Online Privacy in Australia Takes a Major Hit. Who’s Next?

The latest law passed by Australian Parliament has outraged global privacy advocates. The Assistance and Access Bill (AA Bill) essentially allows Australian officials to access the content of end-to-end encrypted communications. While it may be an Australian law, global privacy advocates predict it will impact global privacy rights, and other countries may follow suit.

Here’s what you need to know. The most controversial parts of the AA Bill are the “frameworks for voluntary and mandatory industry assistance to law enforcement and intelligence agencies” that allow the Australian government to access encrypted communication content.

  • What does “industry assistance” mean?

It means the Australian government can force “designated communication providers” to use known capabilities to intercept communications or build a new interception capability.

  • Who is a “designated communication provider?”

In short, anyone who touches hardware, software, or data used in end-to-end communication, including online services like websites. Continue reading Online Privacy in Australia Takes a Major Hit. Who’s Next?

Agari Turns the Table on ‘London Blue’ Hacking Campaign

A hacker group known as “London Blue” has compiled a list of 35,000 chief financial officers, including some at the world’s biggest banks and mortgage companies, with the intent to target them with bogus requests to transfer money.

CFO-Targeting Phishing Campaign

The “London Blue” hackers are the latest group to specialize in “business email compromise” (BEC) campaigns, according to the cyber threat detection company Agari, which found a list of 50,000 targets, mostly accounting department employees.

This past July the FBI warned that this type of scam, where a chief financial officer is rushed into transferring money to an unknown account, is on the rise and had cost companies more than $12 billion since 2013; with the total number of victims reaching over 78,000. Continue reading Agari Turns the Table on ‘London Blue’ Hacking Campaign

OCR Announces Six-Figure HIPAA Settlement

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $125,000 settlement with Allergy Associates of Hartford, P.C., a three-physician allergy practice in Connecticut, for HIPAA Privacy Rule violations.

Alleged HIPAA Violation

According to OCR’s press release and corrective action plan, a patient of Allergy Associates contacted a reporter about a dispute between the patient and a doctor regarding the patient’s service animal. The reporter contacted the doctor for comment and the doctor was alleged to have impermissibly disclosed the patient’s protected health information to the reporter.

While the allergy practice had HIPAA policies and procedures in place, the physician did not adhere to the policies.  Further, once OCR uncovered the issue, it also found that the practice failed to sanction the physician involved in accordance with its policies. Continue reading OCR Announces Six-Figure HIPAA Settlement

Ransomware: A Crippling and Ever-Present Threat

Ransomware continues to cast a long shadow, dominating the cyberthreat landscape for small and medium-sized businesses (SMBs), according to a recent report from Datto.

Ransomware was the most common cyberattack experienced by SMBs in 2018, with companies facing these attacks more than viruses or spyware.

Datto’s Report

The report surveyed 2,400 managed service providers (MSPs) that provide IT support for roughly half a million SMBs worldwide. It found that ransomware attacks occur frequently and are, unsurprisingly, expected to increase.

More than 55% of those surveyed said their clients experienced a ransomware attack in the first six months of 2018, and 35% said their clients were attacked multiple times – often in the same day. 92% of MSPs said they predict the number of attacks will continue at current or increased rates. Continue reading Ransomware: A Crippling and Ever-Present Threat

Data in the Clouds: Cloud Storage Offers Businesses Flexibility & Convenience

Is on-premise storage a thing of the past? Is all storage inevitably moving to the cloud? If you’re in IT, you are no doubt keeping a close eye on the shift taking place in data storage infrastructure.

Organizations are increasingly adopting cloud storage options because they need more capacity, flexibility and a better way to manage storage costs. Additionally, many industries are taking advantage of remote-work options, giving their employees the ability to complete their tasks from home or while on the go.

It’s not surprising then that many businesses are supplementing their current storage with cloud data storage. Continue reading Data in the Clouds: Cloud Storage Offers Businesses Flexibility & Convenience

Survey Shows Data Breaches Lead to Poor Customer Retention

Data breaches are a common occurrence, with organizations large and small falling victim to online attackers. The impact of a data breach is not just the economic loss of data; a breach also leads to the loss of customer loyalty as well.

Ping Identity recently released the results of its 2018 Consumer Survey: Attitudes and Behavior in a Post-Breach Era, unveiling consumer sentiments and behaviors toward security and brands impacted by data breaches.

Survey Results

The collected data highlights the importance of protecting customer data, with the survey finding that 78 percent of respondents would stop engaging with a brand online after a data breach. Continue reading Survey Shows Data Breaches Lead to Poor Customer Retention

Get “Incident Response” Ready with Help from the DOJ

Being ready and able to effectively respond to a cyber incident is vital in terms of minimizing the resulting damages, but do you know what to do or where to look for assistance?

An effective response means having a plan before a cyber incident occurs. To help with your incident response planning efforts, the U.S. Department of Justice (“DOJ”) recently released a revised version of its “Best Practices for Victim Response and Reporting of Cyber Incidents” (Guidance). The DOJ’s Guidance was based on the real-life lessons learned by federal officials with input from private companies who managed cyber incidents.

The Guidance consists of four sections: Continue reading Get “Incident Response” Ready with Help from the DOJ

New Data Breach Reporting Requirements in Canada

The Office of the Privacy Commissioner of Canada (OPC) recently released official guidance for reporting data breaches pursuant to Canada’s new data breach reporting law. A change in Canada’s law, effective November 1st, requires companies subject to Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) to report data breaches in certain instances and keep records of all breaches. The guidance relates to how to determine what breaches must be reported to the OPC, and what kind of notice you need to give individuals. The guidance also relates to the obligation to keep records of breaches and what information needs to be included.

Qualifying a Reportable Breach

A “breach of security safeguards” refers to the loss of, unauthorized access to or unauthorized disclosure of personal information resulting from a breach of a company’s security safeguards or a failure to establish security safeguards. Continue reading New Data Breach Reporting Requirements in Canada

Cathay Pacific Airline Breach Affects 9.4 Million Customers

Hong Kong-based Cathay Pacific airline recently announced that its computer systems were compromised. The data breach was detected in March and compromised the personal data of roughly 9.4 million passengers. The exact attack vector is unknown.

Airline’s Response

Cathay, who is currently investigating the incident, confirmed information such as phone numbers, dates of birth, passport numbers, and frequent flier numbers were exposed. Additionally, the airline added that 27 credit card numbers had also been acquired in the breach.

“We are very sorry for any concern this data security event may cause our passengers. We acted immediately to contain the event, commence a thorough investigation with the assistance of a leading cybersecurity firm, and to further strengthen our IT security measures,” said the airline’s chief executive, Rupert Hogg. Continue reading Cathay Pacific Airline Breach Affects 9.4 Million Customers

OCR Releases Improved HIPAA Security Risk Assessment Tool

Under the HIPAA Security Rule, a covered entity or business associate must perform risk assessments to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. Failing to conduct risk assessments is a common basis for significant fines.

Risk assessments, however, can be a taunting task, particularly for smaller organizations with limited resources. In an effort to help organizations perform risk assessments and comply with the HIPAA Security Rule, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool.

The SRA Tool is designed for small to medium sized health care practices (up to 10 health care providers) and business associates to help them identify ePHI risks and vulnerabilities. Continue reading OCR Releases Improved HIPAA Security Risk Assessment Tool