payment can be tracked. The extortionist usually sets the amount just low enough for the infected entity to consider payment.
While cyber extortion is popular among some criminals in eastern Europe, the Hollywood Presbyterian Medical Center episode is one of the higher profile examples in the U.S. The publicity about the paid ransom may encourage others looking for a fast payout. Cyber experts believe that about 3% of users with infected systems pay ransom.
It is difficult to say whether the rate of cyber extortion incidents will increase in the US. Not all cyber criminals are willing to shut down operations at a facility where access to files can mean the difference between life and death. But the healthcare industry presents an easy target for attacks because its technology is often outdated and electronic medical records are available on laptops and I-Pads used throughout the hospital and often within easy reach.
Password manager SplashData has announced the 2015 edition of its annual “Worst Passwords List.” As has been the case since 2011, “123456” and “password” remain the most commonly used password.
SplashData’s annual report is compiled from more than 2 million leaked passwords during the year from around the globe. Even though some web users are using longer passwords, their simplicity undercuts any security. SplashData recommends a 12-item password with a mix of 5 types of characters.
So, here’s hoping no one contributing to this list is responsible for nuclear launch codes: Worst Passwords of 2015 (01130454xAE57E)
This year’s Super Bowl is at Levi’s Stadium in Santa Clara, California. Organizers are touting free, open and fast-paced wireless service. According to The Atlantic, the stadium will have 13,000 Wi-Fi access points, about one every 10 feet. (Click here for The Atlantic)
An estimated 100,000 devices are expected to be connected to the stadium network, including devices belonging to high ranking corporate officials who may be carrying a lot of sensitive data on their I-Phones and I-Pads. The FBI is warning fans not to be tricked into logging on to the wrong wireless network. Other security experts recommend cash payments when buying that beer or foam finger.
Russian hackers are suspected in a cyber attack on a Ukrainian electrical grid which would be the first time a cyber attack caused widespread electrical outage. U.S. firm blames Russian ‘Sandworm’ hackers for Ukraine outage.
On December 23, a large swath of the Ukraine involving about 700,000 homes was without power for several hours. It would be the first documented case of a cyber attack on an electrical power facility that caused an electrical blackout. The suspected malware is a virus called Black Energy. It is believed to have entered the system through a mundane phishing attack on email.
“It is a milestone,” said John Hultquist, director of cyber espionage analysis at iSight Partners. “We’ve definitely seen targeted destructive events against energy before – oil firms for example – but never the event which causes a blackout.”
Attempted cyber attacks on power infrastructures are not a new concern, but a successful one is, even for US power sources that are well defended. Among the many issues raised by such an event is whether the next phase of cyber problems has arrived and will eventually overtake claims for privacy breaches.
Late on December 17, 2015, Houston-based Landry’s Inc. announced a massive, network-wide credit card breach affecting its restaurants. Landry’s owns and operates over 500 restaurants, including well-known chains such as Bubba Gump’s, Rainforest Café, Mastro’s Restaurants, McCormick and Schmick’s, Morton Steakhouse and Claim Jumper. According to Kreb’s on Security, the breach may date back to May 2015 and in some cases, may be continuing. It is not clear yet how many restaurant chains are affected.
While Landry’s is investigating the scope of the breach (which the company expects could take weeks or months), it believes that the breach exposed data available on the magnetic stripe of credit cards, which includes consumer names, card numbers, expiration dates and verification codes. According to Kreb’s, banks have detected fraudulent charges. Although Landry’s is implementing an upgraded and more secure payment processing system, it believes that the breach began before the new system’s installation.
From an insurance perspective, what may make this breach different (and worse) is the sheer number of entities under the same corporate umbrella. Unlike the Anthem breach which targeted just Anthem, even though the fall-out reached multiple health plans, the Landry’s breach may involve multiple entities: individual restaurants and chains. If different restaurants and chains qualify as named insureds under a Landry’s policy, then insurers may be looking at a type of aggregation scenario: one insured is actually dozens of insureds, and they all have the same breach. But even if each restaurant has its own policy, they may come after Landry’s as the gateway to the breach.
Under either scenario, insurers will be getting to know the Landy’s breach in 2016.
On October 27, 2015 the U.S Senate passed by a vote of 74-21 the Cyber Information Sharing Act of 2015 (CISA). The bill allows government agencies and businesses to share information about cybersecurity threats with one another. Shared information is supposed to consist of “threat indicators” such as technical information about the type of malware used or how hackers cover their tracks once they penetrate a system. Bill sponsors say that shared information will help organizations better understand the source and type of attacks and therefore be better able to anticipate and defend against cyber attacks.
Companies are encouraged but not required to share cyber threat information with the Department of Homeland Security, which then shares information with other companies and government agencies. The bill requires companies and the DHS to scrub an individual’s personal information from the shared data. Participating companies are granted immunity for civil lawsuits brought by customers who sue for sharing private data.
The Senate bill was co-sponsored by Senate Intelligence Chair Richard Burr (R-North Carolina) and Vice Chair Sen. Diane Feinstein (D-California). Although supported by the White House and a wide range of business groups, the Senate bill was opposed by some legislators and technology companies such as Facebook, Google, Apple and Yahoo on grounds it provides too much data to government agencies without offering privacy protections for US citizens.
Senate bill 754 must be reconciled with similar legislation passed by the House of Representatives last April. A House-Senate agreement is not expected until 2016. Once signed into law by President Obama, the U.S. Attorney General has 180 days to finalize a plan for collecting and disseminating cyber threat data.
A PDF version of the 118-page bill can be found here: Senate Bill (S. 754) on Cyber Sharing (Passed Oct. 27, 2015) (01082756xAE57E)