Cyber Threats – HospitalityLawyer.com
https://pre.hospitalitylawyer.com
Worldwide Legal, Safety & Security Solutions
Feed last built: Fri, 19 Jul 2019 02:50:55 +0000

Hospitality Cyber Threats Are Alive & Well – Lessons From Recent Incidents
https://pre.hospitalitylawyer.com/hospitality-cyber-threats-are-alive-well-lessons-from-recent-incidents/
Published: Tue, 16 Jul 2019 16:00:33 +0000

The data incident involving the Starwood guest database was one of the most significant data security incidents in recent years. Publicly announced on November 30, 2018, the details revealed in the days and weeks following the announcement contain some striking reminders and new lessons for the hospitality industry. Here are some of the key facts of the incident:

  • Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
  • The unauthorized intrusion into Starwood’s database occurred in 2014, but it was not discovered by Starwood, nor later by Marriott during the course of its acquisition of Starwood.
  • The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date, and communication preference, and in some instances, payment card numbers and expiration dates. Marriott’s forensic assessment provider ultimately reported that 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

  1. Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
  2. Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
  3. With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address is indisputably “personal data” under the GDPR.
  4. Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end.
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieves information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the system typically shows only a partial card number, in some cases the criminals are able to unmask the obscured digits.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of.

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

  • Change employee passwords at frequent intervals.
  • Alert employees to this type of attack and train them in how to respond.
  • If possible, implement multi-factor authentication for any access to the reservation management system.
  • Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
  • Protect partial payment card information so obscured numbers can’t be unmasked.
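As an added example, not code from the article or from HospitalityLawyer.com, the following Python sketches two of the controls in the list above: keeping only a card reference so that the partial number shown on a front-desk screen cannot be unmasked from anything the reservation system stores, and a periodic access review that flags accounts with no business need (terminated staff, roles outside an allow-list, dormant logins). The card number is the standard Visa test number, the accounts and dates are constructed, and the HMAC key, the role allow-list and the 90-day dormancy window are assumptions.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample input: the well-known Visa test number, not a real card.
SAMPLE_PAN = "4111 1111 1111 1111"
# Assumed: key held by the payment processor/HSM, never by the reservation system.
SAMPLE_HMAC_KEY = b"example-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Reject malformed input before anything is derived from it."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_reference(pan: str, hmac_key: bytes) -> dict:
    """Return the only card data the reservation system keeps.

    The full PAN is discarded. A keyed HMAC gives a stable reference for matching
    repeat bookings; unlike a plain hash, it cannot be recomputed by anyone who
    sees the last four digits but does not hold the key, so the masked number
    shown on screen cannot be 'unmasked' from what the system stores.
    """
    digits = "".join(c for c in pan if c.isdigit())
    if not luhn_valid(digits):
        raise ValueError("malformed card number")
    return {
        "last4": digits[-4:],
        "ref": hmac.new(hmac_key, digits.encode(), hashlib.sha256).hexdigest(),
    }


def display_card(ref: dict) -> str:
    """What a front-desk screen shows: the last four digits and nothing else."""
    return "**** **** **** " + ref["last4"]


# Assumed role allow-list and dormancy window for the access review.
ALLOWED_ROLES = {"front_desk", "reservations", "manager"}
DORMANT_DAYS = 90

# Constructed accounts: one clean, one wrong role, one terminated, one dormant.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "front_desk", "terminated_on": None, "last_login": date(2019, 7, 15)},
    {"user": "bob", "role": "housekeeping", "terminated_on": None, "last_login": date(2019, 7, 10)},
    {"user": "carol", "role": "front_desk", "terminated_on": date(2019, 6, 30), "last_login": date(2019, 6, 29)},
    {"user": "dave", "role": "manager", "terminated_on": None, "last_login": date(2019, 3, 1)},
]


def accounts_to_disable(accounts, allowed_roles, today, dormant_days=DORMANT_DAYS):
    """Flag reservation-system accounts with no business need for access."""
    flagged = []
    for a in accounts:
        reasons = []
        if a["terminated_on"] is not None and a["terminated_on"] <= today:
            reasons.append("terminated")
        if a["role"] not in allowed_roles:
            reasons.append("role not permitted: " + a["role"])
        if (today - a["last_login"]).days > dormant_days:
            reasons.append("dormant > %d days" % dormant_days)
        if reasons:
            flagged.append((a["user"], reasons))
    return flagged


def review_sample(today=date(2019, 7, 16)):
    """Run the access review over the constructed accounts as of a fixed date."""
    return accounts_to_disable(SAMPLE_ACCOUNTS, ALLOWED_ROLES, today)


if __name__ == "__main__":
    ref = card_reference(SAMPLE_PAN, SAMPLE_HMAC_KEY)
    print(display_card(ref), ref["ref"][:16] + "...")
    for user, reasons in review_sample():
        print("disable", user, "-", "; ".join(reasons))
```

The design point is that a front-desk screen only ever has the last four digits to display, and the stored reference is keyed, so an account that is phished in the call described above yields nothing that can be turned back into a full card number. The review function is meant to be scheduled, with the output fed to whoever owns the reservation-system accounts.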

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Library.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

Preventing Cybercrime
https://pre.hospitalitylawyer.com/preventing-cybercrime/
Published: Sat, 22 Jun 2019 16:00:26 +0000

HOW TO RESPOND TO COMPUTER POP-UPS.

In addition to being annoying, computer pop-ups or notifications are often the first step a cyber-criminal uses to victimize unsuspecting users. Be cautious of any notification or pop-up message. Examples include emails that say you have to download something in order to see a greeting card, or a message that says your computer is infected. Don’t click on anything in these pop-ups, including the “x” inside the pop-up itself. The safest way to close the pop-up on a Windows computer is to hold down the three keys “CTRL+ALT+DEL”; use “CMD+Option+Escape” on a Mac. Then run your antivirus software to see if there is any malware on your computer that caused the pop-up.

HOW TO RESPOND TO FAKE EMAIL MESSAGES

Be careful where you click. Don’t click on links or attachments in e-mails from an unknown sender, a suspicious sender, or emails that don’t make sense. Remember that a friend’s email account can become compromised and that attackers can “spoof” someone’s email address to appear to be from anyone they choose. Remember: don’t react emotionally to an email. Pause and think before clicking. Hackers count on this emotional response to overcome logic and force us into making bad cyber-decisions.

RANSOMWARE

Ransomware is a form of malware that restricts access to data by encrypting files or locking computer screens. The criminal behind the ransomware infection then attempts to extort money from the victim by asking for a “ransom”, usually in the form of cryptocurrencies like Bitcoin, or in the form of gift cards from sources like iTunes, whereby the cyber-criminal asks the victim to scratch off the back of the gift card and email the card codes in exchange for access to the data.

How it begins.

In a ransomware attack, victims open an email addressed to them and may click on an attachment that appears legitimate, like an invoice or notification of a missed delivery. If the victim clicks on a link in that email, it may cause malicious ransomware code to install on their computer.

What happens next.

Once the infection is present, the malware begins encrypting files on a victim’s computer. Users are generally not aware they have been infected until they can no longer access their files or until they begin to see computer messages advising them of the attack and the demand for a ransom payment in exchange for the decryption key.

How to stay safe.

Be careful where you click. Always back up the content on your computer. If you are infected by ransomware, you can have your system wiped clean and then restore your files from your backup. Because ransomware can infect all connected hard drives, disconnect the backup drive when not in use or use cloud backup.

The bad guys are getting creative with hybrid gift card / CEO Fraud scams. There is a campaign underway where they impersonate an executive and urgently ask for gift cards to be bought for customers. The numbers need to be emailed or texted to the boss after the cards are physically bought at stores. Never comply with requests like that, and always confirm using a live phone call to make sure this is not a scam. Sometimes it’s OK to say “no” to the boss!


About KPM Law
Kalbaugh Pfund & Messersmith, PC is a top-rated civil litigation firm with four locations serving the mid-Atlantic since 1990. As a progressive civil litigation firm with more than 25 years of dynamic multi-jurisdictional practice, Kalbaugh, Pfund & Messersmith, top-rated by Martindale-Hubbell, is recognized as experienced, client-centered, value-driven, and outcome-oriented. Having focused the practice on legal matters that speak to the collective strength and experience of their dynamic team of attorneys, KPM provides unparalleled acuity in their field while employing strategies that increase efficiencies, enhance outcomes, and benefit their clients both legally and financially. With four strategically located offices, KPM practices in the states of Virginia, Maryland, West Virginia, North Carolina, and the District of Washington, representing a variety of insurance carriers, international corporations, national and regional companies, self-insured businesses, and individuals — clients who rely on KPM’s experienced professionals, progressive philosophies and proven track record to meet their litigation needs in the mid-Atlantic area.

Hotel Operators Need to Address the Asymmetric Threat
https://pre.hospitalitylawyer.com/hotel-operators-need-to-address-the-asymmetric-threat/
Published: Fri, 23 Feb 2018 01:06:33 +0000

It’s happened again: a terrible attack on a hotel, followed a few days later by the deadly commandeering of an ambulance and its subsequent use as a bomb. Afghanistan, more than 16 years after the US and its NATO allies first launched an all-out assault on the Taliban and Al Qaeda, continues to be a hotbed of internecine and factional conflict. The results are destabilizing to the region and support the notion that the war, initially crafted as a response to the deadly September 11, 2001 attacks in the US, has drifted into the realm of quagmire.

But rather than dwell on the seemingly endless armed conflict, it’s worthwhile to take a look at the hotel bombing and emphasize once again the critical need for hotel operators to implement effective and smarter security controls aimed at detecting and neutralizing non-traditional or “asymmetric” threats to the sector. It is not enough to erect barriers outside the entrance or to have guests pass through a magnetometer, however inconvenient that may be. A wholesale rethinking of hotel security practices is necessary. Such re-crafting of the process cannot be accomplished using a “one size fits all” approach; rather, a carefully calibrated protocol must be established and implemented for each property bearing in mind the threat environment in which the establishment operates.

Last September’s mass shooting at the Mandalay Bay Resort in Las Vegas was a clarion call for the hospitality sector to take a more proactive approach to security. In the case of Las Vegas, or other tourist- and convention-oriented cities in the US and Europe, current protocols need to be strengthened and non-traditional measures need to be adopted. Who is checking in, what is he or she about, and does the potential guest mesh with the established demographic? These should be priority questions. In other words, if you operate a five-star hotel and charge close to $400 per night, should you be concerned about a 21-year-old man who checks in alone? What about a single female of the same age group? And a group of student back-packers?

The answer in our view is while no particular concerns may be apparent at the time of check-in, a person who clearly looks out of place in your property may be a good candidate for a little extra screening. What type of screening can be accomplished to allay concerns about the person? Consider adopting some of the following measures:

  • While not possible in every case, a cursory background computer check (think “Google”) can reveal issues that a reservationist, front desk clerk or your hotel website cannot detect at the time of reserving. Has the person got multiple weapons arrests or has he or she been cited for domestic abuse? Has the person been of concern to authorities for any reason, but especially for making threats? You are not required to house each and every guest that has a reservation and you can unilaterally cancel a reservation for security concerns.
  • Has the person requested some sort of non-routine access? For example, if the guest asks for a tour of the kitchen or the back office “just to see how it operates”, that is a flag that should immediately go up. Is this pre-operational “casing”? Is it an attempt to discover employee or security protocols? Is there a robbery being planned? Many questions should come to mind here. Clear disobedience of security protocols, for example unauthorized access to the roof, electrical boxes or rooms, fire alarms or equipment, could be cause for immediate expulsion from the property.
  • That “do not disturb” sign on the exterior door handle of the guest room is of concern if it is present for more than, say, 8 hours at a time. The guest could be amassing weapons, as in the case of Stephen Paddock, the Las Vegas mass shooter. Or, there could be other illegal activity taking place therein, such as prostitution or drug dealing. Remember that frequent entries and exits of unregistered visitors to the room could be a sign of either. Ensure that hotel management knocks on the door periodically, even if the sign is present. You are not required to provide 100% privacy, and safety concerns must take precedence.
  • More frequent, overt or covert security rounds are a great source of intelligence on guest activity. Try checking in an “undercover” employee as a guest and allow him or her to mingle with others at the bar, in restaurants, at the pool. The astute person will be able to gather a good deal of information on guest activity. An overt addition to security could be the use of trained canines to detect explosive compounds or the chemical remnants of gunpowder, which is left on weapons, magazines and clothing as a by-product of shooting ammunition. If this had been done in Las Vegas, the presence of dozens of weapons and thousands of rounds of ammunition in the shooter’s guest room might have been discovered in time to prevent the tragedy.

Finally, if you do observe or otherwise detect suspicious activity, the hotel has the right to take quick action to ensure the safety of guests and employees. An innocent person who is expelled from the hotel might be able to raise a valid claim against the property, but a reasonable expulsion of someone who just does not seem “right” or is acting in a way incompatible with security may make the difference between a safe stay for all and a tragedy of immense proportions.

There is no hard and fast, right or wrong protocol in implementing non-traditional and proactive security measures at hospitality locations. Those that are most appropriate will be dictated by events on the ground, intelligence gathered, local and national law enforcement liaison and a good deal of thinking outside the box. The important thing is to not rely exclusively on barriers and door locks. As the threat evolves, so must your security protocols.

Cloud Computing Crash Course: Safety First
https://pre.hospitalitylawyer.com/cloud-computing-crash-course-safety-first/
Published: Sat, 21 Oct 2017 23:58:10 +0000

When it comes to privacy and security laws governing sensitive data, you don’t have to be a financial or health institution to have information that is subject to state and federal regulation. Almost every organization with employees stores some personally identifiable information.

Simply storing an employee’s name, email address and date of birth will be enough to trigger state regulation around access and disclosure of such information. For organizations handling information subject to the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), it is even more important to understand the restrictions. Even after determining that such regulated information can be stored in the cloud, you still must make sure that the cloud provider will be HIPAA and/or GLBA compliant. For example, when deleting or disposing of information subject to HIPAA, the cloud provider must certify in writing that it was properly disposed. More importantly, upon receiving your organization’s protected health information, even if encrypted, the cloud provider will become a business associate under HIPAA. At a minimum, the cloud provider will need to sign a Business Associate Agreement, but you should conduct a thorough risk analysis to determine whether they can comply with the regulatory requirements for these types of information.

In Assessing Risk, Don’t Forget Your Proprietary Data and Intellectual Assets

Your organization may find several benefits in moving to cloud services, but before you sign up to transmit and store any of your data that is currently on premise, you should analyze your data’s sensitivity. Information relating to HIPAA or GLBA or other similar information that subjects your organization to a heightened security standard is clearly sensitive, but what about your organization’s intellectual property?

The trend for traditionally on-premise solutions to move to the cloud means that your organization’s trade secrets, unpatented inventions and other proprietary information may be stored in the cloud. This valuable information — especially trade secrets — requires protection when on-premise, so maintaining the security of such information is just as crucial when stored in the cloud. In considering whether to use a cloud application or storage solution for proprietary information, ask:

  • What can your organization do to limit the potential disclosures of IP?
  • What can the cloud provider do to protect your IP against outside threats?

While more than 25 percent of cybercriminals are IP spies, most IP breaches actually involve former or current employees, and the single biggest reason for IP breaches is the abuse of system access and privileges. Another prominent risk is employee negligence in handling an organization’s IP. With that in mind, the first step in protecting your IP in the cloud is to ensure that only certain people have access to confidential IP, by:

  • Monitoring access for employees whose jobs require access.
  • Ensuring ex-employees cannot access files, including files emailed to themselves.
  • Implementing security policies and procedures to help employees avoid accidental disclosures (e.g., ensuring all files are encrypted, or reviewing your mobile device policies and procedures to ensure sensitive IP cannot be accessed).

The upside is that a reputable cloud provider may be in a better position to safeguard your information than your organization’s traditional network servers, so long as the provider employs suitable security practices. You may ask the cloud computing provider how it plans to control access rights and whether it will create a chain of custody for every person who may touch the intellectual property. If the cloud provider can provide an audit trail to monitor all access to your trade secrets and other sensitive and proprietary information, you may be able to preemptively stop an attack, or at least catch it early. With the right cloud computing provider and a solid contract clearly defining security measures, it’s possible that a cloud provider can keep your trade secrets and proprietary confidential information more secure than your own organization could, but you must be sure. Once a trade secret is discovered, it may be too late.

Customer and Vendor Contracts

Finally, don’t forget about your customer or vendor contracts. With the prevalence of cloud computing use and seemingly never-ending data breaches, many of your vendors or customers may prevent your organization from using cloud services to store or transmit their information. Additionally, vendors or customers may even require that you receive security guarantees or other specific representations from cloud vendors who are handling their information. You must know and understand your obligations to your existing suppliers and customers in order to negotiate a sound contract with a cloud provider, so do some due diligence before signing up.

Cloud Computing Crash Course: Location, Location, Location
https://pre.hospitalitylawyer.com/cloud-computing-crash-course-location-location-location/
Published: Sat, 14 Oct 2017 20:14:28 +0000

Cloud computing is the practice of enlisting a “cloud provider” to deliver data, applications and storage to users through the internet, which allows each user to share the computing resource and forego some on-premise technology. Cloud computing is generally categorized into three buckets. The cloud provider may:

  1. Host applications, thereby eliminating the need to install and run applications on users’ own computers or data centers (known as Software-as-a-Service, or SaaS).
  2. Host the hardware and software on its own infrastructure, thereby eliminating the need to install in-house hardware and software needed to develop or run a new application (known as Platform-as-a-Service or PaaS).
  3. Provide virtualized computing resources, thereby eliminating the need to install and run hardware, software, servers, storage or other infrastructure in the user’s own facility (known as Infrastructure-as-a-Service or IaaS).

Knowing Where Your Data is Stored is Mission-Critical

Don’t let the term “cloud” fool you into thinking that the information is not in a specific location. It is, and it’s important to know the exact geographic location of the server where your data will be stored, including any back-up locations.

First, your legal obligations relating to the information can completely change according to the geographic location of where your information is stored. For example, if the cloud provider sends your organization’s personally identifiable information (PII) to a server in the European Union, you will be subject to the ultra-strict privacy rules of the General Data Protection Regulation (GDPR), set to take effect in May 2018.

Second, your information may not be as secure if the privacy and security laws in the server’s location are not as protective as those in the United States. Servers in India, for example, are subject to India’s Information Technology Act, which allows the Indian government to intercept and demand decryption of information, with serious fines and/or imprisonment for non-compliance.

Third, with some countries’ data localization laws, you may be required to store certain information within a specific country, and you may be prevented from exporting it out of that country. Russia’s localization law, for example, requires a multinational organization to host data concerning Russian citizens only on a server in Russia, which may mean creating a new data center in Russia.

Depending on the type of information you are sharing, you may also have to comply with U.S. export control regulations. This is an especially important contract consideration for information relating to items classified as “dual use,” or technology with encryption functionalities that are subject to Export Administration Regulations. Storage of such information outside the United States may lead to serious sanctions if required licenses are not obtained.

Finally, in the event of a data breach, U.S. and foreign law enforcement agencies have broad rights to obtain subpoenas for information stored in the cloud. However, the rules surrounding a data breach vary from country to country and even state to state — some states, for example, exempt organizations from disclosing a data breach if the data is encrypted and the encryption key was not exposed.

Conclusion

While cloud computing offers many benefits to organizations, it also introduces its own legal obligations and risks, many of which are tied closely to the geographic location of the stored data. As such, organizations must work proactively to understand the particular data privacy regulations applicable to their cloud computing arrangement. This due diligence will help organizations determine if they should engage with a cloud vendor or continue to store their data on-site.


Thomas J. Posey, Partner
Faegre Baker Daniels LLP
311 S. Wacker Drive, Suite 4300
Chicago, IL 60606, USA
Main:  (312) 212-5500
Direct:   (312) 212-2338
Email:  thomas.posey@faegrebd.com

Cybercrime and Data Breach a Rising Threat to all Employers
https://pre.hospitalitylawyer.com/cybercrime-and-data-breach-a-rising-threat-to-all-employers/
Published: Fri, 05 May 2017 03:13:35 +0000

Over the past six months, we have observed a significant uptick in inquiries about data breach and other cyberthreats from area businesses. We are asked about pursuing claims for recovery of funds lost due to fraud by hacking, about state notification procedures in the event of a data breach affecting employees, and general questions about how to prepare for or respond to other IT security problems. The whole subject area is a complex mix of technical and legal issues, and it touches nearly every aspect of the current business environment. Moreover, the costs to companies that are the victims of cybercrime and data breach are significant and, unfortunately, it is no longer uncommon for the costs to bankrupt small and medium-sized businesses within a short time after the breach is discovered.

Types of cybercrime incidents

Data breach and other cyberthreats come from all quarters and they affect individuals and organizations of all sizes. Given the recent news about the Central Intelligence Agency and the National Security Agency being the subject of now infamous data thefts, including the CIA losing control of its own toolbox of hacking tricks, many employers are likely to think that there is little that can be done when the government agencies tasked to defend our country’s cybersecurity and armed with a government-sized budget have proven vulnerable. But the size and scope of cyberthreats are not exaggerated and require vigilance and defenses regardless of your organization’s size.

So-called “Black Hat” hackers and cybercriminals are after all types of information that are useful to further a hacking scheme or that can be monetized easily and anonymously, making it an attractive crime. Phishing attacks, which prey on human psychology, are attempts to get a victim unwittingly to click on a link in an email or otherwise provide information that can be used to unleash malware in an organization’s network or to provide an entryway for theft of critical or confidential information. Ransomware attacks steal access to business data by encrypting the content of company-owned devices, preventing users from accessing it until a ransom is paid. The advent of Bitcoin and other cyber-currencies, which allow for anonymous transactions over the Internet, has only emboldened ransomware schemes by making them very difficult to trace. Both types of attacks are designed to exploit weaknesses in human psychology more than technical weaknesses in software or hardware. Simple theft or loss also can be a source of data breach. Employees now carry around huge troves of business data in their mobile phones, laptops, and other devices. The theft of a mobile phone or the loss of a laptop by leaving it behind at airport security can be an event that causes all kinds of headaches for an employer.

Data breach incidents have a panoply of repercussions for businesses that suffer them. Not only is there the threat of liability for the damage, but also the reputational harm with client relationships and in the marketplace. Retailer Target Corporation, which was the subject of a 2013 data breach, reported $61 million in losses from the breach and received only $44 million in insurance coverage for the fourth quarter of 2013, when the breach was announced. Those figures do not include the costs of litigation, fraud claims, and investigation expenses that Target continued to incur well after the breach was announced. In 2015, Target paid a settlement of approximately $10 million to settle a class action suit by consumers affected by the data breach. And the data does not include the lost sales that may have been attributable to the lost confidence in Target’s security.

What information do you have that you need to protect?

Even organizations that are not specifically tasked with handling or protecting sensitive data should carefully consider what kinds of information they possess that requires protection and where it is located. A firm does not need to be a financial services company or a healthcare provider to have sensitive data that may subject it to legal liability if the information is lost or compromised through a data breach incident. Small businesses of all types will have personnel information about their employees, customer lists, and other intellectual property that should be kept from prying eyes either because it is personal information or it contains the trade secrets for the business. Employee and benefits files with information about payroll, tax withholding, insurance, and retirement plans likely will contain personal identifying information that is subject to federal and state law governing protection of data, such as social security numbers, bank account numbers, and dates of birth. The electronic payment systems at retailers large and small can be an avenue for stealing the credit card numbers of customers.

Employers also need to think about where their data is located and how it moves around. Company data is not just on company personal computers and servers. It now moves around on a wide variety of devices and storage locations. Mobile phones, tablets, and laptops all carry company data and files and travel with your employees. Cloud-based services also may hold data. And employees may use their own devices or download company files to their home computers and networks or use their own cloud-service providers such as DropBox, Google Drive, or iCloud. Some of this data may even be replicated or stored in unforeseen ways by data backup systems that move data to other storage formats or locations. Moreover, most businesses rely on many vendors that provide services for which confidential information needs to be passed back and forth and that transmission can be a weak spot that is susceptible to exploitation. Examples of these vendors are banks, payroll processing companies, accountants, bookkeepers, lawyers, IT consultants, or any Internet-services vendors, such as an Internet service provider or a cloud-based software provider.

More Things, More Cyberattacks
https://pre.hospitalitylawyer.com/more-things-more-cyberattacks/
Wed, 06 Jan 2016 16:00:26 +0000

Not a day passes without mention of the Internet of Things in the media, as it appears to expand exponentially.

Roughly 6.4 billion things will be connected to the Internet in 2016, at a rate of 5.5 million new things per day, according to Gartner. More than 20 billion devices will be in use by 2020.

As a result, everyone must be more cognizant of cyber-risks, including risks to businesses; utilities; heating, ventilation and air conditioning systems; autos; and homes.

The IoT is at risk of being ensnared in a tangled web of legal and security issues, as I noted in a column last year.

The FBI recently gave us another wake-up call via a Public Service Announcement on the Internet of Things’ vulnerability to cybercrime.

We’re Surrounded

The list of IoT devices the FBI identified as being at risk for cybercrime activities drives home just how personally exposed we all are:

  • Automated devices that remotely or automatically adjust lighting or HVAC
  • Thermostats
  • Wearables, such as fitness devices
  • Smart appliances, such as smart refrigerators and TVs

Criminals “can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety,” reads the FBI PSA.

Following is a synopsis of some of the IoT’s risk areas, according to the FBI PSA.

IoT Health Risks: It now is common for medical devices to monitor people who are ill, and some actually dispense medication on a prescribed basis. Cybercriminals could “possibly change the coding controlling the dispensing of medicines or health data collection.” This is a life-or-death risk.

Baby Monitors and Day Care Centers: Closed circuit television and other devices constantly watch children, whether they are sleeping in a nursery or at play in a day care center. What if cybercriminals were to take control of these monitoring devices and stream video of young children?

Automated Devices at Home and Work: Cyberattacks may be directed at “security systems, garage doors, thermostats and lighting,” which potentially would allow criminals to “access the home or business network and collect personal information, or remotely monitor the owner’s habits and network traffic.”

IoT in Gas Pumps: Think about the amount of damage that could result from a cyberattack on gas pumps. Cybercriminals “could cause the pump to register incorrect levels, creating either a false gas shortage or allowing a refueling vehicle to dangerously overfill the tanks, creating a fire hazard, or interrupt the connection to the point-of-sale system allowing fuel to be dispensed without registering a monetary transaction.”

As the IoT device list grows, cyberattacks surely will keep pace. It is in your best interest to heed the warning of the FBI. Share the PSA with your employees, friends and colleagues.

Also, it is important to report cyberattacks to the Internet Crime Complaint Center, or IC3, which is a partnership of the FBI and the National White Collar Crime Center. The IC3 collects data on criminal acts to try to find patterns of cybercrime, of which IoT crime is just one facet.

Cybersecurity for the Future?

The FBI’s identification of risks suggests that criminals around the world might see vast cyberopportunities with the IoT — and in particular, with companies that have Bring Your Own Device programs, since many employers have little or no control over what employees do with the devices they bring.

Microsoft has announced new security efforts with its Windows 10 IoT Core, focused on offering enterprise-grade security to IoT and targeted small “embedded devices that may or may not have screens.”

Dell reported the results of a mobile security survey that suggests businesses are getting the message about how important it is for them to do a better job in supporting security for BYOD.

Other companies are trying to stay ahead of cybercrime as well. Believe it or not, GE, AT&T and Texas Instruments, among others, this spring sponsored a hackathon, dubbed “Hack the Home,” in the spirit of spurring innovation. More than 200 teams competed for more than US$60,000 in cash and other prizes.

Events like the hackathon help guide businesses to design better technologies to protect homes connected to the IoT. Let’s hope they succeed.

It’s Time to Investigate Cyber Insurance
https://pre.hospitalitylawyer.com/its-time-to-investigate-cyber-insurance/
Thu, 30 Apr 2015 04:00:07 +0000

Most IT leaders plan for cyber-attacks by constructing firewalls and installing security hardware and software. Even so, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom, and assets are missing.

Almost every day there are reports of cyberintrusions, attacks and related security breaches. If your company does not have the right insurance, it could be even more of a disaster. For example, according to regulatory filings, at the time of Target’s cyberbreach in 2014, it had about US$100 million in insurance coverage with a $10 million deductible, but that did not even make a dent in the estimated losses of $1 billion.

What company can afford not to have insurance for a potential cyberdisaster? Let’s look at some protective measures that can be taken to safeguard your business.

As a practical matter, you or your chief risk officer should examine your current insurance policies to see if you have insurance protection for these cyberrisks:

  • Network and information security liability
  • Communications and media liability
  • Crisis management event expenses
  • Security breach remediation and notification expenses
  • Computer program and electronic data restoration expenses
  • Computer fraud
  • Funds transfer fraud
  • E-Commerce extortion

Of course, each business has its own insurance needs, so you will need to make your own decisions about the right coverage. For instance, if your company is in the healthcare industry, specific coverage for HIPAA data should be included.

Inspect Your Policies

Some insurance companies offer cyberprotection as an add-on policy to general commercial liability, while other insurance companies include cyberprotection in policies for cybercrime.

It would be wise to take a look at what coverage your company has, what is available, and make sure you do have cyberinsurance coverage.

Whether cyberinsurance is deemed a part of certain GCL policies is the subject of a declaratory judgment complaint brought by Travelers Indemnity Company in the U.S. District Court in Connecticut in October 2014. The Complaint alleged that P.F. Chang’s restaurant chain did not have cybercoverage with Travelers. Because there was no cybercoverage, Travelers claimed “that it is not obligated to defend or indemnify P.F. Chang’s…under GCL insurance policies issued by Travelers.”

It appears that Travelers filed the claim for two reasons. First, P.F. Chang’s had filed a claim for insurance coverage under its Travelers GCL policy for a cyberbreach involving seven million customers’ credit and debit cards. Second, class action cases were brought by P.F. Chang’s customers in several states, accusing P.F. Chang’s of failure to prevent the breach, and breach of implied contract.

Interestingly, the breach itself began on Sept. 18, 2013. However, P.F. Chang’s was unaware of the breach until nine months later, on June 10, 2014.

It will be interesting to follow this case to see how the Court views the CGL coverage.

Examples of Cyberinsurance Coverage

AIG, one of the largest insurance companies in the world, offers CyberEdge, which provides coverage for security or data breach losses as follows:

  • Direct first-party costs resulting from a breach
  • Lost income and operating expense resulting from a security or data breach
  • Threats to disclose data or attack a system to extort money
  • Online defamation

Travelers, another large insurance company, offers CyberFirst, which includes a number of related insurance coverage provisions:

  • Technology errors and omissions liability
  • Network and information security liability
  • Communications and media liability
  • Employed legal professional liability
  • Expense reimbursement

How to Assess a Cyberincident

Most IT leaders plan for cyberattacks by constructing firewalls and installing related security hardware and software. However, with the widespread proliferation of malware, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, the IT system is being held for ransom and assets are missing. This obviously puts a burden on the IT leadership — CIOs, CISOs and CTOs — to do an immediate assessment of what transpired:

  • Identify malware within their networks
  • Review logs to see when and where the cyberintruders came in
  • Determine what if any data was remotely accessed
  • Determine what if any data was sent off the network
  • Determine whether backup files can be used to reconstruct encrypted data

Following the assessment, companies may need to report to customers, as well as to their own employees, under a variety of laws in 47 states. Plus, in addition to everything else that violated companies must do, if credit card or banking information has been compromised, they may have a legal duty to provide credit protection services for up to one year. This happens more often than people want to know.

Report the Cyberincident — It May Be a Crime

Of course, it is important that the U.S. government learns about all cyberincidents so they can investigate in order to find the bad guys. The incidents should be reported to the Internet Crime Complaint Center which is a partnership between the FBI and the National White Collar Crime Center. The IC3 defines Internet crime:

…as any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes.

If your company has a cyberintrusion, consult your lawyer first to be sure you take the appropriate steps, including making a timely cyberinsurance claim.

Preparing Today for Future Cyber Risks
https://pre.hospitalitylawyer.com/preparing-today-for-future-cyber-risks/
Wed, 29 Apr 2015 16:00:05 +0000

While companies around the world are experiencing numerous benefits from online transactions and interactions, the accompanying risks remain less visible. Cyber threats continue to evolve and rapidly expand, in terms of sophistication, complexity and the scale of their consequences. Lone hackers have been replaced by well-funded and organized cyber-crime networks, state-backed groups, terrorist organizations, and even competitors seeking commercially valuable intelligence and intellectual property. As a result, companies must take new approaches to protection.

Verizon 2014 Data Breach Investigations Report

Traditional approaches to cybersecurity that focus on compliance and technology are not providing companies with the resilience that is required to seize new opportunities in the digital and hyper-connected world. Having originally developed as an offshoot of information technology security, cybersecurity is struggling to escape its origins and reshape itself in an effective form — in a world where company perimeters have become fluid, porous, and insecure.

Emerging Trends and Associated Risks

  1. Expansion of the corporate perimeter – As available bandwidth and connectivity continue to increase, we are seeing an explosion in the volume of interconnected devices and advanced applications that employees, suppliers and customers are using to stay connected. The expansion of the traditional secure perimeter is bringing new challenges to protecting company data that resides on users’ personal mobile devices, laptops, tablets, and even smart watches. New legal hurdles are emerging as to what a corporation can or cannot do to secure its fluid perimeters and corporate data.
  2. Sweeping industrial espionage – 3D printing technology is becoming economical and more accessible to large numbers of users, creating the possibility for thieves to readily recreate complex objects based on stolen industrial designs. These technologies will likely trigger a significant increase in the theft of intellectual property, which in turn will drive a new black market for counterfeit products.
  3. Massive data aggregation – Companies will continue to migrate to cloud-based applications and vendors for managing employee and customer information. The aggregation of this data in “the Cloud” will provide criminals with tempting targets for theft of aggregated information and will trigger massive jumps in financial and reputational liabilities. Traditional defenses will be rendered inadequate.
  4. Cyber terrorism and death – Our lives will become more dependent on complex technologies such as driverless vehicles, personalized genetic-level medical treatment, and advanced communication technologies. There will be unimaginable benefits with these advances, and governments will need to rethink how to license and regulate them. Sadly, many of the new technologies will also attract the attention of cybercriminals or terrorists, which could result in widespread havoc.
  5. Increased regulation and legislation – The combination of increased attacks and breaches will drive stricter regulation in cybersecurity, with privacy a key focus. However, in many countries regulation will be a knee-jerk reaction to attacks, which will result in poorly designed directives that make it extremely difficult for multinational companies to comply with the standards and regulations across all jurisdictions.
  6. Digital forensics and law enforcement – New, powerful technologies that will be adopted by consumers and businesses will offer the same advantages to criminals, potentially hampering investigations and rendering many traditional law enforcement techniques obsolete. Already, encryption — a powerful tool that is necessary to protect company data — has become an essential part of the modern criminal’s toolbox.

Balancing Cyber Risks with Business Opportunities

There are important implications for all businesses:

  • Every organization will encounter a crisis and needs to be prepared.
  • Attacks will cause massive leaps in financial and reputational liabilities, and render traditional defenses mostly inadequate.
  • All corporate leaders must own the company’s cyber risks and need to be cyber savvy.

Cybersecurity is an enterprise risk. But risk isn’t bad — it is part of seizing opportunity. Cybersecurity is a strategic issue that has to be understood and led by boards and executive management. To manage and pilot the organization effectively, tomorrow’s leaders must be equipped to own technology risks and business risks — rather than handing off the cybersecurity “problem” to the chief information officer. Boards will need to be actively engaged and need to recognize how strategic plans may be exposing the business to new cyber threats.

The Chief Information Security Officers in this new age will be digital natives, born and raised in a hyper-connected world, and comfortable with the rapid pace of change. These essential skills will help them to deal with cybersecurity challenges that will have only increased in the years between now and then.

At the root, the thinking and approach around cybersecurity needs to shift from the traditional, narrow terrain of “Are we protected?” to the new and broader landscape of “Have we detected and are we aware of our security threats, and have we planned accordingly?” Once the company has a sound understanding of all of the cyber risks that it faces, then — and only then — it can develop the right cyber strategy that will generate demonstrable and measurable business benefits.

How Can Companies Prepare Today for the Uncertainties of the Future?

Four key questions:

  1. How will your company’s business model evolve in the future, and what cybersecurity opportunities / risks will it present?
  2. How will you identify and measure cybersecurity-related risks and evaluate them together with other business risks?
  3. What is your level of preparation with regard to resilience, and what needs to happen when incidents occur?
  4. How will you ensure compliance with cybersecurity regulations and standards, while not losing sight of other important cybersecurity issues?

Conclusion

A core principle of a modern and effective cyber strategy — and one that many organizations will struggle to accept — is the inevitability that attackers will get through company defenses and that breaches will occur, in ways that may elude existing indicators and warning bells.

Thus, defending against future cyber risks demands a focus on much more than technology. Truly protecting organizations against cyber threats requires deep business and operational understanding, and a pervasive risk-aware culture across and between organizations.

So why does cybersecurity need to be transformed? Put simply, as businesses have evolved, the threats to businesses have also evolved. However, cybersecurity has not kept pace with the risks, and the gap is widening.

___________________________________________________

Authors:
William Beer, Managing Director: He brings more than 25 years of diverse international consulting experience advising on and managing cyber and information risk and fraud for large global clients.

Art Ehuan, Managing Director: His expertise focuses on information / data protection, privacy, risk management, advisory services and governance, and Computer Emergency Response Team (CERT).

Yikes! Ransomware Could Take Over Your Hard Drive
https://pre.hospitalitylawyer.com/yikes-ransomware-could-take-over-your-hard-drive/
Tue, 03 Mar 2015 16:00:21 +0000

Once data is held for ransom, there’s no guaranteed way to reclaim it — not even payment. Ransomware’s victims typically are those with the least protection. To avoid becoming a target, install strong security tools on your computer and mobile devices, back up data to a reliable cloud service, keep passwords in a secure location, and exercise caution when clicking on links or opening attachments.

Malware is running rampant on the Internet, affecting smartphones, tablets and personal computers. Relatively new malware allows bad guys to encrypt devices until a ransom is paid. Usually the ransom is required in bitcoin, rather than U.S. currency, as it cannot be traced.

What are the legal and other risks associated with ransomware?

Ransomware is largely directed at personal devices and small businesses, particularly since larger companies tend to have better Internet hygiene for their devices — like regular backups and requiring that passwords be stored in a safe place rather than on a device.

Following are just a few examples of the data at risk from ransomware, which can plague you if you cannot immediately cleanse your device, or set up a new one and restore your data with an up-to-date backup:

  • Tax information. What if you keep all of your tax records on your hard drive using Quicken or another program? Losing tax records and financial information will make it very difficult to do your taxes, or prove expenses if you are audited.
  • Client work. If you are relatively paperless and store your work on the computer, you may lose valuable time or work.
  • Passwords. If you are locked out of your bank accounts and other sites, it will take time to restore access, or you may lose access altogether.

How Can You Protect Yourself?

First, take steps to avoid ransomware in the first place. It is, after all, malware. So, do not click on attachments or go to websites if you are not sure of the sources.

Second, get a good app for your smartphone or tablet, and a software program to protect your personal computer in real time. Be good to your devices: Install security tools and regularly run scans. If you think your smartphone or tablet has been infected with malware, think twice about plugging it into your computer.

Third, back up your hard drives to the cloud or to a portable hard drive. Of course, cloud storage has its own set of risks. For example, when you use a free cloud service, you run the risk that your data may not be available when you need it.

What Exactly Is Ransomware?

Ransomware is specialized malware that “immediately makes its presence known by encrypting files and demanding payment for the keys to unlock them.” The Department of Homeland Security (DHS) issued an alert last fall that includes this description:

“Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of [100-300 US dollars], and is sometimes demanded in virtual currency, such as Bitcoin.

“Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.”

DHS discourages paying the ransom:

“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.” Notwithstanding DHS’ advice, the Dickson County (Tennessee) Sheriff subsequently paid a $500 bitcoin ransom to get back files on a corrupted computer, after consulting the Tennessee Bureau of Investigation and the FBI. Paying the ransom, they concluded, was the best way to deal with the problem at hand.

Ransomware Reports

Dell SecureWorks last summer issued a report about CryptoWall Ransomware. Between March and August 2014, “nearly 625,000 systems were infected with CryptoWall. In that timeframe, CryptoWall encrypted more than 5.25 billion files,” it states.

This type of ransomware is run by botnet operators, so there is no pattern to suggest which victims might be targeted for attacks. The report notes the following:

“Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall’s operators. The larger ransoms are typically reserved for victims who do not pay within the allotted time (usually 4 to 7 days). In one case, a victim paid $10,000 for the release of their files.”

Bromium recently released a report entitled “Understanding Crypto-Ransomware — In-Depth Analysis of the Most Popular Malware Families.” Its introduction makes the following observation:

“This threat is called crypto-ransomware (ransomware) and includes at least a half-dozen variants, including CryptoLocker and CryptoWall. Ransomware shows no sign of abating since traditional detection-based protection, such as antivirus, has proven ineffective at preventing the attack. In fact, ransomware has been increasing in sophistication since it first appeared in September 2013, leveraging new attack vectors, incorporating advanced encryption algorithms and expanding the number of file types it targets.”

In Conclusion

Ransomware is a rapidly growing problem, and there is not yet a solution.

Until a solution to fully protect against malware is found, traditional advice still applies: Protect your computers and other devices with antimalware apps and software, back up regularly, and store your passwords in a safe place.
