Cross-posted from Carpe Datum Law

Recently, a widespread global ransomware attack has struck hospitals, communication, and other types of companies and government offices around the world, seizing control of affected computers until the victims pay a ransom.  This widespread ransomware campaign has affected various organizations with reports of tens of thousands of infections in as many as 99 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in as many as 27 different languages.  The latest version of this ransomware variant, known as WannaCryWCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly.

The risk posed by this ransomware is that it enumerates any and all of your “user data” files like Word, Excel, PDF, PowerPoint, loose email, pictures, movies, music, and other similar files.  Once it finds those files, it encrypts that data on your computer, making it impossible to recover the underlying user data without providing a decryption key.  Also, the ransomware is persistent, meaning that if you create new files on the computer while it’s infected, those will be discovered by the ransomware and encrypted immediately with an encryption key.  To get the decryption key, you must pay a ransom in the form of Bitcoin, which provides the threat actors some minor level of anonymity.  In this case, the attackers are demanding roughly $300 USD.  The threat actors are known to choose amounts that they feel the victim would be able to pay in order to increase their “return on investment.”

The ransomware works by exploiting a vulnerability in Microsoft Windows.  The working theory right now is that this ransomware was based off of the “EternalBlue” exploit, which was developed by the U.S. National Security Agency and leaked by the Shadowbrokers on April 14, 2017.  Despite the fact that this particular vulnerability had been patched since March 2017 by Microsoft, many Windows users had still not installed this security patch, and all Windows versions preceding Windows 10 are subject to infection.

The spread of the malware was stemmed on Saturday, when a “kill switch” was activated by a researcher who registered a previously unregistered domain to which the malware was making requests.  However, multiple sources have reported that a new version of the malware had been deployed, with the kill switch removed.  At this time, global malware analysts have not observed any evidence to substantiate those claims.

You should remain diligent and do the following:

  • Be aware and have a security-minded approach when using any computer. Never click on unsolicited links or open unsolicited attachments in emails, especially from sources you do not already know or trust.
  • Ensure that your antivirus and anti-malware are up-to-date.
  • Apply Security Updates! Enable automatic updates and reboot weekly.  Systems that are receiving automatic updates should already be protected against this malware.  If you aren’t sure, visit https://support.microsoft.com/en-us/help/3067639/how-to-get-an-update-through-windows-update
  • Backup your data! The risk of malware is losing your data.  If you perform regular backups, you won’t have to worry about ransomware.  Make sure you utilize a backup system that is robust enough to have versioning so that unencrypted versions of your files are available to restore.  Make sure your backup system isn’t erasing your unencrypted backups with the encrypted ones!

If your organization is the victim of a ransomware attack, please contact law enforcement immediately.

  1. Contact your FBI Field Office Cyber Task Force  immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
  2. Report cyber incidents to the US-CERT and  FBI’s Internet Crime Complaint Center.

shutterstock_506771554Cross-posted from Carpe Datum Law

Another week, another well-concocted phishing scam.  The most recent fraudulent activity targeted businesses that use Workday, though this is not a breach or vulnerability in Workday itself.  Specifically, the attack involves a well-crafted spam email that is sent to employees purporting to be from the CFO, CEO, or Head of HR or similar.   Sometimes the emails include the name, title, and other personal information of the “sender” that we believe might be harvested from LinkedIn or other business databases.  The email asks employees to use a link in the phishing email or attached PDF to log into a fake Workday website that looks legitimate.  The threat actors who run the fake Workday website then use the user name and password to log into the Workday account as the employee and change their direct deposit bank/ACH information to another bank, relatable Green Dot, or similar credit card.

The fraud is typically only discovered when the employees contact HR inquiring as to why they did not receive their direct deposit funds.  Unfortunately it appears that spam filters and other controls are failing to prevent this email from infiltrating the organization’s network.

In order to prevent this from happening to your organization, Workday has posted several “best practice” tips on their customer portal.  The most impactful mitigation techniques include enabling and enforcing two factor authentication on your organization’s Workday instance, and changing your Workday settings to force administrative approval upon employee requests for direct deposit account change.  Both of these will help secure your Workday environment and avoid employee loss of paychecks.   Finally, always remember to train employees on fraudulent email identification through training and security drills/tests.

shutterstock_519689296Seyfarth Shaw is pleased to announce the launch of Carpe Datum Law, a one-stop resource for legal professionals seeking to stay abreast of fast-paced developments in eDiscovery and information governance, including data privacy, data security, and records and information management. Seyfarth’s eDiscovery and Information Governance (eDIG) practice group created Carpe Datum Law to serve as a timely and unique resource for executives and corporate in-house counsel to obtain reports on developments, trends and game-changing decisions in these data-driven areas of the law.

Click here to access the new Carpe Datum Law blogsite.

The Carpe Datum Law blog takes a comprehensive view of the legal and practical aspects of corporate data challenges, reflecting the broad strength across the spectrum of data law by Seyfarth’s veteran 14-lawyer eDIG practice group, which has served clients since 2004. Regular readers will benefit from its comprehensive perspective and guidance on how the law is adapting to the interrelated challenges of keeping corporate data secure and in compliance with data privacy laws, adapting to new best practices in information governance, and maintaining defensible data preservation, collection and review when eDiscovery is required.

Carpe Datum Law is a must-read for anyone expected to stay ahead of the curve on how best to manage the growing risks in these areas, in particular:

  • C-Level Executives whose portfolios of responsibility include managing risks with respect to their corporate data
  • In-House Counsel responsible for eDiscovery, data and cybersecurity, data privacy compliance and/or the enterprise’s information governance
  • eDiscovery, IT, IT Security and Privacy Managers who work closely on these issues with their organization’s executives and legal teams
  • Consultants, Academics and Thought Leaders who must stay up-to-speed on legal developments in order to serve their organizational clients

Whether steering policy or implementing it, Carpe Datum Law provides well-informed news and analysis that will keep you and your team up-to-speed. From judicial decisions implementing the new eDiscovery amendments to the Federal Rules of Civil Procedure to guidance on compliance with the upcoming European Union General Data Protection Regulation, Carpe Datum Law provides the news and seasoned analysis you would expect from Seyfarth’s eDIG group.

Carpe Datum Law can be accessed at www.carpedatumlaw.com.

shutterstock_196544378Cross Posted from Carpe Datum Law.

China has finalized a broad new Cyber Security Law, its first comprehensive data privacy and security regulation.  It addresses specific privacy rights previously adopted in the European Union and elsewhere such as access, data retention, breach notification, mobile privacy, online fraud and protection of minors.

There is plenty in the new law to irritate international businesses operating in China.  It requires in general that Chinese citizens’ data be stored only in China, for starters, possibly requiring global corporations to maintain separate IT systems for Chinese data.  Most of the privacy enhancements benefiting citizens align with those required in the European Union, but it is unclear how the Chinese will expect compliance, particularly since, as with many Chinese laws, its language is vague as to its scope, application and details.  This vagueness leaves interpretation to the State Council, the chief administrative authority in China, headed by Premier Li Keqiang.

The law expands Chinese authorities’ power to investigate even within a corporation’s Chinese data systems, and provides for draconian penalties for non-compliance by business entities or responsible individuals  include warnings, rectification orders, fines, confiscation of illegal gains, suspension of business operations or the revocation of the entity’s business license. Continue Reading China Finalizes New Cyber Security Law

CaptureDo you and your firm have adequate cybersecurity to prevent yourself (and your confidential client data) from getting hacked?

On Wednesday, December 7, at 11:00 a.m. Pacific, Richard Lutkus, a partner in Seyfarth Shaw’s eDiscovery and Information Governance Practice; and Joseph Martinez, Chief Technology Officer and Vice President of Forensics, eDiscovery & Information Security at Innovative Discovery, will present “A Big Target: Cybersecurity for Attorneys and Law Firms.”

This webinar will cover any considerations that attorneys should take into account when in possession of any client data from an information security perspective. Coverage will include both technical considerations, best practices and policies, as well as practical advice to steer clear of ethical violations.

This program will specifically address the following topics:

  • Information storage, retention, and remediation
  • Device management
  • Phishing and social engineering
  • Security considerations
  • Cloud storage and ethical considerations

Please join us for this informative webinar.

register

Cross Posted from Employment Law Lookout

PokemonYour employees may be on a quest to catch ‘em all. Over 15 million people have downloaded the Pokémon GO game since its release two weeks ago. In this augmented reality game, players use their mobile devices to catch Pokémon characters in real-life locations captured by the camera in a user’s cellular phone. Though the game is very popular with Pokémon GO players, employers may not like the game quite so much.

Data And Security Concerns

There are data security concerns that arise from use of the Pokémon GO app.

First, users that want to play Pokémon Go must sign in to the app. There are two ways to do so—through an existing Google account, or through an existing Pokémon Trainer Club Account. Up until very recently, the Pokémon website did not allow users to sign up for Pokémon Trainer Club Accounts due to overwhelming demand. Thus, for most people, the only way to play Pokémon GO was by signing in to the app with their Google accounts. Even though the option to create a Trainer Club Account is now available, doing so requires more time and effort than signing in through an existing Google account. Continue Reading Pokémon NO: New App Creates Risks For Employers

Cross Posted from California Peculiarities Employment Law Blog

Hernandez v. Sprouts Farmers Market, Inc., a case stemming from a phishing scam, emphasizes the need for California employers to implement comprehensive data protection and data breach notification policies and practices for personal employee information under the CDPA.

A story of a company suffering a data breach tops newspaper headlines almost daily. So how can you stay out of the “fuego,” and stay compliant with California laws about your employees’ and customers’ data?

California’s Data Protection Act—“Army Of One”

In 2003 California passed the nation’s first data breach notification statute: the CDPA. Since then, over 30 states have enacted similar statutes, but California remains the national leader in privacy and data security standards.

The CDPA mandates that any business that “owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” And it requires a company to notify affected individuals of a data breach “in the most expedient time possible and without unreasonable delay.” Continue Reading Phishing: Data Breach Is “Chalkdust Torture”

In his “Data Is a Toxic Asset” blog post, Bruce Schneier argues that data is a toxic asset and that the lesson all the recent data breaches are teaching us is that storing this asset is “dangerous,” because it makes companies vulnerable to hackers, the government, and employee error. Schneier suggests addressing data breaches through stronger regulation at every stage of the data lifecycle and through personal liability of corporate executives. “Data is a toxic asset,” concludes Schneier, “We need to start thinking about it as such, and treat it as we would any other source of toxicity. To do anything else is to risk our security and privacy.”

Calling data a “toxic asset” sensationalizes the data-security conversation into alarmist territory. The term “toxic asset” has a certain meaning in financial circles and typically refers to assets that become illiquid when they no longer can be sold on a secondary market. This hardly applies to data, which is more of a lifeblood for corporations than toxic asset. Continue Reading Is Data Really a “Toxic” Asset?

The U.S. Financial Crimes Enforcement Network (FinCEN) and the China Anti-Money Laundering Monitoring and Analysis Center (CAMLMAC) recently signed a Memorandum of Understanding (MOU) to create a “framework to facilitate expanded U.S.-China collaboration, communication, and cooperation” between each agency’s financial intelligence units (FIUs). News Release (December 11, 2015).

In announcing the MOU, FinCEN Director Jennifer Shasky Calvery stated that “this MOU provides an important foundation for a reciprocal exchange of extremely valuable financial information to help thwart terrorism and money laundering in these perilous times…. Building this mutually beneficial bridge of cooperation will serve each country’s vital interests and help protect the citizens of both of our countries from the damage that criminals and terrorist financiers can inflict.”

As an increasing amount of business is conducted between the United States and China, the MOU serves important investigative interests shared by both countries, namely, to allow for the sharing of “extremely valuable information to provide leads, expose criminal networks, and help thwart illicit activity in the vast and interconnected global economy,” as stated by the FinCEN press release.  For China, signing the MOU is also an important action to push forward its domestic anti-corruption campaign, internationally.

Those with questions about any of these issues or topics are encouraged to reach out to the authors, your Seyfarth attorney, or any member of the White Collar, Internal Investigations, and False Claims Team.

In an interim final rule published on October 2, another layer has been added to the compliance landscape for defense contractors. In addition to complying with breach notification requirements in as many as 47 different states in the event of a breach involving personally identifiable information, Department of Defense contractors now have to comply with the rapid notification rules issues by DOD in the even of a cyber incident involving covered defense information. These rules are noteworthy in that they require DOD contractors to report cyber incidents within 72 hours of discovering the incident. Most state breach notification statutes do not require that individuals be notified of a breach within a specific number of days and the few state statutes that do have such a requirement contain a much more lenient timeframe of 45 to 90 days. Continue Reading Defense Contractors – Under the DOD’s Interim Rule, It Is Time Once Again To Update Your Data Breach Response Plans