RansomwareRansomware Activity Targeting the Healthcare and Public Health Sector

Ransomware Activity Targeting the Healthcare and Public Health Sector

Beckage is notifying organizations in the healthcare sector of a potential threat that may occur this weekend. We will continue to monitor this situation and provide updates as they occur.

Late last night the Federal Bureau of Investigations (FBI), Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about an imminent cybercrime threat to hospitals and healthcare providers. These organizations have credible information to suggest that there will be a widespread Ryuk ransomware attack this weekend. The threat is currently being investigated by the FBI, DHS and the NSA’s Cybersecurity Threat Operations Center.

What We Know

The cybercrime organization Ryuk is targeting the Healthcare and Public Health sector with Trickbot malware that may lead to ransomware attacks, data theft, and the disruption of healthcare services, a particularly concerning possibility considering the nation is still grappling with the COVID-19 pandemic.

Based on what we know about Ryuk, it is possible that the targeted healthcare entities have already implemented the encryption malware on healthcare organizations’ systems and the threat actors just have not commanded it to activate.  Given the threat, we urge all healthcare organizations to review the measures recommended by the FBI as consider some practical incident response measures.

What To Do Next

Beckage recommends that hospitals and healthcare providers implement several preventative steps to safeguard their organization including of the following measures: reviewing current incident response protocols and processes within the next 24 hours, and carefully crafting internal drafting internal and external messaging and FAQs with an experienced data breach attorney to help minimize legal risk as well as making sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage is available to discuss additional best practices that should be taken over the next 24 to 72 hours. Our team will continue to monitor this for new developments and provides updates as appropriate.  If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

*Attorney advertising. Past outcomes do not predict future results.

Subscribe to our Newsletter.

ransomwareWhat To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

What To Do If A Ransomware Incident Means Your Business Cannot Avoid Paying Ransom: OFAC Weighs In

While ransomware was already a growing global issue before the pandemic, COVID-19 has thrown jet-fuel on that fire.  As a result, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory statement on October 1, 2020.  The advisory specifically details the risk of sanctions related to paying a ransom and reflects the greater reality that as new wrinkles in attacks become common, including exfiltration of data for later extortion or deletion back up files, more businesses than ever are considering ransom payment.  OFAC wants your business to remember that paying ransom to certain groups is a sanctionable event.  

Beckage is very familiar with many ways to avoid paying ransom, but we remain informed of all the regulations and advisory guidance related to ransom payment.

A high-level review of a ransomware event can provide perspective on what role OFAC and its advisory mean to your business:

The Incident

Ransomware is a type of malicious software that infiltrates computer networks, locking and blocking access unless a ransom is paid.  When your business encounters ransomware, your Incident Response Plan (IRP) should direct leadership to immediately initiate contact with previously identified parties whose work is focused on just this sort of matter, including counsel such as Beckage, and your cybersecurity insurance carrier.

Common Questions

In the first minutes and hours after ransomware is detected, we hear common questions, such as: Is paying ransom a viable path forward?  Is it allowed?  And if there are no other options for remediation and restoring from backups, how is it done?

The Response to Ransom Demands

Depending on the situation, ransoms are sometimes paid.  This is not a default position, but can be the necessary and most logical step in response to a ransomware incident.  Your business does not suddenly have to figure out how to pay an unknown party the ransom; your tech lawyers will be familiar with third parties that specialize in incident response, including investigating the background of the threat actor and exploring payment.  Such a third-party will take steps to secure cryptocurrency, such as Bitcoin, for paying a ransom, work with counsel to understand how anti-money laundering laws apply to a transaction, and gauge whether the actor behind the ransomware is a sanctioned group or tied to a sanctioned group. 

OFAC’s Impact

The OFAC advisory reminds us that the U.S. Government does not qualify ransom payment as illegal, but ransom payments are not favored resolutions.  The advisory serves as a reminder of existing practices and policies:

  • Fines can follow any violation of the International Emergency Economic Powers Act (IEEPA), Trading with the Enemy Act (TWEA), Specially Designated Nationals and Blocked Persons List (SDN List) or embargoes with jurisdictions such as Iran, North Korea, and Syria. Your counsel, insurers and third parties involved in ransom. payment should all be familiar with the requirements therein.
  • Businesses are encouraged to implement and maintain a compliance program to avoid sanction-related violations, which can help mitigate civil monetary penalties in the event of a sanctions-related violation.
  • Businesses should routinely review with their insurers and brokers if and how the ransom payment process is impacted by this and any future advisory.
  • Sharing ransomware incident information with relevant government agencies, including OFAC and the FBI, is highly encouraged but not required.  Cooperation is critical to not only threat actor identification efforts, but, like a formal compliance program, can mitigate penalty in the event of an enforcement action for a sanctions-related violation.

The Result

OFAC’s advisory continues an established narrative of best practices for any company affected by ransomware, and those are the practices of our firm.  If your company finds itself under attack, look to experienced incident response lawyers, like Beckage, to help.  As noted in the advisory, “there was a 37 percent annual increase in reported ransomware cases [from 2018 to 2019] and a 147 percent annual increase in associated losses from 2018 to 2019,” and these numbers are expected to continue to rise.  By looking to experienced tech lawyers in incident response, you help your business mitigate risks associated with ransomware, including business interruption, reputational harm, and non-compliance with government standards for ransom payment.

Have your technology and incident response lawyers help establish, formalize, and update your corporate Information Security Practices and Incident Response Plan, to address legal requirements and changes in the law and to help your business avoid ransomware, or at least be fully prepared to respond to an incident.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

0
Small BusinessData Breach Risks for Small & Medium Sized Businesses

Data Breach Risks for Small & Medium Sized Businesses

Today, small and medium sized businesses (SMBs) are sometimes at a greater risk of cyber-attacks and security breaches than large enterprises and corporations. Seventy-one percent of cyber-attacks happen at businesses with less than one hundred employees due to less secure networks, lack of time, budget constraints, and limited resources for proper security. Other factors, such as not having an IT network specialist, being unaware of risks associated with cyber security, lack of employee training on cyber security practices and protocols, failure to update security programs, outsourcing security, and failure to secure endpoints may play a role in the increased cyber-attacks on SMBs.

Common Cyber Attacks on SMBs:

  1. Advanced Persistent Threats. These are passive cyberattacks in which a hacker gains access to a computer or network over a long period of time with the intent to gather information.
  • Phishing. Criminals utilize phishing, via email or other communication methods, to induce users to perform a certain task. Once the target user completes the task, such as opening a link or giving personal information, the hacker can gain access to private systems or information.
  • Denial of Service Attacks (DoS, DDoS). Hackers will deny service to a legitimate user through specially crafted data that causes an error within the system or flooding that involves overloading a system so that it no longer functions. The hacker forces the user to pay a fee in order to regain working order of the system.
  • Insider Attacks. An insider attack may occur when employees do not practice good cyber safety resulting in stolen and/or compromised data.
  • Malware. Malware may be downloaded to the computer without the user knowing, causing serious data or security breaches.
  • Password Attacks. Hackers may use automated systems to input various passwords in an attempt to access a network. If successful in gaining network access, hackers can easily move laterally, gaining access to even more systems.
  • Ransomware. Ransomware is a specific malware that gathers and encrypts data in a network, preventing user access. User access is only restored if the hacker’s demands are met.

To help ensure your business is protected, it is important to know and understand the different ways hackers can gain access to a network and pose a threat to the data security of the business.

Some Ways SMEs Can Help Avoid Being a Victim of Cyber-Attacks

  1. Understand Legal Requirements

Often, SMBs are unaware of cybersecurity best practices, so they rely on vendors without first determining what their legal obligation is to have certain cybersecurity and data privacy practices in place. Some laws dictate what steps an organization are required to take. Thus, it is prudent for a company to develop a plan with legal counsel and then identify the ideal vendors to help execute that plan.

  • Use a Firewall

Firewalls are used to prevent unauthorized access to or from a private network and prevent unauthorized users from accessing private networks connected to the internet, especially intranets. The Federal Communications Commission (FCC) recommends all SMBs set up a firewall, both externally and internally, to provide a barrier between your data and cybercriminals.

  • Document Cybersecurity Policies

It is critical as a business to document your cybersecurity protocols. As discussed above, there may even be legal obligations to do so. There are many sources available that provide information on how to document your cybersecurity. The Small Business Administration (SBA) Cybersecurity portal provides online training, checklists, and information specific to protecting small businesses. The FCC’s Cyberplanner 2.0 provides a starting point for security documents and the C3 Voluntary Program for Small Businesses contains a detailed toolkit for determining and documenting the cybersecurity practices and policies best suited for your business.

  • Plan for Mobile Devices

With technology advancing and companies allowing employees to bring their own devices to work, it is crucial for SMBs to have a documented written policy that focuses on security precautions and protocols surrounding smart devices, including fitness trackers and smart watches. Employees should be required to install automatic security updates and businesses should implement (and enforce) a company password policy to apply to all mobile devices accessing the network.

  • Educate Employees on Legal Obligations and Threats

One of the biggest threats to data security is a company’s employees, but they also can help be the best defense. It is important to train employees on the company’s cybersecurity best practices and security policies. Provide employees with regular updates on protocols and have each employee sign a document stating they have been informed of the business’ procedures and understand they will be held accountable if they do not follow the security policies. Also, employees must understand the legal obligations on companies to maintain certain practices, including how to respond to inquiries the business may receive from customers about their data.

  • Enforce Safe Password Practices

Lost, stolen, or weak passwords account for over half of all data breaches. It is essential that SMB password policies are enforced and that all employee devices accessing the company network are password protected. Passwords should meet certain requirements such as using upper and lower-case letters, numbers, and symbols. All passwords should be changed every sixty to ninety days.

  • Regularly Back Up Data

It is recommended to regularly back up word processing documents, electronic spreadsheets, databases, financial files, human resource files, and accounts receivable/payable files, as well as all data stored on the cloud. Make sure backups are stored in a separate location not connected to your network and check regularly to help ensure that backup is functioning correctly.

  • Install Anti-Malware Software

It is vital to have anti-malware software installed on all devices and the networks. Anti-malware software can help protect your business from phishing attacks that install malware on an employee’s computer if a malicious link is clicked.

  • Use Multifactor Identification

Regardless of precautions and training, your employees will likely make security mistakes that may put data at risk. Using multifactor identification provides an extra layer of protection.

Both technology and cybercriminals are becoming more advanced every day. Cyber security should be a top priority for your SMB. The right technology experts can help identify and implement the necessary policies, procedures, and technology to protect your company data and networks.

Beckage is a law firm focused on technology, data security, and privacy. Beckage has an experienced team of attorneys, who are also technologists, who can help educate your company on the best practices for data security that will help protect you from any future cyber-attacks and data security threats.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Subscribe to our Newsletter.

DFSLessons Learned from DFS’s First Enforcement Action Under the DFS Cybersecurity Regulation

Lessons Learned from DFS’s First Enforcement Action Under the DFS Cybersecurity Regulation

The DFS Cybersecurity Regulation 22 NYCRR 500 (“Regulation”) requires businesses operating under NY banking, insurance, and finance laws to implement and maintain certain cybersecurity practices, including risk assessments, documentation of security policies, management of third-party providers, and set strict requirements for data breach reporting.  Even though the Regulations were issued in March 2017, they did not become fully effective until March of 2019, following a two-year phased implementation process.

On Wednesday, July 22, the Department of Financial Services (“DFS”) filed its first enforcement action against a leading title insurance provider alleging multiple violations of the Regulation.  This enforcement action provides important guidance to those covered entities subject to the Regulation and signals that the DFS is now ready to actively begin enforcing it.  This, of course, comes at an interesting time given the heightened risks and challenges organizations face because of the COVID-19 pandemic.

Enforcement Action Summary

The enforcement action at issue alleges that a vulnerability resulted in the exposure of millions of files that included consumers’ bank account numbers, mortgage and tax records, social security numbers, wire transaction receipts, and driver’s license images.  Of note, the DFS alleges that the respondent:

1. Failed to follow its own policies to conduct a security review and risk assessment of the vulnerability and the exposed information.

2. Misclassified the vulnerability within the system as “low” severity and failed to investigate the vulnerability within its own defined time period.

3. Failed to conduct a reasonable investigation into the scope and cause of the exposure after the data exposure was discovered.

4. Failed to follow the recommendations of its internal cybersecurity team to conduct a further investigation into this vulnerability.

5. Did not implement centralized and coordinated training to protect against the unauthorized exposure of sensitive information.

The DFS alleges that these errors not only led to a data exposure that lasted a few years but also violated six provisions of the DFS’s Cybersecurity Regulation including:

1. Section 500.02 requiring a cybersecurity program informed by risk assessment

2. Section 500.03 requiring a written policy approved by a senior officer of the board of directors

3. Section 500.07 requiring access controls

4. Section 500.09 requiring periodic risk assessments

5. Section 500.14(b) requiring regular training

6. Section 50015 requiring encryption in transit and at rest

The Regulation is pursuant to Section 408 of the Financial Services Law, which carries penalties of up to $1,000 per violation in respect to a financial product or service, including title insurance. The DFS alleges that each instance of Nonpublic Information within the charges constitutes a separate violation carrying up to $1,000 in penalties per violation.  This action is scheduled for a hearing before NYDFS beginning on October 26, 2020.

The full DFS press release on its enforcement action is available here.

Lessons Learned

Businesses should follow their own policies, focus on employee training, and employ people who are well adverse in data security and privacy.

-Businesses should not underestimate the level of risk associated with vulnerabilities.

-Business must follow their own cybersecurity policies and related internal policies and procedures.  If representations are made throughout policies, it is critical that they are adhered to.  For example, if the policy commits to performing a risk assessment, it is imperative that the business carry out its commitment and perform the risk assessment.

-Vulnerabilities must be regularly reviewed and identified.  They must be taken seriously, and any security lapses must be addressed.

At Beckage, our lawyers are also technologists and are highly knowledgeable in cybersecurity and data privacy and regulatory compliance. We have worked with numerous businesses on DFS inquiries and regulatory compliance efforts including policy development and training.  Our team can help your company mitigate risks, while assessing the effectiveness of your cybersecurity program. Beckage will help you better understand the Regulation’s requirements and legal implications while also helping reduce risk and manage privacy matters.

*Attorney Advertising. Prior results do not guarantee a similar outcome.*

Subscribe to our newsletter.

Social MediaSocial Media in the Workplace? Here’s How to Make it Work.

Social Media in the Workplace? Here’s How to Make it Work.

Twitter, Instagram and Facebook are now an everyday part of our lives, and that includes in the workplace. But while social media can be an excellent communication and marketing tool for businesses, personal use of social media at work can interfere with productivity and pose some serious data and cybersecurity risks. So how can businesses mitigate these risks and help make sure the company isn’t trending for all the wrong reasons?

Create an Acceptable Media Use Policy

Make sure you have a clearly outlined social media use policy in place, such as an Acceptable Media Use Policy. These policies typically warn employees that they:

o May not divulge trade secrets or confidential or proprietary information online

o Can be held accountable for content they post on the Internet—whether in the office, at home or on their own time—particularly if something they post or share violates other company policies

o May need approval (from a specific person or department) before posting certain types of information that could be associated with the organization, employees or customers

The most successful social media use policies also:

o Explain employee productivity expectations in conjunction with social media habits

o Provide examples of policy violations

o Explain disciplinary measures for policy violations

Overall, employees need to understand that they are ambassadors for the organization’s corporate brand. What they write on social media could be disseminated to the world—even if they only share it with their “friends.” Encourage employees to think twice before posting comments they would not say out loud or that they would not want their CEO or grandparents to see. Employees should be encouraged to use disclaimers and speak in the first person to make it clear that any opinions expressed are not those of their employer.

A note for unionized workforces: Employers operating in union environments need to be mindful of additional requirements that may impact their policies under the National Labor Relations Act (NLRA).  Under the NLRA, policies that are too broad or too restrictive might interfere with a workers’ right to complain about their employer and discuss the terms and conditions of employment with other employees. Always review any policies with counsel before implementing to make sure they are suitable for your particular circumstance.

Make Training Mandatory

Even the best social media policies won’t go far if employees aren’t properly trained on social networking’s benefits and pitfalls. Training should be succinct and interactive, including real -examples and table-top exercises on both the specifics of your social media use policy and more general best practices for using social media responsibly.

At Beckage, we encourage employers to leverage training such as Cybersecurity Best Practices 101, which covers topics like network security and protecting confidential and proprietary information. Organizations must educate employees about how a downloaded application or even a simple click can infect computers and the network at large. A critical concern about social networking platforms is that they encourage people to share personal information. Even the most cautious and well-meaning people can give away the wrong kind of information on company-approved social networking platforms.

Address Negative Incidents Promptly

If it seems like an employee is misusing social media at work or there’s a negative incident, it’s important to promptly investigate, document all conversations, review internal policies and procedures and take disciplinary action if warranted.

But be aware that workers’ speech is protected in certain situations. In addition to the National Labor Relations Act, federal and state employment laws protect employees who complain about harassment, discrimination, workplace safety violations and other issues.

Be Careful Using Social Media During the Hiring Process

Employers must exercise caution when using social networks during the recruiting or hiring processes. Social media can play a role in the screening process, but employers should consider when and how to use social media this way and weigh potential legal pitfalls.  For example, a candidate could claim that a potential employer did not offer a job because of legally protected information found on a social networking site (such as race, ethnicity, age, associations, family relationships or political views)

In short, successfully managing social media in the workplace comes down to the employer’s policy: in today’s workplace all employers should have a robust policy, train on it annually, and then consistently enforce it. If you’re not sure where to start, turn to experienced legal counsel to craft a social media policy that works for your company culture and brand. The experienced team at Beckage PLLC can help navigate state and federal laws, pinpoint potential social media pitfalls, and ultimately set your employees on the path to social media savvy.

*Attorney Advertising. Prior results do not guarantee a similar outcome.

Subscribe to our newsletter.

1 2 3