Archive for March, 2016
Beazley announced the launch of the company’s flagship Beazley Breach Response (BBR) product in Canada, which is data breach response insurance that protects the personal data of up to five million individuals per breach.
Canada’s Digital Privacy Act, passed in 2015, will soon impose additional obligations on companies to notify individuals when their data has been breached, the company said. The Canadian regulations will impose more stringent reporting obligations, similar to those already in place in the U.S. and soon to be implemented in the European Union.
Beazley said it has helped clients handle more than 3,300 data breaches since the launch of BBR in 2009 “and is the only insurer with a dedicated in-house team focusing exclusively on helping clients handle data breaches.”
BBR addresses the growing data breach exposures all organizations face, and the potential impact on their business operations, reputation and financial standing. Clients purchasing this coverage receive access to a suite of Beazley’s breach response service partners who provide legal advice, computer forensics, notification and call center services and credit monitoring for affected individuals.
“Beazley has an exceptional track record working with corporations in a wide range of industries in the US and Europe to mitigate and respond to data breaches,” said Paul Bantick, Beazley’s International focus group leader for technology, media and business services. “We’re excited to launch this offering in Canada, backed by a suite of top response providers.”
Beazley released its Beazley Breach Insights 2016 report earlier this month, which revealed a sharp increase in breaches caused by hacking and malware, with hacks involving ransomware doubling in 2015 compared to 2014.
London-based Beazley plc is the parent company of specialist insurance businesses with operations in Europe, the U.S., Latin America, Asia, the Middle East and Australia. Beazley manages six Lloyd’s syndicates and, in 2015, underwrote gross premiums worldwide of $2 billion-plus.
Healthcare information and security officers are leading efforts to avoid cyberattacks through training and tools as 81% of healthcare executives say that their organizations’ systems have been compromised during the past two years.
This article first appeared in the March 2016 issue of HealthLeaders Magazine.
Now that cyber attacks as a source of data breaches are becoming routine in and out of healthcare, each breach represents not just a monetary loss to providers and payers but also a loss of faith by customers and patients in the healthcare industry. This new fact has pushed data security way up the priority list for healthcare.
Consider this: 81% of healthcare executives say that their organizations have been compromised by at least one malware, botnet, or other cyber attack during the past two years, and only half say they feel that they are adequately prepared in preventing attacks, according to a 2015 KPMG healthcare cybersecurity survey.
“The worst place we could be in is if Americans are so desensitized to the breach of the day that we begin to accept that as normal,” explains Pete Murphy, executive vice president and chief information officer at Cardinal Innovations Healthcare, a managed care organization with 720,000 enrolled members across 16 counties in North Carolina.
Murphy, who previously managed risk and infrastructure in the financial services industry at employers such as TIAA-CREF, started at Cardinal in 2011. “The breach stats in healthcare show that we are being targeted,” he says. “The healthcare security posture is behind other industries that have made these investments and have gone before us, and I think we need to catch up quickly. It’s no mystery that attackers and their methods are increasingly sophisticated.”
One such method is spear phishing, where fraudulent emails appear to originate from a known business or colleague but are, in reality, sent by criminals seeking elevated network credentials or other personal information from the targeted individual.
Once an attacker obtains such credentials, rather than immediately launching an online attack, the attacker may plant advanced persistent threats, Murphy says. “They have some characteristics that are particularly scary. They hide themselves well, either in computer memory or on disk storage. They are likely going to exist in your environment undetected, could be for years sometimes.”
If an organization had only $100 to spend on its security program, “you’d start with bringing your employee base into the problem with you,” Murphy says. “You’d work to increase their awareness of the issue and give them all a little badge and make them all deputy chief information security officers.”
Many of the breaches that occurred in 2015, such as the Anthem breach that affected 30 million members, remain under investigation by the Federal Bureau of Investigation, with no guarantee that the breach cause or causes will ever be brought to light. But the next major breach could have a different cause.
“Companies need to invest in technical security expertise, because the game changes constantly,” Murphy says. “We have some very good security people here that are passionate about it and have inquiring minds and really enjoy what we call threat hunting and attack hunting.”
To respond to the spear phishing threat, Cardinal began doing awareness-testing exercises by sending fake emails to its own employees to see if they would click on them. Murphy says it’s not an exercise that many organizations undertake. As a result of this and other measures, Cardinal’s number of malware infections and actual incidents has declined. Unfortunately, “these extra measures are not yet recognized widely by everyone in the cyber risk insurance world,” so some do not reduce premiums for such insurance, he adds.
In February, California Attorney General Kamala Harris released a report analyzing 657 data breaches that were reported to the attorney general’s office from 2012 to 2015. The report contains numerous findings ranging from the causes of the reported data breaches to the types of data impacted. The attorney general found that the majority of reported data breach incidents resulted from security failures, and that a significant portion of the breaches “were the result of exploitation of known vulnerabilities for which there are known controls.” In an effort to reduce what the attorney general views as preventable data breaches, the report warns that the failure to implement specific controls constitutes a lack of reasonable security. This is the first time the attorney general or any California privacy regulator has suggested what data security measures are necessary to comply with California’s data protection law.
AG’s “Minimum Level” Requirement
Since 2004, California law has required organizations that collect personal information on California residents to implement reasonable security procedures and practices to protect the information. Although this requirement has been in place for more than a decade, California courts and regulators have yet to define what constitutes reasonable security procedures and practices. Unable to look to case law or regulators, organizations prior to the report had to consult materials from outside of California, such as Federal Trade Commission reports and enforcement actions, for guidance on how to implement a compliant data security program. The report therefore represents a significant development for organizations that collect and maintain personal information on California residents.
As explained in the report, the attorney general selects the Center for Internet Security’s Critical Security Controls as the “minimum level of information security that all organizations that collect or maintain personal information should meet.” Formerly known as the SANS Top 20, the controls were created by a group of experts—including the National Security Agency, the U.S. Department of Energy, law enforcement organizations and top forensics and incident response organizations—for the purpose of stopping known cyberattacks. The controls generally teach organizations to take an inventory of authorized hardware and software, secure network configurations, continuously assess vulnerability, maintain and monitor audit logs, limit the use of administrator privileges, install firewalls and other defenses and train employees to detect attacks. Critically, the attorney general warns that the “failure to implement all the [c]ontrols that apply to an organization’s environment constitutes a lack of reasonable security.”
The Impact of the Report Is Uncertain
Importantly, the attorney general did not state that a data security program that incorporates all of the controls is per se reasonable. Rather, the report explains that the controls act as a “starting point of a comprehensive program to provide reasonable security.” Thus, the report does not provide assurances that implementation of the controls will shield an organization from California Department of Justice enforcement actions and private litigation. Nor does the report provide conclusive guidance for small to mid-size businesses with greater budgetary restraints than large organizations. The report briefly addresses this issue by explaining that the controls are intended to apply to organizations of all sizes and that small businesses can adopt “subcontrols that fit the size, complexity, and criticality of their systems.” But the report does not provide a framework to assist the small business owner faced with the difficult decision of how to implement a legally compliant data security program that is also economically feasible.
While the report provides at least some guidance to organizations on how to implement a compliant data security program, there is significant uncertainty as to how the report will be viewed by the courts. The attorney general could have issued her recommendations in a formal opinion. California courts generally give great weight to formal attorney general opinions, but there is a lack of commentary or court decisions on the appropriate degree of deference, if any, to give to an attorney general report. The reported decisions that address this issue indicate that a lower degree of deference is appropriate. The degree of deference that courts provide to this report is thus an open question.
Regardless of the degree of deference given, the California Department of Justice and private plaintiffs will likely use the report’s recommendations to prove that a defendant organization that did not implement the controls violated California’s data protection law. In particular, we expect the California Department of Justice and private plaintiffs, at a minimum, to use the report to challenge those responsible for creating and administering an organization’s data security program on their knowledge and implementation of the controls, and we speculate that a central issue in the battle between experts on both sides will be the organization’s implementation of the controls. Therefore, organizations that do not incorporate all of the controls into their data security program may face potential litigation risk.
Another area of uncertainty is how the report will impact organizations engaged in the transfer of personal information. The data protection law requires organizations that disclose personal information to third parties that are otherwise exempt from the law to require by contract that the third party implement and maintain reasonable security measures. The law exempts various types of organizations, such as health care providers regulated by the Confidentiality of Medical Information Act, financial institutions subject to the California Financial Information Privacy Act, and covered entities governed by the medical privacy and security rules issued by the U.S. Department of Health and Human Services. Exempt organizations that receive personal information from non-exempt organizations may now be required to certify implementation of the controls as a precondition for their receipt of sensitive information from non-exempt organizations.
Greater Clarity Is Needed
By recommending adoption of the controls as the minimum for compliant data security programs, the attorney general has provided some meaningful guidance to large organizations with regard to the California Department of Justice’s interpretation of California’s data protection law. It is still unclear, however, whether the attorney general really believes a small to mid-size business must implement all of the controls regardless of whether doing so would be economically infeasible, or if some proportional subset of the controls would be sufficient. Moreover, it remains to be seen whether the attorney general’s recommendations, issued in an informal report rather than a formal opinion, will have a significant impact on privacy law in California and elsewhere. One thing is clear: The recommendations set forth in the report have defined IT security standards that companies doing business in California should carefully consider.
The data breach is suspected to have occurred in October 2015. Nevertheless, 21st Century claims that it delayed any public announcement of the data breach pursuant to an FBI request that no announcement be made while the FBI was investigating the matter. 21st Century notified affected individuals in March 2016.
“Medical information is considered to be among the most personal and private of information under California law,” says Keller Grover LLP attorney Carey G. Been. “For that reason, healthcare providers are required to give patients timely notice of data breaches and the negligent release and disclosure of medical information can, under certain circumstances, give rise to claims by affected individuals for money damages.”
Similar medical data breaches involving the failure to properly secure medical information have given rise to class action lawsuits. Earlier this year, for example, St. Joseph Health Systems finalized a $7.5 million class action lawsuit settlement in California involving St. Joseph’s alleged failure to properly secure its network, allowing patient information to become publicly accessible on the internet.
If you have any information about the data breach or are a California resident that has been affected by the data breach and have questions, contact Keller Grover’s attorneys at 888 535-5291 or by email at [email protected]
Keller Grover LLP is a leader in the field of medical information privacy litigation and has represented clients in numerous medical data breach class action cases, including lawsuits against St. Joseph Health Systems, Stanford Hospitals and Clinics, and Health Net. Keller Grover will not charge you for reviewing your information and all information that you provide to Keller Grover in the process of seeking legal advice will be held strictly confidential.
To view the original version on PR Newswire, visit: http://www.prnewswire.com/news-releases/keller-grover-llp-investigates-21st-century-oncology-data-breach-300243832.html
SOURCE Keller Grover LLP
The Norfolk Admirals suffered a data breach Wednesday, after a hacker posted website customers names, addresses and other details online.
Per Kimberly Pierceall of The Virginia Pilot, around 250 people are said to have been affected, but no financial information was exposed, as the team does not keep records of such details.
One victim found that not only had her personal information been posted online, but also that of her 5-year-old son, whom she had previously signed up for the Admirals Kids Club.
“It’s upsetting. You give companies your personal and private information expecting it will be protected,” said Monica, who didn’t want her last name used because she was concerned someone could find her personal information posted in the list online. “What’s even more upsetting is my son’s name is out there.”
Norfolk Admirals Vice President Joe Gregory said the club was made aware of the breach by one of the affected customers on Wednesday and that the organisation was seeking advice from its third party online security firm on whether they should report the breach to any law enforcement agencies.
“We take any threat against our customers seriously,” he [Gregory] said in a statement. “Additional safety measures have been added to prevent such a breach from happening in the future.”
The hacker, who was interviewed via Twitter but did not want to provide his name or location, said that the Norfolk Admirals had been sent emails warning of their lax online security, which were ignored.
Gregory said he wasn’t aware of any such warnings sent to the Admirals.
The incident comes a week after the nearby Tidewater Community College was also hacked, exposing current and former staff and faculty members details online.
Cyber attacks against some of the country’s top law firms are reigniting concerns about the legal industry’s handling of data breaches.
The Wall Street Journal reported that hackers recently broke into the data systems of several prestigious white-shoe law firms, including Cravath Swaine Moore LLP and Weil Gotshal Manges LLP, and federal investigators are probing whether the hackers intended to steal information for insider trading.
Cybersecurity experts have long warned that law firms are attractive targets for cyber fraudsters. Law firms with high-profile corporate clients possess troves of trade secrets and undisclosed deal information on their computer networks that could be exploited.
But unlike breaches that have hit retailers like Target Corp. or banks like J.P. Morgan Chase Co., breaches of law firms rarely become public. That’s because firms don’t typically hold the type of personal information, like Social Security numbers, that would trigger public notification, and the legal industry is less heavily regulated than the financial sector.
It’s not entirely clear when law firms are legally required to reveal to the public or law-enforcement authorities that they’ve been hacked.
Forty-seven states have their own laws about when companies, including law firms, must disclose a breach. These laws typically require companies to disclose data thefts when an entity gets unauthorized access to “personal information,” a term whose definition varies by state. Personal information usually means names, credit card numbers and Social Security numbers.
Another important question: To what extent are law firms required to keep their clients in the loop about data breaches?
The American Bar Association, which sets guidelines for lawyers, added a rule in 2012 that requires lawyers to take reasonable care to prevent unauthorized disclosure or access to information related to a client. The ABA also instructs lawyers to “keep abreast of changes in the law…including the benefits and risks associated with relevant technology.”
Bar associations in each state have their own ethics codes for law firms. These rules say lawyers have a duty to keep client information confidential. That leaves experts to believe that law firms are ethically obligated to tell clients if a breach compromises client information.
Lawyers who break the rules can be subject to monetary penalties and disciplinary action, including disbarment.
Cravath said its hacking incident, which occurred last summer, involved a “limited breach” of its systems and that the firm is “not aware that any of the information that may have been accessed has been used improperly.” A spokeswoman for Weil Gotshal declined to comment.
Tidewater Community College logo. (Photo: Tidewater Community College/Facebook)
VIRGINIA BEACH, Va. (WVEC) — Officials at Tidewater Community College tell 13News Now that they now know of 100 employees who have been affected by the school’s recent data breach.
Initially, 15 TCC employees informed the school that when they attempted to file their 2015 tax returns, the IRS told them that a return had already been filed under their social security numbers.
The incidents were thought to be isolated at first. However, the school immediately reported the information to the Virginia Community College System.
Officials say 3,193 employees who worked at TCC in 2015 could be affected by the breach. That is the number of employees with taxable wages from 2015.
These are people who worked for TCC at any point last year. It includes current employees and retirees. Those workers packed a session with the school president Wednesday. She addressed the latest details of the data breach, what the school is doing to help those affected with credit monitoring and protection and took questions from the employees.
“It’s best for you to be cautious, even if you have already received your income tax refund or you have an acknowledgement that everything is ok with your income tax refund,” President Baehre-Kolovani advised. “Take advantage of these very simple techniques to safeguard yourself.”
This was part of an already-planned session, but when news of the breach broke, President Baehre-Kolovani added the topic to the session and allowed media to attend.
“We have nothing to hide,” Baehre-Kolovani added. “So the more transparent we are and let everybody know how to safeguard themselves, the better off we will be. Just stay vigilant.”
According to school officials, a file containing the names of all 2015 TCC employees, their social security numbers, 2015 earnings, withholding and deduction information was sent in response to a request that looked to be from a legitimate TCC account.
The account, however, was a scam.
“We’re working with our parent organization, The Virginia Community College System, which is bringing in the FBI and state police on this,” said Marian Anderfuren, the public information officer for TCC. “There will be a vigorous investigation to see if the source of the email can be determined.”
The names included current and former full-time, part-time and adjunct employees; anyone who received payable wages from TCC for 2015.
Tidewater Community College advises employees to take these immediate actions to protect their information:
- Contact one of the three major credit bureaus (Experian, TransAmerica, Equifax) to place a fraud alert on your credit file. The one you place a fraud alert with will contact the other two. Renew the fraud alert every 90 days.
- Complete and submit IRS Form 14039 (Identity Theft Affidavit). It alerts the IRS that you have reason to believe your personal information may be used fraudulently. The form, as well as other information, is available here. You can also call the IRS toll free at 1-800-829-1040.
- If you believe your personal information has already been used fraudulently:
  - Report the identity theft to the Federal Trade Commission at www.idtheft.gov.
  - File an identity theft report with your local police. The police report is necessary if you want to file for a new Social Security number.
  - Report the theft of your Social Security number to the Internet Crime Complaint Center at http://www.ic3.gov/.
The school says they are working with law enforcement to identify the means of the attack and taking steps to prevent it from happening again.
Tidewater Community College serves South Hampton Roads with four campuses in Chesapeake, Norfolk, Portsmouth and Virginia Beach.
Many are wondering what the school is doing to make sure this doesn’t happen again. Right now, the president is waiting to hear back from the Attorney General’s Office and the Virginia Community College System to work on that aspect of the investigation. The school has another open session for employees at the Virginia Beach campus Thursday.
TCC is the largest provider of higher education and workforce services in Hampton Roads, enrolling almost 40,000 students annually.
(© 2016 WVEC)
FRANKFORT, Ky. (WTVQ) – A message from Kentucky State University president Raymond Burse says that the school suffered a data breach on March 22, 2016.
The message says that the breach granted access to “personally identifiable information of current and former Kentucky State University employees,” namely, W-2’s for 2015 and University identification information. The school says that includes names, social security numbers and addresses.
The police report says someone impersonating KSU President Raymond Burse sent an email to an employee requesting 2015 W-2’s for employees. That worker replied with the information, unaware the sender was not Burse.
Burse says the school has already taken action to limit the effects of the breach by notifying all three of the major credit reporting agencies.
Federal and state authorities have been notified and are investigating the breach.
The police report shows 1,071 people were affected by the breach. The school says 452 are current regular employees and 210 are students. The remainder are former employees. The school has offered all of the victims credit protection by Experian.
Article source: http://www.wtvq.com/2016/03/30/ksu-hit-with-data-breach/
A hacker posted several thousand Norfolk Admirals customers’ email accounts, addresses and names on Wednesday, but the team’s online security firm says the data breach affected only about 250 customers.
Norfolk Admirals Vice President Joe Gregory said his online security firm eliminated duplicates and spam email addresses from the list, significantly winnowing the number of people affected from 4,476 email accounts to about 250.
“This is still something that was troublesome,” Gregory said, adding that it represented a small sample set of people who had purchased items through the Admirals’ website and didn’t include any financial account information because the team doesn’t keep it.
One woman found out when she received an alert from the service Have I Been Pwned? that her email address had been posted online. The list includes names, email accounts, physical addresses and the types of credit card people used but no credit card numbers. In her case, it includes the name and address of her 5-year-old son because she had signed him up for the Admirals Kids Club two seasons ago.
“It’s upsetting. You give companies your personal and private information expecting it will be protected,” said Monica, who didn’t want her last name used because she was concerned someone could find her personal information posted in the list online. “What’s even more upsetting is, my son’s name is out there.”
Gregory said the team was made aware of the breach Wednesday afternoon by one of the people whose information was posted. He said no sensitive financial information, including credit card numbers, was stored in the databases. He said he’s contacted his outside online security firm to ask whether the breach should be reported to law enforcement.
“We take any threat against our customers seriously,” he said in a statement. “Additional safety measures have been added to prevent such a breach from happening in the future.”
This is the first alert Monica has gotten from Have I Been Pwned?, a free service that automatically scrapes sites for publicly posted data dumps from breaches. When someone is “pwned,” they’ve essentially been “owned” or defeated.
“I’m not sure if I’ll want to sign up my son under his actual name in the future,” she said.
The breach comes a week after Tidewater Community College announced that Social Security numbers and personal information belonging to 3,193 current and former faculty and staff were leaked in a phishing scam. As of Friday, about 15 people had not been able to file tax returns because their information had already been fraudulently used. On Wednesday, Tidewater Community College spokeswoman Marian Anderfuren confirmed the number had risen to 100. She said the school is encouraging people to tell them when they encounter problems filing their tax returns so they can have a clear understanding of the scope of the cyberattack.
The Admirals hacker, going by the handle @Gift2Death, said in an interview conducted through Twitter that the team brought the attack on itself. He said his emailed warnings to the Admirals about their lax online security were ignored. Gregory said he wasn’t aware of any warnings.
The hacker wouldn’t give his name or say where he’s based, but said he knew some of the people in the Admirals’ databases.
“Now, YOU have to take responsibility for what you can NOT protect,” the hacker wrote in his online post, which featured a comical devil drawn with keyboard keys. He also posted what was purportedly the hockey team’s Twitter password but said he hadn’t tried to access the account. “But if you want to, give it a try.”