1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

DHS Warns Congress On Mobile Device Security

On May 4, 2017, the US Department of Homeland Security (DHS) submitted a new study to Congress that detailed current and emerging threats to the Federal government’s use of mobile devices and provided recommendations for security improvements. The DHS Science and Technology Directorate in coordination with the National Institute of Standards and Technology (NIST) and its National Cybersecurity Center of Excellence were responsible for the study.

Overview of Study

The study found that threats to the mobile device ecosystem are growing, and that security of mobile computing is improving. The study also found that threats to the Federal government’s use of smartphones and tablets running mobile operating systems were prevalent across the mobile device ecosystem, and presented a separate and distinct threat from those impacting desktop workstations. The study found that threats to mobile devices range from those perpetrated by nation-states to those committed by organized crime or hackers, and that Federal government mobile devices may be targeted specifically because of their public nature.

Key Recommendations

The study provides a series of recommendations to enhance the Federal government mobile device security measures. A number of these recommendations could be helpful for business to adopt as well:

  • Adopt a framework for mobile device security based on existing standards and best practices.
  • Coordinate the adoption and advancement of mobile security technologies into operational programs to ensure that future capabilities include protection and defense against mobile threats.
  • Develop cooperative arrangements and capabilities with mobile network operators to detect, protect against, and respond to threats.
  • Create a new defensive security research program to address vulnerabilities in mobile network infrastructure and increase security and resilience.
  • Develop policies and procedures regarding U.S. Government use of mobile devices overseas based on threat intelligence and emerging attacker tactics, techniques, and procedures.

This new study highlights the vulnerabilities present in mobile device usage in the workplace. The Dentons Privacy and Cybersecurity team can help you and your business develop a robust and comprehensive mobile defense strategy, and update your existing policies to guard against the growing threats presented to the mobile device ecosystem.

DHS Warns Congress On Mobile Device Security

Workplace Performance Concerns Lead to Privacy Violation

A recent Order of the Office of the Information and Privacy Commission of Alberta (OIPC) provides guidance on potential privacy traps when managing performance issues in the workplace.

Two coworkers of the complainant were concerned about the complainant’s workplace performance. The reasons are opaque but there may have been health issues such as substance abuse requiring rehabilitation. The coworkers who were friends of the complainant emailed and texted the parents of the complainant. At least one of the coworkers also provided information to the employer apparently at the request of the employer.

Ultimately, the adjudicator concluded that the coworkers were acting in a personal capacity when communicating with the parents (this was more by luck than design in one case). But, the employer was found to have violated the Alberta Personal Information Protection Act (PIPA) by failing to have a policy or otherwise notifying the complainant on the circumstances in which it might collect performance-related personal information from coworkers.

Were the communications to the parents in the course of employment?

If the coworkers communicated personal information about the complainant to her parents, this would have violated PIPA, as a disclosure without consent. The organization argued that the coworkers were not acting on behalf of the employer when they wrote to the complainant’s parents and disclosed information about her performance at work and their concerns about the complainant’s personal life. One of the emails was sent using the coworker’s work email address. However, the adjudicator concluded that this was not determinative since the coworker said that she was writing from that email account so that it would appear legitimate and provided her personal email account address as contact information.

The text messages were more complicated. The coworker sending those messages initially conveyed personal information about the complainant. However, in subsequent messages, this coworker relayed information about the steps the employer intended to take to address the complainant’s work performance and that the employer wanted to arrange a meeting with the complainant, the complainant’s mother and the coworkers. Ultimately the adjudicator concluded that the personal information that was disclosed in the text messages was done in the context as a friend of the coworker and not as a representative of the employer. As for the subsequent texts, the adjudicator concluded it was possible that the coworker was acting as an employee of the employer (with or without authority) but at that point the discussions were about a meeting and did not reveal further personal information.

Was providing the information to the employer done in the course of employment?

The adjudicator accepted that a coworker might provide personal information about another employee in their personal capacity rather than in the course of their employment. The adjudicator concluded that the key issue was the circumstances in which the information was provided. The adjudicator concluded that “[w]hen the information is provided in the workplace, and especially where it is solicited by someone in the organization that has the ability to deal with performance issues (as the employer does here), it seems to be reasonable to assume that the information is being provided as an employee, and not in a personal capacity.”

Did the employer violate the complainant’s privacy?

The adjudicator accepted that the complainant’s personal information at issue was information that would be useful in managing the employment relationship with the complainant and, therefore, the information was employee personal information. This was significant because there is more latitude to use and disclose employee personal information without consent. However, in order to use or disclose employee personal information without consent, the employer must provide reasonable notice to the individual. The notification must be given before the information is used and disclosed.

The adjudicator accepted that reasonable notice could include a policy on how an organization deals with performance or disciplinary issues or when feedback may be requested from coworkers, provided the policy was brought to the attention of employees. Alternatively, in this case, the employer could have approached the complainant first to discuss the performance concerns and advising the complainant that the employer may need to seek input from the coworkers. The employer failed to do so.

Key Takeaways

Employers should make sure that employee privacy policies or codes of conduct contain explicit reference to the need to gather information from coworkers in some cases in order to manage performance issues and how the employer will respond to unsolicited performance concerns by coworkers. This case did not involve an investigation into a harassment or other violation and so the exceptions for investigations did not apply.

This case also provides another reason to educate employees on obligations under personal information legislation. One could easily imagine other scenarios in which well-intentioned employees may be found to be acting in the course of their employment when communicating with family members or other friends of a coworker.

, ,

Workplace Performance Concerns Lead to Privacy Violation

FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry

On March 22, 2017, the FBI issued a Private Industry Notification, warning that criminal actors are actively targeting File Transfer Protocol (FTP) servers operating in “anonymous” mode and associated with medical and dental facilities to “access protected health information (PHI) and personally identifiable information (PII) in order to intimidate, harass, and blackmail business owners.” FTP’s are used to transfer information between various parties. When an FTP is placed in anonymous mode, it allows a user to authenticate the FTP server with a common username such as “anonymous” or “ftp” without submitting a password or by submitting a generic password or e-mail address.

The FBI warns that cyber criminals could use an FTP server in anonymous mode to store malicious tools or launch targeted cyber attacks. Therefore, “any misconfigured or unsecured server operating on a business network on which sensitive data is stored or processed exposes the business to data theft and compromise by cyber criminals who can use the data for criminal purposes such as blackmail, identify theft, or financial fraud.”

The FBI recommends medical and dental healthcare entities request their respective IT services personnel to check networks for FTP servers running in anonymous mode. If businesses have a legitimate use for operating a FTP server in anonymous mode, administrators should ensure sensitive PHI or PII is not stored on the server.

The FBI encourages businesses to report information concerning suspicious or criminal activity to their local FBI office or the FBI’s 24/7 Cyber Watch.

A copy of the notification can be found here.

 

FBI Warns Cyber Criminals Are Targeting Unsecured FTP Servers In The Healthcare Industry

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

On April 4, 2017, Tennessee Governor Bill Haslam signed into law an amendment to the state’s data breach notification law, making two substantive changes to the statute:

  1. Adding a technically specific safe harbor encryption provision; and
  2. Adding a 45 day window to complete breach notification, when required.

Overall Summary of Breach Notification Law

Tennessee’s data breach notification law applies to any person or business conducting business in Tennessee that owns or licenses computerized data that contains “personal information.” “Personal information” is defined under the statute as a person’s first name or initial and last name combined with:

  • Social security number;
  • Driver’s license number; or
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

“Personal information” does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Covered entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 or the Health Insurance Portability and Accountability Act of 1996, as expanded by the Health Information Technology for Clinical and Economic Health Act, are exempt from the law.

The statute requires covered entities to disclose a “breach in the security of the system” to any resident of Tennessee whose personal information was, or is reasonably believed to have been, acquired by an “unauthorized person.”

New Encryption Requirements

Under the new law, the phrase “breach in the security of the system” has been amended to read “breach of system security,” and is defined to mean the acquisition of: (1) unencrypted computerized data; or (2) encrypted computerized data and the encryption key that contains personal information by an unauthorized person that materially compromises the security, confidentiality, or integrity of personal information maintained by the information holder. The new statute defines encrypted to mean “computerized data that is rendered unusable, unreadable, or indecipherable without the use of a decryption process or key and in accordance with the current version of the Federal Information Processing Standard (FIPS) 140-2[.]” FIPS 140 is a US government standard that defines minimum security requirements for cryptographic modules in products and systems, as set forth in Section 5131 of the Information Technology Management Reform Act of 1996. Therefore, under the new amendment, if the information acquired was encrypted pursuant to the FIPS 140-2 standards, and the encryption key was not compromised, notification is likely not required.

Notification Clarification

The new amendment also imposes a specific time frame for completing notification, when required. Disclosure now must be made no later than 45 days from the discovery or notification of the “breach of system security,” unless a longer period of time is required due to the legitimate needs of law enforcement. Specifically, notification may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. This change makes Tennessee the eighth state to enact a statute that puts a specific time period on the notification requirement. The majority of states only require notification in the “most expedient time possible” or “without unreasonable delay.”

Takeaways

Cyber threat preparation and monitoring remains the first and best line of defense against data breaches. Dentons helps companies prepare for breach by formulating written incident response plans, conducting table-top exercises with key members of the incident response teams, and advising companies on compliance with data notification reporting requirements, such as the new requirements now applicable in Tennessee. Our team is ready to help you or your business navigate this complicated area of the law, and help with the growing need for encryption requirements.

Tennessee Adds New Encryption And Timing Requirements To Its Data Breach Notification Law

HHS Issues Warning About Phishing Campaign Disguised As Official Communication

As part of its efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) engages in audits of covered entities and their business associates.

On November 28, 2016, the OCR issued an alert warning covered entities about a phishing e-mail that is being circulated on mock HHS Departmental letterhead under the signature of OCR’s Director, Jocelyn Samuels.  The e-mail purportedly prompts the receiver to click a link regarding possible inclusion in the HIPPA Privacy, Security, and Breach Rules and Audit Program, and directs the recipient to a non-governmental website.  The phishing e-mail originates from the e-mail address OSOCRAudit@hhs-gov.us and directs individuals to http://www.hhs-gov.us.  This is a slight difference from the official e-mail address for the HIPAA audit program, OSOCRAudit@hhs.gov, and the official HHS website http://www.hhs.gov.

The OCR advises covered entities and their business associates to alert employees of this issue and take note that official communications regarding the HIPAA audit program are to be sent to selected auditees from the official e-mail address OSOCRAudit@hhs.gov.

A copy of the OCR alert can be found here.

If you or one of your entities has received this phishing e-mail, the Dentons Privacy and Cybersecurity Law Group is available to help you navigate next steps.

HHS Issues Warning About Phishing Campaign Disguised As Official Communication