1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

IRS Warns About New Cyber Scam Targeting Taxpayers

Last month, the United States (US) Internal Revenue Service (IRS) issued a warning to US taxpayers that cyber criminals are increasing their efforts to steal more detailed financial information from taxpayers in order to provide a more detailed, realistic tax return and better impersonate legitimate taxpayers. These efforts include targeting tax professionals, human resource departments, businesses, and other enterprises that store large amounts of sensitive financial information. To mitigate against this threat, the IRS recommended that taxpayers and businesses that store taxpayer information take three steps:

  • Use Security Software. Use security software with firewall and anti-virus protections, and ensure the security software is always turned on and can automatically update. Encrypt sensitive files stored electronically, such as tax records, and use strong and unique passwords for each account.
  • Watch Out For Scams. Recognize and avoid phishing emails, threatening calls and texts from individuals posing as legitimate organizations, such as banks or credit card companies, or even the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  • Protect Personal Data. Don’t routinely carry Social Security cards and make sure tax records are secure. Shop at reputable online retailers. Treat personal information like cash – don’t leave it lying around.

Recently, the IRS issued a specific warning of a quickly growing scam involving erroneous tax refunds being deposited into taxpayer bank accounts. Specifically, after stealing client data from tax professionals and filing fraudulent tax returns, cyber criminals are using taxpayers’ real bank accounts for the deposits and then using various tactics to reclaim the refund from taxpayers. In one version of the scam, criminals posing as debt collection agency officials acting on behalf of the IRS contact taxpayers to say a refund was deposited in error, and ask the taxpayers to forward the money to their collection agency. In another version, the taxpayer who receives the erroneous refund gets an automated call with a recorded voice saying the person is from the IRS. That person then threatens the taxpayer with criminal fraud charges, an arrest warrant and a “blacklisting” of their Social Security Number. The recorded voice gives the taxpayer a case number and a telephone number to call to return the refund.

In its new warning, the IRS repeats its call for tax professionals to increase the security of sensitive client tax and financial files, and outlines steps impacted individuals and enterprises may follow in the wake of a breach, including those outlined in Tax Topic Number 161-Returning an Erroneous Refund and the Taxpayer Guide to Identity Theft.

These new threats highlight the way cyber criminals are uniquely attempting to access sensitive personal information. As businesses increase their encryption and security efforts, these unique efforts by malicious actors will only increase. If you or your enterprise stores or transmits sensitive personal information, such as taxpayer identifying information, you should take time to audit your current practices surrounding how that data is secured, and how your relationships with third parties may impact that security. The Dentons cybersecurity team is prepared to help in those efforts.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. The Dentons Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

IRS Warns About New Cyber Scam Targeting Taxpayers

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee

Since February 2017, the House of Commons Standing Committee on Access to Information, Privacy and Ethics has been reviewing Canada’s federal privacy statute – Personal Information Protection and Electronic Documents Act (PIPEDA) – including public meetings and submissions from stakeholders. A year later, the Committee issued its report outlining its recommendations that would see a significant overhaul of PIPEDA.

In the report titled Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act, 19 recommendations are proposed to the Government of Canada that would see significant changes to the operation of, and individual rights, around personal information. It’s clear in the report and the recommendations themselves that Europe’s General Data Protection Regulations were an influence.

Some of the Committee’s recommendations include:

  • to explicitly provide for opt-in consent as the default for any use of personal information for secondary purposes, and with a view to implementing a default opt-in system regardless of purpose
  • providing measures to improve algorithmic transparency
  • an examination of the best ways of protecting depersonalized data
  • providing for a right to data portability
  • a framework for a right to erasure based on the model developed by the E.U. The model would, at minimum, include a right for young people to have information posted online either by themselves or through an organization taken down
  • modernizing the Regulations Specifying Publicly Available Information in order to take into account situations in which individuals post personal information on a public website and in order to make the Regulations technology-neutral
  • clarification of the terms under which personal information can be used to satisfy legitimate business interests
  • a framework for the right to de-indexing
  • to give the Federal Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance
  • to give the Federal Privacy Commissioner broad audit powers, including the ability to choose which complaints to investigate

During his September 2017 annual report to Parliament, Daniel Therien, Canada’s Federal Privacy Commissioner, emphasized the urgency to revisit PIPEDA in order to meet the realities of today’s world, including requesting the new enforcement powers. Organizations have been equally considering how Canada’s status as an adequate country will be affected as a result of the GDPR.

Click to read the report in full Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act.

 

PIPEDA: Substantial Amendments Proposed by Parliamentary Committee

NIST Releases Draft Update To Cybersecurity Framework

In 2014, the National Institute of Standards and Technology (NIST) released its first version of the Framework for Improving Critical Infrastructure Cybersecurity (Cyber Framework). The Cyber Framework was originally developed as a voluntary framework to help private organizations and government agencies manage cybersecurity risk in the critical infrastructure space (e.g., bridges, power grid, etc.). Since then, it has been widely adopted across industry as a benchmark standard for measuring an enterprise’s cybersecurity readiness.

Following feedback NIST received in December 2015 from a Request for Information, and comments from attendees at the Cybersecurity Framework Workshop in 2016 held at the NIST campus in Maryland, NIST released a draft update to the Cyber Framework in January 2017 called Version 1.1. Some of the key changes in the draft update included:

  • Adding a new section on cybersecurity measurement to discuss the correlation of business results to cybersecurity risk management metrics and measures;
  • Expanding the use and understanding of cyber supply chain risk management frameworks;
  • Accounting for authentication, authorization, and identity proofing in the access control section of the framework; and
  • Better explaining the relationship between the various implementation tiers and profiles.

Last week, NIST released a second draft of Version 1.1, which is open for public comment through January 20, 2018. The new draft expands on issues such as supply chain security and vulnerability disclosure programs. It also emphasizes the need for companies using the framework to develop metrics to quantify their progress. NIST says it hopes to finalize Version 1.1 in the spring of 2018.

If you are interested in submitting comments on the new draft of Version 1.1, or learning more about its proposed changes that will likely take effect in 2018, the Dentons Privacy and Cybersecurity Group is ready to assist.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral NetworkDentons’ Privacy and Cybersecurity Group operates at the intersection of technology and law, and has been singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

NIST Releases Draft Update To Cybersecurity Framework

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

On September 21st, 2017, Daniel Therrien, Canada’s Federal Privacy Commissioner, tabled his annual report to Canada’s Parliament today. The report to Parliament includes results and recommendations with respect to the OPC’s study on consent. In addition, the Commissioner requests Parliament overhaul Canada’s federal private sector legislation – the Personal Information Protection and Electronic Documents Act (PIPEDA).

Consent and Technology

A key issue for regulators and businesses is how to obtain meaningful and valid consent to collect and use personal information in the digital age. Revisiting and enhancing the consent model under PIPEDA is grounded in the Commissioner’s five year strategic privacy priorities. In 2016, the OPC issued a consultation paper regarding the challenges of obtaining meaningful consent in a continuously evolving technological ecosystem where the traditional “privacy policy” may not always be suitable. The OPC received feedback through roundtables, focus groups, surveys and receipt of 51 submissions from organizations, information technology specialists, academics, advocacy groups and other stakeholders.

Four Key Elements in Privacy Policies: The Commissioner stated that the OPC will be issuing an updated version of its consent guidelines that will require businesses and organizations to highlight in a user friendly way the following four key elements in their privacy notices:

  1. What information is being collected
  2. Who is it being shared with, including an enumeration of third parties
  3. The purposes for collecting, using or sharing including an explanation of purposes that are not integral to the service, and
  4. Identify the risk of harm to individuals, if any.

Risk of Harm: The OPC is amending its guidelines to require organizations to consider the risk of harm to individuals when considering the form of consent used. This consideration will be in addition to the sensitivity of the personal information and the reasonable expectations of the individual. We expect to learn more about this in the updated guidelines.

No-Go Zones: Expect new guidance for businesses and no-go zones where the use of information, even with consent, should be prohibited as inappropriate. The guidance will be aimed to provide clarity on what the OPC considers “inappropriate uses” under subsection 5(1) of PIPEDA.

Alternatives to Consent: The Commissioner outlined three potential solutions for enhancing privacy protection where traditional consent models conflict with advances in technology, including:

  1. De-identification: In some circumstances, like big data, de-identification protocols may be the right solution. The OPC will be issuing guidance on de-identification that will help businesses assess their protocols and reduce risk of re-identification to a low level where the information may be used without consent.
  2. Publicly available information: The Commissioner agrees that the categories of publicly available information in PIPEDA’s regulations are out of date, and should be revisited by Parliament. For now these exceptions remain the same, but we may someday see changes to the regulations.
  3. Call for reform of new exceptions: The Commissioner has requested that PIPEDA be amended to include new exceptions to consent (section 7 of PIPEDA) to address social activities not contemplated when PIPEDA was first drafted. The goal is to help organizations use data for new purposes that would benefit individuals and obtaining consent is not practical. For example, a mobile app wishes to now use information collected for geolocation mapping, and the business can demonstrate that the benefit of the new use of information outweighs the privacy incursion. This option would be considered a last resort and require pre-approval by the OPC.

Overhaul of PIPEDA including new Powers

The Commissioner reported that it is time to revisit how Canada’s federal privacy legislation, enacted in 2000, meets the realities of today’s digital world, including advances technology as well the addition of new enforcement powers already used by the OPC’s counterparts in the U.S. and Europe. The Commissioner proposed to Parliament that this overhaul include a new enforcement model that emphasizes proactive powers that are backed up by order-making authorities, including:

  • involuntary audits
  • issuing binding orders, and
  • impose administrative monetary penalties.

The request for reform of PIPEDA is certainly a hot topic as businesses and organizations await how Canada’s status as an adequate country is, or is not affected as a result of Europe’s General Data Protection Regulations.

Expect a more aggressive OPC

However, do not expect the OPC to wait for new powers. The Commissioner ended his report to Parliament adding that, beginning today, we can expect a more proactive and aggressive OPC with respect to enforcement. The OPC is sending a signal that complaints to the OPC will no longer be the primary tool and the OPC will be shifting itself as a proactive regulator ready to initiate investigations. The Commissioner reported that a complaint-driven model has its limits:

People are unlikely to file a complaint about something they do not know is happening, and in the age of big data and the Internet of Things, it is very difficult to know and understand what is happening to our personal information. My Office, however, is better positioned to examine these often opaque data flows and to make determinations as to their appropriateness under PIPEDA.

This is an important message. The Commissioner is not waiting for legislative reform and has put businesses and organizations on notice to expect a more active OPC, one that will be on the lookout for “specific issues or chronic problems” that must be addressed – possibly resulting in more Commissioner-initiated investigations.

More information

You can read the OPC’s news release here.

You can read the Commissioner’s remarks and full Annual Report to Parliament here.

Canada’s Privacy Commissioner Pursues a Stronger Consent Framework and More Proactive Enforcement

HHS Issues Quick Response Cyber Attack Checklist

Last month, after the WannaCry ransomware attack infected 230,000 computers in 150 countries, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a “Quick-Response Checklist” for HIPPA covered entities and business associates to follow when responding to a ransomware attack or other “cyber-related security incident,” as that phrase is defined under the HIPAA Security Rule. 45 C.F.R. 164.304.

Checklist Recommendations

The checklist provides four recommendations:

  1. Execute the response and mitigation procedures and contingency plans. Entities should immediately fix any technical or other problems to stop the incident and take steps to mitigate any impermissible disclosure of protected health information (either done by the entity’s own information technology staff, or by an outside entity brought in to help).
  2. Report the crime to other law enforcement agencies. This includes state or local law enforcement, the FBI, or the Secret Service. The OCR makes clear that any such report should not include protected health information (unless otherwise permitted by the HIPPA Privacy Rule).
  3. Report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs). A cyber threat indicator is defined under federal law as information that is necessary to identify malicious cyber activity. The US Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs are all identified as acceptable information-sharing organizations under the new checklist. The OCR, however, makes clear that it does not receive reports from its federal or HHS partners.
  4. Report the breach to OCR as soon as possible, “but no later than 60 days after the discovery of a breach affecting 500 or more individuals.” Entities should notify “affected individuals and the media unless a law enforcement official has requested a delay in the reporting.” The OCR also presumes that all cyber-related security incidents where protected health information was accessed, acquired, used, or disclosed are reportable breaches unless the information was encrypted by the entity at the time of the incident or the entity determines, through a written risk assessment, that there was a low probability that the information was compromised during the breach. An entity that discovers a breach affecting fewer than 500 individuals has an obligation to notify individuals without unreasonable delay, but no later than 60 days after discovery. And the OCR must be notified within 60 days after the end of the calendar year in which the breach was discovered.

In the end, the OCR states that it considers “all mitigation efforts taken by the entity during any particular breach investigation,” including the voluntary sharing of breach-related information with law enforcement agencies and other federal and analysis organizations, as outlined in the checklist.

Takeaways

The OCR’s checklist makes clear that preparing for, and responding quickly to any potential breach should be a priority for HIPPA covered entities and their business associates. This includes preparing or updating enterprise wide incident response plans, training leadership, implementing effective governance programs, and having the ability to rapidly mobilize a response to malicious activity. Dentons’ global Privacy and Cybersecurity Group, in conjunction with Dentons’ leading healthcare practice, has extensive experience helping entities prepare and execute such plans and dealing with the rapidly changing legal and regulatory landscape that emerges in the aftermath of a security incident.

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

HHS Issues Quick Response Cyber Attack Checklist