Monthly Archives: April 2016

Security Weekly #462 – Interview with Sean Metcalf, Microsoft Certified Master

Sean Metcalf (@PyroTek3) is a Microsoft Certified Master (MCM) / Microsoft Certified Solutions Master (MCSM) in Directory Services (Active Directory Windows Server 2008 R2) which is an elite group of Active Directory experts (only about 100 worldwide). As of 2016, he is also a Microsoft Most Valuable Professional (MVP). We ask him about his start in information security and PowerShell. Listen in now!

Parliamentary Committee Approves Denham ICO Appointment

On April 27, 2016, the UK House of Commons Culture, Media and Sport Select Committee (the “Committee”) confirmed Elizabeth Denham’s appointment as Information Commissioner. Denham, currently the Privacy and Information Commissioner for British Columbia, Canada, was announced as the UK Government’s preferred choice on March 22, 2016.

The Committee’s announcement followed a pre-appointment hearing on the same day, during which Denham fielded questions from a number of committee members. The discussion covered a broad range of topics, including:

  • a comparison of the British and Canadian data protection and freedom of information regimes;
  • Denham’s understanding of the EU framework that provides the foundation for UK data protection law;
  • the degree of responsibility that company directors should have for cybersecurity; and
  • the Information Commissioner’s Office itself, particularly its relations with parliament and its funding arrangements.

While stating her willingness to levy heavy fines for serious breaches of data protection law, she advocated an approach prioritizing proactive guidance, advice and education to those involved in data processing.

Following the hearing, the Committee published a report outlining the discussion and confirming her appointment as Information Commissioner. She will succeed Christopher Graham, whose term in office ends on June 28, 2016.

Humble Hacking Bundle from No Starch Press

No Starch Press is teaming up with Humble Bundle again to raise money for the EFF, the Electronic Frontier Foundation. Pay $15.00 to help support the EFF and receive a bundle of thirteen eBook titles.
Some of the titles are: Hacking: The Art of Exploitation, Hacking the XBox, Automate the Boring Stuff with Python, Python Crash Course, Practical Malware and The Linux Command Line.

Any amount gets you four titles and a $15.00 donation gets you all 13. You decide how much goes to EFF, No Starch or Humble Bundle.

Details are at

OCR Settles Two Key HIPAA Privacy Rule Cases Involving X-Rays and Medical Reality TV Show

The U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) recently announced resolution agreements with Raleigh Orthopaedic Clinic, P.A., (“Raleigh Orthopaedic”) and New York-Presbyterian Hospital (“NYP”) for HIPAA Privacy Rule violations.

Raleigh Orthopaedic

Following a breach notification report from Raleigh Orthopaedic in April 2013, OCR investigated and discovered that Raleigh Orthopaedic had improperly disclosed protected health information (“PHI”) to a third-party service provider without entering into a business associate agreement (“BAA”) with that service provider. Raleigh Orthopaedic had engaged the service provider to convert X-rays into electronic media and enabled the vendor to harvest the silver from the X-rays.

The resolution agreement requires Raleigh Orthopaedic to pay $750,000 million to OCR and enter into a Corrective Action Plan that requires the entity to provide OCR with a list of its business associates and copies of any relevant BAAs with such business associates. Raleigh Orthopaedic must also revise its policies and procedures to:

  • designate an official responsible for ensuring that Raleigh Orthopaedic enters into a BAA with each business associate prior to disclosing PHI to the business associate;
  • create a process to assess whether each current and future business relationship is with a business associate and enter into BAAs if required;
  • develop a process for negotiating and entering into BAAs;
  • create a standard template BAA;
  • retain documentation of the BAA for at least six years beyond the date when the business associate relationship is terminated; and
  • disclose to business associates only the minimum amount of PHI that is reasonably necessary for business associates to perform their duties.

In announcing the settlement with Raleigh Orthopaedic, OCR Director Jocelyn Samuels noted that “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

This is the second major OCR settlement in two months against a covered entity for improperly disclosing PHI to a third party without entering into a BAA. In March, North Memorial Care of Minnesota paid a $1.55 million settlement for similar violations.


The settlement with NYP resulted from a complaint received in January 2013 that NYP had allowed a film crew from the ABC medical reality TV show “NY Med” to film two patients without their authorization, including one patient who died in the emergency room during the filming. OCR’s investigation found that NYP had allowed ABC “virtually unfettered access” to the hospital that created “an environment where PHI could not be protected from impermissible disclosure to the ABC film crew and staff.”

In the resolution agreement, NYP agreed to pay a $2.2 million settlement to OCR and enter into a Corrective Action Plan that requires NYP to develop policies and procedures that contain:

  • a specific prohibition on the use or disclosure of PHI without patient authorization by NYP workforce members, agents and business associates to any person or entity planning, coordinating or engaging in photography, video recording or audio recording for non-medical related purposes;
  • a process for evaluating and approving authorizations requesting the disclosure of PHI by NYP;
  • identification of NYP personnel or representatives who workforce members, agents or business associates may contact in the event of any inquiry or concern regarding compliance with HIPAA in relation to these activities;
  • a requirement that all photography, video recording and audio recording conducted on NYP premises be actively monitored by appropriate NYP representatives for compliance with the Privacy Rule and NYP’s policies;
  • measures that address specific Privacy Rule provisions;
  • internal reporting mechanisms; and
  • the application of appropriate sanctions against members of NYP’s workforce, including supervisors and managers, who fail to comply with NYP’s policies and procedures.

In the press release accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that “OCR will not permit covered entities to compromise their patients’ privacy by allowing news or television crews to film the patients without their authorization.” This is the second HIPAA enforcement action against NYP. In 2014, NYP paid $3.3 million and Columbia University paid $1.5 million as part of a collective settlement resulting from a breach of a shared data network that linked to patient information systems.

In connection with the settlement, OCR developed an FAQ addressing this issue that states that health care providers cannot invite media crews into treatment and other areas in which patients’ PHI will be accessible in any form unless the health care providers first obtain prior written authorization from each patient. The FAQ explicitly clarifies that subsequent masking or blurring of patient identities by the media (as had been done by ABC in the case of the patient who died on NY Med) was not sufficient “because the HIPAA Privacy Rule does not allow media access to the patients’ PHI, absent an authorization, in the first place.” The FAQ indicates that the HIPAA Privacy Rule does not, however, obligate health care providers to block the media from public waiting areas or areas where the public enters or exits the facility.

Amended Nebraska Data Breach Notification Law Adds Regulator Notification Requirement

On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.

Specifically, the Bill:

  • requires entities to notify the Nebraska Attorney General in the event of a data breach, and no later than notice is provided to Nebraska residents;
  •  adds to the definition of “personal information” a user name or email address, in combination with a password or security question and answer, that would permit access to an online account; and
  • states that data is not considered “encrypted” for purposes of avoiding notification obligations if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach.

Simulated Attack on Power Grid Highlights Need for Improved Communications

In its third simulated test of the security of the power grid, the North American Reliability Corporation (“NERC”) reported general progress across the electric utility industry in defending against physical and cyber threats, while also identifying several areas for further improvement.

The NERC exercise, dubbed GridEx III, took place over two days in November 2015 and involved more than 4,400 individuals from 364 industry, law enforcement and government organizations across the United States, Canada and Mexico. The main objectives of the exercise were to test crisis response and recovery, improve communication, identify problem areas and engage senior-level leadership in the organizations involved.

Despite broadly meeting these objectives, NERC nevertheless called for improvements in communication systems and protocols, particularly in the incident response capabilities of the Electricity Information Sharing and Analysis Center (“E-ISAC”) portal and coordination with law enforcement and other governmental agencies.

E-ISAC acts as a kind of highly-specialized “antivirus” application for the power sector, collecting and sharing information regarding malware indicators identified by electric utilities or government agencies. For the exercise, NERC created a “mirrored” version of the E-ISAC portal and found it unable to track and respond to the flood of distress calls and other inquiries it received, with critical information getting lost or buried. This made it difficult for participants to distinguish important information coming from the portal during the exercise, a problem which may have been compounded by redundancies and other inefficiencies in industry information sharing and reporting practices, according to the NERC report.

Similarly, NERC reported that the exercise revealed the need, in the event of a major and persistent disruption in electricity service, for far greater levels of coordination across federal, state and local government agencies to the power sector and aid the public at large.

Lisa Sotto Featured in SC Magazine Article – Ready to Rumble: Apple v. FBI

In a recent article published by SC Magazine, Lisa Sotto, head of Hunton & Williams LLP’s Global Privacy and Cybersecurity practice, provides commentary on the recent case, Apple v. FBI. The article analyzes privacy versus security, and Sotto tells SC Magazine, “[the case] should never have escalated to this, privacy should have been addressed” at the onset of the investigation. Sotto says the government should have “worked with tech companies to craft policies and processes” before an issue of this magnitude arose. The article provides details on the case and discusses differentiators that set the case apart from similar issues in the past, and also provides insight into legislation that could regulate privacy and security matters in the future. Many believe Congress should step in, including Sotto who says, “The courts can’t keep doing it on a piecemeal basis.”

Read the full article.

FTC Releases Interactive Tool for Mobile Health Apps

The Federal Trade Commission recently released an interactive tool for mobile health apps. The tool was developed in conjunction with several other federal agencies, including the Department of Health and Human Services’ Office for Civil Rights, the Office of the National Coordinator for Health Information Technology, and the Food and Drug Administration.

The tool is designed to provide a “snapshot” of applicable laws and regulations that apply to mobile health apps. These include the (1) Health Insurance Portability and Accountability Act (“HIPAA”); (2) Federal Food, Drug, and Cosmetic Act; (3) Federal Trade Commission Act; and (4) FTC’s Health Breach Notification Rule. The tool asks developers the following series of ten questions and explains which laws apply based on the answers to the questions:

  • Do you create, receive, maintain, or transmit identifiable health information?
  • Are you a health care provider or health plan?
  • Do consumers need a prescription to access your app?
  • Are you developing this app on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer or health plan’s wellness program)?
  • Is your app intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment or prevention of disease?
  • Does your app pose “minimal risk” to a user?
  • Is your app a “mobile medical app”?
  • Are you a nonprofit organization?
  • Are you developing this app as or on behalf of a HIPAA covered entity (such as a hospital, doctor’s office, health insurer or health plan’s wellness program)?
  • Do you offer health records directly to consumers (or do you interact with or offer services to someone who does)?

The FTC’s tool is intended to be a starting point for mobile health app developers. The tool provides links to resources which app developers may learn more in-depth information about the applicable legal requirements. The release of the FTC tool follows the March 2016 release of guidance on mobile health apps by OCR.

CNIL and GPEN Analyze Impact of Connected Devices on Privacy During Internet Sweep

On April 12, 2016, the French Data Protection Authority (“CNIL”) announced that it will participate in a coordinated online audit to analyze the impact of everyday connected devices on privacy. The audit will be coordinated by the Global Privacy Enforcement Network (“GPEN”), a global network of approximately 50 data protection authorities (“DPAs”) from around the world.

In addition to the CNIL, 29 DPAs that are members of the GPEN will participate in the audit. The joint effort will run during spring 2016. The CNIL also announced that it will conduct its audits during May 2016 and target three categories of connected devices:

  • home IoT devices (connected camera systems that can detect movements or measure air quality);
  • health connected devices (connected scales, tensiometers and glucometers intended to collect health-related data); and
  • connected devices for well-being (connected watches and bracelets that can collect geolocation data and also count the number of steps made per day, the number of calories burned and analyze the quality of sleep).

In practice, the CNIL will verify:

  • the quality of the information provided to users;
  • the level of security of the data flows; and
  • the degree of user empowerment (e.g., user’s consent, exercise of data protection rights, etc.).

The CNIL stressed that it might conduct more formal inspections and launch enforcement proceedings if its initial findings reveal serious breaches of French data protection law. The results of its audits will be issued in fall 2016. The audits will help the CNIL increase user awareness and promote best practices among stakeholders in the sector.

CIPL and AvePoint Launch Survey to Benchmark Global Readiness for the EU GDPR

With the recent adoption of the EU General Data Protection Regulation (“GDPR”) and the significant changes it will require from organizations, AvePoint has joined forces with the Centre for Information Policy Leadership (“CIPL”), a global privacy policy think tank at Hunton & Williams LLP, to launch the first global survey to benchmark organizations’ readiness for the GDPR.

The survey focuses on key issues of the GDPR, including:

  • consent;
  • age of consent for children;
  • legitimate interest;
  • data portability;
  • profiling;
  • privacy impact assessments;
  • privacy by design;
  • data protection officers;
  • data breach reporting; and
  • onwards transfer of data.

The results, which will be kept anonymous, will be analyzed and used to publish an extensive overview on GDPR readiness, broken down by factors such as industry vertical, revenue size and regions, so companies can compare their level of preparedness against their peers. This will ultimately help companies determine the best path forward and provide insight into the right resources and budgetary allocation to meet their compliance goals.

Recommendations for preparing for the immediate impact of the GDPR, including compliance best practices from industry experts, will also be included. This benchmark should provide insight not only for Chief Privacy and Data Protection Officers who are looking to ramp up their privacy programs, but also for Chief Information Officers, Chief Information Security Officers, business leaders and executive leadership within organizations. The goal is to help companies understand the task ahead, as well as key areas of investment as they bring their organizations into compliance with the GDPR.

The first report is expected to be ready June 2016, and we plan to repeat the survey annually to track progress.


Federal Court: Sony Pictures Data Breach Class Action Settlement Approved

On April 6, 2016, U.S. District Judge R. Gary Klausner approved a settlement in Corona v. Sony Pictures Entertainment, Inc., No. 14-CV-09600 (RGK). As we previously reported, the litigation centered on a data breach involving the stolen personal information of at least 15,000 former and current employees. After a partial success on its motion to dismiss, Sony still faced potential liability for negligence based on its three-week delay in notifying its employees of the data breach, as well as statutory claims under the California Confidentiality of Medical Information Act and the Unfair Competition Law.

Under the terms of the settlement, Sony will provide three years of identity theft protection, an optional service that will reimburse up to $1 million dollars and a fund for additional losses. An exact settlement amount is not available at this time. The deadline for Sony employees to sign up for the services offered in the settlement has not yet passed.

On April 14, 2016, Judge Klausner took issue with the request of $3.49 million in plaintiffs’ attorneys’ fees due to: (1) a lack of itemization and (2) the belief that fees for 17 billable hours per day, every day, during 61 weeks of litigation were unreasonable. Instead, the Court approved only 4,500 billable hours at a $509.34/hour blended rate. Consequently, $2,587,574.96 in attorneys’ fees and costs were approved as reasonable, but the Court allowed the parties to independently negotiate any fees and costs above that amount.

If a Data Breach Occurs and Nobody Accesses Customer Data, Does it Constitute “Publication”?

As reported on the Hunton Insurance Recovery Blog, data breach claims involving customer data can present an ever-increasing risk for companies across all industries. A recent case illustrates efforts to recover the costs associated with such claims. A panel of the Fourth Circuit confirmed that general liability policies can afford coverage for cyber-related liabilities, and ruled that an insurer had to pay attorneys’ fees to defend the policyholder in class action litigation in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. Syed Ahmad, a partner in the Hunton & Williams LLP insurance practice, was quoted in a Law360 article concerning the importance of this decision.

In the Portal case, the specific issue was whether the mere online availability of sensitive information constitutes “publication” for purposes of triggering an insurance policy’s personal or advertising injury coverage and its corresponding duty to defend. The appellate court ruled it does and adopted the district court’s reasoning that “[p]ublication occurs when information is ‘placed before the public,’ not when a member of the public reads the information placed before it.” That the information may not have actually been accessed does not factor into whether the information was “published” for purposes of triggering coverage. Rather, the immediate accessibility to information and the broad reach of that material is itself sufficient to amount to the requisite publication.

Bedep has raised its game vs Bot Zombies

Simulacra & Simulation - Jean Baudrillard
Featured in Matrix
Bedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014

On the 2016-03-24 I noticed several move in Bedep. 

Angler infecting a VM and integrating it into an instance of Bedep botnet
No more variable in the URI (as several month before), the protocol Key changed and in most of my manual checks, all threads were sending a strange payload in the first stream.

2ko size for Win7 64bits :
Popup shown by the first payload from Bedep Stream - Win7
(in the background Angler Landing)

48ko size for WinXP 32bits:

Popup shown by the first payload from Bedep Stream - WinXP

Looking at my traffic I thought for some time that one of the Bedep instances was split in two.

Then I understood that I got different result on my "manually" driven VM (on VMWare ESXi) and my automated Cuckoo driven one ( on VirtualBox). I suspected it was related to hardening, as this is one of the main difference between those two systems.

And I got confirmation. Here is an example on a GooNky ([1] [2] [3]) malvertising traffic in Australia :

A VM not hardened enough against Bedep got redirected to a "decoy" instance of Bedep that i will refer as :
Bedep "Robot Town" - 2016-04-12
Now look what i get instead with a VM that is not spotted as is:
Same Angler thread - VM not detected. 1st Stream get Vawtrak

I am not skilled enough to give you the list of checks Bedep is doing. But here is one of them spotted by Cuckoo :

Bedep doing some ACPI checks
I think there are multiple level of checks. Some resulting in Bedep not trying to contact the C&C, some where the positive check end up with a different seed for the Bedep DGA redirecting spotted machines in a dedicated instance. 
This is quite powerful :
- the checks are made without dropping an executable. 
- if you don't know what to expect it's quite difficult to figure out that you have been trapped
- there is a lot of things that operators can do with this list of known bots and initial Bedep thread ID. 

One of them is for instance knowing which of the infection path are researcher/bots "highway" :

Illustration for Bedep "Robot Town" from an "infection path" focused point of view

This could be just a move to perform different tasks (AdFraud only (?) ) on VMs, but my guess it that this Bedep evolution on 2016-03-24 is a fast reaction to this Proofpoint Blog from 2016-03-18 which  show how Bedep threads are additional connectable dots. 

Sharing publicly is often a difficult decision. The question is which side will benefits the most from it, in the long time.

For researchers:
In the last 3 weeks, if your VM have communicated with : (which is a Bedep ip from end of 2015 reused) || (  && http.uri.path  "ads.php?sid=1901" ) and you are interested by the "real payload" then you might want to give PAfish a run.

Image result for robot movie sad robot
Marvin - Paranoid Android
On the other hand, any of your VM which has communicated with (Bedep "standard" 18xx 19xx instance)  since the 24 of March is hardened enough to grab the real payload.

- Removed the AU focused mention on the Vawtrak. I have been told (Thanks ! ) it's US focused. Got geo 
Glitched. Maybe more about that a day or the other.
- Refine the check conditions for Researcher. IP and sid=1901...otherwise...ok :)

Acknowledgements :
Thanks Will Metcalf and Malc0de for the discussions and help on this topic
I'm sorry, but I must do it...Greetings to Angler and Bedep guys. ;) You are keeping us busy...and awake !

Reading :
Bedep’s DGA: Trading Foreign Exchange for Malware Domains - 2015-04-21 - Dennis Schwarz - ArborSert

EU General Data Protection Regulation Finally Adopted

On April 14, 2016, after four years of drafting and negotiations, the long awaited EU General Data Protection Regulation (“GDPR”) has been adopted at the EU level. Following the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs’ vote earlier this week and the EU Parliament in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing EU and national data protection legislation.

The New Data Protection Landscape in Europe

The GDPR replaces the EU Data Protection Directive 95/46/EC (the “Directive”), which was enacted in 1995, and significantly changes the EU data protection landscape. The following is a summary of the key aspects of the GDPR:

  • Broader scope: The GDPR will apply to data processing activities of a data controller or a data processor established in the EU. In addition, it will apply to data controllers and data processors established outside the EU where their processing activities relate to the offering of goods and services to individuals in the EU or to the monitoring of EU individuals’ behavior.
  • Concept of personal data: Under the GDPR, location data, IP addresses and online identifiers would constitute personal data in most cases as this data could be used to identify individuals, in particular when combined with unique identifiers. Pseudonymization of personal data is considered a security measure used to limit the risk of singling out an individual during the processing. In addition, genetic data and biometric data are recognized as sensitive data requiring extra protection.
  • Data controllers, processors, joint controllers: The GDPR will introduce additional obligations for data controllers, data processors and joint controllers. Direct obligations will be imposed on data processors for the security of personal data.
  • Accountability obligations: Companies will have to implement appropriate privacy policies and robust security measures, perform data protection impact assessments in certain cases and appoint a data protection officer under specific conditions. In addition, both data controllers and data processors will have to maintain records of data processing activities, replacing the existing registration and authorization obligations with the supervisory authorities.
  • Data breach notification: The GDPR introduces a general data breach notification requirement that will apply across all industry sectors and will require data controllers to notify the competent supervisory authority within 72 hours after becoming aware of a data breach, unless they can provide a reasoned justification for the delay. If the breach is likely to result in a high risk for the individuals’ rights and freedoms, data controllers will also have the obligation to notify individuals of the breach without undue delay.
  • One-stop shop: For companies active in multiple EU countries, the GDPR will allow them to have a central point of enforcement through the one-stop shop mechanism. The supervisory authority of the main establishment or of the single establishment of the data controller or data processor in the EU will act as the lead supervisory authority, supervising all their processing activities throughout the EU. This new mechanism will allow data controllers and data processors to interact with a single lead data protection authority (“DPA”); however other DPAs may have a say for cross-border operations as the GDPR includes significant consistency and cooperation procedures. In addition, each individual supervisory authority will be competent to handle purely local complaints or deal with purely local infringements of the GDPR.
  • Consent: Consent should be a freely given, specific, informed and unambiguous indication of the individual’s wish to, either by a statement or by a clear affirmative action, agree to the processing of his or her personal data. The GDPR also provides specific protection in the context of children’s personal data by strengthening the validity conditions of children’s consent. When offering information society services directly to children under the age of 16 – or a lower age provided by EU Member State law which may not be below 13 years – consent should be given or authorized by the holder of parental responsibility.
  • Profiling: The GDPR will strengthen the protection of individuals against possible negative effects of profiling by providing them with the right not to be subject to automated decision making (including profiling), which produces legal effects concerning the individual or significantly affects the individual.
  • Privacy notices: Under the GDPR, data controllers must take appropriate measures to provide individuals with information regarding the processing of their personal data. Information will have to be provided in a concise, transparent, intelligible and easily accessible form. The GDPR also introduces the use of standardized icons as a valid way to inform individuals.
  • Data transfers: The GDPR maintains the general prohibition of data transfers to countries outside the EU that do not provide an adequate level of data protection. Consistent with the Schrems decision of the Court of Justice of the European Union, stricter conditions will apply for obtaining an “adequate” status. EU Model Clauses will remain a valid mechanism to transfer personal data outside the EU. Further, the GDPR explicitly recognizes and promotes the use of Binding Corporate Rules as a valid data transfer mechanism. Approved codes of conduct also can be used for data transfers.
  • Rights of individuals: The GDPR will expand the rights of individuals. The GDPR reinforces the existing right to request the erasure of personal data that is no longer necessary by including a “right to be forgotten.” It also introduces a right to data portability allowing individuals to transit and move personal data concerning them between providers.
  • Administrative fines: Supervisory authorities will be given significantly more powers to enforce compliance with the GDPR, including investigative, corrective, advisory and authorization powers. In addition, supervisory authorities will have the power to impose administrative fines of up to a maximum of €20 million or 4% of the data controller’s or data processor’s total worldwide global turnover of the preceding financial year, whichever is higher.

Next Steps

The GDPR will apply to all businesses in and outside Europe that deal with personal data of EU individuals. The GDPR will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all member states two years after this date, in spring 2018.

View the EU Parliament’s press release.

View the European Commission’s Joint Statement on the final adoption of the new EU rules for personal data protection.

Hunton & Williams’ Global Privacy and Cybersecurity practice lawyers also have released The EU General Data Protection Regulation, a Guide for In-House Lawyers. Download a copy.

Article 29 Working Party Releases Opinion on EU-U.S. Privacy Shield

On April 13, 2016, the Article 29 Working Party (the “Working Party”) published its Opinion on the EU-U.S. Privacy Shield (the “Privacy Shield”) draft adequacy decision. The Privacy Shield was created to replace the previous Safe Harbor framework invalidated by the Court of Justice of the European Union (“CJEU”) in the Schrems decision. The Working Party also published a Working Document on the justification for interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (European Essential Guarantees).


On October 16, 2015, the Working Party announced it would assess the consequences of the Schrems judgment with respect to all mechanisms permitting data transfers to the U.S. To this end, the Working Party inventoried and analyzed the jurisprudence of the CJEU related to Articles 7, 8 and 47 of the EU Charter of Fundamental Rights and the jurisprudence of the European Court of Human Rights related to Article 8 of the European Convention on Human Rights (“ECHR”) dealing with surveillance issues in states party to the ECHR. Following this assessment, the Working Party concluded that the requirements can be summarized in four European Essential Guarantees. The Working Document of the Working Party explains the background of the four European Essential Guarantees, and its Opinion on the Privacy Shield includes an assessment of these Guarantees for data transfers to the U.S.

In this respect, the Working Party recognized that the Privacy Shield is a significant improvement to the Safe Harbor framework and that many of the shortcomings of the Safe Harbor framework it had previously identified have been addressed by the Privacy Shield. However, the Working Party also stressed the overall complexity and lack of clarity regarding the new framework and expressed concerns with respect to both the commercial and national security aspects of the Privacy Shield.

Commercial Aspect of the Privacy Shield

With respect to the commercial aspects for data transfers from the European Union to the U.S., the Working Party has serious concerns regarding whether the Privacy Shield can ensure a level of protection that is essentially equivalent to that in the EU. In particular, the Working Party stated that the commercial part of the Privacy Shield requires further clarification on many points, including:

Data Retention
According to the Working Party’s Opinion, there is no express data retention principle mentioned in the Privacy Shield and a data retention principle cannot be clearly construed from the current wording of the Data Integrity and Purpose Limitation principle. This may give organizations the option to keep personal data as long as they wish, even after leaving the Privacy Shield, which is not in line with the EU data retention limitation principle.

Purpose Limitation
The Working Party noted that the scope of the purpose limitation concept is different under the (1) Notice, (2) Choice, and (3) Data Integrity and Purpose Limitation principles of the Privacy Shield and that there is some inconsistency among the terminology used in the three principles. According to the Working Party, it should be made clear that an organization cannot be authorized to process personal data for a purpose materially different (from the original purpose of processing) if the additional purpose is incompatible according to the Data Integrity and Purpose Limitation Principle.

Onward Data Transfers
The Working Party emphasized “that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles. In case of an onward data transfer to a third country, every Privacy Shield organisation should have the obligation to assess any mandatory requirements of the third country’s national legislation applicable to the data importer, prior to the data transfer. If a risk of substantial adverse effect on the guarantees, obligations and level of protection provided by the Privacy Shield is identified, the U.S. Privacy Shield organisation acting as a Processor (Agent) shall promptly notify the EU data controller before carrying out any onward transfer.” In which case, the latter should be “entitled to suspend the transfer of data and/or terminate the contract.” If the Shield organization is acting as a data controller, it “should not be allowed to onward transfer the data, as this would compromise its duty to provide the same level of protection” as under the Privacy Shield.

In this respect, the Working Party “recalls its position that if the EU data controller is aware of an onward transfer to a third party outside the U.S. even before the transfer to the U.S. takes place, or if the EU data controller is jointly responsible for the decision to allow onward transfers, the transfer should be considered as a direct transfer from the EU to the third country outside the U.S.,” in which case the EU Data Protection Directive applies instead of the Privacy Shield onward transfer principle.

The Working Party “concludes that onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to data processors (Agents).”

EU Individuals’ Right of Redress
The Working Party has concerns that, in practice, the new redress mechanism may prove to be too complex and difficult to use for EU individuals. In order to ensure effectiveness, the Working Party recommended that the Privacy Shield allow for EU data protection authorities to represent EU individuals (the data subjects) and act on their behalf or to act as an intermediary. “Alternatively, [the Privacy Shield] should contain specific jurisdiction clauses entitling data subjects to exercise their rights in Europe.

Other concerns and requests for clarification relate to the processing of HR and pharmaceutical data and how the Privacy Shield Principles are to be applied to data processors (Agents).

National Security Guarantees of the Privacy Shield

The Working Party had the two following major concerns with respect to national security guarantees:

  • Massive and indiscriminate collection of personal data originating from the EU is not fully excluded by the U.S. authorities.
  • The establishment of the Ombudsman as a new redress mechanism is welcomed. However, the powers and position of the Ombudsperson have not been fully defined, and the Working Party “is concerned that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.”

Conclusion and Recommendations

In light of the concerns expressed by the Working Party and its requests for clarification, the Working Party urged the European Commission to resolve these concerns, identify appropriate solutions to improve its draft adequacy decision, and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that offered by European data protection laws. To that end, the Working Party recommends, in particular, (1) to introduce a glossary of terms in the Privacy Shield F.A.Q., with definitions agreed upon by the EU and the U.S., and (2) to review the Privacy Shield shortly after the EU General Data Protection Regulation (“GDPR”) becomes effective to ensure that the higher level of data protection brought by the GDPR is reflected in the Privacy Shield. Finally, with respect to the annual joint review of the Privacy Shield, the Working Party recommended that the modalities of those joint reviews be agreed in advance of the first review.

Next Steps

The Opinion of the Working Party is non-binding and the European Commission could still proceed to finalize the adequacy determination. In this respect, the European Commission still needs to consult a committee composed of representatives of the EU Member States before issuing its final decision. In the meantime, the Chairwoman of the Working Party confirmed that data transfers to the U.S. may still take place under the existing data transfer mechanisms, EU Model Clauses or Binding Corporate Rules.

EU General Data Protection Regulation Approved by LIBE Committee

On April 12, 2016, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs voted to approve the EU General Data Protection Regulation (“GDPR”) by a 54-3 vote, with one abstention. The GDPR replaces Directive 95/46/EC, enacted in 1995, and will significantly change EU data protection laws.

This development clears the way for the European Parliament to rubber stamp the GDPR at a plenary session on April 14, 2016, completing the legislative process for adoption of the GDPR. The GDPR is expected to be published in the Official Journal of the European Union within the coming weeks. Companies will then have a two-year grace period to prepare for compliance following the date of publication.

European Commission Launches Public Consultation on e-Privacy Directive

On April 11, 2016, the European Commission launched a public consultation to evaluate and review Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector, also known as the e-Privacy Directive.

Technological advances and the advent of the EU General Data Protection Regulation (“GDPR”) have prompted the European Commission to review the e-Privacy Directive, which was last updated in 2009.

The review of the e-Privacy Directive has the following three main objectives:

  • Assessing the need to further update the e-Privacy rules, which implies assessing the need to broaden the scope of those rules. The e-Privacy Directive currently applies only to traditional telecom providers, and not to over-the-top service providers that provide communications services such as Voice over IP, instant messaging and emailing over social networks.
  • Ensuring consistency between the e-Privacy Rules and the future GDPR, including assessing any overlaps between the two (e.g., the notification of data security breaches) and ensuring more uniform implementation and consistent enforcement of the e-Privacy rules (e.g., applying the One-Stop Shop and consistency mechanisms of the GDPR to a new e-Privacy instrument, providing for specific fines in light of the GDPR, etc.).
  • Enhancing security and confidentiality of communications throughout the EU, which implies assessing the need for additional legal measures to enforce security obligations. This also implies reviewing the effectiveness of the existing rules, in particular the consent requirement for storing information, or accessing information already stored, on a user’s device (e.g., by facilitating users’ ability to consent by other means) and the list of exceptions to that consent requirement.

The reform of the e-Privacy rules was discussed at a stakeholder workshop organized by the European Commission in Brussels on April 12. The European Commission has encouraged all relevant stakeholders to respond to the consultation through the European Commission’s consultation webpage. The consultation will be open through July 5, 2016. The European Commission also announced that it will conduct a Eurobarometer survey on e-Privacy to determine how European citizens feel about their privacy and confidentiality as well as possible policy actions.

Nuclear Industry Pursues Aggressive Defense Against Cyber Threats

On March 30 through April 1, 2016, the 2016 Nuclear Industry Summit meetings took place in Washington D.C. In the nuclear industry, the issue of cybersecurity has grown steadily in importance over the past decade. This has been most apparent in the increasing attention and effort paid to cyber-based threats under the biennial Nuclear Industry Summit and its international meetings.

The 2016 Nuclear Industry Summit’s Working Group on Managing Cyber Threat identified five conclusion statements to guide its work on cybersecurity issues:

  • The threat of cyber attacks is substantial and continues to increase over time.
  • The threat encompasses not only sensitive nuclear information, but also Plant Control Systems managing and controlling the nuclear processes within nuclear facilities.
  • Developing robust defenses against cyber attacks is about more than meeting regulatory requirements.
  • Transparency must be promoted to ensure that the trust of the society is maintained.
  • The nuclear industry is advised to move from a culture of compliance to a culture of excellence in cybersecurity.

The Working Group’s report, issued in conjunction with the Nuclear Industry Summit’s meeting, elaborates upon these recommendations.

Hunton Releases 2016 EU General Data Protection Regulation Guide for In-House Lawyers

After much debate, the final version of the EU General Data Protection Regulation (“GDPR”) is expected to be adopted by the European Parliament this week and to take effect in early 2018. The GDPR will significantly change EU data protection law in several areas, affecting all businesses in the energy, financial, health care, real estate, manufacturing, retail, technology and transportation industries, among others. To assist in-house lawyers and privacy professionals with understanding the new GDPR and planning ahead for implementation, Hunton & Williams’ Privacy and Cybersecurity practice lawyers have released The EU General Data Protection Regulation, a Guide for In-House Lawyers covering these strategic areas:

  • jurisdiction and territorial scope
  • enforcement, sanctions and penalties
  • supervisory authorities
  • accountability
  • notices
  • privacy by design and by default
  • profiling
  • data breach reporting
  • obligations of processors
  • processing conditions
  • anonymization and pseudonymization
  • cross-border data transfers
  • binding corporate rules
  • seals, certifications and codes of conduct
  • other areas remaining unharmonized

Download a free copy of the guide.

Hunton & Williams Launches Cyber and Physical Security Task Force

Team helps companies devise legal strategies to enhance security and mitigate threat risk.

On April 4, 2016, Hunton & Williams LLP announced the formation of a Cyber and Physical Security Task Force to assist companies in minimizing the risks and consequences of a serious security incident. The task force is being led by global privacy and cybersecurity head Lisa Sotto, cybersecurity partner Paul Tiao, and energy partner Kevin Jones, and includes lawyers from a wide range of practice groups within the firm.

“Companies everywhere are facing the unfortunate reality of increased cyber and physical security threats, and they must address these risks and safeguard mission-critical assets while also navigating an increasingly complex legal and policy environment,” said Lisa Sotto. “The creation of a dedicated, multidisciplinary task force will enable us to help clients address these evolving challenges even more effectively and comprehensively.”

“Operators of critical infrastructure can no longer rely on traditional programs and procedures for risk management and crisis response,” said Paul Tiao, who is a former Assistant U.S. Attorney and Senior Counselor for Cybersecurity and Technology to the Director of the Federal Bureau of Investigation. “They must engage in a comprehensive and coordinated form of planning, preparation and response that covers the entire life cycle of an incident, and addresses the associated legal, regulatory, policy and political issues,” added Tiao.

In launching the Cyber and Physical Security Task Force, Hunton & Williams is building on the success of its existing cybersecurity legal team. The task force will advise companies in all sectors on legal and regulatory compliance, cyber and physical security risk minimization, strategic engagement with key government agencies, comprehensive incident response, insurance coverage, and dispute resolution arising from law enforcement investigations, government enforcement actions, and private litigation.

Hunton & Williams is a pioneer in the security space, having launched its award-winning Global Privacy and Cybersecurity practice more than 15 years ago.

CVE-2016-1019 (Flash up to and Exploit Kits

Spotted in a "degraded" version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack, Adobe was really fast at fixing  this vulnerability with the patch released on the 2016-04-07 bringing Flash Player to version

It's not the first time a "0day" exploit is being used in a "degraded" state.
This happened before with Angler and CVE-2015-0310 and CVE-2014-8439

You'll find more details about the finding on that Proofpoint blog here :
"Killing a zero-day in the egg: Adobe CVE-2016-1019"
and on that FireEye blog here:
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit
Note : we worked with Eset, Kaspersky and Microsoft as well on this case.

Nuclear Pack :
2016-03-31 "Degraded"
Identification by  Eset, Kaspersky and FireEye (Thanks)
Exploit sent to Flash Player by Nuclear Pack on the 2016-03-31
CVE-2016-1019 inside

Sample in that pass:  301f163644a525155d5e8fe643b07dceac19014620a362d6db4dded65d9cad90
Out of topic example of payload dropped that day by that instance of Nuclear : 42904b23cff35cc3b87045f21f82ba8b (locky)

Note the string "CVE-2016-1001" in the Nuclear Pack, explaining why maybe this exploit is being used in a degraded state.

CVE-2016-1001 string spotted by Denis O'Brien (Malwageddon), the 2016-04-05 in Nuclear Pack exploit

Magnitude :
2016-04-02 "Degraded" to
Identified as is by FireEye
[2016-04-07: TrendMicro told me they found some hits for this exploit in Magnitude back from 2016-03-31 as well]

Magnitude exploiting Flash with CVE-2016-1019 the 2016-04-02 in the morning.
Payload is Cerber.

Side note : the check on the redirector in front of Magnitude ( ) which might have been fixed with the CVE-2015-2413 was in Magnitude landing itself from September to end of November 2015.
res:// onload check features unobfuscated at that time in Magnitude Landing 2015-09-29

Sample in that pass: 0a664526d00493d711ee93662a693eb724ffece3cd68c85df75e1b6757febde5
Out of topic payload: 9d92fb315830ba69162bb7c39c45b219cb8399dd4e2ca00a1e21a5457f92fb3c Cerber Ransomware

Note: I got successful pass with Windows 8.1 and Flash as well and Windows 10 build 1511 (feb 2016) via Flash on Internet Explorer 11. Edge seems not being served a landing.

2016-04-11 - "degraded" as well it seems. (at least didn't got it to work on Flash 21.x)
CVE id by @binjo and Anton Ivanov (Kaspersky)
Neutrino successfully exploit Flash with CVE-2016-1019
Fiddler : Sent to vt
Out of topic payload: 83de3f72cc44215539a23d1408c140ae325b05f77f2528dbad375e975c18b82e

Reading :
Killing a zero day in the egg : CVE-2016-1019 - 2016-04-07 - Proofpoint
CVE-2016-1019: A new flash exploit included in Magnitude Exploit Kit - 2016-04-07 -  Genwei Jiang - FireEye
Zero-Day Attack Discovered in Magnitude Exploit Kit Targeting CVE-2016-1019 in Older Versions of Adobe Flash Player - 2016-04-07 - Peter Pi, Brooks Li and Joseph C. Chen - TrendMicro

Hack Naked TV – April 7, 2016

This week Paul takes the place of Aaron Lyons who is busy fighting Ninja Lamas. Paul discusses Car future Malware, Ubuntu Patches Kernel Vulnerabilities, OSVDB Shuts Down For Good, Flash zero-day in the wild to be fixed by Adobe, and FBI: $2.3 Billion Lost to CEO Email Scams. Check out the Security Weekly Wiki for more information!

FTC Releases OECD’s Recommendation on Consumer Protection in E-Commerce

On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”

The OECD, an international forum founded in 1961 by a host of nations including the U.S., adopted the Recommendation to address new developments in technology and e-commerce that did not exist or were not consumer protection concerns when the first iteration of its e-commerce guidelines were released in 1999.

The Recommendation aims to address several privacy and consumer protection concerns, including:

  • Increased Use of Plain Language Disclosures. The OECD recommends adoption of requirements for e-commerce sellers to use a single language to use simple terms in consumer agreements and notices, and to avoid overly complicated language that does not clearly describe the terms. In particular, OECD expresses concern about (1) adaptability for all different platforms, including mobile devices, and (2) digital content product disclosures that would clearly state limitations on functionality and interoperability.
  • Reducing Privacy and Security Risks. The OECD’s recommendations include added protection for consumer data. The last several years have seen a rise in “free” digital content exchanged for access to personal data, which is often resold. Furthermore, consumer data is central to much of the business transacted online. The Recommendation highlights these privacy concerns and calls on governments to offer consumer redress for breaches relating to information gathered by such free services.
  • Increased Payment Protection. The OECD recognizes that payment protection levels largely depend on the payment mechanism (including mobile payments) and the service provider. Thus, the OECD recommends that governments work with inter-industry stakeholders “to develop minimum levels of consumer protection across payment mechanisms.”
  • Expansion of Product Safety Recommendations. The Recommendation attempts to provide some uniformity by encouraging governments to extend their product safety regulations beyond brick-and-mortar retail to e-commerce products.

EU Council Accelerates the Process for Adoption of the EU General Data Protection Regulation

On April 8, 2016, the Council of the European Union (the “Council”) will adopt its position on the EU General Data Protection Regulation (“GDPR”). The General Secretariat of the Council of the EU sent a Note (the “Note”) asking the Permanent Representatives Committee to use the “written procedure” to adopt the Council’s position. The adoption of the Council’s position was initially planned for a vote on April 21, 2016, during the next Justice and Home Affairs Council, but the Council has decided to expedite the process for adoption by using the “written procedure,” which is an exceptional procedure that does not include public deliberation.

The Note explains that “[g]iven the need to send the Council’s position at first reading to the European Parliament during its April I plenary, it will only be possible to adopt the Council’s position at first reading within this very short deadline via the written procedure, which would be launched on Thursday 7 April 2016 and would end on Friday 8 April 2016, at midday. Delegations’ attention is drawn to the exceptionally short duration of this written procedure.”

Next Steps

Once adopted, the Council’s position will be sent to the European Parliament, which will acknowledge receipt during the next plenary session that will take place on April 11-13, 2016. Then, the Parliament’s Civil Liberties Committee (“LIBE”) will vote on a recommendation to Parliament regarding acceptance of the Council’s position. The LIBE recommendation will be used as a basis for the Parliament’s adoption of the GDPR in one of the upcoming plenary meetings.

Data Protection Law Passes Turkish Parliament

On March 24, 2016, the Grand National Assembly of Turkey approved the Law on Personal Data Protection, which is Turkey’s first comprehensive data protection legislation. The law will become effective once it is ratified by Turkey’s President and published in the Official Gazette of the Republic of Turkey.

Key provisions of the law include the following:

  • With limited exceptions, express consent is required to process personal data, defined as any information relating to an identified or identifiable living individual; or sensitive data, defined as personal data of a sensitive nature, including information relating to racial or ethnic origin, political opinions, religious beliefs, health, sexual life, criminal records, punitive measures and biometric data.
  • A legislative structure that includes a Data Protection Authority and a Data Controller Board.
  • Before actively processing data, data controllers must register with the Data Controller Registry (which will be established within six months of the law becoming effective).
  • Organizations and individuals that collect or store personal data must implement certain technical and administrative measures to protect data.
  • Data controllers are required to notify the newly-established Data Controller Board in the event of a data breach.
  • The Data Protection Authority will have the authority to impose fines of up to €300,000 and prison sentences of up to four years.

Once the law becomes effective, it will immediately apply to newly collected data, and data collectors will have two years to become compliant with respect to information collected prior to the law’s adoption.

Amended Tennessee Breach Notification Law Tightens Timing Requirement

On March 24, 2016, Tennessee Governor Bill Haslam signed into law S.B. 2005, as amended by Amendment No. 1 to S.B. 2005 (the “Bill”), which makes a number of changes to the state’s data breach notification statute, Tenn. Code § 47-18-2107. The amendments take effect on July 1, 2016.

The Bill:

  • Requires businesses and state agencies to notify affected individuals “immediately, but no later than 45 days from the discovery or notification of the breach, unless a longer period of time is required due to the legitimate needs of law enforcement.” Before the amendment, the statute required notification “in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement.”
  • Eliminates a provision from the statute which triggered notification obligations only where there had been access to, or acquisition of, unencrypted personal information. Under the Bill, notification obligations may be triggered even where the accessed or acquired data elements are encrypted.
  • Defines “unauthorized person” for purposes of triggering notification obligations, to specifically include “an employee of the [business or agency] who is discovered by the [business or agency] to have obtained personal information and intentionally used it for an unlawful purpose.”