Monthly Archives: April 2015

HHS Reaches Settlement with Pharmacy Over Disposal Issues

The Department of Health and Human Services (“HHS”) recently announced a resolution agreement and $125,000 settlement with Cornell Prescription Pharmacy (“Cornell”) in connection with the disposal of prescription records in an unsecured dumpster on Cornell’s premises. After receiving a report from a Denver television station regarding Cornell’s disposal practices, the HHS’ Office for Civil Rights (“OCR”) investigated Cornell and found several HIPAA Privacy Rule violations, including that Cornell had failed to:

  • reasonably safeguard protected health information (“PHI”);
  • develop and implement policies and procedures to comply with the HIPAA Privacy Rule; and
  • provide appropriate training to its workforce.

In the resolution agreement, Cornell agreed to pay a $125,000 settlement to HHS and enter into a Corrective Action Plan that requires Cornell to:

  • develop and maintain HIPAA Privacy Rule policies and procedures that state that “paper PHI intended for disposal shall be shredded, burned, pulped, or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed;”
  • submit those policies and procedures to OCR for review and approval, and distribute them thereafter;
  • provide training for its workforce;
  • report any events of noncompliance with its HIPAA Privacy Rule policies and procedures; and
  • submit annual compliance reports to HHS for a period of two years.

In the Bulletin accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that “[r]egardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons.”

The settlement with Cornell highlights the importance of the proper disposal of pharmacy records and comes just three months after Safeway settled a case in California that involved the disposal of its pharmacy customers’ confidential information in the company’s dumpsters.

View the resolution agreement.

Sotto Named Among National Law Journal’s “Outstanding Women Lawyers”

Hunton & Williams LLP announces Lisa J. Sotto, head of the firm’s Global Privacy and Cybersecurity practice and managing partner of the New York office, has been named to The National Law Journal’s “Outstanding Women Lawyers” list. The listing, composed of 75 of the most accomplished female lawyers today, includes women who have surpassed their peers based on their excellence in professional practice, development of new areas of law, leadership roles and influence.

“Lisa is a trailblazer in the field of privacy law and an invaluable asset to our firm and our clients,” said Wally Martinez, managing partner of Hunton & Williams. “This recognition is well deserved and we congratulate her.”

Sotto had the foresight more than a dozen years ago to build what has become one of the world’s best-known privacy and data security practices and to co-found the Centre for Information Policy Leadership, a think tank within Hunton & Williams that works with member companies and data protection authorities worldwide to develop the next generation of information privacy rules.

Read the full press release.

ICO Publishes Summary of Responses to its Big Data Report

On April 10, 2015, the UK Information Commissioner’s Office (“ICO”) published a summary of the feedback received from its July 28, 2014 report on Big Data and Data Protection (the “Report”). The ICO plans to revise its Report in light of the feedback received on three key questions and re-issue the Report in the summer of 2015. Below are key highlights set forth in the summary, entitled “Summary of feedback on Big Data and data protection and ICO response” (“Summary of Feedback”).

Question 1: Does the paper adequately reflect the data protection issues arising from big data or are there other relevant issues that are not covered? If so, what are they?

  • Assessing the impacts and benefits of big data analytics is important and plays a critical role in determining whether processing is fair. The impact on individuals depends on the sensitivity of the intended data use.
  • There was agreement that big data requires a regulatory focus on the use, rather than collection, of data. Respondents expressed, however, that while applying data protection principles, such as providing notice or seeking consent, in the context of big data is challenging, it is still necessary. They also found that regulation should focus on data use and on potential harms.
  • The Report focuses too much on consent as a condition to processing personal data and there is not enough recognition of the relevance of the “legitimate interests” condition for processing. According to the Summary of Feedback, the ICO did not mean to imply that consent is the only or the most important condition for processing.
  • The Report lacks clarity on the distinction between public sector and private sector uses of big data.
  • Anonymization is an important issue in connection with big data analysis, in part because decisions based on the analysis of anonymized data can impact individuals.

Question 2: Should the ICO produce further guidance documents to help organizations that are doing big data analytics to meet data protection requirements? If so, what should they cover?

In response to this question, the main items raised by respondents included:

  • Cost benefit analysis in the context of big data
  • Practical and technical guidance on particular technologies
  • What the EU General Data Protection Regulation will mean for big data analytics
  • Encryption and deletion of records in the cloud
  • How to communicate future data uses in privacy notices

Question 3: Are additional practical measures and tools (in addition to anonymization, privacy impact assessments, privacy by design, privacy notices, data portability and privacy seals) needed to help protect data privacy in the context of big data analytics? If so, what are they?

  • Privacy engineering to implement privacy by design
  • Technical security measures to protect data
  • The assessment of impact and benefits and privacy risk assessments

The ICO plans to hold a seminar on privacy and big data later in 2015.

Data Security Act Introduced in New York State Assembly

On April 8, 2015, a New York Assemblyman introduced the Data Security Act in the New York State Assembly that would require New York businesses to implement and maintain information security safeguards. The requirements would apply to “private information,” which is defined as either:

  • personal information consisting of any information in combination with one or more of the following data elements, when either the personal information or the data element is not encrypted: Social Security number; driver’s license number or non-driver identification card number; financial account or credit or debit card number in combination with any required security code or password; or biometric information;
  • a user name or email address in combination with a password or security question and answer that would permit access to an online account; or
  • unsecured protected health information (as that term is defined in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule).

The Data Security Act obligates entities to develop an information security program that includes:

  • administrative safeguards, such as conducting risk assessments, training employees and selecting service providers capable of maintaining appropriate safeguards;
  • technical safeguards, such as assessing risks in network and software design and regularly testing and monitoring the effectiveness of key controls; and
  • physical safeguards, such as disposing of electronic media so that the information cannot be read or reconstructed.

The Data Security Act deems certain specific entities in compliance with the law’s requirements, such as financial institutions that comply with the Gramm-Leach-Bliley Act, HIPAA-regulated entities, and entities that comply with NIST Standards. Entities that comply with the latest version of NIST Special Publication 800-53 are also immune from any civil liability under the Act.

The Data Security Act establishes a rebuttable presumption that an entity that obtains an independent third party certification complies with the requirements of the law. The New York Attorney General is empowered to enjoin any violations of the Data Security Act, and can obtain civil penalties of $250 for each person whose private information was compromised, up to a maximum of $10 million. For knowing and reckless violations, these amounts can increase to $1,000 for each affected person up to a total of the higher of $50 million or three times the aggregate amount of any actual costs and losses.

The Data Security Act also amends New York’s breach notification law by using the expanded definition of “private information” discussed above. Previously, New York’s law did not cover breaches involving biometric information, user names and passwords, or protected health information.

Privacy Group Requests D.C. Circuit Review Regarding Lack of Privacy Rules in the FAA’s Proposed Drone Regulations

On March 31, 2015, the Electronic Privacy Information Center (“EPIC”) filed a petition (the “Petition”) with the U.S. Court of Appeals for the District of Columbia Circuit accusing the Department of Transportation’s Federal Aviation Administration (“FAA”) of unlawfully failing to include privacy rules in the FAA’s proposed framework of regulations for unmanned aircraft systems (“UAS”), otherwise known as drones. The Petition stems from the FAA’s November 2014 denial of another EPIC petition calling for the FAA to address the threat to privacy and civil liberties associated with the deployment of aerial drones within the U.S.

On February 23, 2015, the FAA published a notice of proposed rulemaking that proposes a framework of regulations (the “Proposed Framework”) to allow the routine use of certain small UAS in the National Airspace System (“NAS”). The Proposed Framework was promulgated under the FAA Modernization and Reform Act of 2012, which directed the Secretary of Transportation to (1) issue a final rule on small unmanned aircraft systems that will allow for civil operations of such systems in the NAS, and (2) determine whether certain UAS may operate safely in the NAS, and if so, to establish requirements for the safe operation of such UAS. The FAA’s Proposed Framework does not, however, include privacy requirements, finding that privacy concerns are beyond the scope of the rulemaking and pointing to state privacy laws and other legal protections as a potential recourse.

In the Petition, EPIC accuses the FAA of unlawfully failing to create drone privacy rules, which EPIC claims was required under the FAA Modernization and Reform Act of 2012. The Petition requests that the circuit court set aside the Proposed Framework and instruct the FAA to conduct further proceedings to explicitly address privacy concerns in the Framework.

Although not addressed in the Proposed Framework, drone privacy concerns have not gone unnoticed. In conjunction with the Proposed Framework, on February 15, 2015, the White House released a Presidential Memorandum addressing the privacy, civil rights and civil liberties concerns associated with UAS, and tasking the Department of Commerce with establishing a multistakeholder engagement process to develop a framework regarding privacy, accountability and transparency for commercial and private UAS use. On March 4, 2015, the U.S. Department of Commerce’s National Telecommunications and Information Administration announced a new multistakeholder process seeking comments on best practices concerning privacy, transparency and accountability issues related to the use of commercial and private UAS.

Antivirus Pro 2015

Antivirus Pro 2015 is a fake Antivirus tool. It is from the same rogue family as AntiVirus Plus 2014, Smart Security, Internet Security, Privacy Protection, Security Protection, Malware Protection, Spyware Protection, Advanced Security Tool 2010, Security Central, Home Personal Antivirus, XP Deluxe Protector, Win PC Antivirus, Win PC Defender, XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009.

The rogue reports fake infections and prevents legitimate software from executing, displaying alert messages to scare users.

House of Representatives Passes Two Cybersecurity Bills

The House of Representatives passed two complementary bills related to cybersecurity, the “Protecting Cyber Networks Act” (H.R. 1560) and the “National Cybersecurity Protection Advancement Act of 2015” (H.R. 1731). These bills provide, among other things, liability protection for (1) the use of monitoring and defensive measures to protect information systems, and (2) the sharing of cybersecurity threat information amongst non-federal entities and with the federal government. With the Senate having just recently overcome disagreement on sex trafficking legislation and the Attorney General nomination, that body is now expected to consider similar information sharing legislation entitled the “Cybersecurity Information Sharing Act” (S. 754) in the coming weeks. Assuming S. 754 also is passed by the Senate, the two Chambers of Congress will convene a Conference Committee to draft a single piece of legislation, which will then be voted on by the House and Senate before heading to the President’s desk. The White House has not committed to signing any resulting legislation, but has signaled some positive support.

H.R. 1560, passed by the House on April 22, provides liability protection for companies and other non-federal entities that share cybersecurity threat information with each other and with civilian agencies in the federal government – in other words, agencies other than the Department of Defense (“DoD”) and its National Security Agency (“NSA”). H.R. 1560, however, also authorizes a government agency receiving cybersecurity threat information to instantly share that information with any other appropriate federal agency, including the DoD and NSA. Sponsored by Representatives Devin Nunes (R-CA) and Adam Schiff (D-CA), the Chairman and Ranking Member of the House Intelligence Committee, H.R. 1560 enjoyed strong bipartisan support throughout the legislative process, reflected in the House’s 307-116 vote. Representatives Joe Barton (R-TX) and Diana DeGette (D-CO), the co-chairs of the Congressional Bipartisan Privacy Caucus, both voted against the bill, however, as did Congressman Jared Polis (D-CO), who said H.R. 1560 “falls short of its goals and likely does more than good . . . [by] raising enormous concerns about the inappropriate sharing of personal information and surveillance on Americans’ private lives.”

The next day, the House passed H.R. 1731, a bill sponsored by Representative Michael McCaul (R-TX), Chairman of the House Homeland Security Committee, which designates the U.S. Department of Homeland Security’s (“DHS”) National Cybersecurity and Communication Integration Center as the lead federal civilian interface for cybersecurity threat information sharing. As with H.R. 1560, H.R. 1731 also allows DHS to instantly share cybersecurity threat information it receives with any appropriate federal agency, including the NSA. Strong bipartisan support allowed the House to pass information sharing legislation with an overwhelming majority, 355 to 63. During consideration of the bill, a series of amendments were adopted, including one refining the definition of cyber “incident” to explicitly restrict information sharing to incidents that are directly related to protecting information systems.

House leadership’s decision to act on H.R. 1560 and H.R. 1731 as part of the House’s “Cyber Week” comes amid concern that upcoming Congressional action to reauthorize PATRIOT Act provisions set to expire on June 1 could bog information sharing legislation down in debate on NSA reform. Notably, information sharing legislation was effectively foreclosed in the last Congress when an NSA reform bill was voted down in the Senate late in 2014. As noted by H.R. 1560’s co-sponsor Rep. Schiff, however, himself a privacy advocate, “[t]he prospects for successful passage of cyber legislation has gone up dramatically.”

FTC Reaches Settlement in First Enforcement Action Against a Retail Tracking Company

On April 23, 2015, the Federal Trade Commission (“FTC”) announced that Nomi Technologies (“Nomi”) has agreed to settle charges stemming from allegations that the company misled consumers with respect to their ability to opt out of the company’s mobile device tracking service at retail locations. The settlement marks the FTC’s first Section 5 enforcement action against a company that provides tracking services at retailers.

Nomi provides a customer analytics service called “Listen” to brick and mortar retailers through the use of mobile device tracking technology. As part of this service, Nomi deploys sensors to its clients’ retail locations to help track consumers’ movements through their stores. According to the FTC complaint, these sensors detect the media access control (“MAC”) address of mobile devices searching for WiFi networks at the locations in order to collect information about customer traffic. Notably, the FTC alleged that despite Nomi using a hashing technique to obfuscate the MAC address of each consumer’s mobile device, the hash still constituted a persistent unique identifier for that mobile device that allowed the company to track consumers.
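The FTC’s point that a hashed MAC address remains a persistent identifier is easy to show in code. The following is an added illustration, not Nomi’s code: an unkeyed hash of a MAC is the same on every visit in every store, whereas a keyed hash under a per-epoch secret that is discarded at the end of the epoch still supports counting unique visitors within the epoch but cannot link a device across epochs. The MAC addresses are constructed sample values.

```python
"""Persistent hashed-MAC identifier versus a per-epoch keyed token.
Added illustration of the point above, not Nomi's code; the MAC
addresses below are constructed sample values."""
import hashlib
import hmac
import secrets

# Constructed: two devices passing a sensor, device A seen more than once.
DEVICE_A = "00:11:22:33:44:55"
DEVICE_B = "66:77:88:99:aa:bb"


def plain_hash(mac):
    """Unkeyed SHA-256 of the MAC. Identical for the same device on every
    visit, in every store, indefinitely, so it identifies the device just as
    well as the raw MAC does (and the MAC space is small enough that such a
    hash can also be inverted by enumeration, so it is not anonymisation)."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()


def new_epoch_key():
    """Fresh 256-bit secret for one epoch (for example one day); it must be
    destroyed when the epoch ends so old tokens become unlinkable."""
    return secrets.token_bytes(32)


def epoch_token(mac, epoch_key):
    """Keyed hash (HMAC-SHA-256) under the current epoch key: stable within
    the epoch, so distinct visitors can still be counted, but unrelated to
    the token the same device gets under the next epoch's key."""
    return hmac.new(epoch_key, mac.lower().encode(), "sha256").hexdigest()


def unique_visitors(macs, tokenize):
    """Count distinct devices in one epoch's sightings under a tokenizer."""
    return len({tokenize(m) for m in macs})


def cross_epoch_linkable(macs_day1, macs_day2, tokenize_day1, tokenize_day2):
    """True if any identifier produced on day 1 reappears on day 2, i.e. the
    scheme lets the operator follow a device from one epoch to the next."""
    day1_ids = {tokenize_day1(m) for m in macs_day1}
    day2_ids = {tokenize_day2(m) for m in macs_day2}
    return bool(day1_ids & day2_ids)


def demo():
    """Run both schemes over the same constructed sightings.
    Returns (plain_hash_linkable, keyed_token_linkable, day1_unique_visitors)."""
    day1 = [DEVICE_A, DEVICE_B, DEVICE_A]
    day2 = [DEVICE_A]
    plain = cross_epoch_linkable(day1, day2, plain_hash, plain_hash)
    key_day1, key_day2 = new_epoch_key(), new_epoch_key()
    keyed = cross_epoch_linkable(
        day1, day2,
        lambda m: epoch_token(m, key_day1),
        lambda m: epoch_token(m, key_day2),
    )
    visitors = unique_visitors(day1, lambda m: epoch_token(m, key_day1))
    return plain, keyed, visitors


if __name__ == "__main__":
    print(demo())  # (True, False, 2)
```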

According to the FTC’s complaint, Nomi collected information on about nine million mobile devices within the first nine months of 2013. The complaint also alleged that during this time, consumers had the ability to opt out of Nomi’s service through the company’s website, but could not opt out at the retail locations that used the Listen service despite an explicit promise in Nomi’s privacy policies that consumers could opt out at the retail locations. From at least November 2012 until October 22, 2013, Nomi’s privacy policies on its websites allegedly represented that the company “pledges to . . . [a]lways allow consumers to opt out of Nomi’s service on its website as well as at any retailer using Nomi’s technology.”

Based on this single statement in the company’s privacy policies, the FTC claimed that Nomi had engaged in unfair or deceptive acts or practices in violation of Section 5 of the FTC Act as a result of the company’s failure to (i) provide an in-store opt-out mechanism for its tracking service at its clients’ retail locations, and (ii) disclose to consumers that the service was being used at a retail location.

The FTC’s vote to issue the complaint and accept the proposed consent order was 3-2, with Commissioners Maureen K. Ohlhausen and Joshua D. Wright dissenting. The consent order prohibits Nomi from misrepresenting consumers’ options for controlling whether information is collected, used, disclosed or shared about them or their computers or other devices, as well as the extent to which consumers will be notified about the company’s information practices.

FCC Joins Asia Pacific Privacy Forum

On April 15, 2015, the Federal Communications Commission (“FCC”) announced that it has joined the Asia Pacific Privacy Authorities (“APPA”), the principal forum for privacy authorities in the Asia-Pacific Region. APPA members meet twice a year to discuss recent developments, issues of common interest and cooperation. The FCC now joins the Federal Trade Commission as the U.S. representatives to APPA.

Travis LeBlanc, Chief of the FCC’s Bureau of Enforcement, said in the FCC’s press release that “threats to consumer privacy and data security do not respect international borders” and “it is critical that we collaborate closely with law enforcement and privacy authorities in the United States and around the globe.” The APPA platform will allow the agency “to leverage regional expertise and exchange ideas about data protection, cross-jurisdiction law enforcement, and the management of consumer privacy complaints.”

The FCC’s decision to join APPA is the latest in a number of initiatives to increase its visibility in consumer privacy and data security issues both domestically and abroad. The FCC also is a part of the Global Privacy Enforcement Network, a network of approximately 50 privacy enforcement authorities from around the world. In April 2015, the FCC settled its largest privacy and data security enforcement action to date when it reached a $25 million settlement with AT&T Services, Inc. stemming from allegations that the company failed to protect the confidentiality of consumers’ personal information.

A new option to stem the tide of nefarious Twitter images…

Smoothwall's team of intrepid web-wranglers have recently noticed a change in Twitter's behaviour. Where once it was impossible to differentiate the resources loaded from twimg.com, Twitter now includes some handy sub-domains so we can differentiate the optional user-uploaded images from the CSS, buttons, etc.

This means it's possible to prevent twitter loading user-content images without doing HTTPS inspection - something that's a bit of a broad brush, but given the fairly hefty amount of adult content swilling around Twitter, it's far from being the worst idea!

Smoothwall users: Twitter images are considered "unmoderated image hosting" - if you had previously made some changes to unblock CSS and JS from twimg, you can probably remove those now.

French Data Protection Authority Unveils 2014 Annual Activity Report

On April 16, 2015, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2014 (the “Report”) highlighting its main accomplishments in 2014 and outlining some of the topics it will consider further in 2015.

The Report presents the results of the inspections conducted by the CNIL to assess compliance with its cookie law guidance issued in December 2013. The inspections revealed that most websites with a wide audience posted a cookie banner and obtained users’ consent for the use of cookies and similar technologies by following a two-step approach, as recommended by the CNIL. However, the inspections also revealed that cookies are almost always placed on users’ devices as soon as users visit a homepage, in the absence of any action from users indicating that they consent to the use of cookies. In addition, the CNIL noted that several websites still advise users that they may opt out of having cookies on their website by simply blocking all cookies in their web browser. In the CNIL’s view, such a solution is inadequate since users must be able to (1) accept or refuse cookies based on the purpose or type of cookie and (2) use the website even if they refuse cookies. Further, the CNIL noted that many cookies had a lifespan equal to or exceeding two years, whereas the CNIL’s guidance makes it clear that cookies should be programmed to expire 13 months after they are placed on a user’s device.
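The lifespan finding above is one a site operator can check from its own response headers. The following is an added example, not CNIL tooling: it parses the Set-Cookie headers returned by a homepage on a first, consent-less visit and flags every cookie whose expiry lies beyond 13 months from the visit. The headers and the visit date are constructed sample values, and the 13-month limit is the one from the CNIL guidance cited above.

```python
"""Flag cookies that outlive the 13-month limit in the CNIL cookie guidance.
Added example, not CNIL tooling; the Set-Cookie headers and the visit date
below are constructed sample values."""
import calendar
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_LIFESPAN_MONTHS = 13  # limit stated in the CNIL guidance

# Constructed sample: headers returned by a homepage before any consent action.
SAMPLE_SET_COOKIE = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",                 # session cookie, no expiry
    "_ads_uid=77e1; Max-Age=63072000; Path=/",                     # 2 years in seconds
    "prefs=fr; Expires=Tue, 01 Mar 2016 00:00:00 GMT; Path=/",    # under 13 months
    "stats=1; Expires=Thu, 01 Jun 2017 00:00:00 GMT; Path=/",     # over 2 years
]
SAMPLE_NOW = datetime(2015, 4, 16, tzinfo=timezone.utc)  # constructed visit date


def add_months(dt, months):
    """Shift dt forward by whole months, clamping the day to the target month's length
    (so 31 January + 1 month is 28 February, not an invalid date)."""
    month0 = dt.month - 1 + months
    year = dt.year + month0 // 12
    month = month0 % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookie_expiry(attrs, now):
    """Absolute expiry of a cookie, or None for a session cookie.
    Max-Age takes precedence over Expires, as RFC 6265 specifies."""
    if "max-age" in attrs:
        return now + timedelta(seconds=int(attrs["max-age"]))
    if "expires" in attrs:
        return parsedate_to_datetime(attrs["expires"])
    return None


def audit_cookies(headers, now):
    """Return {cookie name: finding} for every cookie set beyond the 13-month limit
    measured from the visit time `now`."""
    limit = add_months(now, MAX_LIFESPAN_MONTHS)
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        expiry = cookie_expiry(attrs, now)
        if expiry is not None and expiry > limit:
            findings[name] = f"expires {expiry.date()}, beyond the 13-month limit ({limit.date()})"
    return findings


if __name__ == "__main__":
    for name, finding in audit_cookies(SAMPLE_SET_COOKIE, SAMPLE_NOW).items():
        print(f"{name}: {finding}")
```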

Topics the CNIL will examine further in 2015 include connected vehicles and the role of personal data in the cultural and entertainment content market.

Other key highlights from the Report include:

  • In 2014, the CNIL received 5,825 complaints (a slight increase of 3% compared to 2013). 39% of these complaints (which is a plurality of the complaints) concerned the Internet sector and were related to e-reputation issues, such as deleting text, photographs, videos, contact information, comments, fake online profiles, and the reuse of publicly available data on the Internet. 16% of the complaints concerned marketing issues, such as de-listing from advertising registers, objections to receiving marketing emails, and the retention of banking data. 14% of the complaints were filed by employees or trade unions in relation to HR issues, such as video or cyber surveillance, geolocation, and access to an employee’s professional file. In all sectors, the main causes for complaints were the objection to appearing in a register and the difficulties individuals faced in obtaining a copy of their personal data. The number of complaints is likely to grow in 2015 because, since April 2015, the CNIL has extended the possibility for individuals to file their complaints online (such as those that deal with the difficulty of having their personal data deleted from websites, blogs, forums, social networks or search engines, or in the case of employee monitoring).
  • In 2014, the CNIL conducted 421 inspections of organizations, including 58 online inspections. Only 18 proposed penalties were examined by the CNIL (compared to 14 proposed penalties in 2013) and eight fines were imposed since, in most cases, organizations decided to comply with French data protection law following a complaint or an inspection.

Finally, the Report also discusses further developments at the national and international levels, including the implementation of the right to be de-listed from search results and the slight progress made on the Proposed EU General Data Protection Regulation.

Betabot retrospective

Some of you know Betabot; if you don't, see http://www.ic3.gov/media/2013/130918.aspx

Screenshots of the 1.0.2.5 panel (images not reproduced): dashboard; extended information; search options; tasks, including remove bot, terminate bot till next reboot, botkill, Socks4, set browser homepage, visit URL, update bot, download file and DDoS cmd; formgrabber logs; logins; users; settings, including the IP blacklist and the list of DNS records to modify; help.

Screenshots of the 1.5.0.0 panel (images not reproduced): tasks, statistics, files, users notice and AV checker.

Screenshots of the 1.7.0.1 panel (images not reproduced).

The botmaster was running a support site at the URL betabot.ru that I monitored since... I don't know, almost the beginning, till the end.
I really collected a lot of data and was constantly flagging new C&C URLs even before they were active.


Screenshots (images not reproduced): inquiries sent to the Betabot team before they started the support forum; the site structure; some client kits.

Finally, some people got busted using this information.
If you want an example: 'Spit Fyre', ex super moderator at Trojanforge, who resides in the same country as me.
If you wonder why he disappeared, you know why now.

Screenshot (image not reproduced): Spit Fyre requesting an admin of Hackyard to delete his account after he got cops at the door.

Some of his domains:

Anyway, it's useless to talk about him and the other Betabot clients who had visits; the current status of Betabot is stalled now, and someone even made a builder for the 1.7.0.1 version.
Betabot was a creative malware, plagued by bugs though.

Washington State Senate Approves Amendment to Data Breach Notification Law

On April 13, 2015, the Senate of Washington State unanimously passed legislation strengthening the state’s data breach law. The bill (HB 1078) passed the Senate by a 47-0 vote, and as we previously reported, passed the House by a 97-0 vote.

The bill includes the following amendments to Washington’s existing data breach notification law:

  • Requires notification to the state attorney general in the event of a breach;
  • imposes a 45-day deadline for notification to affected residents and the state attorney general;
  • mandates content requirements for notices to affected residents, which must include (i) the name and contact information of the reporting business, (ii) a list of the types of personal information subject to the breach, and (iii) the toll-free telephone numbers and address of the consumer reporting agencies;
  • expands the current law to cover hard-copy data as well as “computerized” data;
  • introduces a safe harbor for personal information that is “secured,” which is defined to mean the data is encrypted in a manner that “meets or exceeds” the National Institute of Standards and Technology standard or is otherwise “modified so that the personal information is rendered unreadable, unusable, or undecipherable by an unauthorized person”; and
  • adds federal preemption language that would exempt certain covered entities from having to comply with Washington’s breach law.

The bill will now head to Governor Jay Inslee for consideration.

Update: On April 23, 2015, Governor Jay Inslee signed the bill into law.

Canada Joins the APEC Cross-Border Privacy Rules System

On April 15, 2015, the Asia-Pacific Economic Cooperation (“APEC”) Electronic Commerce Steering Group issued a press release announcing Canada’s participation in the APEC Cross-Border Privacy Rules (“CBPR”) System. The U.S. Department of Commerce’s International Trade Administration also released an official press statement.

The Findings Report of the Joint Oversight Panel for the APEC CBPR system, which confirmed that Canada had met the conditions for participation, was released earlier on April 1, 2015. Canada now joins the U.S., Mexico and Japan as a participant in the APEC CBPR system. Other APEC economies are in the process of determining how and when they may join.

Canada submitted its Letter of Intent to participate in the CBPR system to the Joint Oversight Panel in August 2014. As required by the applicable CBPR governance rules, Canada confirmed in its Letter of Intent that the Privacy Commissioner of Canada is a participant in the APEC Cross-Border Privacy Enforcement Arrangement, and indicated that it intends to make use of at least one APEC-recognized “Accountability Agent.” Accountability Agents are third party organizations that review and certify businesses for participation in the CBPRs. Canada also provided a description of its domestic laws and enforcement mechanisms that would apply to a Canadian Accountability Agent’s CBPR-related activities, as well as the required “APEC CBPR System Program Requirements Enforcement Map,” which describes how the CBPRs are enforceable under Canadian law.

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Although all APEC economies have endorsed the system, in order to participate, individual APEC economies must officially express their intent to join and satisfy certain requirements.

American Chamber of Commerce in China Publishes Policy Spotlight Report on Protecting Data Flows between China and the U.S.

On April 14, 2015, the American Chamber of Commerce in China (“AmCham”) published a report, entitled Protecting Data Flows in the US-China Bilateral Investment Treaty (the “Report”). The Report is part of AmCham’s Policy Spotlight Series. While in principle addressed to the U.S. and Chinese teams that are currently negotiating the Bilateral Investment Treaty, the Report has been made public. It thereby provides insight into the emerging issue of data localization for the benefit of a much wider audience.

The Report analyzes the impact of data localization policies, challenging the widely held (but potentially false) belief that greater data security can be achieved through local storage of personal data. In challenging this belief, the Report highlights the magnitude of the possible adverse economic impact of data localization policies and their potential effect on innovation. The Report contrasts data localization policies against the more liberal policies that are intended to foster freer international flows of personal information, which have been adopted in several jurisdictions in the Asia-Pacific region. The Report concludes by advocating against the adoption of data localization policies, recommending instead the inclusion in the Bilateral Investment Treaty of provisions that would foster and protect international transfers of data by service providers.

Hunton & Williams and its Centre for Information Policy Leadership (“CIPL”) participated closely in the drafting of the Report. The final document reflects policy positions taken from the international perspectives frequently advocated by CIPL and lawyers at Hunton & Williams. The Report also includes a clear reference to the Accountability principle, a concept CIPL helped develop as a guiding principle to govern cross-border data flows. In addition, the Report conspicuously references the APEC Cross-Border Privacy Rules system.

The Report was publicly released at a panel discussion event held at AmCham’s facility in Beijing on April 14.

In May and June of this year, delegations from CIPL will travel to Singapore and Hong Kong to meet with data protection authorities, and further expound upon and advocate the adoption internationally of the Accountability principle. These will be the next steps in CIPL’s continuing advocacy for robust cross-border data flows, and against data localization policies, in the Asia-Pacific region.

UN Human Rights Council Establishes Special Rapporteur on the Right to Privacy

On March 26, 2015, the United Nations Human Rights Council (the “Council”) announced that it will create a new position of special rapporteur on the right to privacy for a term of three years. The position, which is created by the Council’s resolution, is intended to reaffirm the right to privacy and the right to the protection of the law against any interference with a person’s privacy, family, home or correspondence, as set out in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.

Some of the tasks of the special rapporteur will include:

  • Gathering information on international privacy developments and challenges;
  • Submitting recommendations to the Council on how to better promote privacy protection in the face of rising challenges in the digital age;
  • Reporting on any violations of the right to privacy set out in Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights;
  • Receiving and responding to information gathered by the UN and all of its agencies and relevant stakeholders;
  • Participating in and contributing to any relevant international conferences; and
  • Submitting an annual report to the Council and the General Assembly.

The International Conference of Data Protection and Privacy Commissioners welcomed the announcement, and Conference Chair John Edwards, Privacy Commissioner of New Zealand, stated that “Data Protection and Privacy Authorities everywhere welcome the United Nations taking a lead in seeking to ensure the promotion and protection of privacy, especially given the challenges posed by new technologies.” The Council is expected to appoint an individual to serve as the special rapporteur for the first three-year term in June 2015.

FTC Announces Settlements with Debt Brokers Who Posted Consumers’ Information Online

On April 13, 2015, the Federal Trade Commission announced that it has settled charges with two debt brokers who posted consumers’ unencrypted personal information on a public website. The settlements with Cornerstone and Company, LLC (“Cornerstone”), Bayview Solutions, LLC (“Bayview”), and the companies’ individual owners resulted from initial complaints about the debt brokers in 2014. Cornerstone and Bayview allegedly had posted the personal information of their debtors in unencrypted Excel spreadsheets on a publicly accessible website geared to buyers and sellers of consumer debt. The information included consumers’ names, addresses, credit card numbers, bank account numbers and debt amounts.

The FTC’s complaints against the debt collectors alleged numerous harms caused by the disclosure of the consumers’ sensitive personal information. In addition to harms associated with potential identity theft, invasion of privacy and loss of income, the complaints also alleged that consumers could be exposed to “other persons or entities attempting to collect the purported debt unlawfully even though those entities will not have purchased or acquired the authority to collect the debt.” As a result of the FTC’s complaints, a federal court ordered the debt brokers to notify affected consumers and forced the website that hosted the information to immediately remove the data.

In each Stipulated Final Order for Permanent Injunction, the companies and their respective owners are obligated to:

  • establish and implement comprehensive information security programs;
  • obtain initial and biennial assessments of their security programs from an independent third party;
  • retain records relevant to compliance with the FTC’s orders;
  • cooperate with the FTC in any investigations related to the transactions or occurrences that are the subject of the complaint;
  • distribute the orders to relevant officers, employees and others; and
  • submit compliance reports on a periodic basis or upon request by the FTC.

The settlements with Cornerstone and Bayview come two months after the FTC sent a letter to the Consumer Financial Protection Bureau that highlighted these cases among other FTC efforts in the debt collection arena.

Community news and analysis: March 2015

Featured news

Google cracks down on Chrome extensions that inject ads and degrade users’ browsing experiences (31 March). Google also added information about unwanted software to their Safe Browsing API last month (24 March).

Automattic: Five ways to secure WordPress plugins (27 March), preventing cross-site scripting in JavaScript (25 March), and a blind SQL injection vulnerability found in Yoast’s popular WordPress SEO plugin (13 March).

Three cheers for open information: Check out DreamHost’s first ever Transparency Report!

Malware news

ESET analyses “Casper” malware used against Syrian targets and likely developed by the same group behind the Babar and Bunny malware (5 March).

SiteLock demonstrates what it looks like to infect a website (19 March).

Sophos on the new TeslaCrypt ransomware targeting gamers running Windows (16 March) and developments in Microsoft Office malware (6 March).

A couple of pieces of interesting Sucuri analysis: WordPress malware causes pseudo-DarkLeech infection (26 March); ‘inverted WordPress Trojan’ adds useful features along with malware (11 March).

Other security news

Mozilla on memory scanning for server security (12 March) and revoking trust in one CNNIC intermediate certificate (23 March).

Qualys: GHOST remote code execution exploit (17 March).

Fortinet: Cross-site scripting vulnerability discovered in WordPress Photo Gallery plugin with 12 million downloads (20 March).

FTC Proposes Settlement with Two Companies Over False Safe Harbor Certification Claims

On April 7, 2015, the FTC announced proposed settlements with TES Franchising, LLC, an organization specializing in business coaching, and American International Mailing, Inc., an alternative mail transporting company, related to charges that the companies falsely claimed they were compliant with the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks.

The FTC’s complaints against TES Franchising and American International Mailing alleged that the companies’ websites indicated that their Safe Harbor certifications were current, when in reality their certifications had expired years prior. In addition, with respect to TES Franchising, the FTC alleged that the company had misrepresented the nature of its Safe Harbor dispute resolution procedures to its customers by stating on its website that disputes would be settled by arbitration in Connecticut with costs split between the consumer and TES Franchising, while indicating in its Safe Harbor certification that disputes would be resolved through the European data protection authorities, which do not require in-person hearings or any costs to consumers.

The U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework are cross-border data transfer mechanisms that enable certified organizations to move personal data from the European Union or Switzerland to the United States in compliance with European data protection laws. To join the Safe Harbor Framework, a company must self-certify to the Department of Commerce that it complies with seven privacy principles (notice, choice, onward transfer, security, data integrity, access and enforcement) and related requirements that have been deemed to meet the EU’s adequacy standard.

The proposed settlement agreements would prohibit TES Franchising and American International Mailing from misrepresenting the extent to which each “is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by the government or any other self-regulatory or standard-setting organization.” TES Franchising is also prohibited from misrepresenting its “participation in, or the rules, processes, policies, or costs of, any alternative dispute resolution process or service, including, but not limited to, arbitration, mediation, or other independent recourse mechanism.”

In the press release accompanying the proposed settlements, FTC Chairwoman Edith Ramirez said that the FTC remains “strongly committed to enforcing the U.S.-EU and U.S.-Swiss Safe Harbor Frameworks” as such cases “send an important message that businesses must not deceive consumers about whether they hold these certifications, and by extension, the ways in which they protect consumers.”

Update: On May 29, 2015, the FTC announced that it has approved the final settlement orders with TES Franchising and American International Mailing.

Cyber scams that target senior citizens in India


A senior citizen’s primary gadget is a mobile phone, which in earlier years was used only to make and receive calls and SMSes. With rising Internet penetration, children living in other cities and countries, the availability of video calls and rising costs, senior citizens have begun to use alternative communication channels like WhatsApp and Skype. Senior citizens have become easy targets for cybercriminals given their trusting nature and poor understanding of how voice and data services work. Cybercriminals and spammers target these four types of communication channels (voice, instant messaging, SMS and internet telephony) to defraud senior citizens. The three most prevalent types of scams are:

Missed Call or One Ring Telephone Scams

The most popular one is the “missed call” scam. A missed call from an international number is made to a senior citizen’s phone. When the senior citizen calls back, the call is connected to a premium rate number where the billing rates are significantly higher, because a third party service charge for these services is added to the bill. Senior citizens end up with large postpaid bills or find their prepaid credit wiped out. The modus operandi of these missed call scams is to ensure that, once a call back is received, the caller is kept on the line for several minutes. The longer the duration, the more money the scammer makes. To do so, either the caller is looped in an interactive voice response system which tells the caller to wait while the call is connected, or the caller is connected to a recorded adult phone message. One senior citizen was so perturbed that she wanted to call the police because she heard a woman being beaten and screaming for help. Fortunately for her, she had limited prepaid credit and the call was cut off when it ran out. Many senior citizens become anxious and literally rush to their telecommunication service provider, only to receive a stoic response that the provider is not responsible for any calls made or received. To resolve the excess charge, they are advised to take up the matter with the third party service provider, usually a dubious adult chat firm in a third world country. For the small sum of money lost, the cost of this pursuit makes it an unviable option with no guarantee of a refund.

Senior citizens can protect themselves by:

1.    Restrict outbound international calling if there is no need to make overseas calls

2.    Ignore short duration missed calls from international destinations

3.    Check the international dial code of a missed number before returning the call. If the number originates from a country they do not expect a call from, it is best not to return it

Lottery Type Scams 

In fake lottery scams, senior citizens receive SMSes or WhatsApp messages congratulating them on having won a “big lottery” and asking them to quickly claim their money. One senior citizen thought this was a valid claim because “it was not classified as spam” by the service provider. 40% of spam is not blocked by spam filters, and spam filters only help; they do not guarantee that a communication is legitimate. Once a request to redeem the claim is made, these scams always ask for either personal information or the payment of an advance fee, which, once paid, is followed by further requests for money and eventually by the scammer’s disappearance.

Senior citizens must not share personal data online and should always refuse requests for money to process a lottery win, to release a parcel, or to send a free gift, as these are sure signs of fraudulent behavior. Senior citizens should also consult knowledgeable family members or friends before responding.

Disclosure of Personal Information

Extracting personal information which can later be sold or used to access online bank accounts is another type of scam. Scammers pose as officials in positions of authority (banks, police and income tax) or as sellers of credit cards or personal loans, using these “roles” to exert sufficient pressure to extract personal and financial data.

Senior citizens should always remember that, however convincing the callers are, information like bank account numbers, financial records and passwords is never sought by authorities or banks.

AT&T Enters into Largest Data Breach Settlement with FCC to Date

On April 8, 2015, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected account-related data, affecting almost 280,000 U.S. customers.

In addition to the $25 million civil penalty, the Consent Decree requires AT&T to:

  • notify all affected customers;
  • pay for credit monitoring services for customers who were affected by the breaches in Colombia and the Philippines;
  • bolster its privacy and data security practices, including by appointing a senior compliance manager, conducting a privacy risk assessment, implementing an information security program, and training employees on its privacy policies; and
  • file regular compliance reports with the FCC.

This settlement is the FCC’s largest privacy and data security enforcement action to date and according to FCC Chairman Tom Wheeler, demonstrates that “the Commission will exercise its full authority against companies that fail to safeguard the personal information of their customers.”

Video: In Depth – Sotto Details Who, What, Why of Today’s Cyber Threat Landscape

From Wall Street to Main Street to Hollywood, steering clear of a data breach is challenging in a world where it is no longer a question of if but rather a matter of when your company will be hit. Hunton & Williams’ Chair of the Global Privacy and Cybersecurity practice Lisa Sotto speaks in depth with associate Brittany Bacon about three groups of attackers, how they are infiltrating IT systems, what they are looking for, and how you can prepare. Today, Sotto says, cybersecurity is a legal issue, a risk issue and a governance issue, and one that matters to shareholders, boards of directors and regulators. View the video segment.

UK Court Ruling Allows Claims Against Google for Misuse of Private Information

On March 27, 2015, the England and Wales Court of Appeal issued its judgment in Google Inc. v Vidal-Hall and Others. Google Inc. (“Google”) appealed an earlier decision by Tugendhat J. in the High Court in January 2014. The claimants were users of Apple’s Safari browser who argued that during certain months in 2011 and 2012, Google collected information about their browsing habits via cookies placed on their devices without their consent and in breach of Google’s privacy policy.

The Court of Appeal ruled on two important issues. The first issue was whether there is a tort of “misuse of private information” under English law. In order to serve proceedings in an English Court on Google (in California), the claimants’ arguments had to satisfy one of a limited number of “gateways.” The relevant gateway in this case required the claimants to show that their claims relate to an actionable tort. Because there is existing case law holding that there is no general tort of invasion of privacy, the claimants argued that the High Court should explicitly recognize a tort of misuse of private information. The High Court agreed and Google appealed the decision. The Court of Appeal upheld the High Court’s decision, and affirmed that there is a tort of misuse of private information under English law. The Court of Appeal stated that this was not a new cause of action, but that it “simply gives the correct legal label to one that already exists.”

The second issue was whether damages under Section 13(2) of the Data Protection Act 1998 (the “Act”) can be awarded in circumstances in which the claimant has not suffered any financial harm. The claimants argued that they had suffered anxiety and distress, but did not allege that they suffered financial harm. This case was unusual because the UK Information Commissioner’s Office (the “ICO”) made submissions to the Court of Appeal as an intervening party. In those submissions, the ICO argued that its previous guidance on Section 13 (which indicated that damages were not available except in cases of financial harm) was incorrect, and that damages should be available in this case. The Court of Appeal accepted the ICO’s submissions but held that, using a literal interpretation, Section 13(2) does not permit damages in the absence of financial harm. The Court of Appeal also noted, however, that Section 13(2) of the Act did not appear to be compatible with EU Data Protection Directive 95/46/EC, which appears to permit claims for damages without financial harm. Expanding upon the evolution of English case law in this area over the last decade, the Court of Appeal held that the claimants could recover damages from Google without showing financial harm, regardless of the contrary language in Section 13(2). It is not yet clear whether Google will appeal this decision.

The consequences of the case may be significant. For Google, it means that the claimants can bring their claims in English Courts directly. This may result in large numbers of such claims, although the Court of Appeal noted that any damages likely will be “relatively modest.”

In a wider context, where any company fails to fulfil its obligations under the Act (e.g., if it suffers a data breach or fails to comply with its own privacy policy) it may face claims for damages brought by the affected individuals (e.g., its customers or employees) if those individuals can demonstrate that they have suffered material anxiety or distress, even if they have not suffered any financial loss. In addition, in some circumstances, such claims may be brought in English Courts, regardless of whether the company is established outside of the UK.

The International Conference of Data Protection and Privacy Commissioners Announces Its First Permanent Website

The International Conference of Data Protection and Privacy Commissioners (the “Conference”) has launched a new permanent website. The new website fulfills the agreement made between Commissioners “to create a permanent website in particular as a common base for information and resources management” in the Montreux Declaration adopted in 2005. The Executive Committee Secretariat called the website a “one-stop-shop for permanent Conference documentation,” and will be a resource for members and the public to explore upcoming Conference events and newsfeeds.

GPEN Releases First Annual Report

On April 1, 2015, the Global Privacy Enforcement Network (“GPEN”) released its 2014 annual report (the “Report”). This Report marks the first time that GPEN has issued an annual report highlighting the network’s accomplishments throughout the year. GPEN is a network of approximately 50 privacy enforcement authorities from around the world, including the Federal Trade Commission and the Federal Communications Commission.

According to the Report, GPEN saw a growth in members and participation in 2014, which included hosting 18 teleconferences in the Atlantic and Pacific regions. The organization also experienced global cooperation between privacy enforcement authorities in “The Sweep” of mobile apps, which was followed by a signed joint open letter to seven major app marketplaces. In addition, with the enhancement of the GPEN website came greater opportunities for online discussion and dialogue between privacy enforcement authorities. The Report also lays out a broad work plan for 2015.

President Obama Issues Executive Order Enabling Treasury to Impose Sanctions on Cyber-Enabled Activities

As reported in Bloomberg BNA, on April 1, 2015, the White House announced that President Obama has signed a new executive order providing the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, the ability to impose sanctions on individuals and entities that engage in certain cyber-enabled activities. The signed executive order, entitled Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities (the “Executive Order”), focuses on blocking the property or interests in property located in the United States of persons engaging in cyber-enabled activities that cause a significant threat to the national security, foreign policy, economic health or financial stability of the U.S. (collectively, the “Significant Threat”).

The Executive Order enables the Secretary of State to sanction any person who is responsible for, complicit in, or has engaged in cyber-enabled activities stemming from outside of the U.S. that have likely caused a Significant Threat and have the purpose or effect of:

  • harming, or significantly compromising the provision of services by, a computer or network that supports one or more entities in a critical infrastructure sector;
  • significantly compromising the provision of services by one or more entities in a critical infrastructure sector;
  • causing a significant disruption to the availability of a computer or network; or
  • causing a significant misappropriation of funds or economic resources, trade secrets, personal identifiers or financial information for commercial or competitive advantage or private financial gain.

In addition, the Executive Order empowers the Secretary of the Treasury, in consultation with the Attorney General and the Secretary of State, to sanction an individual or entity for attempting to engage in, or aiding and abetting, the activities described in the Executive Order, as well as for engaging in certain activities in connection with the misappropriation of trade secrets through cyber-enabled means.

Hunton & Williams LLP Unveils New Mobile-Responsive Privacy and Information Security Law Blog

Hunton & Williams is pleased to announce the release of its newly designed and mobile-responsive Privacy and Information Security Law Blog, www.huntonprivacyblog.com.

“Our award-winning blog has served the entire privacy community — from companies and practitioners to international regulators,” said Lisa Sotto, who heads the firm’s global privacy and cybersecurity practice. “This new version of Hunton & Williams’ privacy blog offers our audience greater access to information in real time and more interactive features, which are critical in this fast-changing arena.”

Begun in January 2009, Hunton & Williams’ Privacy and Information Security Law Blog has become a go-to resource for news and analysis on privacy and cybersecurity issues. The blog features information and legal commentary on a range of topics in the news, breaking U.S. federal and state privacy and data security legislation, recent court and regulatory decisions, international data protection law updates, and other news and analysis.

The blog is managed by Sotto, members of Hunton & Williams’ global privacy team and principals of the firm’s Centre for Information Policy Leadership, who are known throughout the world for their leadership in this field.

Hunton & Williams’ global privacy and cybersecurity practice helps companies manage data at every step of the information life cycle. The firm has been ranked as a top law firm for privacy and data security by Chambers and Partners and The Legal 500. Computerworld magazine recognized Hunton & Williams as the best global privacy advisor for the past four consecutive years. Hunton & Williams also was selected for one Fortune 100 client’s 2013 Law Firm Award for its privacy work, noting that the privacy team’s “laser focus on the issues resulted in a flawless execution.”

Read the full news release.

“Fancybox for WordPress Has Expired” Infection

Today I began to notice quite a massive and very unusual attack that leverages vulnerabilities in older versions of the FancyBox for WordPress plugin.

As you might know, versions 3.0.2 and older of this plugin allowed anyone to craft special POST requests to /wp-admin/admin-post.php or /wp-admin/admin-ajax.php and change the values of specific plugin options in the WordPress database. The plugin uses the modified options to build its own JavaScript code. As a result, the malicious content gets injected into the generated WordPress pages.

A typical malicious injection looks like this:

[Screenshot: Fancybox infection]

Such attacks use the documented exploit code to inject malicious code into the “padding” value.

The exploited vulnerability had been fixed on February 4th. Nonetheless, many blogs failed to update the plugin and hackers routinely find such blogs and infect them.

Today’s attack also uses this exploit and modifies the “padding” value, but the code it injects cannot be called malicious:

[Screenshot: Fancybox expired warning]

When visitors load such “infected” pages, they see this warning:

WARNING: This version of the Fancybox for WordPress plugin has expired!
Please upgrade to the latest version!

And when they click on the “OK” button, they automatically get redirected to the Fancybox for WordPress changelog page in the official WordPress plugin repository.

On one hand, this infection makes blogs unusable since it redirects visitors to WordPress plugin repository before they can read anything. On the other hand, it is very hard to ignore such a warning — if site owners want people to visit their sites they have to upgrade (or remove) the vulnerable version of the plugin ASAP.

Now is the time to check if your blog shows such warnings. If you don’t see them, it’s not a reason to relax and wait for such a hard push to upgrade. Make sure all your themes and plugins are up-to-date now.
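One way to run the two checks this post calls for, as an added example that is not part of the original post or of the FancyBox plugin: read the plugin's version header and flag anything at or below 3.0.2, and look for the quoted "has expired" warning text in a page as the site serves it. The plugin header and the page HTML below are constructed samples, not real plugin files or captured pages, and the warning-text check assumes the injected text appears verbatim in the served HTML as the post quotes it.

```python
import re

# Per the post, FancyBox for WordPress 3.0.2 and older are affected; the fix
# landed on February 4th, so anything at or below this version must be updated.
LAST_VULNERABLE_VERSION = "3.0.2"

# Warning text quoted in the post. Its presence in a served page means the
# "padding" option has already been overwritten by the expiry-warning campaign.
EXPIRED_WARNING = "This version of the Fancybox for WordPress plugin has expired"


def version_key(version):
    """Turn '3.0.2' or '2.9' into a tuple of ints, ignoring non-numeric suffixes."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 comparing a to b. Shorter tuples are padded with zeros
    so that '3.0' equals '3.0.0' and '3.0.2.0' equals '3.0.2'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def parse_plugin_version(plugin_header):
    """Read the 'Version:' line of a WordPress plugin header comment."""
    m = re.search(r"^[\s*]*Version:\s*(\S+)", plugin_header, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable_version(version):
    return compare_versions(version, LAST_VULNERABLE_VERSION) <= 0


def page_shows_expired_warning(html):
    return EXPIRED_WARNING in html


def audit(plugin_header, rendered_html):
    """Combine both checks into a list of findings for one site."""
    findings = []
    version = parse_plugin_version(plugin_header)
    if version is None:
        findings.append("plugin version header not found; inspect the plugin manually")
    elif is_vulnerable_version(version):
        findings.append(f"FancyBox for WordPress {version} is 3.0.2 or older: update or remove it")
    if page_shows_expired_warning(rendered_html):
        findings.append("served page carries the 'plugin has expired' warning: options were already tampered with")
    return findings


# Constructed samples for the demonstration (not real plugin files or captured pages).
SAMPLE_HEADER_OLD = """<?php
/*
Plugin Name: FancyBox for WordPress
Version: 3.0.2
*/
"""
SAMPLE_HEADER_NEW = """<?php
/*
Plugin Name: FancyBox for WordPress
Version: 3.0.3
*/
"""
SAMPLE_PAGE_TAMPERED = (
    "<html><body><script>alert('WARNING: This version of the Fancybox for "
    "WordPress plugin has expired!');</script></body></html>"
)
SAMPLE_PAGE_CLEAN = "<html><body><p>Hello world</p></body></html>"

if __name__ == "__main__":
    for header, page in [(SAMPLE_HEADER_OLD, SAMPLE_PAGE_TAMPERED),
                         (SAMPLE_HEADER_NEW, SAMPLE_PAGE_CLEAN)]:
        print(audit(header, page) or ["no findings"])
```

On a real site you would feed audit() the contents of the plugin's main PHP file from wp-content/plugins and the HTML returned by fetching the front page as an anonymous visitor; a clean version check alone is not enough, because a site that was already hit keeps the tampered "padding" option in the database until it is reset, which is why the served-page check is run as well.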