Millions Exposed in Multiple Health Data Breaches

This summer, millions of medical patients have learned that their personal information, including names, addresses, birthdates, Social Security numbers, Medicare or health plan ID numbers, and some medical information (conditions, medications, procedures and test results), may have been exposed as a result of two separate security breaches. California’s UCLA Health announced on July 21, 2015 that its information systems had been attacked, possibly beginning in November 2014, and that the unencrypted medical information of over 4.5 million patients may have been accessed. This latest breach follows a 2006 hack that compromised personal data, leading some security experts, including Securonix chief scientist Igor Baikalov, to question why UCLA and other medical providers still have not encrypted this sensitive information. A major security breach of NoMoreClipboard, a paperless medical patient information portal allowing access ...


New Federal Cybersecurity Legislation and Regulations Proposed in Washington DC

This week, new legislation and regulations have been proposed to address cybersecurity concerns in new automobiles and the nation’s Bulk Electric System. On Tuesday, Senators Edward J. Markey (MA) and Richard Blumenthal (CT) introduced new legislation to address the hacking risks associated with “connected vehicles.” The Security and Privacy in Your Car Act of 2015 would mandate that sensitive software systems be isolated and that additional safeguards be added “to protect consumers from security and privacy threats to their motor vehicles.” The legislation followed a 2014 report by Senator Markey identifying how vehicles may be vulnerable to hackers, and how driver information is collected and protected. The new legislation was announced the same day Wired magazine reported that “wireless carjackers” were able to seize control of a Jeep through the internet ...

Two GAO Reports Detail Deficiencies and Improvements in Thwarting Cyber Crimes

The Government Accountability Office (GAO) recently issued two reports on battling cyber threats that are useful for both private and public entities. The first report, issued July 2, 2015, was entitled Cybersecurity: Bank and Other Depository Regulators Need Better Data Analytics and Depository Institutions Want More Usable Threat Information. In that report, the GAO noted that while, “[d]epository institutions obtain cyber threat information from multiple sources, including federal entities such as the Department of the Treasury (Treasury)[,] [r]epresentatives from more than 50 financial institutions told GAO that obtaining adequate information on cyber threats from federal sources was challenging.” One particular challenge is that “[i]nformation that is shared about cyber threats and actual attacks was not always seen as having sufficient context or details to allow depository institutions to take definitive ...

Sometimes Newer Isn’t Always Better: U.S. Navy is Paying Millions to Keep XP

In March 2014, Microsoft announced that it was phasing out support for its Windows XP operating system, including the release of security patches protecting against hackers and other intrusions. Although the Windows XP platform, originally released August 24, 2001, has since been superseded by several newer versions, the United States Navy agreed to pay Microsoft $9 million annually for continued support of XP, which still runs many of the Navy’s critical systems, including those of the Space and Naval Warfare Systems Command (SPAWAR). Only about 10 percent of government computers run XP, but where critical infrastructure is concerned, reliance on a proven system that has been thoroughly tested can be more beneficial than upgrading for the sake of having the newest product. The trade-off is that an operating system past its end of support receives no public security patches, which is precisely what the Navy’s custom-support payments buy. That said, ...

Congress and the Internet of Things

Despite the trend toward the Internet of Things, some institutions are taking a slow and cautious approach given the possible security vulnerabilities. This includes the U.S. Congress. The Internet of Things usually refers to machine-to-machine communication. For example, consider the Microsoft Band, which monitors heart rate, steps, calories burned, etc. (and which, incidentally, the co-chair of the Congressional Internet of Things Caucus wears). Recent breaches of government computers, including the massive data breach at the Office of Personnel Management (“OPM”), clearly demonstrate that government computers are susceptible to hackers. In an effort to maintain security, the Architect of the Capitol notes there is a deliberate “air gap” between the Congressional networks that control internal systems and the outside internet (although the Architect also notes that Congressional members and staffs can ...

Can A SAFETY Act Designated Product Provide Cyber-Attack Liability Protection?

“So if you use FireEye’s product you basically are prevented from being sued in the criminal justice system of America, which can save a lot of money.” According to CEO Dave DeWalt’s recent comments, it sounds like the U.S. Government stamped FireEye with a seal of approval — a ringing endorsement that’s worth a closer look.  FireEye, Inc. was issued “Certification” under the SAFETY Act for its Multi-Vector Execution (MVX) Engine and Cloud Platform.  It isn’t the only SAFETY Act approved technology; DHS’s website lists hundreds of others.  The SAFETY (Support Anti-Terrorism by Fostering Effective Technologies) Act was part of the enormous Homeland Security Act of 2002 that reshuffled several government agencies and created the behemoth Department.  According to the SAFETY Act website, it “provides important legal liability protections for providers of ...

Sony Class Action Moves Forward

Because Sony’s former employees “face ongoing future vulnerability to identity theft” they can proceed with their class action, a California District Court ruled on Monday.  The case, Corona v. Sony Pictures Entm’t, Inc., is linked to the North Korean hackers who tried to stop Sony from releasing the movie The Interview.  It was filed less than a month after Sony became aware of the attack. Relying on the Ninth Circuit’s decision in Krottner v. Starbucks, the court held that the plaintiffs have Article III standing because they alleged “a credible threat of real and immediate harm, or certainly impending injury.”  “Plaintiffs have alleged that the PII [personally identifiable information] was stolen and posted on file-sharing websites for identity thieves to download … [and] that the information has been used to ...

Federal Cybersecurity Problems “Decades in the Making”

Yesterday, the House Oversight Committee received testimony from federal officials regarding the April 2015 cyberattack on the Office of Personnel Management (OPM), which compromised the personal information of approximately 4 million government employees and retirees, including Social Security numbers. The executive branch delayed reporting the incident until June 4, much to the dismay of the House Committee. OPM Director Katherine Archuleta was under fire for what Committee Chairman Jason Chaffetz, R-Utah, called the “most devastating” cyberattack in United States history. Ms. Archuleta attempted to avoid blame, explaining that the security failures were “decades in the making.” Chairman Chaffetz later called for Ms. Archuleta’s removal. The OPM servers, housed in Interior Department data centers, are monitored by the Department of Homeland Security’s $3 billion Einstein continuous network monitoring program. Many, including ...

House Committee Leaders Request Information About Cybersecurity for Cars

On May 28, 2015, leaders on the U.S. House Energy and Commerce Committee from both parties wrote to the National Highway Traffic Safety Administration (NHTSA) and 17 auto manufacturers requesting information about plans to address cybersecurity issues in automobiles. The Committee leadership noted: Connected cars and advancements in vehicle technology present a tremendous opportunity for economic innovation, consumer convenience, and public health and safety. These benefits, however, depend on consumer confidence in the safety and reliability of these technologies. While threats to vehicle technology currently appear isolated and disparate, as the technology becomes more prevalent, so too will the risks associated with it. Threats and vulnerabilities in vehicle systems may be inevitable, but we cannot allow this to undermine the potential benefits of these technologies. The industry has an opportunity to ...

Connecticut Supreme Court Makes Significant Ruling in Data Breach Case

The Connecticut Supreme Court made a very significant ruling yesterday in Recall Total Information Management, Inc. v. Federal Insurance Co., adopting wholesale the Appellate Court’s well-reasoned ruling that an insured’s loss of sensitive records, without more, does not constitute a “publication” of material that violates a person’s right of privacy. Notably, the Appellate Court held that absent proof of an unauthorized third party’s access to the personal identification information, the “publication” element of the Privacy Offense (under the definition of “personal and advertising injury” in a standard CGL policy) is not satisfied. This ruling is a boon to insurers and provides further evidence that CGL policies are not a viable option for data breach coverage. This is especially true in light of the new ISO data breach exclusion entitled “Exclusion ...