Another State Strengthens Data Protection Laws: Colorado  

Just moments after compiling the latest updates for Arizona and Oregon, another data protection bill was signed! This time it was a Colorado bill signed into law by Governor John Hickenlooper. The bill will go into effect September 1, 2018.

Even now that there are 50 separate breach notification laws (plus US territories), state legislatures are continuing to change their laws to respond to widespread data breaches and address evolving technology.

Specifically, House Bill 1128, was one of three bills introduced during the 2018 Colorado legislative session looking to help consumers in the wake of high-profile data breaches affecting millions of customers. This bill passed unanimously in the legislature, signifying a bipartisan understanding that data security is a key issue for the State.

The other bills are (1) a noncontroversial bipartisan bill allowing guardians to freeze the credit reports of minors (which was signed by Gov. Hickenlooper); and (2) a bill allowing consumers to freeze their records if a company was hacked (which was defeated).

Some of the major changes under HB 1128 include:

  1. Data Disposal: HB 1128 creates more stringent requirements regarding the disposal of personal information, including a required written policy and specified methods of destruction. Note that with respect to the data disposal requirements, “personal identifying information” (PII) is defined to include a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device. This definition is not the same as the definition of “personal information” or “PI” in Colorado’s breach notification law.

  2. Personal Information: The definition of “personal information” (PI) has been expanded to include first name or first initial and last name in combination with student, military, or passport identification number, medical information, health insurance identification number, or biometric data. Personal information also includes a username or email address, in combination with a password or security questions and answers, that would permit access to an online account. Finally, PI includes a Colorado resident’s account number or credit/debit card number in combination with any required security code, access code or password that would permit access to the account. The full list of personal information is set out in the new House Bill 1128.

  3. Breach Notification Timeline: The timeline for notification has changed from “in the most expeditious manner possible and without unreasonable delay” to “not later than 30 days after the date of determination that a security breach has occurred”. Colorado and Florida are now the only two states that require notification of a security breach within the shortened timeframe of 30 days. And when Colorado and federal notification laws conflict, the amendment provides that “the law or regulation with the shortest time frame for notice to the individual controls.”

  4. Notification Content: The new amendment adds content requirements to the notification letter including (i) the date or estimated date range of the security breach; (ii) a description of the acquired personal information; (iii) a way for the resident to contact the organization, plus toll-free numbers, addresses, and websites for consumer reporting agencies (CRAs) and the Federal Trade Commission (FTC); (iv) a statement that the resident can obtain information from the FTC and CRAs about fraud alerts and security freezes; and (v) if the acquired data included a username or email address in combination with a password or security questions and answers for an online account, a statement directing the person to promptly change the password and security questions or answers, or take other steps appropriate to protect online accounts that use the same username or email address.

  5. Attorney General Notification: If notice of a security breach is made to 500 or more Colorado residents, the amendment adds a new requirement to notify the Colorado Attorney General within the same 30-day timeline.

  6. Encryption Safe Harbor Updates: The new amendment also requires disclosure when encrypted personal information is acquired together with an encryption key or other means to decipher the secured information. This adjustment mirrors many of the new breach notification clarifications on encryption.

  7. Security Requirements Added: Brand new security requirements are listed under Section 6-1-713.5. Specifically, covered entities must “implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.” The amendment also requires data owners, maintainers, and licensors to include appropriate security measures in contracts with third-party service providers that receive personal identifying information from the covered entity and that maintain, store, or process that data on behalf of the covered entity.

  8. New requirements for government entities: The amendment also adds new sections to Title 24 of the Colorado Revised Statutes that create obligations for government entities similar to those discussed above.

For questions about this update, or other evolving breach notification laws, you can contact our privacy and security professionals at cyberteam@eplaceinc.com.


Oregon Strengthens Existing Data Breach Notification Law


Originally passed in 2007, and amended in 2015, Oregon breach notification laws have once again been changed. This new update (SB 1551) was signed by Governor Kate Brown last month, and will take effect June 2, 2018.

While some of the most significant changes include statewide trending updates, like a more stringent notification timeline, there are plenty of changes to note.

Some of the major changes include:

  1. Application expanded: The amendment expanded the definition of “person” to individuals or entities that “own, license, or otherwise possess personal information” (where previously it only applied to those that “own or license personal information”).

  2. Duty to Notify: The duty to report is now also triggered if an entity receives notice of a breach from a third-party contractor that maintains such information on behalf of the company, such as a payroll service provider.

  3. Personal Information: The definition of “personal information” has been expanded to include “any other information or combination of information that a person reasonably knows or should know would permit access to the consumer’s financial account.” The full list of personal information that would trigger notification is set out in the new Senate Bill 1551.

  4. Breach Notification Timeline: The timeline for notification has changed from “in the most expeditious manner possible, without unreasonable delay” to “not later than 45 days after discovering or receiving notification of the breach of security”.

  5. Notification Content: Adding to the already extensive list of content requirements in a consumer notification (2015 amendment), an entity is now required to provide its own contact information to the affected party.

  6. Certain Security Freeze Charges Disallowed: Oregon will join a growing number of states that have prohibited credit reporting agencies from charging a fee to consumers for placing, temporarily lifting, or removing a security freeze on their credit reports, regardless of whether the consumer was a victim of identity theft.

  7. Credit Monitoring Condition Removed: The amendment also provides that if an entity offers credit-monitoring services or identity-theft prevention and mitigation services without charge to the consumer, the entity may not condition such services on receiving credit or debit card information from the affected consumer or on the consumer’s acceptance of a service provided by the person for a fee.

  8. Attorney General Notification: While the existing law already provided for notification to the Oregon Attorney General (AG) when a breach involves over 250 residents, the new amendment now requires that the entity provide the AG with at least one copy of the notice sent to consumers or to their primary or functional regulator.

  9. Security Requirements added: SB 1551 also amends ORS § 654A.622, which contains the Act’s information security and safeguard requirements.
     • The requirements now apply to any entity that “has control over or access to” personal information, in addition to those that “own, maintain, or otherwise possess” such information.
     • The specific information security safeguards under section (2)(d) have been thoroughly revised, providing more detailed security standards to proactively protect the personal information of Oregon residents.

As mentioned, the changes above will take effect June 2, 2018.

For questions about this update, or other evolving breach notification laws, you can contact our privacy and security professionals at cyberteam@eplaceinc.com.

Arizona Expands Data Breach Notification Law

Arizona joins the growing number of states to (among other changes) expand the definition of personal information and shorten the breach notification timeline.

On April 11, 2018, Arizona’s Governor signed into law House Bill 2154, which updates and strengthens the state’s existing data breach notification law.

Some of the major changes include:

  1. Personal Information: The definition of “personal information” has been expanded to include health insurance identification numbers, medical or treatment information, passport numbers, taxpayer identification numbers and unique biometric data used to authenticate an individual’s access to an online account. The full list of personal information that would trigger notification is set out in the new House Bill 2154.
     • Here’s where the new edits get tricky: The amended law also adds to the definition of “personal information” “an individual’s user name or e-mail address, in combination with a password or security question and answer, which allows access to an online account.” If this part of the definition is the only personal information compromised, the entity suffering the breach will satisfy the notification requirements by directing the individual to promptly change their password and security question or answer, as applicable, or to take other reasonable steps to protect his/her online accounts. If an individual’s email login credentials are breached, the entity will satisfy the notification requirement by merely requiring the individual to reset his/her password or security question and answer for that account. If the entity suffering the breach notifies the individual to change the password, it must also advise the individual to change the password anywhere the same password is used for other online accounts.

  2. Breach Notification Timeline: The timeline for notification has changed from “most expedient manner possible and without unreasonable delay” to “within 45 days after the determination” for notification to individuals, the Attorney General and the Consumer Reporting Agencies. While delay is still permitted for law enforcement investigations, this mirrors the trend of shortening notification timelines.

  3. Substitute Notice Provision: The amendment removes the previous requirement that a notification be sent to affected individuals via email as well as to major statewide media. The current language now stipulates that an entity is required to notify the Attorney General’s office in writing to demonstrate the reasons for substitute notice, in addition to posting a notice on the entity’s website for at least 45 days.

  4. Notification Content: The new amendment adds content requirements to the notification letter including (i) the approximate date of the breach, (ii) a brief description of the personal information exposed, (iii) the toll-free numbers and addresses for the three largest Consumer Reporting Agencies and (iv) the toll-free number, address, and website address for the Federal Trade Commission or any Federal agency that assists consumers with identity theft matters.

  5. Harm Threshold: Under the current statute, an entity is not required to notify affected individuals if a reasonable investigation determines that a breach has not occurred. With the amendments, an entity will also not be required to make the required notifications if an independent third-party forensic auditor or a law enforcement agency determines that a security system breach has not resulted in, or is not reasonably likely to result in, substantial economic loss to affected individuals.

  6. Additional Notice Requirements: The Attorney General and the Consumer Reporting Agencies must be notified in writing if the breach requires notification of more than 1,000 individuals.

  7. Penalty Cap: The Attorney General may impose up to $500,000 in civil penalties for knowing and willful violations of the law in relation to a breach or series of related breaches. The Attorney General is also entitled to recover restitution for affected individuals.

Separately, on April 3, 2018, the Governor signed Senate Bill 1163, which amends existing law to prohibit credit reporting agencies from charging a fee to a consumer for the placement, removal, or temporary lifting of a security freeze. It also prevents credit reporting agencies from charging fees for replacing a lost personal identification number or password.

Both amendments will become effective July 20, 2018.

For questions about this update, or other evolving breach notification laws, you can contact our privacy and security professionals at cyberteam@eplaceinc.com.


South Carolina First to Enact Insurance Data Security Act

Late last year, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (Model Law). The Model Law created cybersecurity requirements for insurers, agents and other licensed entities (Insurers) including maintaining an information security program with ongoing risk assessments, managing third-party service providers, investigating data breaches and notifying regulators of a cybersecurity event. The NAIC intended that states would either entirely adopt the Model Law or modify it at the state’s discretion.

On May 14, 2018, South Carolina became the first state to enact a version of the Model Law when the South Carolina Insurance Data Security Act (South Carolina Act) was signed. The South Carolina Act is similar to the Model Law and will be effective January 1, 2019.

What you need to know!

Mandatory Information Security Program

New York Reports 25% Increase in Data Breaches – What You Need to Know Now

Of all the things that are on the rise, data breach statistics should be of immediate concern to your organization. Recently, the New York Attorney General released “Information Exposed: 2017 Data Breaches in New York State” (Report). This Report highlights data breach statistics compiled from various data breach notices received by the state in 2017. The numbers are troublesome!

  • Organizations reported a record-breaking 1,583 breaches that exposed the personal records of 9.2 million New Yorkers (many as a result of the Equifax debacle). In 2016, the number of breaches was 1,281. That’s an increase of nearly 25%!
  • Hacking accounted for over 44% of breaches, up from 40% in the previous year.
  • In 73% of breaches, financial account information and Social Security numbers were exposed.
  • The majority of breaches affected one to nine people each (still too many), with about 75% of breaches affecting less than 100 people per breach (still unacceptable).

What You Should Do Now!

BLU Settles with FTC Over Privacy and Data Security Claims

Phone manufacturer BLU reached a settlement with the Federal Trade Commission (FTC) over allegations BLU allowed a Chinese third-party service to harvest user data without user knowledge or consent. This data harvesting was first brought to light in 2016, when security firm Kryptowire reported that BLU phones were sending information to China using software from Shanghai Adups Technology Company (ADUPS), a contracted third party of BLU.

What Data Was Harvested

According to the FTC’s press release, BLU contracted with ADUPS to issue security and operating system updates to BLU products. However, the BLU devices were also sending large amounts of data – more than BLU told its users – to ADUPS in China.

The harvested data included full text messages, location-tracking, call and text logs with corresponding phone numbers and contact lists, and a breakdown of applications installed on the BLU devices.

BLU’s Response

Canada’s Mandatory Breach Notification Takes Effect November 1

The Canadian government recently published a cabinet order laying out federal data breach reporting regulations through the Personal Information Protection and Electronic Documents Act (PIPEDA) and amendments. Similar to other breach notification requirements, these new regulations mandate that organizations that experience a “breach of security safeguards” notify all affected individuals, as well as the Privacy Commissioner and any other related organizations and governmental institutions. The order also includes fines of up to $100,000 (CAD) for noncompliance. These regulations will go into effect starting on November 1, 2018.


NIST Releases Version 1.1 of the Framework for Improving Critical Infrastructure Cybersecurity

On April 17th, just over four years after the initial version was released, the National Institute of Standards and Technology (NIST) released an updated version (1.1) of the Framework for Improving Critical Infrastructure Cybersecurity. The framework, developed under the Obama administration, was intended to be a voluntary, risk-based guide for improving cybersecurity infrastructure in the United States.

Framework Updates & Goals

Then-President Obama’s executive order pushed for the development of standards and practices to assist organizations within the financial, health care and energy fields, among others, to protect their data from a cyber-attack.

The Cybersecurity Framework has 3 components:

“Satan” Ransomware Uses Same Vulnerability as WannaCry

A “ransomware as a service” (RaaS) is available with a headline-ready name and is using EternalBlue to move through your network (similar to the BadRabbit ransomware).

Although this ransomware has been around since January 2017, it has grown and evolved, and recently has been using a recognizable exploit (EternalBlue) to spread through the network and encrypt files. Here is the “Satan” ransom note.

The ransom note above is in English, Chinese and Korean, and demands that the user pay 0.3 BTC. This threat follows a vulnerability that was identified last summer (MS17-010), and is a great example of how ransomware evolves. If you paid attention to the news and patched your systems, you should be good. But there is a critical mass of people who haven’t applied the patch, or hackers wouldn’t still be using EternalBlue as the heart of their exploit kit.

This new ransomware also uses DoublePulsar to perform command injection. DoublePulsar uses a flaw in the Windows kernel that lets it bypass every application-level protection and operate in the lowest-level code on the system, the code that interfaces directly with the hardware. At that level, privileges are effectively unlimited: code executing in kernel space can override every protection and permission check.

How to Protect Yourself:

  • Enable UAC
  • Enable Windows Update, and install updates (especially verify if MS17-010 is installed)
  • Install an antivirus, and keep it up-to-date and running
  • Restrict, where possible, access to shares (ACLs)
  • Create backups! (and test them)

How to Disinfect:

You may also want to verify that none of the following files or folders exist in your environment:

  • C:\sts.exe
  • C:\Cryptor.exe
  • C:\ProgramData\ms.exe
  • C:\ProgramData\client.exe
  • C:\Windows\Temp\KSession

Key Takeaway:

“Satan” is not the first ransomware to use EternalBlue (WannaCry, EternalRocks, PetrWrap), but it does appear that the hackers are continuously improving and adding features to their ransomware. Ransomware is evolving, and if you haven’t updated your system and applied patches, do so immediately! Prevention is always better and easier than disinfection/decryption.

If you have any questions about ransomware and how to protect your organization, you can contact our privacy and security professionals at cyberteam@eplaceinc.com.


Massachusetts Improves Patient Privacy with PATCH Act

Medical records and patient information are particularly sensitive topics for a lot of people.

Recently, Massachusetts Governor Charlie Baker signed into law the Protecting Access to Confidential Healthcare (PATCH) Act that extends privacy protection to cover the explanation of benefits (EOB) summaries mailed by health insurers.

Privacy Concerns of EOB Summaries

Health insurers regularly send out an EOB summary to the policy’s primary subscriber detailing the type and cost of medical care performed under the policy. Supporters of the PATCH act say EOB summaries violate HIPAA privacy rights of patients who are young adults, minors or spouses because their information is exposed to the primary subscriber through the EOB summary.