Retail giant Target recently suffered a massive security breach during the busiest shopping season of the year. The breach involved the credit and debit card information of an estimated 40 million customers who shopped at one of Target’s retail stores between November 27th and December 15, 2013. So far, Target has not disclosed the precise details of how the breach occurred. While Target continues to work to repair the damage, it is interesting to see how other companies are reacting to one of the largest data breaches in history.
Target publicly disclosed the security breach on December 19th. Two days later, JPMorgan alerted 2 million of its debit card holders that it was lowering the daily limit on ATM withdrawals to $100 and that purchases would be capped at $300 per day. This decision could not have been an easy one for JPMorgan, especially when you consider the limits were imposed the weekend before Christmas. Moreover, a $300 per day spending limit is woefully insufficient if anyone on your Christmas list was hoping for the new Xbox gaming console or the latest iPhone, both of which can easily exceed $500. Although undoubtedly an inconvenience for their customers, this move makes sense. In the case of credit card fraud, the payment processor usually reverses the charges, refunding the customer and leaving the merchant to bear the costs. However, with ATM or debit card purchases, the bank is normally responsible for covering the loss. JPMorgan’s decision to impose spending limits is an interesting and unique strategy for limiting the fraud and reducing its own potential liability.
So far, JPMorgan is the only major bank to impose spending limits on debit cards potentially affected by the breach. Citibank took a different approach, announcing that it would impose limits or block transactions if it noticed any suspicious activity. Other banks are struggling with the decision whether or not to simply cancel and reissue cards to customers. However, at a cost of around $3 to $5 per card, reissuing cards can be an expensive and time-consuming process, especially when the banks do not know for certain which cards have actually been compromised.
Frustrated by the lack of communication from Target surrounding the breach, at least one bank decided to take matters into its own hands. As reported by security expert Brian Krebs, a New England bank was able to “buy back” stolen credit cards from a black market card shop. Hackers use black market card shops to sell stolen credit card information. By purchasing the cards online, the bank was able to confirm that the recent Target security breach did not include the three-digit security code printed on the backs of cards, known as the CVV, CSC, or CVD number. This is an important fact because those numbers are usually required by most online merchants. In addition, the bank confirmed that nearly all of the stolen credit card numbers had been used by customers to make purchases at Target stores around the country between November 27 and December 15. This may not seem like an important fact, especially when Target’s press release indicated as much, but hacking victims are often unable to confirm exactly which cards were compromised because published estimates usually encompass all of the cards that were potentially exposed. Moreover, if the stolen data was password protected or encrypted, there is a chance that the information may not be compromised, at least until the thieves break through those protections. By confirming that the credit card numbers were available on the black market, the bank was able to make a more informed decision about whether to reissue the cards.
Another interesting facet of the Target breach is the number of third-party companies that are proactively notifying customers. State and federal breach notification statutes require Target to notify those affected by the breach. But that has not stopped PayPal from sending an email to its users nor prevented personal finance website Mint.com from notifying its users, albeit in an unusual way. If you are not familiar with Mint.com, it is a website that allows individuals to upload banking and credit card information, generally used for managing finances. Using that information, Mint.com identified individuals who used a credit or debit card at Target in the last 30 days and proactively notified them of the Target’s security breach, encouraging them to be on the lookout for potential fraud. To my knowledge, this is the first time a third-party has used customer data to notify individuals of a potential breach. It would be interesting to see if Mint.com continues this practice with future breaches.
Target is neither the first nor the last company to suffer a security breach. As recent history has shown, breaches will continue to occur as hackers become more sophisticated. In the perpetual cat-and-mouse fight against security breaches, it is refreshing to see new and different approaches to responding to potential credit card fraud. Only time will tell whether these efforts will have any meaningful impact.
New Study Finds that Two Thirds of U.S. Adults Would Not Return to a Business Where Their Personal Information was Stolen.
From hackers to stolen laptops, security breaches have been on the rise. While most businesses are aware of the dangers associated with potential security breaches, few truly understand the full ramifications. Calculating the time and money spent on investigations and notifications is fairly straightforward, but measuring the damage to a company’s reputation or customer confidence is more complicated. A recent survey sponsored by Cintas is helping to shed some light on this issue. An online survey of 2,061 U.S. adults ages 18 and older was conducted by Harris Interactive in August of this year, and the results are surprising. Nearly two thirds of the participants indicated that they would not return to a business where their personal information was stolen. For specific types of businesses:
– 55 percent would change banks
– 46 percent would switch insurance companies
– 42 percent would go to a different drug store/pharmacy
– 40 percent would get a new doctor or dentist
– 39 percent would get a new lawyer
– 38 percent would donate to a different charity/non-profit organization
– 35 percent would not return to their hospital
– 24 percent would no longer donate to their alma mater or another educational institution they attended.
It should be noted that the discrepancy between the two-thirds rate and the industry-specific rates suggests that while consumers are concerned about security breaches as a whole, there is a certain amount of customer loyalty maintaining the relationship. As expected, that loyalty is strongest with educational institutions and charities and weakest with banks and insurance companies. Nevertheless, the survey results indicate that loyalty will only get you so far and that businesses should be proactive in safeguarding confidential information.
For additional details, including a break-down of the survey variables, please contact Christina Alvarez at firstname.lastname@example.org.
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn, Battle.net, and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.
The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.
"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."
The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
Read the full article here
On February 15, officials at Chapman University were informed that a document that should have been secured was available to logged-in system users who were not authorized to see it. The university immediately secured the document by correcting the access privileges, and on February 22 notified the New Hampshire Attorney General’s Office that 15 New Hampshire residents were among those who had sensitive data in the exposed document. According to their letter, information in the file included students’ names, Social Security numbers, student ID numbers, and financial aid information of those who applied for financial aid for the 2009-2010 academic year.
[Full Disclosure: I attended Chapman University many years ago and thoroughly enjoyed the experience.]
Massachusetts General Hospital and its physicians organization have agreed to pay the federal government $1,000,000 to settle claims related to a worker leaving personal health documents on the subway.
“To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules,” HHS Office of Civil Rights Director Georgina Verdugo said in a statement. “A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.”
The settlement stems from a 2009 complaint from a patient whose personal health information was lost. The federal government subsequently opened an investigation and found that records from 192 patients of Mass General’s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS, were lost. It was determined that a Mass General employee had left the records on the MBTA while commuting to work on March 9, 2009.
Source: Boston Business Journal.
On December 1, 2010, the Federal Trade Commission issued a major report discussing consumer privacy online. In the report, the FTC advocated the use of a "Do Not Track" mechanism governing the collection of information about consumer’s Internet activity. Specifically, the FTC suggested the use of a "persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted ads."
In the wake of that report, Microsoft announced a new feature to be included in version 9 of Internet Explorer. Although still in development, IE9 will include an opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking, as well as “Tracking Protection Lists” that will enable consumers to control which third-party site content can track them when they’re online.
For an example of how this is supposed to work, check out the following video:
HealthLeaders Media reports that California Department of Public Health (CDPH) officials have fined Lucile Salter Packard Children's Hospital at Stanford University $250,000--the maximum amount allowed under state law--for failing to report a breach of 532 patient medical records due to the theft of a hospital computer. The records included such information as names, dates of birth, procedures and Social Security numbers. The hospital, which is appealing the decision, has stated that when it was determined the computer could not be recovered, the incident was reported to the CDPH, federal authorities and families of potentially affected patients. Under California's failure-to-notify penalties, which are unique in the U.S., state health officials have issued more than $1.8 million in fines against 143 hospitals for failing to report a variety of incidents including breaches of medical records, the report states.
Two weeks ago, the Daily Journal published an article authored by me entitled, “Cell Phone Users Catch a Break.” The subject of this article was a new DMCA exemption that allowed the jail breaking of cell phones, in particular the Apple iPhone. I want to make clear that I do not recommend anyone to jail break their phone and would strongly advise against doing so. In addition to violating your warranty, jail breaking can cause any number of performance problems and has the potential to “brick” your phone.
That being said, in my article I discussed potential responses by Apple to the DMCA exemption, in particular I noted that Apple has the technical resources to continually update and change the iPhone operating system to thwart jailbreaking attempts. Shortly after the DMCA announcement, it was revealed that Apple has submitted a patent application entitled, “Systems and Methods for Identifying Unauthorized Users of an Electronic Device.” In other words, it is a method for detecting unauthorized users and uses of a device and if those are detected, shutting them down or disabling the device. Engadget.com described it best by calling it a “patent kill switch.” I believe this application is an indicator that Apple will be taking a strong stance against jail breaking and will be combating it primarily through technical means.
“Brick” is a term which refers to the situation where, either by jail breaking or other means, the phone no longer operates and is essentially an expensive paper weight or “brick.”
When the United States Cyber Command unveiled its logo, it contained an encoded message. In small letters along the inside ring of the logo was the text: “9ec4c12949a4f31474f299058ce2b22a.” When this code was discovered, Wired.com Magazine held a contest to see who could crack the code first. Sadly, it took just a little more than three hours for someone to crack the code by recognizing it as an MD5 hash.
MD5 is a mathematical hash algorithm used in security applications and forensics which translates almost any length of text or data into a 32 bit string. For example, the text “The quick brown fox jumps over the lazy dog” has an MD5 hash value of “9e107d9d372bb6826bd81d3542a419d6” while the hash value of my last blog post is “28c2a82cba12c6c0275f12fa95464def”. The easy part was recognizing that the code was an MD5 hash; the hard part was figuring out what it referred to. This can be very difficult because MD5 hashes are designed to be one-way. Luckily for us, someone figured out that the hidden code was an MD5 hash of the U.S. Cyber Command’s Mission Statement:
USCYBERCOM plans, coordinates, integrates, synchronizes and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.
That’s it! Seriously, try it for yourself using this MD5 Generator.
This simple and fun puzzle has made the U.S. Cyber Command logo truly unique. Of course, MD5 hash may not have been the best choice to immortalize on the logo considering the 2008 announcement by the U.S. Department of Homeland Security which said MD5, "should be considered cryptographically broken and unsuitable for further use,” and most U.S. government applications will be required to move to the SHA-2 family of hash functions after 2010.
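To show what the contest entrants actually did, here is an added example (not from the original post) that hashes the quoted mission statement with Python's standard hashlib, compares the result to the digest printed on the logo, and shows the only way a one-way hash gets "cracked": guessing a candidate plaintext and checking whether it produces the same digest. It also computes the SHA-256 digest of the same text, since the post notes government applications were moving to the SHA-2 family; MD5 digests are 128 bits, conventionally written as 32 hexadecimal characters.

```python
import hashlib
from typing import Iterable, Optional

# The digest printed on the USCYBERCOM logo, as quoted in the post.
LOGO_DIGEST = "9ec4c12949a4f31474f299058ce2b22a"

# The mission statement as quoted in the post. Hashing is byte-exact: a
# different apostrophe, a trailing newline or a changed space gives a
# completely different digest, so the text must match what was hashed.
MISSION_STATEMENT = (
    "USCYBERCOM plans, coordinates, integrates, synchronizes and conducts "
    "activities to: direct the operations and defense of specified Department "
    "of Defense information networks and; prepare to, and when directed, "
    "conduct full spectrum military cyberspace operations in order to enable "
    "actions in all domains, ensure US/Allied freedom of action in cyberspace "
    "and deny the same to our adversaries."
)


def md5_hex(text: str) -> str:
    """MD5 digest of the UTF-8 bytes of text: 128 bits as 32 hex characters."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def sha256_hex(text: str) -> str:
    """SHA-256 digest of the same bytes: 256 bits as 64 hex characters."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_preimage(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose MD5 equals target_hex, else None.

    A hash cannot be run backwards, so recovering the original text means
    hashing plausible guesses and comparing. The logo puzzle fell to this
    approach because the mission statement was a public, obvious guess.
    """
    target_hex = target_hex.lower()
    for candidate in candidates:
        if md5_hex(candidate) == target_hex:
            return candidate
    return None


def logo_matches_mission() -> bool:
    """True if the quoted mission statement hashes to the logo digest."""
    return md5_hex(MISSION_STATEMENT) == LOGO_DIGEST


if __name__ == "__main__":
    print("fox:", md5_hex("The quick brown fox jumps over the lazy dog"))
    print("logo matches mission statement:", logo_matches_mission())
    # A trailing newline is a common reason a "correct" guess fails to match.
    guesses = ["USCYBERCOM", MISSION_STATEMENT + "\n", MISSION_STATEMENT]
    print("recovered:", find_preimage(LOGO_DIGEST, guesses) is not None)
    print("sha256:", sha256_hex(MISSION_STATEMENT))
```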
Source: Wired.com Magazine
HIPAA-covered entities need to be aware of new regulations issued this week that require public disclosure of data breaches. The U.S. Department of Health and Human Services has issued new regulations that require providers, health plans, and other HIPAA-covered entities to notify individuals when their health information is breached.
Data breaches involving protected health information must be reported to the Department of Health and Human Services. Breaches affecting fewer than 500 individuals can be reported to the HHS secretary on an annual basis. However, breaches that affect more than 500 individuals must be promptly disclosed to the affected individuals, the HHS secretary, and the media.
Principal Deputy Director of the HHS Office Robinsue Frohboese has said that “The new federal law ensures that covered entities and business associates are accountable to the department and to individuals for proper safeguarding of the private information entrusted to their care. These protections will be a cornerstone of maintaining consumer trust as we move forward with meaningful use of electronic health records and electronic exchange of health information.”
These regulations were issued pursuant to provisions of the Health Information Technology and Economic and Clinical Health Act, which was signed into law in February 2009 by President Obama.
Originally Posted by Scott Koller at Life, Heath and Disability Insurance Blog