Invasion of the Data Snatchers

As you’ve probably heard by now, this week Capital One became the latest company to experience a massive breach of consumer information. According to the company, the breach includes the compromised data of over 100 million individuals. Those effected includes both Capital One customers and those who submitted a credit card application within the past 14 years. Most notably, the information stolen includes about 140,000 Social Security number and 80,000 bank account numbers. However, information such as names, addresses, reported income, and credit scores were also compromised in the attack.  

One of the most interesting aspects of the breach is that the hacker reportedly responsible for breach, once worked for Amazon Web Services, which hosts the Capital One database that was compromised. Paige Thompson, the woman allegedly responsible for the attack, gained access to the database by making use of credentials for the web application’s firewall. This makes the attack just the latest in a long list of breaches involving insider threats via a third-party.  It is also the latest in a long line of breaches where the access was gained through a web application.

Too Early for Key Takeaways Except for One Big Takeaway

A lot remains unknown about the role Ms. Paige was playing, how she moved through the AWS space (Capital One was not the only company she gained access to) and what her motives were.  However, it does show that Capital One’s Incidence Response team was prepared to move quickly once the incident was made known.  In some cases, being very good at dealing with a crisis is perhaps your strongest (and maybe only) defense.

New York Isn’t Sleeping on Consumer Privacy

Two years later the impact of Equifax’s massive data breach continues to be felt. As we reported last week, the FTC announced a $700 million settlement with Equifax. Then on Thursday, in reported response to the settlement, New York governor Andrew Cuomo signed two new data privacy bills into law.  

Here is a quick run down of the two privacy laws New York passed last week and how they could impact your business:

Senate Bill S3582

The first bill passed into law last week concerns consumer credit reporting agencies. Under the new law, all credit reporting agencies that have experienced a data breach are required to offer effected consumers free identity theft prevention and mitigation services for up to five years. The law additionally gives effected customers the right to freeze their credit at no cost.  

SHIELD Act

The second and by far most impactful of the laws passed is the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act). While the focus is simply on breach notification procedures, the law is noticeable for the expanded scope of the regulation and the broadened definitions it introduces. 

In short, the new law requires businesses to report any breach of personal information that an organization hasWhat is notable, however, is that the SHEILD Act doesn’t just apply to businesses operating within New York. Instead, any organization that owns the personal information of New York residents must now comply with the reporting requirements.  

What’s more, the law expands the definition of what counts as a data breach. Traditionally, data breaches are understood as an instance where someone actually takes an organization’s data. The SHIELD Act, however, expands this definition to also include instances where the data has simply been accessed by an outside entity. The definition of personal information has also been expanded by thnew law to include biometric data and a usernames or email addresses in combination with a password or security question.  

In addition to notification requirements, the law requires businesses with the personal information of New York residents to implement “reasonable” security requirements. These include compliance with regulations such as HIPPA and GLBA as well as “reasonable administrative, technical and physical safeguards.” 

Lastly, the law lays out a new penalty framework for organizations that fail to properly report data breaches. Under the SHEILD Act, action against businesses will be pursued by the State Attorney General rather than through individual or class action civil suits. The law also increases the maximum penalty for organizations from $150,000 to $250,000.  

Signs of Regs to Come

These two new laws solidify the impression that New York is working hard to strengthen its stance on cyber security and data privacy. Just last month state senator Kevin Thomas introduced the New York Privacy Act, considered by some to surpass even the GDPR in the privacy rights it gives consumers. Perhaps the most unique feature the bill proposes is the concept of Information Fiduciaries. 

While the Privacy Act has a long way to go before passing into law, the ease with which these two laws were enacted may be a sign of things time.  

Keeping Standards High: PCI Compliance

When processing customer’s payments, you are asking them to trust you with some of the most sensitive information they have. It’s essential to ensure that data is being properly secured. One of the main ways organizations can ensure data security is by complying with the Payment Card Industry Data Security Standard (PCI DSS). While PCI DSS is not government mandated, it is required by Visa, American Express, MasterCard, Discover, and JCB International before handling any amount of payment cards by these companies. So, if you process payments cards by any of these brands you’ll need to be in compliance.  

The PCI DSS outlines 12 privacy-focused requirements for companies. These requirements include both operational and technical components ranging from encryption of card holder data, to regular vulnerability tests, to the development of a comprehensive Information Security Policy. You can find an overview of all 12 requirements here.   

Compliance Validation for Processors 

While all companies processing any amount of payment card information need to meet the 12 PCI DSS requirements, the method of validating compliance differs. Reporting requirements are based primarily on processing volume (amount of payment cards processed) and whether a company has suffered data breach in the past. Each credit card company has slightly different reporting requirements, but in general compliance reporting breaks down as follows:  

  • Organizations handling large amount of transactions or who have suffered a breach will be required to have an onsite assessment completed by an external, Qualified Security Assessor (QSA). 
  • Organizations with smaller processing volume can instead opt-in to file a Self-Assessment Questionnaire. The specific questionnaire required depends on several variables, such as whether you are an e-commerce merchant, type of payment terminal used, and whether processing is outsourced to third-party. 
  • All organizations must complete quarterly network scans through an Approved Scan Vendor (ASV) 

Again, you’ll need to check with specific card providers to understand your merchant level. Here are links to each brand’s validation requirements: VisaMasterCardAmerican ExpressDiscoverJCB International 

Compliance Requirements If You Use Third-Party Processors

Using a third-party can help streamline payment processing but does not exempt organizations from PCI compliance and reporting requirements. Organizations that outsource processing are still ultimately responsible for ensuring secure processing. This requires a self-assessment questionnaire that evaluates your security posture. Typically, this would either be PCI SAQ-A or SAQ A-EP.  In addition, you should vet third-party vendors before working with them, create detailed agreements with policies and procedures that outline each party’s responsibilities in maintaining compliance, as well as regularly monitor your vendor’s compliance statues. Full information on using third-party vendors can be found here. 

Credit card fraud can be a devastating experience. So when a customer chooses to hand over payment information, they are putting an extreme about of trust in your organization to handle that information with care. Whether you process the information yourself, or use a third-party, at the end of the day you are responsible for ensure that your customer’s sensitive information is completely secure. PCI DSS compliance is one of the most useful tools for doing this

Writing a Privacy Policy You’ll Actually Want To Read

Creating a privacy policy is necessary for any business collecting or processing personal information and is essentially a legal agreement between you and people visiting your website. And more often than not privacy policies are thought of as just that: a legal buffer. But with more users mistrusting the services they use, these policies should instead be seen as an opportunity to build trust with customers, establish a level of transparency, and show that your respect their privacy.  

Here is a short primer on what should be included in a privacy policy, and how to write it in a way that is accessible to users.  

The What

What information you collect 

It’s important to be upfront about all type of information you may collect about your users. This not only includes personal information (name, email, phone number, etc.), but also things like usage and analytics data, as well as the first- and third-party cookies.  

How you collect information 

Listing the methods used to collect data is another important aspect of a privacy policy. Is it information that they are freely providing? Is it automatically collected through your browser? Is it collecting through a script or plug-ins on your website? Providing this information will help users make informed decisions on how to navigate your site in a way that fits their privacy needs.  

How you use information 

It’s essential that you inform users not only of what you’re collecting, but how youre using that information. In many cases, it can help explain why it’s important that you collecting this information in the first place. Examples include customer service, payment processing, and improving site experience. On top of these, you’ll also need to state if you’re using data for marketing and joint marketing purposes. 

What information you share and why 

You’ll also want to state any information that you share with others. This might be for something like third-party advertising but can also include other companies related by common ownership, non-affiliates that market to you, or even non-profits using the data for research studies. Today, users are concerned about understanding who has access to their data, so this information is especially important.   

How that information is secured  

This is something you’ll definitely want your users to know about. Listing what security systems and practices you have in place will go a long way to show users that you care about their privacy and are taking the necessary steps to ensure it’s secure. 

What privacy options do users have 

It’s become more common for websites to give users some choice with regards to their privacy. This includes whether they can access the data that has been collected, the ability to change what information they want to share, whether they can delete data previous collected, as well as the ability to decide how long you hold on to their information. If you allow users these options, you want to explicitly state that they have those abilities.  

Who users can contact about privacy concerns 

Another component to your privacy policy should be a contact person that users can contact when they have questions or concerns regarding the policy or any other privacy-related issues. It’s important that users have someone they can reach out to when they have concerns.  

Regulation Compliance 

Lastly, depending on where you operate and even where your servers are located, you may be subject to certain privacy regulations that require you to both include certain components in your policy as well as explicitly state your compliance with these regulations. Two big regulations that could effect your privacy policy is the California Consumer Privacy Act (CCPA) (effective in 2020) and the EU’s General Data Protection Regulation (GDPR). Another important regulation is the Children’s Online Privacy Protection Act (COPPA) which requires certain privacy controls and parental consent before collecting data on children under 13. 

The How

Above all, when it comes to writing your privacy policy, it should be readable. 

Your users shouldn’t need a law degree to understand what’s in the policy. Write in plain English. Keep it as short as possible. While there is a lot of information to include, you should stay as concise as possible. If need be, you can layer the policy, meaning have basic language that provides a general overview and link else for details about different sections. Lastly, you want to ensure that the policy itself is easily accessible to users. It shouldn’t be tucked away in tiny font. Place it somewhere prominent that users to find whenever they’d like to refer back to it. 

This is especially important if you need to comply with the GDPR. Not only does the regulation require you to include certain information in your privacy policy, but also includes requirements to ensure your policy is sufficiently clear. The GDPR’s website provides some guidance on privacy policy best practices that you can find here 

Even if you’re not subject to the GDPR, it’s probably a good idea to try and follow their guidelines as well. Again, your privacy policy isn’t just a legal safeguard. It should be understood as a way to communicate to your users about their privacy and ensure them you’re being transparent about your data collection.  

Learn Your BECs

In March of 2018, the director of the Dutch branch of the Pathé film company received an email from the CEO: “We are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.” 

After some back and forth, the employee transferred 800,000. The days after, more requests were made a subsequently filled, resulting in a total of 19 million transferred. Only after did they discover these emails weren’t sent from the CEO at all, but instead from a spoof email address set up to impersonate Pathé’s chief executive.  

Situations like this are more common than you might think

While there were certainly a number of red flags that Pathé’s employee could have picked up on, business email compromise (BEC) schemes are actually a common form of cyberattack — and often successful 

This month, the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of Treasury, released an updated advisory on BEC schemes. The new advisory reflects just how easy it is for someone gather information on an organization and pose as a boss in order to mislead employees into transferring funds to outside account. 

In fact, instances of email scams are increasing. As the report states, the number of successful email scams have more than doubled between 2016 and 2018, with an average of over $300 million per month in attempted thefts. What’s more, the advisory shows these attacks are moving beyond traditions wire-transfer schemes to include virtual currency payments, automated clearing house transfers and even purchases of gift cards.  

How it Happens 

According to the advisory, scammers have become successful in impersonating leaders within an organization by identifying vulnerabilities within the targeted company. They accomplish this in two main ways. 

The first method is by gathering publicly available information. This could include information listed on an organization’s website, or even employee information found on LinkedIn and other social media sites.  

The second method is more nefarious, including “cyber-related reconnaissance efforts.” In other words, scammers gather more intimate information on an organization through methods such as phishing campaigns and malware.  

What You Should Do 

Of course, organizations cannot respond to these risks by closing themselves off to the outside world. Publicizing what your business does and speaking with potential customers is an important part of how business grow. However, there are common sense steps organizations can take to prevent the success of these email schemes. 

The FinCEN advisory suggests all organizations should assess their risk around business processes and practices. They suggest all organizations put in place a multi-faceted verification process for all electronic transactions. For instance, before any funds are transfered, steps need to be taken to verify all participants in the transactions are who they say they are. This includes using multiple means of communication (email, phone, etc.) and contacting others authorized to conduct transactions. Organizations should also put in place a step-by-step policy for transferring funds both within and outside the organization.  

The bottom line is that mail schemes succeed because someone’s been tricked. All organizations need to invest in proper training and awareness-building. In fact, after the attack, Pathé’s CFO stated that the company “never trained or instructed him to identify fraud.”  

BEC schemes can target employees at any level of your organization. Taking the time to teach all employees to identify fraudulent emails, and even simulating phishing campaigns can go a long way to prevent email scams from taking place.