Monthly Archives: November 2016

HHS Announces HIPAA Settlement with UMass

On November 22, 2016, the Department of Health and Human Services (“HHS”)  announced a $650,000 settlement with University of Massachusetts Amherst (“UMass”), resulting from alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. 

On June 18, 2013, UMass reported to HHS’ Office for Civil Rights (“OCR”) that one of its computer systems at its Center for Language, Speech, and Hearing (the “Center”) had been infected by a malware program, resulting in the unauthorized disclosure of electronic protected health information (“ePHI”) of 1,670 individuals, including names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes. OCR investigated and discovered that:

  • As a “hybrid” entity, UMass failed to designate all of its health care components that fall within the scope of HIPAA, incorrectly determining that some components, including the Center where the breach occurred, were not covered components. Because UMass did not designate the Center as a covered health care component, UMass failed to implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rule.
  • UMass did not have firewalls in place to guard against unauthorized access to ePHI transmitted over an electronic communications network.
  • UMass did not conduct an accurate and thorough risk analysis until September 2015.

The resolution agreement requires UMass to pay $650,000 to OCR, which is reflective of the fact that UMass operated at a financial loss in 2015. The resolution agreement also requires UMass to enter into a Corrective Action Plan that obliges UMass to:

  • Conduct an enterprise-wide risk analysis, subject to approval by HHS, that evaluates the risks to ePHI on all of its electronic equipment, data systems and applications controlled, administered or owned by UMass or any UMass entity that contains, stores, transmits or receives ePHI.
  • Develop and implement an enterprise-wide risk management plan, subject to approval by HHS, to address and mitigate security risks and vulnerabilities identified in the risk analysis.
  • Revise its policies and procedures to comply with the HIPAA Privacy and Security Rules and submit those policies and procedures to HHS for approval.
  • Train staff who have access to ePHI on the revised policies and procedures.

OCR Director Jocelyn Samuels stated that “[e]ntities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

France Adopts Class Action Regime for Data Protection Violations

On November 19, 2016, the French government enacted a bill creating a legal basis for class actions against data controllers and processors resulting from data protection violations. The bill, which aims to facilitate access to justice for French citizens, establishes a general class action regime and includes specific provisions regarding data protection violations. These provisions go beyond the class action provisions already in place for consumers by adding, within the context of the French Data Protection Act of 1978 (“Loi Informatique et Libertés”), a right to class actions for data protection violations regardless of industry sector.

In practice, in accordance with the new law, class actions can now be initiated before civil or administrative courts in France when several individuals in a similar position incur damages resulting from a data controller’s or data processor’s infringement of its obligations under the French Data Protection Act of 1978. Although the new class action right does not allow individuals to seek financial compensation, it does allow litigants to obtain injunctive relief. This new class action framework for data protection, which follows the German example, will result in enhanced scrutiny of the information practices of companies operating in France and a brighter spotlight on those companies that fail to comply with data protection law. Together with the changes to French data protection law ushered in by the recent Digital Republic Bill, the French government is sending a clear signal to companies regarding the importance of data protection as the compliance deadline for the GDPR approaches.

UK Information Commissioner Confirms Forthcoming Regulatory Guidance on GDPR

On November 21, 2016, against the backdrop of the EU General Data Protection Regulation (“GDPR”) and Brexit, UK Information Commissioner Elizabeth Denham delivered a keynote speech at the Annual Conference of the National Association of Data Protection and Freedom of Information Officers. During the address, Denham discussed the UK ICO’s ongoing preparations for the GDPR, reiterating the government’s position that the GDPR will be implemented in the UK. 

Denham confirmed that the first regulatory guidance on priority areas of the GDPR will be published by the Article 29 Working Party (the “Working Party”) before the end of 2016. This guidance will address a number of key aspects of the GDPR, including the role of the Data Protection Officer, the new right to data portability and how to identify an organization’s main establishment and lead supervisory authority. Furthermore, Denham confirmed that the Working Party is also developing guidance for publication in February 2017 regarding the concept of risk under the GDPR and carrying out Data Privacy Impact Assessments. The Working Party is also working on guidance regarding certifications under the GDPR, but Denham provided no further detail or timeframe for publication of that guidance. Beyond regulatory initiatives at the EU level, Denham also confirmed that the UK ICO is currently working on a revised version of its guidance on Big Data, which is expected to be published by the end of 2016, as well as guidance on consent and profiling, which is expected to be completed by the end of January 2017.

Hack Naked News #102 – November 29, 2016

WordPress security gets another black mark, free transit rides for all in San Francisco, routers are hacked again, NTP is vulnerable, why buy when you can rent....a botnet, that is, backdooring Android, and a popular porn site is the victim of a data breach. Stay tuned!

Take the Security Weekly Survey:

Full Show Notes:


Merkel Calls for Balanced Approach to Data Protection Regulation

Recently, German Chancellor Angela Merkel spoke at Germany’s 10th National IT Summit, and called for EU Member States to take a pragmatic approach to the application of EU data protection laws. Chancellor Merkel warned that a restrictive interpretation of data protection laws risks undermining the development of big data projects in the EU. Ahead of the introduction of the General Data Protection Regulation throughout the EU in May 2018, Merkel argued that, more than simply preventing the excesses of personal data use, data protection law should serve to enable emerging data developments. Chancellor Merkel’s comments are significant given that Germany typically has taken a hard-line approach to data protection law interpretation and enforcement, particularly with respect to data minimization requirements that can pose challenges to big data developments in the digital economy.

Dutch Court Decides WhatsApp Data Protection Case

On November 23, 2016, Bloomberg BNA reported that the Hague Administrative Court in the Netherlands upheld a decision by the Dutch Data Protection Authority that WhatsApp was in breach of the Dutch Data Protection Act (the “Act”) on account of its alleged failure to identify a representative within the country responsible for compliance with the Act, despite the processing of personal data of Dutch WhatsApp users on Dutch smartphones. WhatsApp reportedly faces a fine of €10,000 per day up to a maximum of €1 million.

Toolsmith – GSE Edition: Scapy vs CozyDuke

In continuation of observations from my GIAC Security Expert re-certification process, I'll focus here on a GCIA-centric topic: Scapy. Scapy is essential to the packet analyst skill set on so many levels. For your convenience, the Packetrix VM comes preconfigured with Scapy and Snort, so you're ready to go out of the gate if you'd like to follow along for a quick introduction.
Scapy is "a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more." This includes the ability to handle most tasks such as scanning, tracerouting, probing, unit tests, attacks or network discovery, thus replacing functionality expected from hping, 85% of nmap, arpspoof, tcpdump, and others.
If you'd really like to dig in, grab TJ O'Connor's  Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers (you should already have it), as first discussed here in January 2013. TJ loves him some Scapy: Detecting and Responding to Data Link Layer Attacks is another reference. :-)
You can also familiarize yourself with Scapy's syntax in short order with the SANS Scapy Cheat Sheet as well.
Judy Novak's SANS GIAC Certified Intrusion Analyst Day 5 content offers a nice set of walk-throughs using Scapy, and given that it is copyrighted and private material, I won't share them here, but will follow a similar path so you have something to play along with at home. We'll use a real-world APT scenario given recent and unprecedented Russian meddling in American politics. According to SC Magazine, "Russian government hackers apparently broke into the Democratic National Committee (DNC) computer systems" in infiltrations believed to be the work of two different Russian groups, namely Cozy Bear/ CozyDuke/APT 29 and Fancy Bear/Sofacy/APT 28, working separately. As is often the case, ironically and consistently, one the best overviews of CozyDuke behaviors comes via Kaspersky's Securelist. This article is cited as the reference in a number of Emerging Threats Snort/Suricata rules for CozyDuke. Among them, 2020962 - ET TROJAN CozyDuke APT HTTP Checkin, found in the trojan.rules file, serves as a fine exemplar.
I took serious liberties with the principles of these rules and oversimplified things significantly with a rule as added to my local.rules file on my Packetrix VM. I then took a few quick steps with Scapy to ensure that the rule would fire as expected. Of the IOCs derived from the Securelist article, we know a few things that, if built into a PCAP with Scapy, should cause the rule to fire when the PCAP is read via Snort.
  1. CozyDuke client to C2 calls were over HTTP
  2. Requests for C2 often included a .php reference, URLs included the likes of /ajax/index.php
  3. was one of the C2 IPs, can be used as an example destination IP address
The resulting simpleton Snort rule appears in Figure 1.

Figure 1: Simple rule
To quickly craft a PCAP to trigger this rule, at a bash prompt, I ran scapy, followed by syn = IP(src="", dst="")/TCP(sport=1337, dport=80, flags="S")/"GET /ajax/index.php HTTP/1.1", then wrote the results out with wrpcap("/tmp/CozyDukeC2GET.pcap", syn), as seen in Figure 2.

Figure 2: Simple Scapy
Then a quick run of the resulting file through Snort with snort -A console -q -K none -r /tmp/CozyDukeC2GET.pcap -c ../etc/snort.conf, and we have a hit as seen in Figure 3.

Figure 3: Simple result

Scapy is ridiculously powerful and is given no justice here, hopefully just enough information to entice you to explore further. With just the principles established here, you can see the likes of options to craft and manipulate with ls(TCP) and ls(IP).
Figure 4: ls()

If you're studying for the likes of GCIA or just looking to improve your understanding of TCP/IP and NSM, no better way to do so than with Scapy.
Cheers...until next time.

Winner at the Great British Entrepreneur Awards 2016

I am thrilled to have won the Great British Entrepreneur of the Year Award for cyber security at a gala event at the Lancaster Hotel in London last night. Thanks to the judges for selecting us ahead of finalists from companies such as Sophos, DarkTrace, Becrypt and others.

Cybercrime Surges in Q3

young man with glasses sitting in front of his computer, programming. the code he is working on (CSS) can be seen through the screen.

PandaLabs Q3 Report indicates that incidences of cybercrime continue to increase, with 18 million new malware samples captured this quarter – more than 200,000 samples daily.

The Quarter at a Glance

Cybercrime continues to grow at an exponential rate, fuelled by the opportunity for large financial rewards.

Hackers have taken to developing new variants of successful Ransomware such as Locky, and the development of a model known as Ransomware-as-a-Service (RaaS), whereby developers create Ransomware for distributors, these distributors then target and infect victims – allowing both parties to achieve greater profits.

Another key development was the occurrence of DDoS attacks. Most natably that of Cyber Security journalist Brian Krebs. Krebs exposure of vDoS lead to the arrest of its key members and subsequently made Krebs’ site the target of a massive DDoS attack that saw Google step in to restore the site. As one of the largest attack of its kind, hackers leveraged IoT devices to send 620GB of data per second – at its peak – to the site.
This quarter cyber-attacks targeted multiple gaming sites, gaining access to millions of users’ personal information. These attacks were largely launched using botnets composed of smartphones, and effected users of Overwatch, World of Warcraft and Diablo 3. Further attacks saw more than 3.5 million users exposed when Dota 2 and mobile game Clash of the Kings were targeted. These highlight just a few incidences in the Gaming world in the last 3 months.

The Banking sector remained a target for hackers as attacks on ATM’s, POS terminals and Bitcoin wallets continue to become more frequent and more advanced.

A Taiwanese ATM attack this quarter indicated just how advanced cybercriminals have become when they were able to hack the banks internal network and withdraw over R28 million without even touching the ATM itself.

Another big victim was Yahoo – one of the biggest attacks of its kind revealed this quarter indicated that 500 million user accounts had been comprised in a 2014 attack.

Finally, Q3 saw the largest Bitcoin robbery to date, when R 84 billion worth of Bitcoin was stolen by hackers.

View the full PandaLabs Q3 Report for more detail on specific attacks and find out how you can protect yourself and your business from the advanc

The post Cybercrime Surges in Q3 appeared first on

Hacking WPA Enterprise with Kali Linux

Admittedly, somewhat of a click-bait blog post title - but bear with us, it's for a good reason. Lots of work goes on behind the scenes of Kali Linux, tools get updated every day and interesting new features are added constantly. Most of these tool updates and feature additions go unannounced, and are then discovered by inquisitive users - however this time, we had to make an exception.

U.S. and APEC Leaders Reaffirm Implementation of the APEC CBPR

On November 20, 2016, the heads of state of the 21 member economies of the Asia-Pacific Economic Cooperation (“APEC”) forum reaffirmed the APEC Cross-Border Privacy Rules (“CBPR”) system in their Leaders’ Declaration at the APEC Leaders’ Meeting in Lima, Peru as follows: “We recall the APEC Leaders 2011 Honolulu Declaration and recognize the importance of implementing the APEC Cross-Border Privacy Rules System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR system.” The fact that the CBPR system is mentioned in the Leaders’ Declaration reflects its priority status on the APEC agenda.At the same meeting, Chinese Taipei announced its intention to join the CBPR system and that it will finalize its domestic review process to join the system in 2017.

The APEC CBPR system was initially endorsed by the APEC economies in the 2011 Leaders’ Declaration in Honolulu. The current participants in the system are the United States, Mexico, Canada and Japan. Last month, the U.S. and Japan held bilateral meetings in which they committed to stepping up their efforts to broaden the participation of additional APEC economies. Additional APEC economies are taking active steps to join, or are considering joining, the CBPR system in the near future.

During his press conference at the Leaders’ Meeting, President Obama personally reminded the audience of the CBPR by stating, “With regard to the digital economy, we endorsed rules to protect the privacy of personal information as it crosses borders.”

The 2016 APEC Ministerial Meeting in Lima that immediately preceded the Leaders’ Meeting also addressed the CBPR in the context of “Next Generation Trade and Investment Issues,” as follows: “We recognize the importance of the APEC Cross Border Privacy Rules System…and we support enhanced cooperation in this area, including through promoting capacity building.”

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Although in 2011, all 21 APEC economies endorsed the system in principle, in order to participate, individual APEC economies must officially join and satisfy certain requirements. More information about the CBPR system can be found at

CIPL Issues White Paper on the DPO’s Role under the GDPR

On November 17, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Ensuring the Effectiveness and Strategic Role of the Data Protection Officer under the General Data Protection Regulation (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the GDPR’s provisions relating to the role of the Data Protection Officer (“DPO”).

The White Paper was developed in the context of CIPL’s ongoing GDPR Implementation Project, a multi-year initiative involving research, workshops, webinars and white papers, supported by over 70 private sector organizations, with active engagement and participation by many EU-based data protection and governmental authorities, academics and other stakeholders.

The purpose of the White Paper is twofold: (1) to serve as formal input to the Article 29 Working Party’s work on developing further guidance on the proper implementation of the DPO role under the GDPR, which is expected to be finalized by the end of December; and (2) to provide guidance for companies that must comply with the GDPR’s DPO provisions by May 25, 2018 (i.e., the date the GDPR becomes effective).

The White Paper encourages a flexible and pragmatic implementation of the GDPR’s DPO provisions to ensure that they work for organizations of all sizes and types, from large multinational organizations to SMEs, start-ups, NGOs and public authorities. It identifies challenges posed by specific DPO requirements and proposes sensible interpretations and “best practices” for (1) implementing them and (2) maximizing the potential of the DPO to drive the dual goals of compliance and accountability on the one hand, and the strategic and beneficial use of data on the other.

The specific issues addressed in the White Paper include:

  • mandatory vs. non-mandatory DPOs;
  • processor DPOs;
  • EU-wide harmonization of DPO designation criteria;
  • sanctions for DPO violations;
  • personal liability;
  • DPO expertise, skills and certifications;
  • the DPO’s location;
  • internal, external and part-time DPOs;
  • the strategic and business enabling roles of the DPO and other non-compliance roles;
  • independence, protected status and reporting to the “highest management level”;
  • duties of secrecy and confidentiality;
  • proper and timely DPO involvement in data processing operations;
  • the DPO’s access to resources;
  • conflicts of interest; and
  • cooperation and consultation with DPAs and serving as a contact point for individuals.

Next, CIPL will issue a white paper on the roles of risk, high risk and Data Protection Impact Assessments under the GDPR, followed by a white paper on the roles of GDPR certifications, seals and marks. CIPL will address additional GDPR topics in the course of 2017.

Argentina DPA Issues New Regulation on International Transfer of Personal Data

On November 18, 2016, the Argentina Data Protection Agency (“DPA”) announced that it had issued DNPDP Disposition 60 –  a new regulation on international transfers of personal data (the “Regulation”). 

The Regulation approves two model forms for the international transfer of data – one for use with transfers to a data controller and another for use with transfers to a data processor, for rendering services. This model is based partly on the EU model; if the data controller wishes to use a different model, the controller must file a request for approval with the DPA within 30 days. The Regulation also lists countries that are considered “adequate” for purposes of cross-border data transfers, using the list of countries recognized as adequate by the EU.

This post will be updated as more information becomes available.

UK Parliament Approves Investigatory Powers Bill

On November 16, 2016, the UK Investigatory Powers Bill (the “Bill”) was approved by the UK House of Lords. Following ratification of the Bill by Royal Assent, which is expected before the end of 2016, the Bill will officially become law in the UK. The draft of the Bill has sparked controversy, as it will hand significant and wide-ranging powers to state surveillance agencies, and has been strongly criticized by some privacy and human rights advocacy groups. 

The Bill was initially proposed by the current UK Prime Minister, Theresa May, during her previous tenure as UK Home Secretary. The Bill allows intelligence and law enforcement agencies to require telecommunications service providers to retain and hand over communications data. Telecommunications service providers also will be required to store individuals’ browsing histories over the previous year in real time, and submit bulk datasets to intelligence services and law enforcement agencies where those agencies have obtained a warrant from the Secretary of State. The Bill also will permit both targeted and bulk equipment interference (i.e., obtaining data from an electronic device) by intelligence services and law enforcement agencies where authorized by a lawfully-issued warrant.

The Bill’s entry into law could potentially complicate Brexit negotiations between the UK and EU with regard to privacy and data protection issues. Revelations that U.S. intelligence agencies engaged in bulk surveillance practices similar to those contemplated by the Investigatory Powers Bill ultimately led to the demise of the U.S.-EU Safe Harbor data transfer framework. With the UK planning its exit from the EU, the Investigatory Powers Bill could create similar issues for the UK in the context of negotiating a cross-border data transfer framework with the EU.

FINRA Fines Brokerage Firm $650,000 After Cyber Attack

On November 14, 2016, Lincoln Financial Securities Corp. (“LFS”), a subsidiary of Lincoln Financial Group, entered into a settlement (the “Settlement”) with the Financial Industry Regulatory Authority (“FINRA”), requiring LFS to pay a $650,000 fine and implement stronger cybersecurity protocols following a 2012 hack into its cloud-based server.

In 2012, hackers with foreign IP addresses accessed LFS’s cloud server and stole confidential records of approximately 5,400 customers. The stolen records included account applications and other brokerage records containing customers’ nonpublic personal information, including Social Security numbers. LFS timely notified affected individuals and FINRA about the breach and, to date, there is no evidence of any misuse of customer information resulting from the theft. In the Settlement, however, FINRA alleged that LFS failed to implement and maintain adequate cybersecurity procedures, including written supervisory procedures, designed to protect confidential customer information stored on electronic systems in violation of FINRA Rules 3110 and 2010. FINRA alleged that when LFS began storing records on cloud-based servers in 2011, LFS failed to ensure that the third-party vendor retained to configure the cloud system properly installed antivirus software or data encryption for the confidential information, and that this failure led to the 2012 hack.

Under the terms of the Settlement, LFS will pay a $650,000 penalty to FINRA. In addition, LFS is required to review its written supervisory procedures and security systems and implement all necessary changes to enhance security. LFS previously was fined $450,000 by FINRA in 2011 for failing to establish adequate procedures to protect confidential customer information stored on its web-based electronic portfolio management system.

Hack Naked News #100 – November 16, 2016

Chinese company installed secret backdoor on hundreds of thousands of phones, hacking team back for your Android, major linux holes gapes open, and much more, here on Hack Naked News!

Full Show Notes:

Take the Security Weekly Survey:

Visit to get all the latest episodes!

NIST Issues Guidance on Cybersecurity for Internet-Connected Devices

On November 14, 2016, the National Institute of Standards and Technology (“NIST”) published guidance on cybersecurity for internet-connected devices, Systems Security Engineering: Considerations for A Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems (the “Guidance”). Citing “the continuing frequency, intensity, and adverse consequences of cyber-attacks,” the Guidance “addresses the engineering-driven perspective and actions necessary to develop more defensible and survivable systems.”

The Guidance emphasizes the importance of engineering Internet-connected devices such that security systems are directly built into the design and manufacturing processes. The Guidance outlines steps at each phase of the engineering process that may improve cybersecurity functions, more effectively identify stakeholder assets and protection needs, and reduce risk by building “trustworthy secure systems capable of protecting stakeholder assets.” According to the Guidance, “[t]he objective is to address security issues from a stakeholder protection needs, concerns, and requirements perspective and to use established engineering processes to ensure that such needs, concerns, and requirements are addressed with appropriate fidelity and rigor, early and in a sustainable manner throughout the life cycle of the system.”

The Guidance is voluntary and was drafted to allow for organizational flexibility in implementing security solutions from an engineering perspective. Although the target audience for the Guidance is systems engineers, the Guidance states that cybersecurity analysts, government agencies and private sector entities may benefit from the materials as well.

Russia Set to Block Access to LinkedIn

This post has been updated. 

On November 10, 2016, the Court of Appeal for Moscow’s Taginsky District upheld an August 2016 decision by the district’s lower court that LinkedIn had violated Russian data protection laws. Access to the professional networking site is now set to be blocked across Russia.

The court’s decision, which followed a complaint from the Russian data protection regulator, Roskomnadzor, found that LinkedIn violated Russian data protection law on two counts:

  • not storing data about Russians on servers located in Russian territory; and
  • processing information about individuals who are not registered on the LinkedIn website and who have not signed the company’s user agreement.

This is thought to be the first time Russia’s data localization law has been enforced since its entry into force in September 2015. The law requires that data relating to Russian citizens be stored on servers physically located inside Russia’s borders. Although LinkedIn does not have a physical presence in Russia, it operates a Russian-language version of its website, which was enough to convince Roskomnadzor and the court that the company is subject to Russian data protection legislation.

Media reports have cited Roskomnadzor’s claim that it contacted LinkedIn to inquire about its data localization practices, but did not receive a substantive response. LinkedIn, however, has argued that Roskomnadzor communicated with its U.S. office instead of LinkedIn Ireland, the entity responsible for the data of non-U.S. citizens. LinkedIn is reportedly eager to enter into dialogue with Roskomnadzor to find a solution to the issue, and also has the option to appeal the decision to the Russian Supreme Court.

Roskomnadzor has the power to block Russian individuals’ access to websites, and has stated that it plans to block access to LinkedIn. The site will be entered into a special registry of websites operating in violation of the data localization law, and will be blocked three business days after being entered into the registry.

UPDATE: On November 17, 2016, the Russian data protection regulator, Roskomnadzor, officially blocked access to LinkedIn for its alleged violation of Russian data protection law.

Startup Security Weekly #16 – I’m Not Paul

Michael is joined by Joshua Marpet and Scott Lyons to talk about their experience building and supporting security startups. In the news, Owler's Cryptzone profile, Illumio releases new templates that offer better security, and why the top entrepreneurs are seeking corporate venture money. Stay tuned!

Adobe Settles Multistate Data Breach Enforcement Action

On November 7, 2016, Adobe Systems Inc. (“Adobe”) entered into an assurance of voluntary compliance (“AVC”) with 15 state attorneys general to settle allegations that the company lacked proper measures to protect its systems from a 2013 cyber attack that resulted in the theft of the personal information of millions of customers. Under the terms of the AVC, Adobe must pay $1 million to the attorneys general and implement new data security policies and practices.

The AVC stems from a 2013 breach of one of Adobe’s public-facing servers that allowed an attacker to steal data from Adobe’s network. The stolen data included names, addresses, telephone numbers, usernames, email addresses, encrypted and unencrypted passwords, plain text password hints and encrypted payment card numbers and expiration dates. Adobe notified more than 3.1 million customers whose credit or debit card information was stolen, and nearly 33 million active users whose passwords were stolen.

Led by Connecticut Attorney General George Jepsen, the state attorneys general alleged that Adobe failed to (1) employ reasonable security measures to protect its systems from attack and the unauthorized exfiltration of personal information, and (2) promptly detect and respond to unauthorized activity on its network. According to the AVC, these failures contradicted Adobe’s representations to customers that it took reasonable steps to protect their personal information.

In addition to the $1 million fine, the AVC requires Adobe to review, at least twice per year, its existing internal security policies and procedures and amend them where necessary. Adobe also must implement other data security measures, including segregating payment card information from access by public-facing servers, employing tokenization for merchant ID payment card numbers, performing ongoing risk assessments and penetration testing, and training employees on security policies.

Privacy Blog Nominated – Vote to Help Us Win!

Only Three Days Left to Vote!

Hunton & Williams LLP is proud to announce our Privacy & Information Security Law Blog has been nominated in The Expert Institute’s 2016 Best Legal Blog Contest for Best AmLaw Blog of 2016. From all of the editors, lawyers and contributors that make our blog a success, we appreciate your continued support and readership, and ask that you please take a moment to vote for our blog!

The Privacy & Information Security Law Blog was ranked as the #1 Privacy & Data Security blog in LexBlog’s 2015 AmLaw 200 Blog Benchmark Report, and named PR News’ Best Legal PR Blog in 2011. It was noted that the “privacy blog influences global privacy and data security developments.”

Click to vote.

Tesco Bank Hack Illustrates Need for Robust Cyber Insurance

As reported on the Insurance Recovery blog, earlier this week, retailer Tesco Plc’s (“Tesco”) banking branch reported that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss still is being investigated by UK authorities, but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that cyber-related losses are a real threat to retailers and other industries. According to reports, Tesco spent £500 million (approximately $618 million) building up its technology platform over the past seven years. Even that very substantial expenditure was not enough, however, to prevent the recent hack, illustrating the need for robust cyber insurance as a component of any comprehensive cyber protection program.

CIPL and AvePoint Release Global GDPR Readiness Report

On November 9, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP and AvePoint released the results of a joint global survey launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The GDPR replaces Directive 95/46/EC and will become applicable in May 2018.

The impetuses for the survey were the many significant changes the GDPR will bring to companies’ management and processing of personal data, their privacy compliance programs and their IT systems and infrastructure. CIPL and AvePoint decided to collaborate on this survey to help stakeholders understand the relevant, upcoming challenges and assist organizations in preparing for the implementation of the GDPR.

The survey questions focused on the GDPR topics most relevant to everyday business and compliance concerns. The survey received 233 responses from predominantly multinational organizations, of which 93 percent operate in Europe, more than half operate in the U.S. and less than half operate in South America and Asia. Telecommunication and technology companies were the most represented respondents, followed by insurance and financial services companies, as well as pharmaceutical and healthcare companies. The survey respondents were a mix of both data controllers and data processors, with 57 percent controllers and 43 percent processors. Finally, respondents’ annual revenue size ranged from less than $1 million to more than $100 billion.

The survey results reveal that most respondents have started to assess the impact of the GDPR on their operations, devise company-wide implementation plans and evaluate the need for additional resources. The survey results showed the following key trends:

  • GDPR Impact: Respondents believe that the GDPR requirements that will have the largest impact on their organizations include the requirement to implement a comprehensive privacy management program and obligations with respect to processor contracts, data security and breach notification. As expected, senior management is most concerned about the GDPR’s enhanced sanction regime and the data breach notification requirements, as well as how the GDPR will impact their data strategy and ability to use data.
  • GDPR Readiness: Respondent organizations appear to be in varying stages of preparation for the GDPR. Most have appointed a data protection officer (“DPO”), and many are either increasing resources in preparation for the GDPR’s implementation or are in the process of considering additional resources to meet the increased obligations.
  • Consent and Legitimate Interest: At present, respondent companies rely heavily on the consent of individuals for the processing of their personal data, but results show that only a minority of respondents would be able to meet the enhanced requirements for consent under the GDPR using their current methods. Almost one-third of respondent organizations say that once the GDPR is implemented, they will rely more on the legitimate interest for processing legal basis than they currently do.
  • Data Privacy Impact Assessment (“DPIA”) and Privacy by Design: The majority of respondent organizations already carry out, or are preparing to carry out, DPIAs in the circumstances required by the GDPR. More than 36 percent of those organizations have a framework to identify risks to individuals, while another 36 percent are working on developing such a framework. The vast majority of respondent companies tend to incorporate privacy and security by design into the development of new products and services regularly or some of the time.
  • Controller/Processor Relationships and Agreements: A majority of respondent organizations’ standard processing agreements already reflect some of the new GDPR requirements. Only 32 percent of respondent organizations are currently undertaking a review or renegotiation of their processing agreements. Apart from the contractual requirements, processors will be most impacted by the GDPR requirement to document all data processing activities and adhere to the restrictions on data transfers outside the EU.
  • Data Transfers Outside the EU: Respondent organizations currently appear to use a wide variety of mechanisms for transfers of employee, customer and vendor data. According to the responses, most will continue to do so after the GDPR is implemented. The most popular mechanisms currently used are, in descending order: Model Contracts, consent, the legal basis of necessity and the EU-U.S. Privacy Shield. Once the GDPR is implemented, in addition to Model Contracts, there is expected to be an increase in the use of Binding Corporate Rules, the legitimate interest for processing derogation and the EU-U.S. Privacy Shield.
  • Data Breach Notification: The majority of respondent companies currently have a procedure for reporting breaches, as well as an internal response plan and team. This will help them comply with the new requirements to notify data protection authorities and affected individuals after a breach. Only a minority of respondents, however, conduct “dry runs” of their breach notification plans, maintain cyber insurance or retain public relations and forensic experts.
  • Compliance Technology Tools and Software: Currently, respondent organizations do not appear to widely use, or have access to, technology tools and software to aid with data privacy compliance tasks. Only a minority of respondents use technology to automate and industrialize their DPIAs, data classification and tagging policies, data processing inventories and delivery of the new data portability right.
  • Company-wide Approach to GDPR Implementation: Because of the interdependencies among data privacy compliance, IT systems and infrastructure, and organizations’ data strategy, GDPR implementation should be a company-wide change management program, which includes a concerted effort by senior leadership, including DPOs, CISOs, CIOs, CDOs and GCs.

FinCEN Issues Advisory on SAR Reporting Obligations Involving Cyber Crime

On October 25, 2016, the United States Department of Treasury’s Financial Crimes Enforcement Network (“FinCEN”) issued an advisory entitled Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime (the “Advisory”), to help financial institutions understand how to fulfill their Bank Secrecy Act obligations with regard to cyber events and cyber-enabled crime. The Advisory indicates that SAR reporting is mandatory for cyber events where the financial institution “knows, suspects or has reason to suspect a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions….” Implementing this new guidance will require increased collaboration between AML and cybersecurity or IT departments in large institutions, and may create challenges for smaller banks that are more likely to outsource their cybersecurity functions.

Reporting Cyber-Enabled Crime and Cyber Events

In addition to maintaining cyber-related SAR-filing obligations stipulated by their functional regulator, financial institutions are mandated to report suspicious “cyber events” or “cyber-enabled crime” involving or aggregating $5,000 or more in funds or other assets and conducted or attempted by, at or through the institutions. The key terms are defined as follows:

  • Cyber Event: An attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources or information.
  • Cyber-Enabled Crime: Illegal activities (e.g., fraud, money laundering, identity theft) carried out or facilitated by electronic systems and devices, such as networks and computers.

Illustrative examples provided in the Advisory indicate that the value of a cyber event to be noted in the SAR (and used to trigger the $5,000 threshold) is the amount of customer funds at risk based on the information targeted by the intrusion. Banks also are encouraged to voluntarily report “egregious, significant, or damaging cyber events and cyber-enabled crime” that may not require the filing of an SAR, such as an attack that disables an institution’s online banking services for a significant period but does not pose any risk to transactions. FinCEN states that such SAR reporting is highly valuable to law enforcement investigations even though the intelligence does not relate to specific transactions.

Read the full client alert.

IAPP Europe Data Protection Congress 2016

Join us at the International Association of Privacy Professionals (“IAPP”) Data Protection Congress in Brussels, November 9-10, 2016. Hunton & Williams privacy professionals will be featured speakers in the following sessions:

  • Addressing Risky Processing Under the GDPR: A Practical Approach
    Thursday, November 10, 1:30 p.m.
    Speakers include: Bojana Bellamy, President, Centre for Information Policy Leadership at Hunton & Williams LLP; and Hilary Wandall, General Counsel and Chief Data Governance Officer, TRUSTe.
  • Benchmarking Global Readiness for the GDPR
    Thursday, November 10, 2:45 p.m.
    Speakers include: Bojana Bellamy, President, Centre for Information Policy Leadership at Hunton & Williams LLP; Knut Mager, Head of Global Data Privacy, Novartis; Dana Simberkoff, Chief Compliance and Risk Officer, AvePoint; and Florian Thoma, Senior Director, Data Privacy, Accenture.
  • To Shield or Not to Shield? That is the Question
    Thursday, November 10, 2:45 p.m.
    Speakers include: Aaron Simpson, Partner, Hunton & Williams; Geff Brown, Assistant General Counsel, Microsoft; Udo Oelen, Head of Department, Private Sector Supervision, Dutch DPA; and Marie-Charlotte Roques-Bonnet, Director, EMEA Privacy Policy, Microsoft.

In addition to these panels, stop by Booth 9 in the Exhibit Hall to learn more about Hunton & Williams’ Global Privacy and Cybersecurity practice and its Centre for Information Policy Leadership. Visit the IAPP website for more information and the full conference schedule.

Final Cybersecurity Law Enacted in China

On November 7, 2016, the Standing Committee of the National People’s Congress of China enacted the final Cybersecurity Law after it held its third reading of the draft Cybersecurity Law on October 31, 2016. The first draft of the Cybersecurity Law was published for comment more than a year ago, followed by the second draft in July this year. The final Cybersecurity Law will apply from June 1, 2017.

Under the Cybersecurity Law, the term “key information infrastructure” generally refers to information infrastructure maintained by certain industry sectors which would seriously jeopardize national security and the public interest should such infrastructures malfunction, or be subject to damage or data leakages. The relevant industry sectors include public communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs. The State Council will formulate the specific scope of “key information infrastructure” and the mandatory security protection measures that organizations that operate “key information infrastructure” will need to apply.

Operators of key information infrastructure are subject to a data localization requirement, under which they must retain, within the territory of China, critical and personal information which they collect and produce during their operations in China. They may still be able to transmit this information overseas, but only after undergoing and passing a security review. In addition, when operators of key information infrastructure procure network products or services that may affect national security, a national security inspection is required. Operators of key information infrastructure are also required to undergo a network safety assessment at least once a year.

With respect to the collection and use of personal information, the Cybersecurity Law reiterates the requirements of notice and consent and the principles of legitimacy, rightfulness and necessity. Network operators are prohibited from providing a data subject’s personal information to third parties without the data subject’s consent, except in cases where the personal information is irreversibly depersonalized such that the data does not identify particular individuals.

In addition, a data subject can request a network operator to delete their personal information if he or she discovers that its collection or use is in violation of the law or of a contract between the parties. A data subject can also request a network operator to correct any personal information that is inaccurate.

According to the Cybersecurity Law, network operators must provide technical support and assistance to public or national security agencies when conducting an investigation of a crime. Network operators are required to adopt technical measures to monitor and record their network operations, and to preserve related web logs for at least 6 months. Overseas entities or individuals that attack, invade, interfere with or destroy “key information infrastructure” in China will be subject to legal liability, and public security agencies in China may adopt sanctions against them, including freezing their assets.

The Cybersecurity Law also includes provisions regarding the punishment of cyber crimes, including cyber fraud and the online protection of minors.

Hack Naked News #99 – November 3, 2016

A popular cloud based website hosting company could become the next myspace, more powerful IoT botnet, browser vendors lack trust in 2CAs, and some, including myself about an election day hack. All that and more, so stay tuned!

Full Show Notes:

Take the Security Weekly Survey:

Visit to get all the latest episodes!

FTC Announces Settlement Over Illegal Telemarketing Calls

On November 1, 2016, the FTC announced that a group of entities known as the Consumer Education Group (“CEG”) settled FTC charges that, between late 2013 and 2015, it made millions of telemarketing calls, including pre-recorded robocalls, to consumers on the national Do Not Call (“DNC”) Registry, in violation of the Telemarketing Sales Rule (“TSR”).

The FTC’s complaint alleged that CEG created websites that allowed consumers to complete an online form to supposedly receive information about “solar panels, reverse mortgages, walk-in bathtubs and other products,” but in fact used the consumers’ names and phone numbers to call the consumers to gauge their interest in these products and then sell the information as leads to third-party merchants. More than two million calls were placed, including pre-recorded robocalls (illegal under the TSR, absent express written permission from the consumer), to consumers registered on the DNC Registry, in violation of the TSR.

The proposed order imposes on CEG a suspended $2,339,687 civil penalty, reflecting the revenue that CEG obtained through the illegal telemarketing. Due to its inability to pay the full amount, CEG will pay $100,000, but the full amount will become due if CEG is later found to have misrepresented its financial condition to the FTC. The proposed order also bars CEG from violating the TSR by, among other actions:

  • making outbound telemarketing calls to consumers registered with the DNC Registry unless they meet certain requirements;
  • making telemarketing calls to consumers who have asked CEG not to call again; and
  • making pre-recorded telemarketing robocalls to consumers absent consumers’ express written permission to do so.

The DOJ filed the complaint and proposed order on behalf of the FTC in the U.S. District Court for the District of Colorado.

UK Government Confirms Implementation of GDPR in UK

On October 24, 2016, the UK Secretary of State for Culture, Media and Sport confirmed that the UK will implement the EU General Data Protection Regulation (“GDPR”) by May 2018. The UK Information Commissioner, Elizabeth Denham, has officially welcomed this confirmation and said that the UK must stay on top of the continuing digital economy evolution. The Information Commissioner’s Office (“ICO”) will publish a revised timeline setting out what areas of guidance the ICO will be prioritizing over the next six months.

Questions regarding the continuing application of the GDPR after the UK has officially exited the European Union still remain, but the ICO has ensured consumers that they will work with government to provide advice and counsel.

UK High Court Rules Parliamentary Approval Required to Commence UK Exit from EU

On November 3, 2016, the High Court of England and Wales handed down its judgment in the case of R (on the application of Santos) v. Secretary of State for Exiting the European Union [2016] EWHC 2768 (Admin). This high-profile and closely followed case concerns the process that must be followed to trigger Britain’s exit from the European Union. In particular, the question before the court was whether the Prime Minister can wield her executive powers to trigger the exit or if she needs Parliamentary approval before doing so. In reaching its decision, the Court ruled in favor of the claimants, meaning that the Prime Minister does not have the power to trigger Britain’s exit from the European Union, but instead must first obtain Parliamentary approval.

Within hours of the decision, the UK Government confirmed that it intends to appeal the ruling, and the UK Supreme Court has set aside dates on December 7 and 8, 2016, to hear the appeal. Today’s High Court decision further complicates an already complex Brexit process, and at the very least is likely to slow down the plans for triggering Article 50, which had been anticipated to occur before March 2017.

China’s Cybersecurity Law Undergoes Third Reading

On October 31, 2016, the Standing Committee of the National People’s Congress of China held a third reading of the draft Cybersecurity Law (the “third draft”). As we previously reported, the second draft of the Cybersecurity Law was published for comment in June. The National People’s Congress has not yet published the full text of the third draft of the Cybersecurity Law.

According to the National People’s Congress of China’s website, under the third draft of the Cybersecurity Law, the term “key information infrastructures” generally refers to information infrastructures maintained by certain industry sectors which would seriously jeopardize national security and the public interest should such infrastructures malfunction, or be subject to damage or data leakages. The relevant industry sectors include public communication and information services, energy, transportation, water resources utilization, finance, public service and e-government affairs. Operators of such infrastructures would be subject to a prospective data localization requirement, and would be required to implement certain security protection measures. The State Council will formulate the specific scope of “key information infrastructures” and the required security protection measures.

The third draft also stipulates that overseas entities or individuals that attack, invade, interfere with or destroy Chinese “key information infrastructures” will be subject to legal liability, and China’s public security agencies may adopt sanctions against them, including freezing their assets.

In addition, the third draft includes provisions regarding the punishment of cybercrimes, including cyber fraud, and the online protection of minors.

CIPL Hosts Workshop on Transparency and Risk Assessment

On October 20, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP hosted a side workshop at the International Conference of Data Protection & Privacy Commissioners focused on transparency and risk assessment, entitled “The Role of Risk Assessment and Transparency in Enabling Organizational Accountability in the Digital Economy.” The workshop was led by Bojana Bellamy, CIPL’s President, and featured contributions from many leaders in the field, including the UK ICO, Belgium and Hong Kong’s Privacy Commissioners, and counsel and privacy officers from several multinational companies.

The workshop discussed several topics, including:

  • What are the real drivers for transparency?
  • How do we get beyond legal transparency?
  • How can real transparency best be delivered in a connected world where machines are learning faster than humans?
  • How should harms and benefits be identified for meaningful risk assessment?
  • What do regulators expect from “best practice” risk assessments?
  • How do regulators take risk mitigation into account?

Many ideas and insights were exchanged during the session and there was substantial consensus between regulators and businesses on a number of topics. There is a real danger that both transparency and risk management can end up as empty slogans, but the lively discussion probed beneath both concepts to come to a better understanding of how these concepts can contribute to organizational accountability in practice. For example, participants heard accounts of the efforts being made by companies like Google, Facebook, TRUSTe and Telefónica to understand and effectively implement transparency. Although legal obligations can stimulate companies’ efforts towards transparency, the real challenge is disseminating to users the right amount of information at the right time and in ways which can be easily understood and acted upon. The recent report from the Telefónica and CIPL roundtable on Reframing Data Transparency confirms the dangers of a growing gap between legal and user-centric transparency. The challenges are especially acute in observational and connected environments where personal information can be collected and used with little or no interaction with the data subject.

The Hong Kong, Belgian and UK privacy commissioners also discussed how they could use the tools at their disposal to incentivize best practices. For example, the new UK ICO Code on Privacy Notices seeks to draw the right balance between the “right time” disclosure and information overload, and provides examples of “good” and “bad” notices. In Hong Kong, the Privacy Commissioner has pioneered privacy education programs. Although information provided directly to consumers must be kept as simple and relevant as possible, participants agreed that proper accountability demands meaningful openness (often in considerably more detail) to intermediary players other than individual users – such as the media, certification and seal bodies, consumer organizations and, of course, data protection authorities.

With respect to risk management, participants agreed that many businesses struggle to shift their focus from risks and harms to their own businesses, to risks and harms to individuals. Stakeholders also must take into account benefits to individuals and society. It is important – especially as the EU GDPR comes into force – that there is maximum consistency across Europe and beyond about the interpretation, implementation and enforcement of a regulatory framework which is becoming increasingly risk-based.