Archive for April, 2016

Sanders Campaign Ends DNC Lawsuit Over Data Breach

Four months ago, in an impulsive overreaction and at a critical point in the campaign just weeks before the closest Iowa caucus results in history, the DNC shut down the Sanders campaign’s access to its own voter file data, only restoring access after the campaign filed a lawsuit in Federal court.

The Clinton campaign in tandem with DNC Chair Debbie Wasserman Schultz publicly accused the Sanders campaign of theft.

“This information is really key to our campaign and our strategy,” said Clinton campaign manager Robby Mook. “We are particularly disturbed right now that they are using the fact that they stole data as a reason to raise money for their campaign.”

DNC Chairwoman Debbie Wasserman Schultz said that the Sanders campaign “inappropriately and systematically” accessed Clinton’s data. 

Now, four months later, an independent investigation of the firewall failures in the DNC’s shared voter file database has definitively confirmed that the original claims by the DNC and the Clinton campaign were wholly inaccurate – the Sanders campaign never “stole” any voter file data; the Sanders campaign never “exported” any unauthorized voter file data; and the Sanders campaign certainly never had access to the Clinton campaign’s “strategic road map.”

Back in December the Sanders campaign vehemently denied any theft of Clinton’s information.

“Clearly, in this case, they are trying to help the Clinton campaign,” Sanders campaign manager Jeff Weaver said of the Democratic National Committee.

The independent investigation has confirmed what the Sanders campaign said from the start:

  • The DNC’s security failures allowed four Sanders campaign staffers – three junior-level staffers led by a manager who had been hired at the recommendation of the DNC and who was immediately terminated after the incident – to have extremely short-lived access for one hour to Hillary for America’s scoring models, but not to any of Hillary for America’s proprietary voter data.
  • No one else in the Sanders campaign, outside these four staffers, accessed Hillary for America’s scoring models or had knowledge that the activity was taking place until well after the incident was over.
  • With one exception, all unauthorized access took place within the DNC’s own system. While there is evidence that the terminated staffer may have exported a summary data table, the independent investigation of Sanders campaign computers could not locate that file and no one in the Sanders campaign has ever seen that file.

With the investigation behind us, the campaign has withdrawn its lawsuit against the DNC today but continues to implore the DNC to address the systemic instability that remains in its voter file system. It is imperative that the DNC make it a top priority to prevent future data security failures in the voter file system, failures that only serve as unnecessary distractions to the democratic process.

Bernie Sanders Campaign Manager Jeff Weaver said “We are gratified by the results of this independent investigation.”


Article source: http://thebernreport.com/sanders-campaigns-ends-dnc-lawsuit-over-data-breach/


Sanders campaign drops lawsuit against DNC over voter database breach

Bernie Sanders’ campaign Friday withdrew its lawsuit against the Democratic National Committee after claiming the party had unfairly blocked its access to a critical voter database in December.

The lawsuit came after a Sanders staffer exploited a software error to improperly access confidential voter information collected by Hillary Clinton’s team. The DNC database is a goldmine of information about voters and being blocked from it threatened to complicate Sanders’ outreach efforts just weeks before the Iowa caucuses. The incident also fueled a long-held belief in the Sanders camp and among his allies that the DNC was stacking the deck in favor of Clinton.

A DNC investigation, the results of which were also released Friday, concluded that the wrongdoing did not go beyond the four Sanders staffers who accessed the database and were fired soon after the incident came to light.

“With the investigation behind us, the campaign has withdrawn its lawsuit against the DNC today but continues to implore the DNC to address the systemic instability that remains in its voter file system,” Sanders’ campaign said in a statement.

The DNC agreed to restore the Sanders campaign’s access to the database by the next day. The campaign agreed to cooperate in an independent investigation of the data breach and to pay a share of those costs.

“An independent investigation of the firewall failures in the DNC’s shared voter file database has definitively confirmed that the original claims by the DNC and the Clinton campaign were wholly inaccurate — the Sanders campaign never ‘stole’ any voter file data,” the campaign said in its statement Friday.

“The Sanders campaign never ‘exported’ any unauthorized voter file data; and the Sanders campaign certainly never had access to the Clinton campaign’s ‘strategic road map,’” the campaign added.

The Sanders team ran multiple searches in Iowa, New Hampshire, Nevada, South Carolina and about 10 March states, including Florida and Colorado, after it noticed the error. One of the data sets it accessed was a Clinton spreadsheet that ranked voters’ enthusiasm — a potential opportunity for Sanders’ campaign to target voters who were hesitant to support the former secretary of state.

Sanders apologized for the breach during a Democratic debate in December. The Clinton campaign declined to comment on the record Friday.

Friday’s developments come as Sanders badly trails Clinton in the Democratic primary fight. Earlier in the week, Sanders himself acknowledged that he has a “narrow path” to the nomination, and Oregon Sen. Jeff Merkley, Sanders’ lone supporter in the Senate, told CNN on Thursday that if the Vermont senator is still losing to Clinton after the primary season concludes in June, he should end his campaign rather than take his bid to the party convention.

Article source: http://www.wbaltv.com/politics/sanders-campaign-drops-lawsuit-against-dnc-over-voter-database-breach/39290846


Data breach shows you can never be too safe

Ten tips to protect your business while waiting for the Wyoming Cybersecurity Symposium


A few weeks ago, in anticipation of the Wyoming Cybersecurity Symposium — which the Wyoming Business Report will be hosting in Cheyenne next month — this publication ran a story that included some tips on how businesses could help protect themselves and their computer systems from shady characters like hackers and data thieves.

Now, in light of the phishing scam that victimized two employees at the Wyoming Medical Center in Casper, which put at risk the data of 3,184 of the hospital’s patients — including names, dates of birth, medical records, account numbers, dates of service and other medical information — this might be a good time to offer up another round of practices that could save your business (or even your home computer) a lot of potential headaches and maybe even save you a few dollars — or a lot of them — in the process.

Here are 10 tips from the Federal Communications Commission to help guard your company’s data:

  1. Train employees in security principles
    Establish basic security practices and policies for employees, such as requiring strong passwords, and establish appropriate Internet use guidelines that detail penalties for violating company cybersecurity policies. Establish rules of behavior describing how to handle and protect customer information and other vital data.
  2. Protect information, computers and networks from cyber attacks
    Keep clean machines: having the latest security software, web browser, and operating system are the best defenses against viruses, malware, and other online threats. Set antivirus software to run a scan after each update. Install other key software updates as soon as they are available.
  3. Provide firewall security for your Internet connection
    A firewall is a set of related programs that prevent outsiders from accessing data on a private network. Make sure the operating system’s firewall is enabled or install free firewall software available online. If employees work from home, ensure that their home system(s) are protected by a firewall.
  4. Create a mobile device action plan
    Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
  5. Make backup copies of important business data and information
    Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
  6. Control physical access to your computers and create user accounts for each employee
    Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
  7. Secure your Wi-Fi networks
    If you have a Wi-Fi network for your workplace, make sure it is secure, encrypted, and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
  8. Employ best practices on payment cards
    Work with banks or processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations pursuant to agreements with your bank or processor. Isolate payment systems from other, less secure programs and don’t use the same computer to process payments and surf the Internet.
  9. Limit employee access to data and information, limit authority to install software
    Do not provide any one employee with access to all data systems. Employees should only be given access to the specific data systems that they need for their jobs, and should not be able to install any software without permission.
  10. Passwords and authentication
    Require employees to use unique passwords and change passwords every three months. Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account.

To learn more about how to safeguard your data, attend the Wyoming Cybersecurity Symposium, scheduled from 8 a.m. to 7 p.m. on May 18 at the Little America in Cheyenne.

The FCC’s CyberSecurity Hub has more information, including links to free and low-cost security tools.

 

 

Article source: http://www.wyomingbusinessreport.com/data-breach-shows-you-can-never-be-too-safe/


Is ransomware considered a health data breach under HIPAA?

With a total of 112 million breached healthcare records spanning more than 250 separate incidents last year, it’s safe to say that information security is on people’s minds. The deluge of breaches has raised an important question about a particular kind of incident: does ransomware constitute a data breach under HIPAA?

Dan Munro, author at Forbes, and Jack Danahy, author at HealthIT Security, recently took a look at what qualifies a ransomware attack as a data breach under HIPAA.

“Ransomware does represent a new legal ambiguity to the federal legislation known as HIPAA, which was designed to protect patients against the loss, theft or breach of their protected health information (PHI),” according to Munro. “In some ransomware cases – depending on the actual type of ransomware – PHI is never accessed, so there is technically no breach of PHI data.”

Regulators may not yet have a grasp of how serious a threat ransomware poses. With each attack, hackers are able to crash hospital systems and force them to return to the slow and outdated process of paper. Munro suggested that a ransomware attack should not be considered to have violated the PHI disclosure restrictions in HIPAA because the PHI is never accessed and the lack of security in the healthcare system makes it all the easier for hackers.

Danahy had a different way of seeing the potential of ransomware attacks and believes they do indeed qualify as a breach under HIPAA. “Over 100 of the disclosed breaches, representing hundreds of thousands of records, were reported because a system that contained PHI came under the control of a criminal,” wrote Danahy. “There is no need to verify that the information stolen in this manner is ever accessed or used; the existence of this important information in the hands of a criminal is enough of a threat that it must be reported.”

He argues that even if PHI is sometimes never accessed, the mere fact that it came under the control of a criminal is cause enough for it to be considered a breach under HIPAA. Danahy characterizes a ransomware attack as systems, along with the PHI they contain, being accessed by someone who is not the healthcare provider, so the breach must be disclosed under HIPAA as a result of the loss of security.

While the two disagree on whether ransomware constitutes a breach under HIPAA guidelines, they agree that the healthcare industry must find a way to avoid these attacks. Both advise collecting data on spending and the costs of attacks to justify investments in prevention against the enormous risk that ransomware poses.

Article source: http://www.cmio.net/topics/policy/ransomware-considered-health-data-breach-under-hipaa


Berkeley chiropractor warns of patient data breach

BERKELEY — A chiropractic office is urging its patients to get in touch, as well as contact credit reporting agencies and take precautions against unauthorized use of their personal data, following a break-in last month.

Vibrant Body Wellness, at 2002 Addison St. near Milvia Street, was burgled over the weekend of March 5, the company announced on its website (vibrantbodywellness.com) and in a news release Friday. Stolen items include a laptop and a backup hard drive.

“Though (the devices) were password-protected and the data on them encrypted, according to the law patient privacy was breached with the loss of the equipment,” an announcement reads in part.

“The information stored on the electronic equipment is not easily accessible,” the news release states. “However, personal information may have been compromised, including patients’ name, address, date of birth, contact information, diagnosis, and billing information.”

Some 600 patients are potentially affected.

Vibrant Body Wellness invites patients to call its staff at 510-981-8348, consult the company website for more information, and to direct questions to the owner, Dr. Teresa Lau, at [email protected]

Lau expressed regret over the incident, and pledged her company’s commitment to prevent future occurrences.

“Since the robbery, we’ve been working with police and (the U.S. Department of) Health and Human Services to respond to the robbery and the consequences of our encrypted electronic devices being stolen,” Lau said, adding that the process is time-consuming and is required to be accomplished within 60 days.

Check back for updates.

Contact Tom Lochner at 510-262-2760. Follow him at Twitter.com/tomlochner.

Article source: http://www.mercurynews.com/bay-area-news/ci_29831350/berkeley-chiropractor-warns-patient-data-breach


Verizon Releases 2016 Data Breach Investigations Report


Article source: http://www.natlawreview.com/article/verizon-releases-2016-data-breach-investigations-report


After a Data Breach, When Do the Feds Blame the Victim Companies?

Regulators have ramped up enforcement actions in recent years against companies that have failed to adequately protect their customer information. These actions have drawn criticism from companies, who say it’s frustrating to be the victim of a breach, and also get punished by the government for it.

Agencies like the Federal Trade Commission and Securities and Exchange Commission, however, say their mission isn’t to blame the victim, but to go after companies that don’t even do the bare minimum to protect their computer networks. When a company has virtually no network security in place and then has its data stolen by hackers, the consumers are the real victims, regulators say.

At a cybersecurity panel on Friday, Mark Eichorn, an assistant director at the FTC’s Bureau of Consumer Protection, gave several examples of the kind of corporate behavior that justifies regulators’ attention. He pointed to a recent case where the FTC charged a computer hardware maker called ASUSTeK Computer, whose default login for every router had “admin” as the username and “admin” as the password. The security flaws allowed hackers to gain access to ASUS routers in consumers’ homes, the FTC said.

An ASUS representative did not immediately respond to a request for comment.

Every agency has its own rules, so it’s difficult to say when companies that have been breached could become targets for an enforcement action.

Last year, R.T. Jones Capital Equities Management Inc., an investment adviser, paid a $75,000 penalty to settle charges that it failed to establish the proper cybersecurity protocols ahead of a 2013 data breach, which ended up compromising the personal information of approximately 100,000 individuals. According to the SEC, which brought the charges, R.T. Jones failed to do a few basic things, like install a firewall or encrypt the sensitive information stored on its server.

An R.T. Jones representative did not immediately respond to a request for comment.

Separately, the panelists Friday, who also included regulators from the SEC and Financial Industry Regulatory Authority, warned that hackers are homing in especially on the Internet of Things, which refers to ordinary objects outfitted with the ability to send and receive data, like fitness trackers and home thermostats. For example, hackers last year demonstrated that they were able to take control of a moving Jeep Cherokee using its wireless communications system.

Article source: http://blogs.wsj.com/law/2016/04/29/are-the-feds-blaming-victims-in-cybercrime-cases/


Bernie Sanders drops lawsuit against DNC after data breach

Bernie Sanders’ presidential campaign announced Friday that it has withdrawn its lawsuit against the Democratic National Committee (DNC) after it restricted the campaign’s access to voter files after a data breach late last year.

“With the investigation behind us, the campaign has withdrawn its lawsuit against the DNC today but continues to implore the DNC to address the systemic instability that remains in its voter file system,” the campaign said in a statement.

The campaign went on to say that the DNC should make it a top priority to prevent future data security failures with its voter file system.

This decision comes after the Sanders campaign said an independent investigation found that his campaign never stole any voter file data as Hillary Clinton’s campaign and the DNC had suggested.

“The Sanders campaign never ‘exported’ any unauthorized voter file data; and the Sanders campaign certainly never had access to the Clinton campaign’s ‘strategic road map,’” the campaign said.

The campaign then blamed the unauthorized access by four campaign staffers on “the DNC’s security failures.” One of those staffers was immediately fired at the time.

“During that time, the four users conducted 25 searches using proprietary Hillary for America score data across 11 states,” the DNC said in a statement Friday. “All of the results of these searches were saved within the VoteBuilder system, with the exception of one instance where a user exported a statistical summary of a search using HFA scoring in New Hampshire.”

Sanders said in December that they were in negotiations to move beyond the data breach.

Article source: http://www.cbsnews.com/news/bernie-sanders-drops-lawsuit-against-dnc-after-data-breach/
