Tag Archives: security

5 Proactive Steps For Employers and Businesses in a Post-Equifax World

Posted on by
Reply

Companies should proactively prepare for changes in consumer behavior and corporate responsibility.

By now, most people have heard about the massive data breach at Equifax, one of the four US credit bureaus along with Experian, TransUnion and Innovis, affecting 143 million people. Credit bureaus (also known as consumer reporting agencies) compile and keep a file containing a person’s credit history, including things like the types of credit, how long credit accounts have been open, how much available credit is utilized/available, whether bills are paid on time, late payments/collection notices/foreclosure notices, and public records such as liens and bankruptcies, as well as personal information such as Social Security Number (SSN), date of birth (DOB), and current and previous addresses. Credit bureaus make a report of a person’s credit history (their “credit report”) available to that person, and to employers and other businesses.

Employers and businesses often want to base decisions on whether to offer a person their products or services such as a loan/mortgage/credit offer, the interest rate to charge on that offer, a cell phone plan, an insurance policy, etc., or extend that person an offer of employment or a lease, on as much available relevant information as possible.  This often includes a review of that person’s credit history. Credit reporting agencies monetize accumulated credit history and associated personal information by making credit reports available to employers, insurers, service providers and other businesses for a fee, as permitted by applicable law. If an employer or business wants to obtain your credit report, they obtain your permission to access your report as required by law and ask you to provide certain sensitive personal information about you which they will use to request your report, and they pay a fee to one or more of the credit bureaus to receive a copy of your credit report.

Many employers and businesses rely on easy access to credit reports.  However, this may be one of the more likely casualties of the Equifax breach. As noted earlier, 143 million Americans may now be at risk for identity theft using their sensitive personal information from this one breach event alone. Unlike a credit card number, which can be changed in the event the data is compromised, SSNs and DOBs (which were compromised in the Equifax breach) can’t be changed. This is why the Equifax breach is so significant – unlike most previous breaches, the scale of this breach and the nature of information compromised mean that consumers will be at risk for, and must remain vigilant for, identity theft for the rest of their lives, which will likely drive changes in the way people monitor and manage their credit reports and sensitive personal information.

Most of the advice and guidance regarding the Equifax breach to date has been consumer-focused – what consumers can and should do to protect themselves in the post-Equifax world. This includes recommendations for more robust use of credit freezes currently offered by the credit bureaus and use of third party monitoring services which alert consumers to (or require the consumer’s approval for) changes in their credit report, representing a shift in the spectrum towards consumer identity protection and away from access to easy credit such as point-of-sale, “save 20% if you open an account today”-type offers requiring an instant check of your credit. It is also likely the earthquake caused by the Equifax breach will result in additional security and legal requirements not just for credit bureaus, but for all companies possessing sensitive personal information such as SSNs and DOBs, as well as industry-driven or legislatively-mandated enhanced best practices and/or new ways for consumers to help them control access to their credit reports in an effort to minimize identity theft, such as a tool to manage security freezes at all three credit bureaus simultaneously and make it easier to impose, and temporarily lift, such freezes. The Equifax breach is also likely to increase consumer acceptance of more complex login processes, such as multi-factor authentication.

Employers and businesses should start thinking about how they can and should adapt to the coming post-Equifax changes in consumer and credit bureau behavior, and increases in corporate responsibility with respect to security and collection/use of sensitive personal information. By taking proactive steps, companies can demonstrate to their employees and customers that they are sensitive to the importance of identity protection and security. Here are 5 proactive steps companies may want to consider:

1. Address consumer credit freeze/release approval in the new employee hiring process and other processes requiring a consumer credit check (such as point-of-sale credit offers).

While implementing a credit freeze will help protect a person from identity theft, it’s not without its drawbacks. As of today, these drawbacks include the need to separately implement or lift freezes on a per-credit bureau basis, and the fact that the freeze must be lifted (temporarily or permanently) before an employer or business can perform a credit check. Despite this drawback, more people will likely implement credit freezes in the post-Equifax world, which will impact companies’ ability to easily complete background checks or receive point-of-sale credit offers.

  • Employers and other businesses performing a consumer credit check should anticipate this and consider proactively modifying their credit check process by adding a question to their credit report authorization form asking whether a person has a credit freeze, or whether that person’s approval is required for the release of their credit report. If that person answers “yes,” the employer or business should have a standard exception process to work with that person to ensure the freeze is temporarily lifted, or approval for the credit check is given, so the employer or business can perform the credit check.
  • Retailers offering point-of-sale credit offers should consider ensuring their offer disclosures include a statement that people with credit freezes may not be eligible for the offer due to the inability to verify their credit history. For those businesses which use sales associates to offer point-of-sale promotions, consider requiring them to ask whether the consumer has a credit freeze in place, and if so notify them if the freeze renders them ineligible for the offer.

Employers and businesses should also know which credit bureau(s) they use for background checks, and be prepared to provide this information to make it as easy as possible for a prospective employee or customer to implement a temporary lift of the credit freeze. It may be worth having a short URL handy which can be provided to a prospective employee or customer who wants to temporarily lift their credit freeze to enable them to take advantage of the offer on the spot or at a later time.

2. Enable multi-factor authentication for access to online services and consumer portals.

Most businesses use a username and password as access credentials. Some, but not all, have moved to a more secure authentication mechanism known as multi-factor authentication. Multi-factor authentication requires a user to provide not only a username, but two or more of the following “authentication elements” to validate the user’s identity: (1) something you know (e.g., a password, the answer to a challenge question), (2) something you have (e.g., a one-time PIN or password or a code delivered specifically through the user’s mobile device), and/or (3) something you are (e.g., facial recognition or fingerprint). Each factor must be independent of the other so that knowing one factor does not reveal another. Other data, such as geolocation information or time-based access requirements, can be used as well. The most commonly-known type of multi-factor authentication is two-factor authentication, where two authentication elements (of which one is typically a password) are required. Multi-factor authentication helps reduce the chance a bad actor could successfully exploit a username and password obtained through a security breach, through phishing, or through other social engineering attack vectors. Companies can use multi-factor authentication to demonstrate to its users (and potential users) that it places a high value on security.

Some companies argue that the burden of providing additional verification does not outweigh the simplicity of a username/password, especially where the company is not collecting any sensitive personal information. However, multi-factor authentication is an industry standard in certain areas, such as under the current Payment Control Industry Data Security Standard (PCI-DSS) for companies that are required to be PCI compliant, and will likely continue to gain traction as an industry standard, or customer expectation, in other areas. The National Institute of Standards and Technology (NIST) recommends using multi-factor authentication wherever possible. For companies where multi-factor authentication is not an industry standard or legal requirement, consider offering multi-factor authentication anyway, or offering it as an enhanced security option to customers concerned about protecting access to their accounts.

3. Evaluate whether there is a true need to collect SSNs and DOBs from consumers, and/or other creative ways to validate SSN and DOB information.

Companies which collect Social Security Numbers or dates of birth from their users should consider whether the collection of this information is truly required. One of the core tenets of data privacy is the Collection Limitation principle, which advocates for limits on companies’ collection of personal data. HIPAA takes this a step further and applies a “minimum necessary standard” – companies should limit the use and disclosure of collected personal information to the minimum necessary to accomplish the intended purpose. Companies should consider following HIPAA’s “minimum necessary standard” even if they are not subject to HIPAA. With respect to sensitive personal information such as SSN and DOB, companies should look carefully at whether they truly need to collect this information, and for what purpose. If there is another way to accomplish the same goal without collecting the information, consider implementing that alternative approach. Here are two examples:

  • With respect to SSNs, instead of asking for a user’s SSN for validation purposes considering asking for the sum of the digits in their SSN,or the sum of the digits in their SSN plus the digits in their home street address.This provides a strong identity validation mechanism without the need to capture and store SSNs.
  • With respect to DOBs, if validating a user’s age (e.g., for COPPA purposes), consider whether the month and year is sufficient, and keep a flag indicating that the age information was verified instead of the month/year information itself.

4. Review and freshen (or implement) their incident response and incident communications plan(s).

To many, Equifax’s response has been a lesson in how not to manage communications regarding a security breach. Companies should take the opportunity to learn from Equifax’s missteps and review and freshen up their incident response and incident communication plan(s). For companies still without an incident response/incident communications plan, now is the time to ensure one is in place. A few things to consider:

  • According to press reports, the Equifax breach allegedly stemmed from the failure to timely implement a security update to the Apache Struts Web Framework. As part of incident response preparedness, work with IT to ensure that your company is actively monitoring for hardware/software security patches, and is applying them as quickly as possible following release.
  • There have been numerous reports regarding sales of Equifax stock valued at $1.8 million by three senior Equifax executives within days of Equifax’s discovery of the breach. While Equifax has stated that the executives were not aware of the breach, whether or not the executives (including the CFO and President of US Information Systems) had knowledge doesn’t really matter – the perception and optics of it are awful in the eyes of the public, the SEC, and state attorneys general. Consider ensuring that the entire senior team is notified immediately in the event of a security breach, and have your General Counsel or external breach counsel discuss with them the risks of continuing with any automated stock sale programs in light of the breach.

5. Consider offering credit monitoring as an employee benefit.

Finally, employers may want to consider adding credit monitoring as an employee benefit, by offering subsidized or free credit monitoring services to their employees through a partnership with a credit bureau or a third-party provider such as AllClear ID. While there are some questions as to the value of credit monitoring in protecting against identity theft, services that notify you and/or require your approval before a new account is opened can be very valuable in fighting identity theft. As the possibility of identity theft is becoming a fact of life in the 21st century, companies may find it beneficial to help their employees guard their identity. Among other benefits to companies, minimizing identity theft reduces the time employees need to take away from work, whether as PTO or lost productivity, to deal with the repercussions of having their identity stolen, and provides employees with increased peace of mind with respect to identity protection.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Key Security Provisions for Vendor/Partner Contracts

Posted on by
Reply

One of the most important lessons from the 2013 Target breach was that hackers will look for the weakest link in a company’s security chain when seeking a point of entry. Often, that weakest link is the vendors and partners which integrate with your IT infrastructure or have login credentials to your systems. Target’s HVAC vendor suffered a phishing attack that resulted in hackers obtaining access credentials to Target’s network which they used as their point of entry. Companies are increasingly doing security diligence on their vendors and partners to ensure that if they have access to the company’s network or systems, they will meet minimum security requirements.  It’s critical that your vendors and partners agree to minimum contractual security commitments as well. I often use a “security addendum” with controlling language to ensure that my standard provisions control over any conflicting provisions in the vendor/partner agreement, but will sometimes embed them directly into the contract.

Here are some of the provisions I like to include in vendor and partner agreements:

  • Definitions of Personal Information and Financial Account Information.  It’s important to define what “personal information” and “financial account information” mean.  In many cases, your vendor/partner’s definition of these terms may differ from yours. Ensuring you’re on the same page (e.g., you may consider IP addresses to be personal information, they do not) can be critical in the event there is an unauthorized release of information.  Be careful using a list of information types as the list may change over time; instead, consider a broad definition with examples.
  • Credentials. If you are providing credentials to your vendor/partner to access your network or systems, or that of a third party (e.g., a marketing service, a cloud hosting environment, etc.), ensure they will only use them as required by the contract.  Ensure they fall under the contractual definition of Confidential Information and will be treated as such.  Access to credentials should be limited to those with a “need to know.”
  • Safeguards. I like to include a requirement to implement and follow administrative, physical and technical safeguards (no less rigorous than industry standard) designed to protect information and credentials.  This can be a good catch-all that can be leveraged if the vendor/partner has a problem later on and did not use industry standard security safeguards.  I also like to call out the importance of installing security software patches immediately to reduce the risk of an exploitable security hole.  If the vendor/partner has obtained security certifications (e.g., SSAE16, ISO 27001, etc.) that you are relying on, ensure they provide evidence of current certification upon request and do not let certifications lapse during the term of the Agreement.
  • Anti-Phishing Training.  Over 90% of hacking attacks start with a “phishing” attack. Consider specifically requiring your vendors/partners to provide anti-phishing training to all employees.
  • Payment Account Information.  If the vendor/partner will not be handling payment account information, add an affirmative obligation that the vendor/partner will not access, use, store, or process payment account information. If you are afraid that information might be inadvertently provided to the vendor/partner, consider adding a provision stating that if any payment account information is inadvertently provided to the vendor/partner, as long as they destroy it immediately and notify your company the vendor/partner will not be in breach of the affirmative obligation not to use payment account information.  If your vendor/partner will handle payment account information, ensure you have appropriate language that covers both current and future PCI-DSS (Payment Card Industry Data Security Standard) versions.  If appropriate, add language making clear that payment account information will be stored in active memory only, and not stored or retained on the vendor/partner’s servers (e.g., where the payment information is “tokenized” and/or securely transmitted to your company’s own servers at the time the transaction is processed).
  • Information Security Questionnaire.  Include the right to have the vendor/partner complete a written security questionnaire once a year signed by a corporate officer. Requiring an annual questionnaire can help identify whether your vendors/partners are on top of emerging threats and risks. If you have limited resources to conduct audits, the responses to the questionnaires can help you identify which vendors/partners may be best to audit.  As part of the questionnaire, ask for copies of the vendor/partner’s disaster recovery plan and business continuity plan, and certificate of insurance for the vendor/partner’s cyber security policy if your company is named as an additional insured.
  • Audit Rights.  Include a right to do a security audit of a vendor/partner’s information technology and information security controls. This should include the right to conduct penetration testing of the vendor/partner’s network, ideally on an unannounced basis.  Make sure the vendor/partner is obligated to correct any security discrepancies found at their expense; if they don’t make corrections to your reasonable satisfaction, you should be able to exit the contract.  Ensure you can use internal and third party resources to conduct the training. In addition to a right to audit on a regular basis (e.g., once per year), allow the right to audit after a security breach so you can do your own analysis of how well the vendor/partner has bulletproofed their systems in light of a breach.
  • Security Breach.  Define what a “security breach” is (consider a broad definition that includes security incidents as well).  Ensure the vendor/partner promptly notifies your company in the event of a security breach, ideally by email to a “role” mailbox or to your CIO/CTO.  The vendor/partner should take any triage steps necessary to close the immediate security hole and then thoroughly review and bulletproof its systems and networks.  The vendor/partner should agree to work with your company and any government entities in any investigation of the breach.  Ensure that your company, not the vendor/partner, decides whether and how to communicate with affected individuals.  Ensure the vendor/partner bears the costs associated with a security breach.
  • Preservation Notices and E-Discovery.  If the records of the vendor/partner may be important if litigation is brought against your company, consider adding a clause ensuring that the vendor/partner will comply with any document preservation/litigation hold notice you provide, and that the vendor/partner will reasonably assist with electronic discovery requests.  A “friendly” clause like this can help avoid issues and strain on the partnership if litigation occurs.

Once you have these provisions in your agreement, don’t forget to tie them into your risk allocation provisions. If the vendor/partner carries insurance to protect against security breaches, ensure you are an additional insured and ask for a certificate of insurance annually. Ensure your indemnification section fully covers any breach of security obligations, and consider excluding these from your limitation of liability to the greatest extent possible.

FTC opens their nationwide tour to promote Start with Security

Posted on by
Reply

It’s not the latest group on tour with a band name and album name that needed a lot more thought.  Earlier this year, the FTC announced that they would be releasing guidance for businesses on data security.  In June, they did just that, releasing a guide called Start with Security: A Guide for Business.  It’s subtitled “Lessons Learned From FTC Cases” for a reason — it uses the 50+ FTC enforcement actions on data security to provide ten lessons companies should learn when approaching to security to avoid others’ missteps that led to enforcement actions, and practical guidance on reducing risks.  The lessons are:

  1. Start with security.  The FTC has long advocated the concept of “privacy by design,” meaning companies should bake an understanding of and sensitivity to privacy into every part of the business, making it part of the design process for new products and processes.  The FTC is advocating a similar concept of “security by design.” Guidance:  don’t collect personal information you don’t need (the RockYou enforcement action); don’t use personal information when it’s not necessary (Accretive and foru International); don’t hold on to information longer than you have a legitimate business need for it (BJ’s Wholesale Club).
  1. Control access to data sensibly.  Keep data in your possession secure by controlling access to it – limit access to those with a need to know for a legitimate business purpose (e.g., no shared user accounts, lock up physical files). Guidance: don’t let employees access personal information unless they need to access it as part of their job (Goal Financial); don’t give administrative access to anyone other than employees tasked administrative duties (Twitter).
  1. Require secure passwords and authentication.  Use strong password authentication and sensible password hygiene (e.g., suspend password after x unsuccessful attempts; prohibit common dictionary words; require at least 8 characters; require at least one upper case character, one lower case character, 1 numerical character, and 1 special character; prohibit more than 2 repeating characters; etc.)  Guidance: require complex and unique passwords (Twitter); store passwords securely (Guidance SoftwareReed ElsevierTwitter); guard against brute force attacks (Lookout ServicesTwitter, Reed Elsevier); protect against authentication bypasssuch as predictable resource location (Lookout Services).
  1. Store sensitive personal information securely (“at rest”) and protect it during transmission (“in motion”). Use strong encryption when storing and transmitting data, and ensure the personnel implementing encryption understand how you use sensitive data and can determine the right approach on a situation-by-situation basis.  Guidance: Keep sensitive information secure throughout the data life-cycle (receipt, use, storage, transmission, disposal) (Superior Mortgage Corporation); use industry-tested and accepted methods (ValueClick); make sure encryption is properly configured (FandangoCredit Karma).
  1. Segment your network and monitor who’s trying to get in and out.  Be sure to use firewalls to segment your network to minimize what an attacker can access.  Use intrusion detection and prevention tools to monitor for malicious activity.  Guidance: segment your network (DSW); monitor activity on your network (Dave & Buster’sCardsystem Solutions).
  1. Secure remote access to your network. Make sure you develop and implement a remote access policy, implement strong security measures for remote access, and put appropriate limits on remote access such as by IP address and revoking remote access promptly when no longer needed.  (The compromise of a vendor’s system via phishing, leading to remote network access, is how the Target breach started.)  Guidance: ensure remote computers have appropriate security measures in place, e.g., “endpoint security” (Premier Capital LendingSettlement OneLifeLock); put sensible access limits in place (Dave & Buster’s).
  1. Apply sound security practices when developing new products. Use “security by design” to ensure data security is considered at all times during the product development life-cycle.  Guidance: Train engineers in secure coding (MTS, HTC America, TrendNet); follow platform guidelines for security (HTC AmericaFandangoCredit Karma); verify that privacy and security features work (TRENDnetSnapchat); test for common vulnerabilities (Guess?).
  1. Make sure your service providers implement reasonable security measures. Make sure you communicate your security expectations to your service providers and vendors, and put their feet to the fire through contractual commitments and auditing/penetration testing. Guidance: put it in writing (GMR Transcription); verify compliance (Upromise).
  1. Put procedures in place to keep your security current and address vulnerabilities that may arise.  Data security is a constant game of cat-and-mouse with hackers – make sure to keep your guard up.  Apply updates to your hardware and software as they are issued, and ensure you are spotting vulnerabilities in, and promptly patching, your own software. Have a mechanism to allow security warnings and issues to be reported to IT.  Guidance: update and patch third-party software (TJX Companies); heed credible security warnings and move quickly to fix them (HTC AmericaFandango).
  1. Secure paper, physical media, and devices.  Lastly, while the focus these days seems to be on cybersecurity, don’t forget about physical security of papers and physical media.  Guidance: securely store sensitive files(Gregory NavoneLifelock); protect devices that process personal information(Dollar Tree); keep safety standards in place when data is en route (AccretiveCBR Systems); dispose of sensitive data securely (Rite Aid,CVS Caremark,Goal Financial).

As this guidance is based on what companies did wrong or didn’t do that led to FTC enforcement actions, it will be interesting to see how the FTC treats a company that suffers a data breach but demonstrates that they used reasonable efforts to comply with the FTC’s guidance.  I suspect the FTC will take a company’s compliance with this guidance into consideration when determining penalties in an enforcement action. The guidance is very high-level, so companies must rely on their IT and Legal teams to determine what steps, processes and protocols need to be implemented in alignment with the FTC’s guidance.

In addition to publishing the guide, the FTC has embarked on a conference series aimed at SMBs (small and medium-sized businesses), start-up companies, and developers to provide information on “security by design,” common security vulnerabilities, secure development strategies, and vulnerability response.  The first conference took place September 9 in San Francisco, CA; the second will take place November 5 in Austin, TX.

The FTC also announced a new website at which they’ve gathered all of their data security guidance, publications, information and tools as a “one-stop shop”.  You can find it at http://www.ftc.gov/datasecurity.

Don’t get Hooked by Phishing or Spear Phishing

Posted on by
Reply

Cyber attacks such as the Anthem breach, the Home Depot breach, and the Target breach are becoming almost commonplace.  Major cyber attacks compromising information about millions of people often start not with a bang, but a whisper – a “phishing” or “spear phishing” email through which an attacker tries to acquire login credentials that can be used to launch a sophisticated and crippling attack. Over 90% of cyber attacks take the form of, or start with, a spear phishing attack, and phishing attacks are also very common. These attacks happen both in the office and at home. Phishing and spear phishing attacks can happen at any time, and can target any person or employee.

What is “Phishing?In a “phishing” attack, an attacker uses an email sent to a broad group of recipients (and not targeted to a specific group) to impersonate a company or business in an effort to get you to reveal personal information or login IDs/passwords, or to install malware or exploit a security hole on your computer.  It generally uses an official-looking email and website to gather information, and often contains the logo(s) of the company it is impersonating.

What is “Spear Phishing?In a “spear phishing” attack, an attacker uses an email tailored for a specific group of recipients (e.g., a group of employees at a specific business), often impersonating an individual such as someone from your own company or business, in an effort to get you to reveal personal information, login IDs/passwords, to steal money or data, or to install malware or exploit a security hole on your computer.

How do I spot a phishing or spear phishing email?Look for one or more of these key indicators that an email in your inbox is actually a phishing or spear phishing attack.

  • The email has spelling or grammatical errors. A phishing or spear phishing email often contains spelling or grammatical errors, and does not appear to be written by a business professional.
  • You do not recognize the sender’s email address. If you get an email asking you to click on a link or open an attachment, look carefully at the email address of the sender.  Be especially alert for email addresses that are similar to, but not the same as, your company’s email address (e.g., “joe.johnson@microsoft.co” instead of “joe.johnson@microsoft.com”).
  • The email contains links that don’t go where they say they do. Before you click on a link in an email you don’t recognize, “hover” your mouse cursor over the link. A pop-up will appear showing you where the link will go.  If they don’t match, it’s probably a phishing or spear phishing attempt.  In this example, this innocuous-looking link actually goes to a malicious website:

Bad link sample

  • The email asks you to open an attachment you don’t recognize. Many spear phishing emails ask you to open an attachment or click on a link.  If an email you don’t recognize asks you to open an attachment you weren’t expecting or that doesn’t look familiar, or to click on a link you don’t recognize, don’t click on it or open it, and check with your IT or Security department if you want to know for sure.
  • The email seems to be a security-related email, or asks you to take immediate action. Watch out for emails that state that your account will be suspended; ask you to reset, validate or verify your password, account information or personal information, or otherwise ask you to take immediate action to prevent something from happening.
  • The email relates to a current news event. Many phishing emails use a current news event, such as a natural disaster or security breach, to get you to provide information, click a link or open an attachment.
  • The email contains information from your social media accounts or other public information. Spear phishing attackers will often look at your public social media accounts (e.g., your Facebook feed, LinkedIn profile, tweets, etc.) and other public sources (e.g., Google searches) and use information about you or your friends to make a spear phishing email seem authentic.  If an email contains personal information about you other than your name and email address, take a close look to ensure it’s not a spear phishing attempt.

If you think an email you received is a phishing or spear phishing attempt, (1) do NOT click or open any links or attachments in the email, (2) if you are at work, immediately contact your Security or IT department to report it, especially if you clicked on an attachment or link or otherwise took action before you realized this (failing to report it will be much worse, so don’t be embarrassed); and (3) delete the email immediately.