“This article was originally published with Security Toolbox on September 15, 2020. You can view the original content, here.”

Domestic and international politics have invaded the field of data security, and the COVID-19 pandemic has only added to this invasion. Shane O’Donnell a partner & Chief Audit Executive at The Mako Group and Sean Griffin, a member at Dykema explains how security leaders can safeguard their crucial IT infrastructure in this new era of data security and navigate foreign and domestic politically motivated leaks.

Like it or not, domestic and international politics have invaded the field of data security.  Of course, COVID-19 has assisted this invasion, but other political factors from the upcoming US election to this summer’s Black Lives Matter protests have played a part. Data security professionals must therefore keep an eye not only on their IT infrastructure but the practical consequences of recent political actions.
Continue Reading Political Cost of Data Leaks: Data Security in the Crosshairs

Months ago, the Firewall warned that cybercriminals were taking advantage of the anxiety and insecurity from COVID-19 to promulgate phishing schemes, malware, and other schemes.  Interpol recently released a report (click here to download PDF from Interpol) warning of these dangers and other cybercriminal activity that exploits the current COVID-19 environment. As the Firewall advised in April, Interpol’s report notes that cybercriminals are taking advantage of the increased security vulnerabilities arising from the sudden shift to remote work.

Interpol groups the recent COVID-related cybercriminal activity into five categories.
Continue Reading COVID-19 Increases Data Security Threats, Interpol Warns

Recently, this blog warned about Advanced Persistent Threats (APTs)—state-sponsored hackers that attack U.S. companies in the hopes of sowing political, technological, or financial disruption. In particular, we warned that healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research.

Security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses. According to U.S. intelligence services, APT29 is part of the SVR, Russia’s CIA equivalent, and UK officials also blame it for attacks against the 2016 presidential election.


Continue Reading Recent Russian Cyberattacks Against Coronavirus Researchers and Other Industries Provides a Lesson on Cyber Preparedness

Among countless other disruptions, COVID-19 has raised important questions about the limits of data collection and highlighted the shortcomings of both the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”). The pandemic has proven to be a black swan for which neither law nor its enforcement bodies are prepared—and which carries privacy-law implications that will persist long after the health crisis ends. Consequently, governments and businesses must work without meaningful existing guidance to strike a delicate balance between gathering the critical information needed to manage the virus and honoring the GDPR’s and CCPA’s stringent requirements.

Data Collection in Europe

The European Data Protection Board’s general guidance on how to collect data, in the context of COVID-19, leaves much room for interpretation. GDPR Articles 6 and 9 permit data collection without consent if the processing is necessary for the performance of a task carried out in the public interest. Although combating COVID-19 qualifies as a public interest need, it is unclear whether the collection methods employed, which vary by country, qualify as “necessary” under GDPR, or whether or to what extent those processes can sustain after the pandemic without violating the law. Each member state decides for itself how much intrusion is necessary, which invites comparisons to determine how far is far enough when gathering data in the public interest.
Continue Reading The Crisis Beyond the Crisis: How Data Tracking for COVID-19 Creates Privacy Issues That Will Persist Once the Pandemic Is Over

Recently, we cautioned companies to ensure that their workers’ mobile phones remain secure. On April 23, news about a possible security vulnerability in Apple’s iPhone mail system lends this recommendation additional urgency.

ZecOps, a San Francisco-based mobile security firm, claims to have discovered a hack targeting iPhones’ native email program. This hack is called a “zero click” attack, because unlike a typical “phishing” exploit, which requires the victim to click on a link in an email or text message, a “zero click” exploit can execute without the victim’s action or knowledge. According to ZecOps, the vulnerability enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory. The attackers can trigger the vulnerability before the entire email is downloaded, so the email content will not necessarily remain on the device. In other words, the perpetrators can send an email containing malicious code, and that code can then set off a chain reaction, or an “exploit chain” that overcomes the phone’s defenses and erases its tracks along the way. Such an attack can be nearly impossible to detect.
Continue Reading iPhone Hack Highlights Home Office Data Security Risks

The California Consumer Protection Act (“CCPA”) was in effect for just over three months when the American economy stopped cold in the face of the COVID-19 global pandemic. Much effort was expended in the months before the January 1, 2020 effective date to ensure compliance with the CCPA which, like its European cousin, the General Data Protection Regulation (“GDPR”) aspires to protect data and personal information. But also like the GDPR, many anticipated enforcement by the California attorney general (scheduled to begin on July 1, 2020) to provide guidance on how the CCPA would be interpreted and applied. Then the world came to a halt. Literally. Notwithstanding, as discussed in our earlier post, the California Attorney General has signaled that businesses subject to the CCPA should not expect any delays in enforcement. To be clear, privacy concerns did not cease to exist because of the pandemic. These concerns simply took a back seat as the world focused on defeating the virus. But privacy rights may be moving to the forefront again with the advent of COVID-19 tracking applications under consideration by governments seeking to use this technology to contain the spread of the virus. Most recently, on April 10, 2020, Google and Apple announced a joint endeavor to use Bluetooth technology in conjunction with apps from public health authorities to allow contact tracing of those individuals affected with COVID-19. The system is supposed to ensure users’ privacy and operate only with valid consent. See also our recent blog post on Locating COVID-19 Without the Location Data. Although tracking technology is not new–other iterations were used to track other diseases such as the seasonal flu–its use here would be one of the first to be used in the CCPA era. And arguably, the need to comply with the CCPA–passed by referendum in one state–has affected the usefulness of contact tracing solutions in every state. The Apple-Google solution, for example, covers the vast majority of mobile devices and is likely to be the only solution agreed upon by these two companies. It skirts the need to handle geolocation data, reducing the regulatory footprint under the CCPA, but the very lack of geolocation data degrades the usefulness of this system to local governments for finding and locking down hotspots–and to users in avoiding them. Few, if any, privacy professionals envisioned that preparation for CCPA compliance needed to include protocols for responding to governmental requests for data in combatting a public health crisis. But here we are.
Continue Reading Will COVID-19 Finally Prompt a Federal Privacy Law?

Recently, Apple and Google – two of the world’s biggest tech firms–jointly devised a system of contact tracing for COVID-19. This contact tracing does not involve analyzing centralized data stores of personal data. Rather, it leverages a proximity technology most often seen in retail stores and shopping centers plus a peer-to-peer (P2P) communications concept that parallels methods explored for connected vehicles. The Apple-Google design is a fascinating departure from the conventional model of central collection and processing of personal data.

Coincidence… or Bluetooth?

You may have encountered mobile applications that have asked for Bluetooth access. Or you may have received what seems like a strangely coincidental promotional email as you have walked through the door of a store. This is not a coincidence; retailers frequently use Bluetooth, among other methods, to determine where a customer is standing in a store and to trigger promotions. This is not regulated in most of the United States. We normally think of Bluetooth as a way that a “master” device (a computer, car, or audio source, typically) can communicate with an “accessory” such as keyboards, mice, headphones, hands-free sets, etc. As most users encounter the technology, it is a matter of “pairing” one device with another. But Bluetooth can run under numerous profiles that transmit a variety of data types. GPS-free location tracking was largely enabled by Bluetooth LE, which allows the radio technology to run on a mobile device without creating an excessive battery drain. This eliminated a major inconvenience of prior versions of Bluetooth, and the practical effect is that it can remain “on” all the time. Many implementations of Bluetooth 4.0/LE allow range-finding between a transmitter and receiver. A store, for example, can determine where a customer is standing by measuring the distances from the visitor’s phone to sensors in the store.
Continue Reading Locating COVID-19 Without the Location Data

The videoconference platform Zoom has seen a surge in users since the coronavirus pandemic. Teleworkers are relying increasingly on Zoom for virtual meetings, and as a HIPAA-compliant videoconferencing program, Zoom for Healthcare has gained popularity among healthcare providers in particular. New York’s Attorney General has asked Zoom to explain its privacy policies, and additional scrutiny is likely to follow.

Hackers have noticed. Since the beginning of the year, reports show 1,700 registrations including the word “Zoom,” with 4 percent containing suspicious characteristics. A click on a fake Zoom invitation could install InstallCorePUA, which opens the door to malicious software installations.
Continue Reading Working From Home Data Security Risks

Telehealth

On March 17, 2020, OCR issued guidance indicating that it would exercise enforcement discretion and waive penalties for entities that provide services to individuals using “everyday communication technologies.”

On March 20, 2020, OCR provided additional more detailed guidance on telehealth services applicable to all health care providers  covered by HIPAA who provide telehealth services during the COVID -19 public health emergency.

OCR defines “telehealth” as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration” (relying on the definition used by the Health Resources and Service Administration of DHHS). Telehealth may be provided through audio, text messaging, or video conferencing. This guidance does not apply to other covered entities, such as insurance companies, that may pay for telehealth services.
Continue Reading OCR Guidance During the COVID-19 Public Health Emergency

Bad actors love crises. The forced telecommuting of millions of employees (and the attendant exponential increase in use of remote access technologies), coupled with real fears and concerns regarding the spread of COVID-19, have produced a fertile environment for an increase in cyberattacks. Trend Micro reports that COVID-19 is being used in a variety of malicious campaigns including email spam, business email compromise (i.e., using stolen information to initiate fraudulent wire transfers), malware, ransomware, and malicious domains. Trend Micro estimates that nearly 66% of these attacks involve email spam. Both Trend Micro and Sophos have separately reported discovery of what Sophos calls a “dirty little secret” scam: users receive an email asserting that the sender knows their whereabouts and other personal information, and threatens that if the user refuses to pay a fairly large sum ($4000 in one instance), they will infect your family with coronavirus. Nasty, eh?

With this increased risk environment, and everyone’s guard down a bit as we focus on simply trying to keep doors open, it is important for those responsible for data security to undertake basic steps to lessen the success of these attacks. These steps can include:
Continue Reading Strengthening Your Cybersecurity in the Age of the Coronavirus