Data Security – HospitalityLawyer.com (https://pre.hospitalitylawyer.com). Worldwide Legal, Safety & Security Solutions. Feed last updated Wed, 17 Jul 2019 00:23:33 +0000.

Hospitality Cyber Threats Are Alive & Well – Lessons From Recent Incidents
https://pre.hospitalitylawyer.com/hospitality-cyber-threats-are-alive-well-lessons-from-recent-incidents/
Tue, 16 Jul 2019 16:00:33 +0000

The data incident involving the Starwood guest database was one of the most significant data security incidents in recent years. Publicly announced on November 30, 2018, the details revealed in the days and weeks following the announcement contain some striking reminders and new lessons for the hospitality industry. Here are some of the key facts of the incident:

  • Marriott acquired Starwood in September of 2016, but Marriott continued to operate Starwood’s guest database separately from Marriott’s until a few weeks after the breach incident was announced.
  • The unauthorized intrusion into Starwood’s database occurred in 2014, but it was discovered neither by Starwood nor, later, by Marriott during the course of its acquisition of Starwood.
  • The guest information compromised in the incident included name, address, phone number, email address, passport number, preferred guest account information, date of birth, gender, arrival and departure information, reservation date and communication preference, and in some instances, payment card numbers and expiration dates. Marriott’s forensic assessment provider ultimately reported that 383 million records were affected.

These facts underscore several crucial considerations for hotel companies regarding how guest data is collected, secured and retained. Some of these considerations aren’t ones that our industry normally associates with data security concerns. Here are some of the key takeaways:

  1. Data Security/Privacy is a Critical Due Diligence Consideration. In any merger or acquisition there are due diligence checklist items for the surviving entity. In the case of the Marriott/Starwood transaction the security breach of Starwood’s database was not discovered prior to closing, but had it been, the implications for the deal could have been extremely significant. At the very least, action could have been taken to remediate the compromise at that time. In this day and age, cyber due diligence should be part of any merger or acquisition.
  2. Retention of Large Amounts of Personal Information Carries Risk. Personal data is valuable for many reasons, but that value has to be balanced against the risk that accumulated caches of personal data become rich targets for data thieves. For example, there were over 5 million unique unencrypted passport numbers and more than 20 million encrypted passport numbers that were compromised over the course of the Starwood data incident. The value to Starwood and Marriott of retaining that passport information is unclear, but the liability of replacing more than 25 million passports is enormous.
  3. With GDPR and CCPA, the Definition of Protected Data Has Expanded. Before the effective date of the General Data Protection Regulation (GDPR) in May of 2018, most of the data involved in the Starwood incident would not have enjoyed any special protection. Under U.S. state law in most jurisdictions, even today, a person’s name, address, phone number, and email address are not considered Personally Identifiable Information or “PII.” However, GDPR and the new California Consumer Privacy Act (CCPA) (effective January 1, 2020) have greatly expanded the scope of protected personal data to include virtually any item of information that can be used to identify an individual. A name, address, phone number or e-mail address is indisputably “personal data” under the GDPR.
  4. Guest Reservation Systems Are Vulnerable On Both Ends. In branded hotels, franchise agreements always require that the hotels utilize the brand’s reservation and management system, including brand-mandated hardware, software, portals and connections. This arrangement gives data thieves multiple targets from which to select when seeking to steal guest information. The Wyndham data incident of 2008/2010 was the first notable attack on a brand’s central guest information database. While most hotel guest information data incidents in the past decade have occurred at individual hotels or discrete groups of properties, the Starwood incident proves that a brand’s guest information database is still vulnerable.

2018 also saw a rash of low-tech social engineering attacks against individual hotels, and this type of attack has continued into 2019. Criminals commence these attacks by posing as brand systems support personnel and making phone calls to hotel employees. The employees are asked to provide their login credentials for the reservation management system.

Cybercriminal: Hello, I’m calling from [brand] system support. We’re having difficulty with the reservation process on your end, and we need to check it. Can you please log in for me?
Employee: Sure. [Logs in]
Cybercriminal: We’re still having an issue. Can you please give me your username and password so I can try it on our end.
Employee: No problem. My username is … and my password is …

Using the stolen credentials, the criminal remotely accesses the reservation management system and retrieves information about recent guest bookings, including guest names, addresses, phone numbers, reservation dates, and partial payment card information. Although the systems typically show only a partial credit card number, in some cases the criminals are able to unmask the obscured digits.

The criminal then calls guests with future reservations:

Cybercriminal: Hello, I’m calling from [hotel name] regarding your reservation from [check-in date] to [check-out date]. We’re having a problem processing your credit card. The last four numbers are [XXXX]. Could you please provide me with your full credit card information, including security code, so we can get that taken care of?

Because the criminal has accurate information about the reservation, the guest is more likely to fall for the scam. Once the guest has supplied the card information, the criminal quickly racks up fraudulent charges. Fortunately, most guests don’t trust these calls, but they are bad for the reputation of the hotel and brand. Depending on what information is exposed, the unauthorized access to the reservation management system may legally be considered a data breach that requires notification to affected individuals and regulators.

To help protect your organization from these types of social engineering attacks:

  • Change employee passwords at frequent intervals.
  • Alert employees to this type of attack and train them in how to respond.
  • If possible, implement multi-factor authentication for any access to the reservation management system.
  • Audit which employees have access to the reservation management system and disable access for employees who have no business need for it, including employees who have been terminated or who have changed roles.
  • Protect partial payment card information so obscured numbers can’t be unmasked.

This article is part of our Conference Materials Library and has a PowerPoint counterpart that can be accessed in the Resource Library.

HospitalityLawyer.com® provides numerous resources to all sponsors and attendees of The Hospitality Law Conference: Series 2.0 (Houston and Washington D.C.). If you have attended one of our conferences in the last 12 months you can access our Travel Risk Library, Conference Materials Library, ADA Risk Library, Electronic Journal, Rooms Chronicle and more, by creating an account. Our libraries are filled with white papers and presentations by industry leaders, hotel and restaurant experts, and hotel and restaurant lawyers. Click here to create an account or, if you already have an account, click here to login.

The Unique Challenges of Data Security in the Hospitality Industry
https://pre.hospitalitylawyer.com/the-unique-challenges-of-data-security-in-the-hospitality-industry/
Thu, 30 Aug 2018 16:00:28 +0000

The hospitality industry has been in the news frequently over the past year as a result of multiple significant data security incidents. Nationally recognized hotel and resort brands continue to suffer cyber-attacks, including theft of payment card data from their retail and food/beverage outlets and, at times, theft of guest data from reservations and management computer systems; nationally recognized restaurants have also been subject to similar cyber-attacks on their point-of-sale systems. In addition, less sophisticated data incidents regularly occur through theft or loss of mobile data and paper data. Recent notable breaches in the industry have affected the following companies in multiple locations:

[Image: List of restaurant and hotel companies that have experienced data breaches]

Why is the hospitality industry such a frequent target? What makes this industry uniquely vulnerable to information threats? This article will examine those questions and suggest certain measures that hotel and restaurant companies can employ to try to mitigate the risks to information that they own or possess.

Multiple Parties Are Involved In The Equation

Hotel companies and many restaurant companies face unusual problems when it comes to cyber security and vulnerability to data theft/loss due to traditional ownership/management/franchise structures as well as the way hotels and restaurants tend to operate.

For branded hotels (and many branded restaurants) there are typically at least three parties involved in a functioning hotel business: the franchisor or “brand,” the owner (or owners’ group) and the operator, a/k/a the management company. Each of those entities plays a particular role in the function of the hotel as a business, and each may have its own computer systems or stored information:

Franchisor

  • Owns the “flag” of the brand and in exchange for use of its marks and marketing services, can impose its own standards for hotel features, including the process for booking rooms;
  • Typically mandates that the owner install a particular hardware/software suite to handle the reservations functions;
  • Maintains ownership and control of that system through contractual means; and
  • Typically claims ownership of guest data that is input into the reservations system by hotel employees or others.

Owner

  • Typically not the brand; could be individuals, investor groups or major asset holding companies, including investment funds, insurance companies and banks;
  • May have varying degrees of involvement in operational issues that include guest or employee data; and
  • May own separate “point of sale” payment card systems for food/beverage/retail outlets situated within the hotel.

Operator

  • If independent from Owner, will usually have a management agreement with the Owner that establishes an agency relationship with Owner for purposes of all day-to-day hotel operations;
  • Third party operators are usually the formal employers of hotel personnel and maintain all employee data (including Social Security Numbers);
  • May collect guest data prior to inputting same into the reservations and management system owned by the franchisor, if the hotel is branded; and
  • May obtain and maintain payment card information associated with group bookings.

Sometimes the complex relationship between franchisors, owners and operators requires that information be shared, or that separate computer systems be tied to each other. For example, as indicated above, major hotel brands require all of their franchised hotels to utilize the brand’s reservations and management computer system when booking or checking in all guests. Thus, hotel owners and operators are forced to have their own on-site personnel utilize the computer system of another company when transacting business with guests. In addition, hotels, like restaurants and other consumer businesses, often permit interfacing between their own computer systems and those of third party vendors or credit card processors.

All of this means that hotel and restaurant systems are to some extent dependent upon the security measures and practices of other entities which the hotels and restaurants do not control. A classic example of this is the Wyndham Worldwide breaches which occurred in 2008 and 2010, where hackers were able to penetrate Wyndham’s central reservations database through a hack of a single franchised hotel, and then use the Wyndham system’s connections to dozens of other individual franchised hotels to steal hundreds of thousands of sets of credit card data.

The Hospitality Industry Does Business By Payment Card

Credit and debit card data has long been a preferred target of data thieves. Payment by card is the mainstay of most hotels and restaurants. Therefore, hotels and restaurants represent a tantalizing treasure chest of data for cyber criminals to try to crack open.

The Wyndham Worldwide series of data breaches, where the brand’s reservations system was the subject of the attacks, were certainly notorious in the world of hotel data incidents, but statistically most credit card data theft in hotels occurs due to malware affecting point-of-sale (“POS”) systems, rather than the brand reservations systems for guest room bookings. Of the twenty-one most high-profile hotel company data breaches that have occurred since 2010, twenty of them were a result of malware affecting point-of-sale systems in hotel restaurant, bar and retail outlets. This is also true for the recent restaurant data breaches affecting Wendy’s, Arby’s, Landry’s and Noodles & Company, which were all the result of malware affecting point-of-sale systems in several locations.

Cyber criminals, through a variety of methods, are able to infect POS systems with credit card data-scraping malware that captures personal account data at some point during the payment process. This malware is often capable of moving between connected systems and may infect groups of hotels and restaurants that are either related by common brand or by a common third party operator and may often operate for several months or even years before being detected by the operator.

Some hotel credit card compromises are not high-tech in nature. Many hotels still tend to receive faxed credit card authorization forms for company bookings or group bookings, and often the faxed paper forms, which contain credit card numbers and expiration dates, are kept in a non-secure manner, such as in binders behind the hotel front desk. These paper forms are susceptible to being lost or stolen, and while many state breach notification laws do not expressly cover loss or theft of paper data, a growing number of state laws do. For example, the data breach laws of California, Hawaii and Alaska all protect data in any form, including paper, that contains personally identifying information.

In addition to these “paper” breaches, the hotel industry is also vulnerable to identity thieves targeting guests who may be unfamiliar with the area or the hotel. The thieves use various schemes including calling hotel guests, posing as the front desk, to ask for updated credit card information or leaving fliers for pizza delivery with phone numbers directed to thieves who take down the guest’s credit card information.

Employee Turnover and Fluidity Contribute to Security Problems

In the hospitality world there tends to be a high degree of movement of employees in and out of particular locations. Hotel operators will transfer their skilled employees to other locations where they may be needed. Employees in less skilled positions tend to come and go frequently as well. Hotel or restaurant owners may decide to change third-party operating companies, and the new operator will bring in its own management-level employees to manage the location. Maintaining a consistently trained workforce is a challenge that the hotel industry shares with the restaurant industry.

In recent years many information security industry experts have identified a company’s employees as its most vulnerable point from a data security perspective. A fluid workforce means that it is more difficult to train employees in the secure receipt and treatment of personal information, in complying with privacy and security policies, in protecting and changing user access credentials, and in being alert for social engineering attempts. Keeping up with which employees have access to different levels of information is also challenging when there are frequent changes of personnel at particular job levels. Only certain job functions within a hotel setting require access to guest or employee personally identifying information, and hotel companies (as well as companies in other industries) are not always as careful as they should be about controlling access by job grade/description and making sure access is eliminated when an employee moves out of a particular position or is terminated.

How Can Hospitality Companies Better Prepare for and Combat Cyber Threats?

While hospitality companies have unique problems that tend to make them more vulnerable to threats of compromise and theft of personal information, there are ways that these companies can prepare for and mitigate against such risks, and there are lessons to be learned from looking at prior data security incidents. In analyzing recent breaches, it is likely that utilization of the following practices could have mitigated or prevented such incidents.

  • Contractual Risk-Shifting and Secure Handling Requirements: Franchisors, owners and operators, in their dealings with each other and third parties such as vendors and contractors, can help to control the risks inherent in sharing systems or information with others. Requiring specific cyber incident indemnification, where negotiating leverage permits, is useful to protect hotel companies from the economic consequences of a breach incident caused by or contributed to by another party. In addition, contract provisions requiring compliance with minimum information security standards (e.g., compliance with Payment Card Industry Data Security Standards a/k/a “PCI-DSS”) or mandating third party compliance with a hotel company’s own security policies can reduce the risk of cyber incidents.
  • Employee Policy Enforcement and Training: Despite the fluidity of management and staff employees that is attendant to operating a hotel or restaurant, operators can and should consistently update their employee policies on data security and rigorously train employees who have access to data or systems. Where employees do not require access to personal information to perform their job functions, that access should be terminated. Policies concerning use of mobile devices, external information storage devices and internet usage should be enforced. In addition, to protect against identity thieves, employees should be trained on how to advise guests on potential risks and how to identify suspicious behavior and when to report suspected identity theft or data breaches.
  • Guard Guest and Customer Card Data: Considering that POS malware attacks are a very common type of cyber incident affecting hotels and restaurants, operators and owners should take extra care in selecting their POS system vendors and credit card processors. Agreements with those entities should be vetted and, if possible, modified to add protection and minimum data handling standards for the outside vendor. Compliance with PCI-DSS not only helps to ensure that data security software, hardware and practices are safer, but also helps to protect against fines and penalties which may be levied against hotels by the credit card industry for noncompliance with PCI-DSS when a breach occurs.

Authors

Sandy Brian Garfinkel
Mr. Garfinkel is a member with the law firm of Eckert Seamans Cherin & Mellott, LLC. He maintains a busy and diverse business litigation practice with a particular emphasis in the hospitality industry. As part of his work in the hospitality world he regularly assists hotel management and ownership companies in preparing for and responding to breaches of data security. He is also the founder and chair of the firm’s Data Security & Privacy Practice Group. Mr. Garfinkel can be reached at 412.566.6868 or at sgarfinkel@eckertseamans.com.

Malgorzata “Gosia” Kosturek
Ms. Kosturek focuses her practice on hospitality law and general corporate law. She assists clients in numerous types of corporate transactions, including acquisitions, mergers, and financings, primarily in the hospitality industry. She is also a member of the firm’s Data Security & Privacy Practice Group. Ms. Kosturek can be reached at 412.566.6180 or at gkosturek@eckertseamans.com.

Is Your Company Car Exposing Sensitive Data To Hackers?
https://pre.hospitalitylawyer.com/is-your-company-car-exposing-sensitive-data-to-hackers/
Thu, 05 Jul 2018 16:00:00 +0000

If your business is like most others, you probably store a lot of sensitive data in an electronic format. And if your business takes proper precautions, you probably utilize sophisticated cybersecurity systems to prevent the hacking of such data. You likely also require your employees to password-protect their phones, and perhaps even download security software applications for added protection. But have you considered potential data vulnerabilities posed by your company cars and your employees’ cars? Likely not, but there is convincing evidence that you should start.

Auto Infotainment Systems: The Next Hacking Frontier

According to a recent article published by the webzine Motherboard, cars are a potential treasure trove of unsecured data just waiting for a hacker to claim it. A security software engineer discovered that his car’s infotainment system did not use modern security software principles, yet it stored an unbelievable amount of personal data obtained from his phone – including contact information, texts, emails, call histories, as well as directory listings that had been synchronized with his car via Bluetooth and other similar connections. Worse, he discovered this information was being stored on the car’s infotainment system in plain, unencrypted text.

He surmised that unscrupulous hackers could gain access to this information remotely through his in-car internet connection, a quickly growing technology, or directly through the car’s USB port. Although mobile operating systems like Google Android and Apple iOS use highly effective security protections, these protections could be undone simply by pairing mobile devices to the car’s infotainment system.

We don’t know to what extent the issue exists among the various car models manufactured each year, but this revelation should raise several concerns for your business. If employees sync their mobile devices to a company car’s infotainment systems, they could be unintentionally storing personal data on the car’s system, making it susceptible to hackers. Similarly, if an employee uses a company-issued or personal mobile device for work that is paired to a company car, or even a personal vehicle, sensitive company information such as customer lists and contact info may be stored in the car and, therefore, vulnerable.

What Should You Do?

How should you deal with this apparent security risk? Unfortunately, there are no easy fixes at present. Car manufacturers are just now beginning to discuss how to address data security issues created by their cars. For companies with a fleet of cars, however, you should contact the car manufacturers to inquire about the security of the firmware (the embedded software) used in the cars. You should remain in contact with the car manufacturers to make certain you will be notified if there are tech-related updates or recalls. If the manufacturer indicates the car’s firmware needs updating, ensure this is done as soon as possible, even if it means taking the car to the dealership.

If employees are responsible for company car maintenance, or if they use their personal cars for work, you should have a policy requiring employees to update the car’s firmware within a set period of time following the release of the update. You may also want to consider prohibiting employees from syncing their mobile devices to company vehicles or syncing company-issued mobile devices to their personal vehicles.

In this age of car connectivity, auto manufacturers are working on developing more secure systems to protect the data collected by cars. Until those systems are a reality, however, you need to be aware of the potential data security risks posed by some cars and take whatever steps you can to help reduce that risk.

For more information, contact the author at MGomsak@fisherphillips.com or 502.561.3972. This article originally appeared on the Fisher Phillips Employment Privacy Blog.

6 Ways to Protect Yourself Against a Data Breach
https://pre.hospitalitylawyer.com/6-ways-to-protect-yourself-against-a-data-breach/
Wed, 15 Nov 2017 00:26:05 +0000

The threat of credit card data breaches and hacks throughout companies is unfortunately becoming more common as the world expands globally and technologically. As a traveler, the last thing you want to worry about is whether or not a stranger will gain access to your personal and company information through your credit card or other means. While this may not be completely preventable, there are ways to increase your protection throughout your travels.

1. Update all passwords for increased safety and security

This one may seem obvious, but many people forget about it. We’re all guilty of mindlessly typing in a random, easy-to-remember password. The simpler your password is, the easier it is to hack. Create a combination for your accounts that ensures increased safety. The more numbers, upper and lowercase letters and symbols you add, the more secure your password becomes. Don’t make the same password for every account. If you’re worried about forgetting, there are apps available such as 1Password and Keeper where you can securely store passwords and confidential information.

2. Monitor your bank and credit card statements

Keep track and check all your statements on a regular basis, especially in the months after traveling. If you’re still getting charges from Boston even though you’re back home in Seattle, obviously something isn’t right. In these situations, contact your bank immediately so they can take proper measures to ensure the cancellation of your card. Also notify your bank of any upcoming travels. This way, your card won’t be frozen if your bank is aware you are traveling and they can keep an eye out for any fishy transactions that may occur during or after your trip.

3. Update the way you pay

It might also be time to think about using an updated way to pay. Services such as Apple Pay, Android Pay and PayPal substitute a new token for your card number each time you pay. Your actual number is never used or given out to any retailers, which means your information is less likely to be exposed in the event of a breach. Not every retailer has this feature enabled yet; however, it’s continuing to grow as more stores, hotels and even online retailers are realizing the benefits that it produces.

For business travelers, check to see if your travel management company offers a secure virtual payment option. For instance, Travel and Transport’s Secure Pay generates a virtual, one-time-use credit card for hotel bookings. Secure Pay significantly cuts down on the risk of fraudulent activity that can occur with a ghost card by assigning a new card number for each hotel booking.

4. Ditch the PIN

If you need to use a debit card, ask the cashier to run your card as credit and sign for your purchase instead of typing in a PIN. Hackers who gain access to PINs can print out a copy of your card and actually take money out of an ATM.

5. Make sure it’s secure

Are you interacting with a business online? Make sure that any personally identifiable information you transmit via a website or form is secure. This includes anything from credit card numbers to even your name, address, phone number and email. A recent airline data breach was related to a customer contact form. Look for the “https://” prefix in your browser’s address bar, and you can even click the little lock symbol to find out more about the type of encryption that is used. This is a tip directly from Travel and Transport’s own data security department and all of our forms meet this standard. Contact us and see for yourself!

6. When in doubt? Pay cash

If these options still aren’t protective enough, put away your credit card and use cash whenever possible. Although this might be considered “old school” and it isn’t always an option for business travelers who use a corporate card and have to file expenses, it can be an effective option for leisure travelers. Your information can’t be hacked if your credit card is safely tucked away in your wallet. This not only provides a safer way to pay, but it also allows you to budget your expenses accordingly if you know you only have a certain amount of cash to use.

Before you travel, take out a designated amount of cash to use when purchasing. If you need more cash, look for ATMs inside reputable businesses and banks and check to make sure that ATM skimmer devices have not been installed. Always cover the PIN keypad with your hand to ensure that nobody watches you enter your code.

Traveling can be stressful, but don’t let credit card fraud get in the way of an otherwise enjoyable trip. Taking a few extra moments to protect your card safety can make a huge difference when it comes to securing your data.


This article was originally published by Travel & Transport. Click here to view the original article.

Cloud Control: Data Security Hazards and How to Avoid Them
https://pre.hospitalitylawyer.com/cloud-control-data-security-hazards-and-how-to-avoid-them/?utm_source=rss&utm_medium=rss&utm_campaign=cloud-control-data-security-hazards-and-how-to-avoid-them
Wed, 30 Aug 2017 20:55:22 +0000

Cloud computing, virtually nonexistent 15 years ago, is now verging on being the rule rather than the exception in the business world. According to the Gartner technology research firm, by 2019, more than 30 percent of the 100 largest vendors’ new software investments will have shifted from cloud-first to cloud-only, and by the year 2020, a corporate “no-cloud” policy will be as rare as a “no-internet” policy is today. It is more critical than ever that lawyers and their clients become familiar with the data security and compliance pitfalls potentially associated with cloud computing and acquire the knowledge and tools to avoid them.

Cloud Is Different

The National Institute of Standards and Technology (NIST) defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction.” In laypersons’ terms, the cloud is a model of computing that utilizes shared computer processing and storage resources, usually provided by a third party, which are accessible via the internet on demand from anywhere; familiar consumer examples include Dropbox, Gmail and Apple’s iCloud. Convenience, ubiquity, and on-demand availability and scalability are built into the very concept. While this is, generally speaking, a feature rather than a bug—and no doubt has contributed to the rise of the cloud as a standard approach to business computing—it carries with it certain risks that are new or heightened in the cloud age.

The most concerning of these dangers from a compliance and risk-mitigation perspective stem from two facts: unsophisticated individuals, including employees and staff of a law firm or its client, can put data in the cloud completely unbeknownst to those in the organization responsible for managing information-related risk; and using a cloud services provider can create the temptation to let down one’s guard, believing that the third-party provider is handling the “hard stuff,” including data security and compliance.


This article was originally published by The Legal Intelligencer. Click here to continue reading.

Corporate Travel Focus 2014 – Data Security, Travel Risk Management and Mobile Tech
https://pre.hospitalitylawyer.com/corporate-travel-focus-2014-data-security-travel-risk-management-and-mobile-tech/?utm_source=rss&utm_medium=rss&utm_campaign=corporate-travel-focus-2014-data-security-travel-risk-management-and-mobile-tech
Thu, 06 Aug 2015 16:00:01 +0000

Travel data security, risk management while traveling to emerging countries and demand for additional mobile technology will be the focus for corporates next year, says corporate travel management company HRG.

Travel Data Security

The UK-based TMC recommends corporates have a global data consolidation strategy in order to mitigate risks associated with data protection and privacy. It says enforcing this strategy will mean quality control assurances will be put in place to protect corporate and traveller information. HRG Group commercial director Stewart Harvey says:

“Data protection and privacy concerns have dominated the news agenda in 2013. Well-publicised incidents involving compromised corporate data, and the risks this brings to personal privacy, have sharpened clients’ focus on the security of their travel-related data.”

Travel Risk Management

HRG says corporates will increase their risk management capabilities in response to increased travel to emerging markets, particularly in South East Asia and West Africa, and concerns over traveller safety. The company recommends including a crisis response capability as these new business geographies increase the scope of both traveller safety and security requirements. Harvey adds:

“All clients demand a level of control to ensure their corporate duty of care responsibilities are met. Travel managers require at the touch of the button the ability to see where their travellers are and have the risk management procedures in place to help them when they are in need.”

Read the Full Article

Lessons Learned From a Hotel Data Breach
https://pre.hospitalitylawyer.com/lessons-learned-from-a-hotel-data-breach/?utm_source=rss&utm_medium=rss&utm_campaign=lessons-learned-from-a-hotel-data-breach
Sat, 01 Aug 2015 03:52:54 +0000

The criminals were good. They almost got away with the most elaborate data breach and identity theft scam I’d seen in all my years as an FBI agent and hotel security director.

The victim was a nationally branded hotel in Annapolis, Maryland. A gang of thieves from Baltimore infiltrated the hotel in 2004. An associate had applied for a front desk position, got it, and soon had access to the guest and accounting system.

The gang incorporated several businesses and opened bank accounts using previously stolen identities. They chose a bank based in New Mexico, certain that no one would fly 2,000 miles to check on a fake mailing address. Over the course of a few weeks, the group charged $850,000 to credit cards lifted from the hotel’s accounting records. Charges ranged from $10,000 to $18,000 each.

When an out-of-state guest noticed the charge and told authorities of his only time in Maryland and where he stayed, the fraud was linked back to the hotel. Soon the front desk had a storm of phone calls to contend with. Local police arrived to interview the employees, and then the Secret Service took over.

Eventually, four criminals from Baltimore were identified and prosecuted. But with every victim, official and media inquiry, the general manager and his staff had to review the entire case—what had happened, what were the next steps. It was a logistical nightmare.

About 50 people had their credit cards defrauded. The hotel staff spent months on the phone giving interviews and processing paperwork.

When all was said and done, almost a year after the attack, they had learned a few hard lessons:

  • Limit access to customer data on a need-to-know basis. Not all employees should have full access to guest and accounting systems.
  • Only record the most necessary guest information. Before this incident took place, the hotel kept customers’ full credit card numbers. Now that information is limited to only the last four digits.
  • Create higher security access clearance for accounting records. Simply put, records with a higher level of personal information about guests or clients need a higher level of protection.
  • Credit card companies and the law require hotels to save customer payment data for a certain amount of time, usually two or three years. After that period is up, destroy the records, and destroy them properly. In Massachusetts a hotel that used carbon copies simply threw them away, and a group of dumpster-diving identity thieves found them.
  • Background checks on employees are a must, whatever the job. Those with extra access to guest and accounting records should be thoroughly vetted.

Finally, consider an identity theft and data breach protection service. All those phone calls, all those police interviews, all that paperwork, could have been outsourced to a reputable company that’s handled it all before. Services range from alerting customers of a breach, to dealing with law enforcement. The result is peace of mind.

Originally published on Tuesday, 14 January 2014

1199 views at time of republishing

Trends in Privacy and Data Security Breaches
https://pre.hospitalitylawyer.com/trends-in-privacy-and-data-security-breaches/?utm_source=rss&utm_medium=rss&utm_campaign=trends-in-privacy-and-data-security-breaches
Wed, 29 Jul 2015 02:45:13 +0000

As large-scale security breaches at major companies captured headlines in 2014, lawmakers in the US and abroad remain active on both the regulatory and enforcement fronts.

Large-scale security breaches involving national retailers commanded the headlines and spurred private litigation over when an individual has standing to bring a lawsuit following a data breach. Privacy and data security issues are also becoming increasingly relevant beyond web browsing as mobile device adoption accelerates, smart technologies are deployed in more everyday devices and the data collected for targeted advertising moves past browser cookies to allow for tracking across multiple devices and platforms.

Recognizing the need to ensure that privacy and data security protections remain effective as data collection capabilities evolve, lawmakers in the US and abroad have been active on both the regulatory and enforcement fronts. This trend is likely to continue as technology and consumer behavior combine to enable the collection and analysis of increasing amounts of detailed information about individuals.

Companies must understand how the dynamic legal framework governing this area applies to their businesses and ensure their policies and procedures are compliant. This article will address:

  • The regulatory framework governing privacy and data security in the US.
  • Federal Trade Commission (FTC) and other federal and state regulatory activity.
  • The advertising industry’s efforts to self-regulate online behavioral advertising activities.
  • High-profile privacy and data security litigation.
  • Recent and proposed federal and state legislation.
  • Noteworthy cybersecurity developments from regulatory authorities and the private sector.
  • Selected international developments that may be significant for US companies.

To download the Trends in Privacy and Data Security article, click here.

Republished with permission of Practical Law.
Originally published on Friday, April 3, 2015
339 views at time of republishing

Best Practices for Mobile Device Data Security
https://pre.hospitalitylawyer.com/best-practices-for-mobile-device-data-security/?utm_source=rss&utm_medium=rss&utm_campaign=best-practices-for-mobile-device-data-security
Sun, 19 Jul 2015 01:29:21 +0000

In 2014, it became official: There now are more active mobile devices in the world than people, according to data compiled by GSMA Intelligence and the U.S. Census Bureau.

The rise in mobile devices is not confined to personal use; mobile devices increasingly play an integral role in many business operations. We rely on mobile devices to communicate with clients, frequently using them to exchange sensitive data. Health care professionals use mobile technology when interacting with and treating patients. Countless workplaces expect employees to be available on-demand via mobile devices. Mobile devices transmit, receive and store a treasure trove of valuable data, which, if compromised, can be used by bad actors to steal identities, access bank accounts, file false tax returns, misappropriate trade secrets and more. Safeguarding this sensitive data is important to all businesses, both to ensure client confidence and to comply with a complex patchwork of legal obligations. Therefore, businesses, including law firms and attorneys, must be cognizant of the risks involved in using mobile devices and vigilant about following best practices for mobile data security.

Mobile Data Security Risks

Mobile devices, and by extension the data stored on and transmitted by them, are uniquely vulnerable. First, by their very nature, mobile devices are more easily lost or stolen than computers. Second, because they rely on wireless connections, data transmitted by mobile devices is more vulnerable to undetected interception while in transit.

Thefts of mobile devices are on the rise. According to Federal Communications Commission Commissioner Jessica Rosenworcel, one in three robberies includes the theft of a mobile device. Moreover, it is all too easy to lose a mobile device, especially if an employee uses one device for both business and personal use, carrying it virtually everywhere he or she goes. If a mobile device is lost and not properly secured, it is relatively easy for bad actors to gain access to the device and the data stored on it, including emails and their attachments. Depending on whether employees store sensitive information like passwords and access information for other services or sites in their email folders, a thief can find a gold mine of data from just one device.

Additionally, scams to intercept wireless data transmissions are all too common. In one classic scheme—far from the only one—a bad actor will set up a free public WiFi hotspot, give it an appealing name, and simply pull down all the data that unsuspecting users transmit across it. If that data is unencrypted and includes sensitive information, the trick has been a success.

The Legal Landscape

Persons and entities that handle or store sensitive data, especially data containing clients’ financial, health or other identifying information, are subject to an ever-evolving patchwork of state and federal regulation regarding protecting this data. For example, many states, including Pennsylvania, require these entities to inform customers in the event of a breach. Pennsylvania’s Breach of Personal Information Notification Act imposes notification obligations on “any entity that maintains, stores or manages computerized data that includes personal information” in the case of a data breach. Generally, if the personal information was unencrypted, the entity must notify customers if their personal information “was or is reasonably believed to have been accessed and acquired by an unauthorized person.” However, if the data was encrypted, then notification is required only if the data was accessed in unencrypted form or if the breach involved the encryption’s security.

Currently there is no general federal data breach notification law, although several recently have been proposed. However, the Health Insurance Portability and Accountability Act of 1996 imposes a notification requirement when unsecured protected health information, like individually identifiable health information, “has been, or is reasonably believed … to have been, accessed, acquired or disclosed.” This obligation is imposed not only on health care providers and insurers, but also on their business associates that receive, handle or use protected health information.

Other federal laws also address data security and the protection of personal information. For example, the Federal Trade Commission uses its broad consumer-protection authority to protect consumer privacy and personal data from improper disclosure. The FTC enforces the Gramm-Leach-Bliley Act, which protects nonpublic personal information from unauthorized disclosure by financial institutions. Financial institutions also must comply with the FTC’s red flags rule, which obligates them to undertake periodic risk assessments to determine whether they are required to implement a written identity-theft prevention program. Finally, the FTC also brings enforcement actions against individuals and entities that have misused or improperly disclosed consumer data, or failed to take “reasonable” precautions to protect it. According to reported enforcement actions, violators frequently are required to revise or implement comprehensive privacy and data security programs, delete illegally obtained consumer information, and notify consumers whose data has been improperly disclosed.

Best Practices to Safeguard Mobile Data

This combination of factors—countless devices storing and transmitting vast and valuable data, vulnerability to infiltration, and a mosaic of regulation—makes mobile device security a crucial area for any business. To protect data stored on mobile devices, consider implementing the following recommendations:

  • Physically encrypt mobile devices.

Device encryption and SIM card encryption are available on almost all smartphones and other mobile devices, and prevent bad actors from accessing stored data even if the device is physically dismantled. Physical encryption is stronger than simple password protection because it cannot be defeated with specialized software.

  • Strong passwords still are important.

Require mobile devices to be password-protected, and consider requiring alphanumeric passwords or passwords longer than four characters. Discourage employees from using easy-to-guess passwords.

  • Have a plan for lost devices.

Install software capable of remotely wiping data from the mobile device if it has been lost or stolen. Also train employees to notify information technology staff immediately in the event of a loss.

  • Separate personal from work.

If employees are permitted to bring their own devices to work, ensure that business data is segregated and cannot be downloaded or locally saved onto the personal device. Readily available software can assist with this.

  • Maintain control of settings.

Ensure that devices used for work, whether provided by the company or employees’ own devices, cannot install applications that can modify key security settings, and ensure that employees cannot modify security configurations without information technology authorization.

  • Train employees to minimize risk of physical loss.

Train employees to be mindful of their devices’ security, including safeguarding them while traveling.

To protect data transmitted by mobile devices, consider implementing the following recommendations:

  • Do not use free public WiFi.

Data transmitted over wireless connections can be seen by the provider. Scammers frequently set up free public hotspots and intercept data transmitted by unsuspecting users.

  • Encrypt email.

Many companies encrypt their email, as do major free email providers like Gmail. If not automatically encrypted, encrypt emails containing sensitive financial or protected health information. When exchanging sensitive information with business partners, determine whether they encrypt email.

  • Do not text sensitive data.

Texts are the most easily intercepted messages and generally are not encrypted, making their content easily accessible by bad actors.

_________________________________________________

Authors:

ABRAHAM J. REIN is an associate in Post & Schell’s data protection/breach and internal investigations and white-collar defense practice groups in Philadelphia. He counsels corporate enterprises and individuals on the prevention of data security breaches and compliance with related state and federal regulations, and defends them in related investigations and criminal proceedings.

CAROLYN H. KENDALL is an associate in the firm’s data protection/breach and internal investigations and white-collar defense practice groups in Philadelphia. She conducts internal investigations and defends corporations, officers and other individuals facing criminal and civil investigation, as well as counsels them on the prevention of data security breaches and compliance with related state and federal regulations.

Originally published on Saturday, July 18, 2015
44 views at time of republishing

A Guide to Electronically Stored Information Preservation Responsibilities
https://pre.hospitalitylawyer.com/a-guide-to-electronically-stored-information-preservation-responsibilities/?utm_source=rss&utm_medium=rss&utm_campaign=a-guide-to-electronically-stored-information-preservation-responsibilities
Fri, 26 Jun 2015 03:27:22 +0000

Co-authored by Thomas W. Tobin

The litigation-related duty to preserve relevant evidence, including electronically stored information (ESI), is well established and widely known in the legal community and the business world. Despite broad familiarity with this obligation, many corporate litigants have recently been subjected to severe sanctions due to an increasing judicial intolerance for the failure to preserve ESI. While some such sanctions involve the imposition of legal fees, in many instances courts have issued severe adverse jury instructions, effectively destroying a litigant’s chance of prevailing or waging an effective defense.

In today’s legal climate, even a company’s seemingly innocent delay in implementing an appropriate method to preserve ESI may be catastrophic. As a result, the duty to preserve relevant evidence, including ESI, is too important to ignore, not only for those individuals engaged in litigation on a daily basis but also for company management seeking to control costs and expenses.

This white paper guides litigants through their responsibilities to preserve evidence and provides valuable information on implementing a defensible legal hold process. While reading this paper is an important first step, there is no substitute for a thorough discussion of your specific circumstances as they relate to the matter.

Download the PDF

Originally published on Friday, December 7, 2014
2102 views at time of republishing
