1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

NIST Announces Privacy Framework Effort

On September 4, 2018, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) announced the start of a collaborative project to develop a voluntary privacy framework to help organizations manage privacy related risk. The envisioned privacy framework will provide an enterprise-level approach to help organizations prioritize strategies for “flexible and effective privacy protection solutions so that individuals can enjoy the benefits of innovative technologies with greater confidence and trust.” Parallel with this effort, the U.S. Department of Commerce’s National Telecommunications and Information Administration is developing a domestic legal and policy approach for consumer privacy in coordination with the department’s International Trade Administration.

NIST kicked off the privacy framework effort with a public workshop on October 16, 2018 in Austin, Texas held in conjunction with the International Association of Privacy Professionals’ Privacy, Security, Risk 2018 conference. NIST will be holding a live webinar and Q&A session on the privacy framework on November 29, 2018.

NIST is a non-regulatory federal agency within the U.S. Department of Commerce whose mission is to “promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.”  NIST is perhaps most well known for its 2014 Cybersecurity Framework, which has been widely adopted by private and public enterprises to manage against cybersecurity risk. Previous posts addressed NIST’s prior efforts at issuing new maritime cybersecurity rules, focus on Internet of Things technology, and update to its 2014 Cybersecurity Framework.

The adoption of a privacy framework by NIST will have a significant impact on business. It will also represent a welcome effort in light of the rapidly changing privacy frameworks facing industry, including the European Union’s General Data Protection Regulation (GDPR) and California’s new Privacy Law  (which we analyze here) going into effect January 1, 2020.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkThe Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

NIST Announces Privacy Framework Effort

HHS Announces New Health Sector Cybersecurity Coordination Center

On October 29, 2018, Deputy Secretary of the U.S. Department of Health and Human Services (HHS) Eric Hargan announced the official opening of the Health Sector Cybersecurity Coordination Center (HC3). HC3 is an operational cybersecurity center designed to support and improve the cyber defense of the Healthcare and Public Health (HPH) sector of critical infrastructure. The HPH sector is compromised of hundreds of public and private enterprises, including healthcare delivery organizations and medical device manufacturers. The HPH sector of critical infrastructure is one of 16 sectors of critical infrastructure recognized by the U.S. Department of Homeland Security as critical because the assets, systems, and networks within those sectors are so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, national economic security, and/or national public health.

According to the HHS, the role of HC3 is to “work with the sector, including practitioners, organizations, and cybersecurity information sharing organizations to understand the threats it faces, learn the bad guys’ patterns and trends, and provide information and approaches on how the sector can better defend itself.”

HC3 replaces the Healthcare Cybersecurity and Communications Integration Center (HCCIC), which was announced in April 2017. Leaders on the House Energy and Commerce Committee raised concerns about the HCCIC, noting that stakeholders “no longer understand whether the HCCIC still exists, who is running it, or what capabilities and responsibilities it has.” HHS noted that in developing HC3, stakeholders were directly consulted in the process.

The opening of HC3 highlights a growing focus by the federal government on cybersecurity more generally, including within the HPH sector of critical infrastructure. Other agencies, including the Food and Drug Administration and Department of Homeland Security, are also focusing on cybersecurity issues within their sphere of control and influence, including entering into a new memorandum of understanding and issuing new guidance on cybersecurity issues relating to medical devices.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkThe Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

HHS Announces New Health Sector Cybersecurity Coordination Center

DHS And FBI Issue Joint Warning – Hackers Have Targeted Critical Sector Industries Since March 2016

On March 15, 2018, the US Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) issued a joint Technical Alert (TA18-074A) warning “network defenders” in critical sector industries that “Russian government cyber actors” have been intentionally targeting U.S. government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors since at least March 2016. These threat actors, according to the joint alert, have used this campaign to engage in reconnaissance missions and to obtain operational control of industrial control processes and systems.

The joint alert identifies two targets of the ongoing attack: “staging” and “intended” targets. Staging targets are those “peripheral organizations such as trusted third-party suppliers with less secure networks.” The threat actors use the “staging” targets’ networks as “pivot points and malware repositories when targeting their final intended victims,” the intended targets. Once compromised, the staging targets are used to download source code from intended targets’ websites and to remotely access infrastructure such as corporate web-based email and virtual private network (VPN) connections. The threat actors ultimately seek to gain information from the intended target on “network and organizational design and control system capabilities within organizations.”

The joint alert identifies a variety of tactics used by the threat actors, including spear-phishing campaigns, watering-hole domain attacks, and collecting publicly available information:

  • Spear-Phishing. Through spear-phishing, the threat actors use email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server, which allows the threat actor to gain access to user credentials. With user credentials, and using a password-cracking technique, “the threat actors are able to masquerade as authorized users in environments that use single-factor authentication.”
  • Watering-Hole. Through watering-hole attacks, the threat actors compromise “the infrastructure of trusted organizations to reach intended targets. Approximately half of the known watering holes are trade publications and informational websites related to process control, ICS, or critical infrastructure.” These watering-holes host legitimate content developed by reputable organizations, but the threat actor alters the website to contain and reference malicious content. The threat actors use legitimate credentials to access and directly modify the website content. Once on the website, the victim provides credentials.
  • Public Information. The threat actors review information “posted to company websites, especially information that may appear to be innocuous, [to gain access to] operationally sensitive information.” In one example, the threat actors downloaded a small photo from a publicly accessible human resources page, which when expanded was “a high-resolution photo that displayed control systems equipment models and status information in the background.”

Once threat actors gain access to the network, the DHS and FBI warn they conduct “reconnaissance operations within the network,” including “identifying and browsing file servers within the intended victim’s network.” Perhaps most troubling, the DHS and FBI identified in multiple instances “the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities.” This access would allow the threat actors to control operations within the organization, including control of certain energy sectors.

Takeaways

The new joint alert highlights the dynamic threat landscape facing organizations. Although the alert provides technical advice concerning the identification and deterrence of the ongoing attacks, it also provides best practices applicable to the campaign. Many of the recommendations apply outside of the critical sector industries, and provide a timely reminder that all organizations should review their cybersecurity practices and policies on an ongoing basis. Some of the recommended best practices include:

  • Reviewing your existing third party contracts to determine cybersecurity vulnerabilities and protections;
  • Monitoring VPN logs for abnormal activity;
  • Deploying web and email filters on the network;
  • Ensuring proper training to inform end users on proper email and web usage;
  • Establishing a complex password policy;
  • Using multi-factor authentication;
  • Assigning appropriate personnel to review logs;
  • Completing “independent security (as opposed to compliance) risk review”; and
  • Preparing a robust incident response plan.

If you or your organization is looking to create new, or update existing cybersecurity policies or practices, or you have any questions about this joint alert and how your organization may be impacted, please reach out to the Dentons cybersecurity team to discuss how our cost effective strategies can help mitigate your risk and provide an assessment of your overall cybersecurity readiness.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkThe Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

DHS And FBI Issue Joint Warning – Hackers Have Targeted Critical Sector Industries Since March 2016

IRS Warns About New Cyber Scam Targeting Taxpayers

Last month, the United States (US) Internal Revenue Service (IRS) issued a warning to US taxpayers that cyber criminals are increasing their efforts to steal more detailed financial information from taxpayers in order to provide a more detailed, realistic tax return and better impersonate legitimate taxpayers. These efforts include targeting tax professionals, human resource departments, businesses, and other enterprises that store large amounts of sensitive financial information. To mitigate against this threat, the IRS recommended that taxpayers and businesses that store taxpayer information take three steps:

  • Use Security Software. Use security software with firewall and anti-virus protections, and ensure the security software is always turned on and can automatically update. Encrypt sensitive files stored electronically, such as tax records, and use strong and unique passwords for each account.
  • Watch Out For Scams. Recognize and avoid phishing emails, threatening calls and texts from individuals posing as legitimate organizations, such as banks or credit card companies, or even the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  • Protect Personal Data. Don’t routinely carry Social Security cards and make sure tax records are secure. Shop at reputable online retailers. Treat personal information like cash – don’t leave it lying around.

Recently, the IRS issued a specific warning of a quickly growing scam involving erroneous tax refunds being deposited into taxpayer bank accounts. Specifically, after stealing client data from tax professionals and filing fraudulent tax returns, cyber criminals are using taxpayers’ real bank accounts for the deposits and then using various tactics to reclaim the refund from taxpayers. In one version of the scam, criminals posing as debt collection agency officials acting on behalf of the IRS contact taxpayers to say a refund was deposited in error, and ask the taxpayers to forward the money to their collection agency. In another version, the taxpayer who receives the erroneous refund gets an automated call with a recorded voice saying the person is from the IRS. That person then threatens the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

In its new warning, the IRS repeats its call for tax professionals to increase the security of sensitive client tax and financial files, and outlines steps impacted individuals and enterprises may follow in the wake of a breach, including those outlined in Tax Topic Number 161-Returning an Erroneous Refund and the Taxpayer Guide to Identity Theft.

These new threats highlight the way cyber criminals are uniquely attempting to access sensitive personal information. As businesses increase their encryption and security efforts, these unique efforts by malicious actors will only increase. If you or your enterprise stores or transmits sensitive personal information, such as taxpayer identifying information, you should take time to audit your current practices surrounding how that data is secured, and how your relationships with third parties may impact that security. The Dentons cybersecurity team is prepared to help in those efforts.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

IRS Warns About New Cyber Scam Targeting Taxpayers

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee

Since February 2017, the House of Commons Standing Committee on Access to Information, Privacy and Ethics has been reviewing Canada’s federal privacy statute – Personal Information Protection and Electronic Documents Act (PIPEDA) – including public meetings and submissions from stakeholders. A year later, the Committee issued its report outlining its recommendations that would see a significant overhaul of PIPEDA.

In the report titled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, 19 recommendations are proposed to the Government of Canada that would see significant changes to the operation of, and individual rights, around personal information. It’s clear in the report and the recommendations themselves that Europe’s General Data Protection Regulations were an influence.

Some of the Committee’s recommendations include:

  • to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose
  • providing measures to improve algorithmic transparency
  • an examination of the best ways of protecting depersonalized data
  • providing for a right to data portability
  • a framework for a right to erasure based on the model developed by the E.U. The model would, at minimum, include a right for young people to have information posted online either by themselves or through an organization taken down
  • modernizing the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral
  • clarification of the terms under which personal information can be used to satisfy legitimate business interests
  • a framework for the right to de-indexing
  • to give the Federal Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance
  • to give the Federal Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate

During his September 2017 annual report to Parliament, Daniel Therien, Canada’s Federal Privacy Commissioner, emphasized the urgency to revisit PIPEDA in order to meet the realities of today’s world, including requesting the new enforcement powers. Organizations have been equally considering how Canada’s status as an adequate country will be affected as a result of the GDPR.

Click to read the report in full Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act.

 

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee