1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

FTC Announces New Guidance on Ransomware

On November 10, 2016, the U.S. Federal Trade Commission (FTC) released new guidance for businesses and consumers on the impact of, and how to respond to ransomware.  Ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the victim pays a ransom.  Ransomware incidents have increased over the past year, including a number of high-profile attacks on health care organizations.

Business Guidance

For businesses, the FTC released Ransomware – A closer look with a companion video Defend against Ransomware.  A copy of both can be found here.

According to the FTC, if your business holds consumers’ sensitive information “you should be concerned about the threat of ransomware.”  The FTC notes it can impose “serious economic costs on businesses because it can disrupt operations or even shut down a business entirely.”

In order to defend against ransomware attacks, the FTC recommends businesses invest in prevention through:

  • Training and education: Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene:  Practice good security by implementing basic cyber hygiene principles (including updating software, and implementing new procedures for users).
  • Backups:  Backup data early and often.
  • Planning:  Plan for an attack.  Develop and test incident response and business continuity plans.

For those businesses hit with a ransomware attack, the FTC recommends organizations take the following steps:

  • Implement the continuity plan:  Have a tested incident response and business continuity plan in place.
  • Contact law enforcement:  Immediately contact law enforcement, such as a local FBI field office, if an attack is discovered.
  • Contain the attack:  Keep ransomware from spreading to networked drives by disconnecting the infected device from the network.

Consumer Guidance

For consumers, the FTC released How to defend against ransomware.  A copy of this guidance can be found here.  The FTC recommends consumers take the following steps to protect against ransomware:

  • Update your software:  Use anti-virus software and keep it up to date.  Set your operating system, web browser and security software to update automatically, and on mobile devices do it manually.
  • Think twice before clicking on links or downloading attachments or applications:  You can get ransomware from visiting a compromised site or through malicious online ads.
  • Back up files:  Back up files whenever possible, and make it part of your routine.

If you are a victim of a ransomware attack, the FTC recommends:

  • Disconnecting the infected devices from the network;
  • Restoring the infected device where possible; and
  • Contacting law enforcement.

Next Steps

If you or your organization becomes a victim of ransomware, or you are interested in developing a comprehensive prevention plan, Dentons’ Privacy and Cybersecurity Group is ready to help.

FTC Announces New Guidance on Ransomware

Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress

On October 21, 2016, a domain name service host and internet management company experienced at least two waves of a distributed denial of service (DDoS) attack that impacted at least 80 websites, including those belonging to Netflix, Twitter and CNN.  The attack was launched by infecting millions of American’s Internet of Things (IoT) connected devices with a variation of the Mirai malware.  The Mirai malware primarily targets IoT devices such as routers, digital video records and webcams / security cameras by exploiting their use of default usernames and passwords and coordinating them into a botnet used to conduct DDoS attacks.  The U.S. Federal Bureau of Investigation (FBI) does not have confirmation of a group or individual responsible for the attack.  In September 2016, two of the largest IoT DDoS attacks using the same malware disrupted the operations of a gaming server and computer security blogger website.

In light of these attacks, there has been an increased focus on IoT security at the FBI, the U.S. Department of Homeland and Security (DHS), the National Institute of Standards and Technology (NIST) and Capitol Hill.

FBI Guidance

Five days after the October 21, 2016 attack, the FBI issued a Private Industry Notification, providing a list of precautionary measures stakeholders should take to mitigate “a range of potential DDoS threats and IoT compromise,” including but not limited to:

  • Having a DDoS mitigation strategy ready ahead of time and keeping logs of any potential attacks;
  • Implementing an incident response plan that includes DDoS mitigation.  The plan may involve external organizations such as law enforcement;
  • Implementing a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location;
  • Reviewing reliance on easily identified internet connections for critical operations, particularly those shared with public facing web servers;
  • Ensuring upstream firewalls are in place to block incoming UDP packets;
  • Changing default credentials on all IoT devices; and
  • Ensuring that software or firmware updates are applied as soon as the device manufacturer releases them.

A copy of the FBI Notification can be found here.

DHS Guidance

On November 15, 2016, the DHS issued its own non-binding guidance for prioritizing IoT security, aimed at IoT developers, IoT manufacturers, service providers, industrial and business-level consumers.  According to the DHS, there are six non-binding principles that, if followed, will help account for security as stakeholders develop, manufacture, implement or use network-connected devices.

Principle #1 – Incorporate Security at the Design Phase

The DHS notes that security should be evaluated as an integral component of any network-connected device.  Building security “in at the design phase reduces potential disruptions and avoids the much more difficult and expensive endeavor of attempting to add security to products after they have been developed and deployed.”  To that end, the DHS suggests the following practices:

  • Enable security by default through unique, hard to crack default user names and passwords.
  • Build the device using the most recent operating system that is technically viable and economically feasible.
  • Use hardware that incorporates security features to strengthen the protection and integrity of the device.
  • Design with system and operational disruption in mind.

Principle #2 – Advance Security Updates and Vulnerability Management

Even when security is included at the design stage, vulnerabilities may be discovered in products after they have been sent to market.  The DHS notes these flaws can be mitigated through patching, security updates, and vulnerability management strategies.  Suggested practices include:

  • Consider ways to secure the device over network connections or through automated means.
  • Consider coordinating software updates among third-party vendors to address vulnerabilities and security improvements to ensure consumer devices have the complete set of current protections.
  • Develop automated mechanisms for addressing vulnerabilities.
  • Develop a policy regarding the coordinated disclosure of vulnerabilities, including associated security practices to address identified vulnerabilities.
  • Develop an end-of-life strategy for IoT products.

Principle #3 – Build on Proven Security Practices

According to the DHS, many tested practices used in traditional IT and network security can be applied to IoT, and can help identify vulnerabilities, detect irregularities, respond to potential incidents and recover from damage or disruption to IoT devices.  The DHS recommends NIST’s framework for cybersecurity risk management, which has widely been adopted by private industry and integrated across sectors.  Other suggested practices include:

  • Start with basic software security and cyber security practices, and apply them to the IoT ecosystem in flexible, adaptive and innovative ways.
  • Refer to relevant Sector-Specific Guidance, where it exists, as a starting point from which to consider security practices (e.g., the National Highway Traffic Safety Administration recently released guidance on Cybersecurity Best Practices for Modern Vehicles and the Food and Drug Administration released draft guidance on Postmarket Management of Cybersecurity in Medical Devices).
  • Practice defense in depth.
  • Participate in information sharing platforms to report vulnerabilities and receive timely and critical information about current cyber threats and vulnerabilities from public  and private partners.

Principle #4 – Prioritize Security Measures According to Potential Impact

The DHS recognizes that risk models differ substantially across the IoT ecosystem, and the consequences of a security failure will vary significantly.  The DHS therefore recommends:

  • Knowing a device’s intended use and environment, where possible;
  • Performing a “red-teaming” exercise where developers actively try to bypass the security measures needed at the application, network, data or physical layers; and
  • Identifying and authenticating the devices connected to the network, especially for industrial consumers and business networks.

Principle #5 – Promote Transparency Across IoT

Where possible, the DHS recommends that developers and manufacturers know their supply chain, and whether there are any associated vulnerabilities with the software and hardware components provided by vendors outside their organization.  This increased awareness could help manufacturers and industrial consumers identify where and how to apply security measures or build in redundancies.  Recommended practices include:

  • Conduct end-to-end risk assessments that account for both internal and third party vendor risks, where possible.
  • Consider the creation of a publicly disclosed mechanism for using vulnerability reports.
  • Consider developing and employing a software bill of materials that can be used as a means of building shared trust among vendors and manufacturers.

Principle #6 – Connect Carefully and Deliberately

The DHS notes that consumers, particularly in the industrial context, should “deliberately consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.”  To that end, suggested practices include:

  • Advise IoT consumers on the intended purpose of any network connections
  • Making intentional connections.
  • Build in controls to allow manufacturers, service providers, and consumers to disable network connections or specific ports when needed or desired to enable selective connectivity.

A copy of the DHS guidance can be found here.

NIST Guidelines

On November 15, 2016, NIST released its own guidance advising IoT manufacturers and developers to implement security safeguards and to monitor those systems on a regular basis.  NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems.  The new NIST Special Publication 800-160 is the product of four years of research and development, and focuses largely on engineering actions that are required to ensure connected devices are able to prevent and recover from cyber attacks, and lays out dozens of technical standards and security principles for developers to consider.

A complete copy of the NIST guidance can be found here.

Congressional Hearing

One day after the DHS and NIST guidance was released, on November 16, 2016, the House Committee on Energy and Commerce’s Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a hearing on “Understanding the Role of Connected Devices in Recent Cyber Attacks.”  The witnesses were Dale Drew of Level 3 Communications, Kevin Fu of Virta Labs and the University of Michigan, and Bruce Schneier from the Berkman Klein Center at Harvard University.

The witnesses uniformly recommended that while the DDos attack in October was just on popular websites, and not critical infrastructure, attacks toward critical infrastructure, including public safety and hospital systems, are likely.  Each witness stressed the importance of addressing the vulnerabilities at the onset of developing technology, and urged greater oversight by lawmakers.

A video of this hearing can be found here.

Internet of Things (IoT) Security Takes Center Stage At FBI, DHS, NIST and Congress

Germany to audit 500 companies on data transfers

Germany to audit 500 companies

The German data protection authorities have announced today that they have chosen 500 companies throughout Germany to audit their transfer of personal data to the US and other countries (eg. India).  The targets were chosen by random and cover small, medium-size and also large companies known to transfer data of their customers or employees from Germany to the US. Cloud computing and office software applications are in their focus. The different approach towards data privacy in the US – especially made apparent by Snowden –  has made many EU authorities criticize the US use of personal data as not being adequate to the data protection level of the EU.

Context

The Safe Harbor self-certification option for commercial entities in the US, a commonly used tool agreed between the EU Commission and the US Department of Commerce to safeguard an EU data protection level at US companies, was declared void by the CJEU in its Schrems decision. The new regime known as the “EU US Privacy Shield” went live is August. Also, companies have the option to agree bilateral EU Standard Contractual Clauses or to establish binding corporate rules.

Beware Cloud and SaaS

Now, the German authorities want to audit German companies and German branches of companies from abroad to check if and how they are complying. Especially it is expected that they want to investigate if there are transfer regimes in place and if the old Safe Harbor approach is still in use. Use of the cloud and SaaS vendors will be a focus.

Once more this is a warning sign that authorities of EU Member States are using their administrative authorities to enforce EU data protection law especially of consumers but also employees. Germany is being particularly active.

What happens next?

The German data protection authorities will approach companies by sending a letter requesting information on their practice of data transfer to the US. Depending on the response, the German authorities make more requests or site inspections may follow. The authorities will also likely direct the companies’ in-house Data Protection Officers to assist them with their requests.

If companies have received such requests they should carefully draft their response. As these requests usually provide for sufficient time to react, there may still be time to establish safeguards like EU Standard Contractual Clauses.  But planning now is key.

Prepared by Christian Schefold, Christoph Zieger and Ariane Loof of Dentons Germany

Germany to audit 500 companies on data transfers

First Data gains approval for its Processor BCRs

Dentons has advised First Data Corporation (“First Data“), a global leader in payment technology and service solutions, in successfully obtaining approval for its Binding Corporate Rules (“BCRs“) for Data Processors. BCRs are a company-wide privacy policy to guarantee that a company’s practices are consistent with European data protection law. They are widely considered the platinum standard for compliance with the European Data Protection Directive.

Here are our 5 big takeaways from this story:

  1. First by the ICO – First Data is the first company to obtain authorisation for BCRs for Processors under the leadership of the UK’s Information Commissioner’s Office (“ICO“). The only other DPAs to have led a successful application for Processor BCRs are the Dutch DPA and the French CNIL.
  2. First payment processor – First Data is the only payments technology company to obtain such authorisation. First Data will no longer need to enter into model contracts with many of its clients, simplifying the contractual process. This should give it a competitive advantage in a marketplace that is increasingly sensitive to privacy issues.
  3. Dual approval – First Data is one of only five companies worldwide that has completed this rigorous process for information processed both as a Data Processor and as a Data Controller.
  4. 2 Year project – The Data Processor authorisation is the culmination of a two-year project. If you are considering making an application, this is a guide to the timescales you should be expecting (although this was the first application and the process may be streamlined).
  5. Easier for Data Controllers – The BCRs approval will open the door to a streamlined process for Data Controllers wanting to rely on the BCRs to enable their data to be shared across borders.

If you would like any more information on this application, you can find First Data’s press release here, or you can contact Scott Singer, Nicola Harding or me directly.

, , , , ,

First Data gains approval for its Processor BCRs

FTC steps up enforcement action

Last week, the FTC announced that it had settled with a gaming company that falsely claimed to be certified under the US Safe Harbor.  The Safe Harbor agreement is a self-certification arrangement under which you can transfer personal data from Europe to the US without “tripping up” on the EU data export prohibition.  It is a critical plank in the platform for global companies who need to transfer personal data across borders.  Think about how many companies operate globally or who use cloud-based storage solutions and you can see how important it is to be able to transfer data internationally in a legally compliant manner.

Are we seeing a new pattern of enforcement?

Only last month, the FTC announced enforcement action against 12 companies who also falsely claimed to be Safe Habor certified. So this is starting to look like a deliberate move to be more pro-active on Safe Harbor infringers. This has mostly been for failure to certify. Annual re-certification is required under the Safe Harbor for it to be valid.  By the way, failing to hold a current certification doesn’t mean that you are guilty of any actual privacy law breach.  So the companies had not suffered a data leak or hack and were not, necessarily, guilty of ignoring any individual rights in relation to privacy.  Perhaps this is a sign of a new willingness to take enforcement action.

Why are we seeing additional privacy enforcement?

If you asked the FTC, they will tell you that enforcement of the Safe Harbor is a top priority and should send a signal to companies that they cannot pretend to be in the program when this is not the case.  But there may be a political reason too.  The recent Snowdon revelations are still bubbling in Europe and elsewhere and there is a real concern among European consumers that their data may be at risk if it is held in the US or by US companies. This is being stoked by the media and politicians although it is not quite clear who is more to blame. One of the longstanding criticisms of the US position is that enforcement of Safe Harbor or companies falsely claiming that they are participants has been limited. So the FTC’s latest enforcement action takes this criticism head on.  It also must be one of the most efficient ways to demonstrate a willingness to ensure companies are complying with the Safe Harbor without fighting long or complex disputes with alleged offenders.  Failing to self-certify is a fairly binary issue and easy to prove.

Of course, if you were going to be cynical, you would probably compare and contrast the US FTC enforcement action with equivalent action taken by supervisory authorities in Europe in relation to unlawful data exports.  While the EU supervisory authorities have been hot on many other enforcement issues, enforcement in relation to data exports has been pretty fragmented.  Suddenly the FTC looks like a rather more effective enforcer of privacy rights than some of the EU supervisory authorities would like to admit.  We are watching the FTC’s enforcement action and enthusiasm for Safe Harbor with great interest.

FTC steps up enforcement action