DBR ON DATA

Security, Privacy and Information Governance

Category: Security



Battling Botnets – Evolving U.S. Government Policies and Frameworks to Address Security and Resiliency Challenges

Share

The Secretaries of the Department of Commerce and the Department of Homeland Security, through the National Telecommunications and Information Administration (NTIA), in early January 2018 issued a draft report to further public discussion about enhancing the resilience of the Internet and communications ecosystem against botnets and other automated distributed threats. This report continues work initiated under Presidential Executive Order 13800, “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure.”  The report seeks additional public comment on known and evolving risks within and to the ecosystem and aims to forge consensus on what approaches warrant consideration for the government either to adopt or to encourage.  Commenters are asked to evaluate a range of proposed goals and actions to achieve a more resilient ecosystem as well as to address the roles various stakeholders play in achieving and maintaining resiliency of the ecosystem nationally and globally. Comments are due on the draft report by February 12, 2018 and the final report is due the president by May 11, 2018.

Six principal themes emerged from the government’s analysis of prior comments on identifying and mitigating botnet and other cyber threats, namely that:

  • Automated distributed attacks are a global problem;
  • While effective tools exist, they are not widely used
  • Products should be secured during all stages of their life cycle.;
  • Improved education and awareness are necessary;
  • Current market incentives are misaligned; and
  • Automated distributed attacks are an ecosystem-wide challenge.

Continue reading

Georgetown Law Center Releases Report on Biometric Face Scans at Airport Departure Gates

Share

The Georgetown Law Center for Privacy & Technology released a report that takes a harsh look at the Department of Homeland Security (DHS)’s “Biometric Exit” program.  The “Not Ready for Takeoff: Face Scans at Airport Departure Gates” report  highlights the myriad number of privacy and fairness issues associated with the use of biometric data for screening and other purposes.   The Biometric Air Exit program uses biometric data to verify travelers’ identities as they leave the U.S. and has been deployed at Boston’s Logan International Airport and eight other airports.  The program is operated by DHS and uses photographs of passengers taken at the gate while boarding to verify travelers’ identities as they leave the country.  Prior to departure of an outbound international flight, DHS prepopulates the Traveler Verification Service (TVS) with biometric templates from the travelers expected on the flight.  TVS either confirms the travelers face or rejects the face as a “non-match.”  Non-matched travelers credentials will then be checked manually.

Continue reading

DOJ Settlement with Netcracker Technology Corporation Highlights Cybersecurity and Export Control Best Practices for Government Contractors and Information Technology Companies

Share

This week the U.S. Department of Justice (DOJ) and Netcracker Technology Corporation (NTC) announced that they had settled charges that NTC had violated U.S. controls on foreign access to sensitive data. The settlement underscores many of the export control and related compliance risks surrounding the provision and use of cloud computing services and global networks. At the same time, the Enhanced Security Plan issued by NTC and DOJ as part of the settlement provides a helpful set of benchmarks and best practices for companies that may be considering the use of cloud services and network infrastructure to house and transmit their most sensitive data.

According to DOJ’s settlement announcement, NTC had worked as a subcontractor on two federal government contracts with the Defense Information Systems Agency (DISA), a combat support agency of the U.S. Department of Defense (DoD), and performed some product support work from locations outside the United States, including Russia. DOJ alleged that by failing to maintain adequate controls on the cloud and network infrastructure supporting these contracts, NTC had threatened the security of sensitive data about individuals, DoD projects, networks and critical U.S. domestic communications infrastructure. DOJ further asserted that uncleared NTC foreign national employees in Russia and Ukraine worked on the DISA projects and were aware of the sensitive nature of the projects and the data stored and transmitted through the network managed by DISA.

Continue reading

NAIC Adopts Insurance Data Security Model Law

Share

The National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law (“Model Law”) in October 2017.  The purpose of the Model Law is to establish standards for data security and the investigation of and notification to the Insurance Commissioner of a Cybersecurity Event[1], but is not intended to create a private right of action.

The Model Law is based largely on the New York Department of Financial Services’ Cybersecurity Regulations, 23 NYCRR 500 (“NYDFS Cyber Regulations”), which took effect on March 1, 2017. [2]  In fact, a drafting note to the Model Law indicates that compliance with the NYDFS Cyber Regulations is intended to constitute compliance with the Model Law.

Continue reading

Another State-Lead Data Breach Action Results in High Fines and Strict Compliance Requirements

Share

Massachusetts Attorney General Maura Healey and Multi-State Billing Services (MSB), a Medicaid billing company that provided processing services for 13 public schools, signed a no-fault consent judgment settling a 2014 data breach resulting from a stolen laptop that put 2,618 children at risk for identity theft and fraud.   The MSB laptop contained unencrypted personal information, including names, social security numbers, Medicaid identification numbers and birth dates.

The settlement requires MSB to pay $100,000 and implement improved security practices after an investigation by the attorney general’s office determined it violated state consumer protection and data security laws.  More specifically, the judgment requires MSB to continue to develop, implement and maintain a written and comprehensive information security program and review and update its existing policies and procedures for compliance with data security laws.  It must also train its staff on how to protect personal information and regularly report on its compliance with such requirements to the state attorney general’s office.

Continue reading

Investigation Continues After Massive Data Breach at Henry Ford Health System

Share

An unknown hacker gained access to 18,470 patients’ personal health information via employee emails at Detroit-based Henry Ford Health System (HFHS).

According to the press release, HFHS first learned of the incident on October 3, 2017, after becoming aware that the email credentials of a group of employees were compromised.  Even though the emails were name and password protected by encryption, they remained vulnerable to such illegal access.  The email accounts contained patient health information, including:

  • Patient name
  • Date of birth
  • Medical record number
  • Provider’s name
  • Date of service
  • Department’s name
  • Location
  • Medical condition
  • Health insurer

Continue reading

« Older posts

© 2018 Drinker Biddle & Reath LLP. All Rights Reserved. Lawyer Advertising.

Disclaimer/Privacy Policy