It seems like managing data breaches has become a part of doing business these days. From the October denial of service attack on Dyn (a company that provides core internet services to companies like Twitter, Spotify and Netflix) to the recent hacks of the Clinton campaign’s emails, data breaches are increasing in frequency, scope and cost. The average cost of a data breach increased to $4 million in 2015, and the 2016 Cost of Data Breach Study: Global Analysis published by IBM and the Ponemon Institute places the likelihood of a company having a material data breach involving 10,000 lost or stolen records in the next 24 months at 26 percent.
In this political season, much has been made about late-night Twitter rants targeting women and other social media attacks on individuals and celebrities. Although these harsh online critiques create a more hostile cyber community, more imminent danger may arise from the safety risks that accompany online activity in general. Law-enforcement officials have long warned users against disclosing travel plans on social media to would-be thieves by, for example, posting pictures of a boarding pass from that long-awaited trip to Barcelona. But what about apps and services like Find My Friends, where users can share their location with up to 50 friends, or Snapchat, which shows a user’s location when posting an image or video? With a culture focused on sharing and instant access to information via social media feeds, it bears considering if location-revealing apps engender some inherent danger, whether the app developers disclose potential risks, and what steps can be taken to protect personal safety.
Today’s online world is all about engaging and staying connected with others via social media. For businesses, establishing a presence on various social media platforms is an enticing way to connect with current customers as well as foster new business.
Yet the immense popularity of social media sites can also draw unwanted attention to its users. Just as businesses are drawn to popular social medial sites to market their brands and products, so, too, are potential cybercriminals interested in targeting those who engage with these sites. On many of these platforms, user engagement is public. In other words, when a user chooses to “follow” a company or leave a comment, not only does the business take notice of the user, but everyone else on the platform can, as well, including those who are not themselves following the business. This provides a would-be cybercriminal a target-rich group upon whom to practice new (and old) scams.
Since my last post on the subject (“LinkedIn Grapples with the Ripples of a 2012 Data Breach”), there have been several developments related to LinkedIn’s 2012 data breach. First, in May, LinkedIn announced it has finished the process of invalidating passwords at risk, specifically LinkedIn accounts that had not reset their passwords since the 2012 breach:
A robust cybersecurity strategy involves sophisticated, overlapping protections. Along with up-to-date technology, well-trained employees and vigilant IT professionals, comprehensive insurance coverage is an often necessary ingredient of any protective “moat” shielding a company from damaging cyberattacks. Yet does a company’s cyber insurance package actually protect it from one of the most common forms of cyberattack—when a hacker goes phishing? In her post “Phishing for Insurance Coverage” on Pillsbury’s Policyholder Plus insurance blog, our colleague Peri Mahaley examines a variety of surprising phishing-related exclusions one might discover in a company’s cyber coverage.
Last week on the official LinkedIn blog, the company’s chief information security officer, Cory Scott, reported the company had become aware of an additional set of data that has just been released consisting of e-mail and hashed password combinations of more than 100 million LinkedIn members. This recent release is related to a 2012 unauthorized access and disclosure of LinkedIn members’ passwords:
Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach. –Linkedin Official Blog, May 18, 2016
On April 29, 2016, Judge Ross issued his ruling on Ashley Madison’s motion for a protective order, prohibiting Plaintiffs from using the leaked documents, reports quoting the leaked documents, and information “stolen from Avid” in drafting their consolidated class action complaint. The result was largely policy driven, with Judge Ross stating broadly, “the Court cannot and will not allow Plaintiffs to take advantage of the work of hackers to access documents outside the context of formal discovery. To do so would taint these proceedings and, if left unremedied, potentially undermine the integrity of the judicial process.” The Court also ruled that it had inherent authority to issue a protective order with respect to documents obtained outside the course of normal discovery, and distinguished cases cited by the Plaintiffs in opposition. Rejecting Plaintiffs’ First Amendment argument, Judge Ross notes, “[j]ournalists … are in a completely different position than parties involved in private litigation. No doubt exists that the news media enjoy the freedom of ‘the press;’ however, the conduct of attorneys is informed by their ethical responsibilities as officers of the Court.” The amici briefs submitted by other Ashley Madison users made an impact on the Court as the Court found that the leaked information could not truly be considered “readily available to the public” due to the efforts of the other users to protect their privacy following the leak, as asserted in their briefs. Ultimately, Judge Ross emphasized the need to “protect the integrity of the internet and make it a safer place for business, research and casual use.”
We’ve previously written about the distinctions between hacking credit and other financial data in comparison to hacking private information. (See Ashley Madison and Coming to “Terms” with Data Protection.) The issue of how much protection the latter receives when it relates to attorney-client communications is currently before the District Court of the Eastern District of Missouri in the multi-district litigation arising from the July 2015 Ashley Madison leaks. Plaintiffs—former users of the site who claim that Ashley Madison defrauded the public by creating fake female profiles to lure male users—hope to use leaked information in their consolidated complaint against the site, due to be filed June 3 of this year. The leaked information sought to be used includes references and citations to emails between Ashley Madison’s parent company, Avid Dating Life, and its outside counsel.
Recently, the Fourth Circuit handed down one of the first appellate-level decisions involving insurance coverage for a cyber-related event. The ruling is likely to create ripples among both carriers and company insureds, as it establishes the possibility that, under a general liability policy, a carrier may still be on the hook to cover cyberattacks or data breaches that are the result of a company’s negligence (as opposed to those stemming from a criminal attack, in which the company is the victim). In their Client Alert on the Fourth Circuit’s ruling, colleagues James Bobotek, Peri Mahaley and Benjamin Tievsky break down the ruling and its takeaways.
Recently, we noted vulnerability issues from use of the Internet of Things and how that has come to impact the health industry. Recent events continue to highlight this development. Since the start of the year, there have been cyber attacks targeting hospitals. Perhaps recognizing the extensive disruption and potential privacy concerns to patients, the hackers have targeted these institutions to either make a point or seek large sums in exchange for returning access to the hospital data. In January, Hurley Medical Center, based in Flint, Mich., was attacked, although a spokesperson stated that policies and protocols were followed and patient care was not compromised. The hacktivist group Anonymous released a video with the hashtag #OpFlint prior to the cyber attack and suggests responsibility for the breach to make a point regarding the city’s water crisis, although no confirmation has been made.