BLOGS: Privacy and Data Protection

Thursday, July 6, 2017, 4:24 PM

Preparing For and Responding to the Petya Ransomware Attack

By Allen O'Rourke

While still reeling from last month’s WannaCry attack, organizations worldwide were hit with another global ransomware attack yesterday, June 27, 2017. The infection began in Ukraine but has quickly spread across four continents and over 65 countries, affecting many thousands of computers. The growing list of corporate victims includes a large Danish shipping company, the biggest advertising agency worldwide, a French construction material company, Russia’s largest oil producer, a major U.S. pharmaceutical company, and a multinational law firm. Numerous public and private institutions in Ukraine are also affected, including everything from bank ATMs to the Chernobyl Nuclear Power Plant.

Variously called “Petya,” “GoldenEye,” “Petrwrap,” and “NotPetya” by different cybersecurity researchers, the current cyberattack’s malware is an offshoot of earlier Petya ransomware that began circulating last year. The new Petya variant encrypts a computer’s hard drive – making it inoperable – and demands $300 in Bitcoin to regain access. Victims are instructed to make payment into a specified Bitcoin wallet and then email confirmation to – although that email account has now been deactivated by German email provider Posteo. About 36 ransom payments were made on June 27, 2017 – according to Blockchain analysis – but by the following morning no one had reported regaining access to infected computers.

Petya ransomware appears similar to WannaCry but more resilient and destructive. It uses wormlike propagation to spread quickly across a computer network and has multiple attack vectors in addition to the “EternalBlue” exploit against Windows that WannaCry used, such as Word documents laced with malicious macros and compromised updates for accounting software called “MeDoc.” Unfortunately, Petya contains no known “kill switch” similar to what curtailed WannaCry’s spread. As Wired’s Lily Hay Newman put it, “while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.”

Petya’s ongoing threat reflects a new reality for businesses today. With periodic leaks of alleged NSA hacking tools such as EternalBlue, cheap “Ransomware as a Service” being offered on dark web forums, and well-funded cybercriminal groups linked to organized crime and foreign governments, we are just going to see more and more ransomware and other cyberattacks targeting business operations and infrastructure. In other words, today’s cybercrime targets not only sensitive data stored on computers but also the integrity of computer systems that we rely upon every day.

Accordingly, business leaders and corporate officials such as in-house counsel need to be informed and prepared. Even after weathering a ransomware attack, an organization may still face expensive regulatory enforcement actions and civil litigation, not to mention reputational damage and lost business. With that in mind, the following are some basic action items to consider in preparing for and responding to ransomware attacks:

Preparing for Ransomware
  • Maintain a backup copy of your organization’s computer system that can be used in the event that your system becomes encrypted by ransomware.
  • Identify operating systems and software in your network that may be vulnerable and install appropriate security patches. Also implement measures to ensure that new security patches are promptly installed going forward.
  • Deploy updated antivirus software and consider using automated software tools to detect and mitigate cyberattacks.
  • Develop or update your organization’s incident response plan to address ransomware. This includes not only planning for rapid investigation, containment, and remediation of an attack, but also planning for business continuity, public relations, cybersecurity insurance, and legal compliance implications.
  • Establish contacts with law enforcement, outside counsel, a cybersecurity remediator, your insurance company, and anyone else with whom you will need to coordinate when responding to a ransomware attack.
  • Implement ongoing training of computer users on basic cybersecurity hygiene, including not clicking on suspicious links or opening suspicious email attachments.

Responding to Ransomware

  • Wherever possible, incident response measures should be taken at the direction of counsel in order to preserve attorney-client privilege and minimize legal risk.
  • Work with a cybersecurity remediation company to rapidly contain and remediate the ransomware attack. Among other things, this might include disabling the infected computer, restoring backup files, or counteracting the ransomware.
  • Fully investigate the ransomware attack, engage with law enforcement as appropriate, and implement cybersecurity measures to defend against additional follow-up attacks.
  • Ensure that key stakeholders stay informed, including corporate executives and boards of directors.
  • Determine the extent of harm to data subjects and consumers, comply with applicable breach notification obligations, and take other steps to minimize legal risk.

Canadian Government Suspends Implementation of Private Right of Action Under CASL

By Doug Bonner & Taylor Ey

Our previous alert regarding changes to Canada’s Anti-Spam Legislation (“CASL”) previewed two important changes that were to come into effect as of July 1, 2017:
  • The end of the transition period under CASL, during which companies could rely on implied consent for sending “commercial electronic messages” in certain instances; and
  • A private right of action for violations of CASL.

On June 2, 2017, the Government of Canada suspended the implementation of the private right of action provision. The private right of action will not come into effect unless and until the government takes further action to implement it. According to its press release on June 7, 2017, the Canadian Government will ask a parliamentary committee to review the private right of action provision, and hopes to strike a balance between consumer protection and legitimate business marketing activity, that is, protecting Canadians from spam while allowing entities such as businesses, charities and non-profits to communicate with Canadians electronically.

The government’s action does not impact the termination of the transition period, which will become effective on July 1, 2017.

FCC Slams Serial Robocaller With $120 Million Proposed Fine for "Spoofing" Numbers

By Rebecca Jacobs, Marty Stern & Doug Bonner

We all get them.  Repeated marketing calls to our mobile and home phones with the incoming phone number altered to make it appear that it’s a local call, when in fact, the call is from a robo-scammer using IP technology to “spoof” the phone number.  As it turns out, there’s a federal law that makes such spoofing illegal, the Truth in Caller ID Act of 2009 (“TICIDA”), and in its first enforcement action under TICIDA, the FCC hit an alleged serial robocaller, Adrian Abramovich and his companies (together, Abramovich) with a whopping $120 million Notice of Apparent Liability for allegedly originating nearly 100 million such calls.
The Commission also issued a Citation and Order to Abramovich for alleged violations of the Telephone Consumer Protection Act (“TCPA”) for making unauthorized prerecorded telemarketing calls to emergency phone lines, wireless phones and residential phones without obtaining the required prior express written consent from the called party. While TICIDA allows the Commission to directly fine first-time violators through its NAL authority, which it did here, in TCPA FCC enforcement actions involving entities and individuals that do not hold Commission authorizations, the Commission must first issue a citation, and then can only proceed with a fine if the recipient repeats the violation. That still leaves Abramovich open to potentially monumental TCPA class action exposure. The Citation and Order also notified Abramovich that he had violated the federal wire fraud statute by transmitting or causing to be transmitted, by means of wire, misleading or false statements with the intent to perpetrate a fraud.
According to the Commission, Abramovich ran a scheme where his spoofed calls appeared to originate from local numbers and offered, via a pre-recorded message, holiday vacations and cruises claiming to be associated with well-known American travel and hospitality companies.  The pre-recorded messages would prompt customers to “press 1” to secure their reservation.  Once a customer pressed “1”, the customer was transferred to a call center where live operators pushed vacation packages typically involving timeshare presentations, that were not affiliated with the well-known brands used in the recorded messages.  The Commission characterized Abramovich’s schemes as “one of the largest – and most dangerous – illegal robocalling campaigns the Commission has ever investigated.”  According to the Commission, in addition to defrauding consumers, the robocalling campaign also caused disruptions to an emergency medical paging service, which provides paging services for emergency room doctors, nurses, emergency medical technicians, and other first responders.
While significant in absolute terms, the $120 million proposed fine, according to the Commission, was significantly below the penalty that could have been proposed in the NAL.   Rather than fine the statutory maximum of $11,052 for each spoofing violation, or three times that amount for each day of a continuing violation, the Commission calculated the base forfeiture amount at $1,000 per unlawful spoofed call, since this was the first time the Commission used its TICIDA forfeiture authority.
Mr. Abramovich now has an opportunity to respond to both the NAL and Citation. Stopping illegal robocalling has been a key priority for Chairman Pai, and no doubt the Commission is expecting that the threat of huge monetary forfeiture penalties against the industry will provide a powerful incentive for roboscammers to look for other ways to make a buck. Given the Commission’s struggle with fashioning tools to go after serial robocallers that do not have the effect of increasing TCPA exposure for established companies engaging in legitimate customer communications, we do not expect the Commission to back down from its proposed penalty, and expect this to be the start of a new enforcement initiative using TICIDA and its direct penalty provisions.

Wednesday, June 28, 2017, 10:11 AM

Nadia Aram Examines Updates to COPPA Guidance, New Developments in Children’s Privacy Law

Many of today’s toys contain Internet-connected technology alongside molded plastic and foam stuffing. But while Internet-connected toys may increase the fun for kids, they create additional privacy risks for businesses.

With that in mind, the Federal Trade Commission just updated its guidance for complying with the Children’s Online Privacy Protection Act (COPPA). Womble Carlyle attorney Nadia Aram has written a client alert on the COPPA changes.

Monday, May 15, 2017, 3:21 PM

Important Steps to Prepare for the WannaCry Ransomware Attack

By Ted Claypoole, Allen O'Rourke & Claire Rauscher

Your business may have been victim to the latest ransomware attack, or it may be caught in the next wave. Womble Carlyle can help manage the attack and can prepare you to beat the next one.

On May 12, 2017, the “WannaCry” ransomware attack compromised over 70,000 organizations in nearly 100 countries. The attack encrypted people’s computer files – making them inaccessible – and demanded a ransom of about $300 worth of Bitcoin to release them. The malicious software exploited a known vulnerability in Windows that Microsoft had patched two months ago. Microsoft has also issued emergency patches for unsupported, outdated versions of Windows.

If your organization runs Windows, it is important to make sure that all appropriate patches have been installed. Another important step is to create backups of your computer files that can be used in the event that your system becomes encrypted by ransomware.
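The patching advice in this paragraph, and the “identify vulnerable systems and install security patches” item in the Petya post’s “Preparing for Ransomware” list above, come down to a question a responder has to answer host by host: is SMBv1 still enabled on this machine, and is the March 2017 Microsoft fix (MS17-010, the update for the “EternalBlue” flaw both attacks used) installed? The following PowerShell script is an added example written for this page, not code from the Womble Carlyle posts. It assumes it is run in an elevated PowerShell session on the Windows host being reviewed, and that the KB identifiers in `$Ms17010Kbs` (taken from Microsoft’s MS17-010 bulletin) match the Windows builds in your environment; confirm the list against the bulletin before relying on it.

```powershell
# Added example (not from the Womble Carlyle posts): read-only posture check for the
# SMBv1 weakness used by WannaCry and Petya, and for the MS17-010 fix.
# Assumption: run elevated on the host under review. Nothing here changes the host;
# it reports what the responder should do next.

# Assumption: these are the MS17-010 update identifiers for the Windows versions
# current in 2017. Verify against the bulletin and add the cumulative updates that
# later superseded them for your builds.
$Ms17010Kbs = @(
    'KB4012598',                            # Windows XP / Vista / Server 2003 / Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012214', 'KB4012217',               # Windows Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Installed {
    # Get-HotFix lists installed updates; report any that match a known MS17-010 KB.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    [pscustomobject]@{
        Found       = ($hits.Count -gt 0)
        MatchingKBs = $hits
    }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: SMBv1 stays enabled unless this registry value is explicitly 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return (($null -eq $val) -or ($val -ne 0))
}

function Get-Smb1ExposureReport {
    $patch = Test-Ms17010Installed
    $smb1  = Get-Smb1Enabled

    # Caveat: not finding a listed KB is not proof the host is vulnerable, because a
    # later cumulative update may have superseded it. Treat that case as "verify",
    # not "exploitable", and never as a reason to skip the check.
    if ($smb1 -and -not $patch.Found) {
        $action = 'SMBv1 enabled and no MS17-010 KB found: patch now, then disable SMBv1 ' +
                  '(Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force)'
    } elseif ($smb1) {
        $action = 'Patched, but SMBv1 still enabled: disable it unless a documented dependency requires it'
    } elseif (-not $patch.Found) {
        $action = 'SMBv1 disabled; confirm MS17-010 or a superseding cumulative update is installed'
    } else {
        $action = 'No action required for this check'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SMB1Enabled  = $smb1
        MS17010Found = $patch.Found
        MatchingKBs  = ($patch.MatchingKBs -join ', ')
        NextAction   = $action
    }
}

Get-Smb1ExposureReport | Format-List
```

The script only reads state and prints a recommendation; the disable command in the `NextAction` text is left for the administrator to run deliberately, since SMBv1 may still be required by legacy file servers or printers and turning it off should be a tracked change. Running the same function across a fleet (for example via `Invoke-Command` against a list of hosts) gives the inventory of vulnerable systems that the “Preparing for Ransomware” list asks for.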

Finally, if you do not have one already, this would be a good time to develop a cybersecurity incident response plan.

Womble Carlyle’s Cyber & Privacy Law attorneys are poised to help clients develop such incident response plans, implement cybersecurity preparedness measures, and respond to any incidents that may occur.

Thursday, April 27, 2017, 10:08 AM

Rite Aid Wins Summary Judgment in TCPA Action Involving Prerecorded, Automated Call for Flu Shot Reminder

By Doug Bonner

In an outright win for pharmacies, the U.S. District Court for the Southern District of New York, in the attached opinion, granted Rite Aid’s motion for summary judgment in a class action alleging violations of the TCPA. 

The lawsuit arose from a single prerecorded, automated call made in 2014 by Rite Aid to the Plaintiff’s cell phone alerting him to the availability of flu shots at Rite Aid pharmacies. 

The court ruled that under the FCC’s Health Care Rule exception to the Telemarketing Rule, even if a call is telemarketing, if it delivers a “health care message” on behalf of a covered entity or its business associate as defined under HIPAA regulations, it is exempt from the prior express written consent requirement for calls to cellular phones under the Telemarketing Rule. Therefore such a call could be made merely with “prior express consent,” such as the plaintiff providing Rite Aid with his cell phone number, which was undisputed.

The court’s ruling confirms that whenever a call is made that conveys a health care message, even if it includes telemarketing or advertisements, it is exempt from the Telemarketing Rule, and can be made with merely prior express consent rather than the heightened prior express written consent requirement that generally applies for all automated or prerecorded calls to wireless numbers that include a telemarketing message.

Wednesday, November 2, 2016, 2:36 PM

Federal Banking Agencies Propose “Enhanced Cyber Risk Management Standards” For the Largest Banks

By Doug Bonner, Steve Dunlevie and Richard Garabedian

In a major new cybersecurity initiative the federal banking agencies have issued an advance notice of proposed rulemaking (“ANPR”) seeking comment on enhanced cybersecurity standards for banking entities with $50 billion or more in total assets. The standards will apply to U.S. bank and savings and loan holding companies and their subsidiary institutions as well as to foreign bank holding companies with $50 billion or more in U.S. assets. The goal of the joint rulemaking by the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation (the “Agencies”) is to establish standards making the largest banking entities, and the U.S. financial system itself, more operationally resilient in the event of a cyber-attack or disruption experienced by any one such entity. The Agencies are also considering applying the standards to third party servicers that serve the covered entities. Comments on the ANPR are due by January 17, 2017.

A cyber-attack or disruption at one or more of these entities could have a significant impact on the safety and soundness of the entity, other financial entities and the U.S. financial sector. The Agencies are considering applying the enhanced standards to these entities on an enterprise-wide basis because cyber risks in one part of an organization could expose other parts of the organization to harm as well.

Though the Agencies already supervise information security at banking organizations, which are required to implement information security programs under the "Interagency Guidelines Establishing Information Security Standards" established pursuant to the Gramm Leach Bliley Act, the Agencies are concerned that "opportunities for high-impact technology failures and cyber-attacks" are increasing as a result of growing reliance on technology in the financial sector. For example, depository institutions play an essential role in payment, clearing and settlement arrangements and provide access to credit to households and businesses. The Agencies are intent upon securing these sector-critical systems by imposing the most stringent standards on the largest covered entities in a tiered manner.

The enhanced standards would emphasize the need for covered entities to demonstrate effective cyber risk governance; continuously monitor and manage their cyber risk within the risk appetite and tolerance levels approved by their boards of directors; establish and implement strategies for cyber resilience and business continuity in the event of a disruption; establish protocols for secure, immutable, transferable storage of critical records; and maintain continuing situational awareness of their operational status and cybersecurity posture on an enterprise-wide basis. The Agencies are considering establishing a two-tiered approach, with the proposed enhanced standards applying to all systems of covered entities and an additional, higher set of expectations, or "sector-critical standards," applying to those systems of covered entities that are critical to the financial sector. The "sector-critical standards" would require covered entities to substantially mitigate the risk of a disruption due to a cyber event to their sector-critical systems.

The ANPR addresses five categories of new cyber standards: (1) cyber risk governance; (2) cyber risk management; (3) internal dependency management; (4) external dependency management; and (5) incident response, cyber resilience, and situational awareness. Among the more potentially significant proposed standards, the Agencies request comment on:

(1) Cyber Risk Governance - the enhanced standards would require the institution's Board of Directors, or an appropriate Board committee, to develop and approve a written, enterprise-wide cyber risk management strategy and to hold senior management accountable for implementing appropriate policies to effectuate the strategy. This would include requiring senior leadership with cyber risk oversight responsibility to have direct Board access and to be independent of business line management.

(2) Appropriate Cyber Risk Management – the enhanced standards would require the covered entities to integrate cyber risk management into at least three independent functions (such as the three lines of defense risk management model), with checks and balances. As part of this proposed enhanced standard, business units would be required to adhere to procedures and processes necessary to comply with the covered entity’s cyber risk management framework. The agencies are also considering a requirement that covered entities incorporate enterprise-wide cyber risk management into the responsibilities of an independent risk management function. In addition, the agencies are considering explicitly requiring the audit function to assess whether the cyber risk management framework of a covered entity complies with applicable laws and regulations and is appropriate for its size, complexity, interconnectedness and risk profile.

(3) Internal Dependency Management – the enhanced standards would require that covered entities have effective capabilities to be able to identify and address cyber risks associated with their workforce, data, technology, and facilities. These capabilities require ongoing assessment and improvement needed to reduce cyber threats. This could include a requirement to integrate an internal dependency management strategy into an overall strategic risk management plan.

(4) External Dependency Management - policies, standards, and procedures for external dependency management oversight would be required to be established and regularly updated, with appropriate controls, for due diligence, contracting and subcontracting, onboarding, ongoing monitoring, change management, and offboarding. This emphasis on third party access points appears to be in part a reaction to hackers gaining access to financial institutions such as a foreign bank through the Society for Worldwide Interbank Financial Telecommunication (SWIFT), and access to a major retailer's payment card systems through an HVAC vendor. These policies and procedures could introduce new tensions in dealings with third party vendors.

(5) Incident Response, Cyber Resilience, and Situational Awareness – covered entities would be required to be capable of operating critical business functions following cyber-attacks and to maintain “enterprise-wide cyber resilience” and incident response programs, including effective escalation protocols, cyber contagion containment procedures, and communication strategies. The Agencies are specifically considering requiring covered entities to establish a recovery time objective (“RTO”) of two hours for their sector-critical systems, validated by testing, to recover from a disruptive cyber-attack.

Whatever action is adopted by the Agencies, whether in the form of a new banking regulation, guideline, or guidance, it will likely become a standard for liability, with the Board of Directors, and third party vendors, playing a very direct and active role in establishing, enterprise-wide, the banking entity's cybersecurity management framework.