MISCELLANEOUS CYBERSECURITY NEWS:
FTC to crack down on biometric tech, health app data privacy
violations - Developers of consumer-driven health apps and tech can
expect more stringent enforcement, as the Federal Trade Commission
intends to update its Health Breach Notification Rule to clarify
language around breach of security, user consent language and other
functions.
https://www.scmagazine.com/news/identity-and-access/ftc-to-crack-down-on-biometric-tech-health-app-data-privacy-violations
Utah Cybersecurity Auditor Report - Utah’s Office of the Legislative
Auditor General reviewed cybersecurity practices at state agencies
and local government agencies and some educational institutions.
https://ewscripps.brightspotcdn.com/c4/6e/16090990435a855b82a739cb94af/a-performance-audit-of-the-cybersecurity-in-the-state-of-utah-report-2023-04.pdf
GAO Tells Federal Agencies to Fully Implement Key Cloud Security
Practices - A new US Government Accountability Office (GAO) report
shows that the Departments of Agriculture, Homeland Security (DHS),
Labor, and the Treasury have not fully implemented six key cloud
security practices for their systems.
https://www.securityweek.com/gao-tells-federal-agencies-to-fully-implement-key-cloud-security-practices/
Salesforce Community Cloud data leaks shine light on
misconfigurations - Reported misconfigurations in the Salesforce
Community Cloud once again show how the industry needs to do a
better job explaining the shared responsibility model for cloud
apps.
https://www.scmagazine.com/news/cloud-security/salesforce-community-cloud-data-leaks-misconfigurations
Practicefirst pays New York $550K after patching failure leads to
2020 breach - Practicefirst Medical Management Solutions and PBS
Medcode will pay the state of New York $550,000 after it failed to
apply a patch for a known vulnerability in a timely manner, leading
to a massive data breach impacting over 1.2 million individuals,
428,000 of whom reside in New York.
https://www.scmagazine.com/news/compliance/practicefirst-pays-new-york-550k-after-patching-failure-leads-to-2020-breach
How the ILOVEYOU worm exposed human beings as the Achilles Heel of
cybersecurity - Twenty-three years ago, the digital world witnessed
a cyberattack that would forever change our approach to
cybersecurity.
https://www.scmagazine.com/perspective/cybercrime/how-the-iloveyou-worm-exposed-human-beings-as-the-achilles-heel-of-cybersecurity
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
FTC says fertility app Premom shared user health data with third
parties - Premom “deceived users” by sharing their personal and
health data with third parties, including two firms based in China,
according to a new Federal Trade Commission enforcement action
against the fertility app.
https://www.scmagazine.com/news/application-security/ftc-says-fertility-app-premom-shared-user-health-data-with-third-parties
EyeMed Vision Care Reaches $2.5M Settlement Over Multistate Data
Breach - May 18, 2023 - Vision insurer EyeMed Vision Care reached a
$2.5 million settlement with the states of New Jersey, Oregon, and
Florida, following a 2020 data breach that impacted 2.1 million
individuals.
https://healthitsecurity.com/news/eyemed-vision-care-reaches-2.5m-settlement-over-multistate-data-breach
Up to 100 cases taken over HSE cyberattack, judge told - European
court to decide key liability issues over data breach but question
mark hangs over HSE liability for ‘non-material’ damage such as
stress.
https://www.irishtimes.com/crime-law/courts/2023/05/18/up-to-100-cases-taken-over-hse-cyberattack-judge-told/
GitHub reveals reason behind last week’s string of outages -
GitHub's Chief Security Officer and SVP of Engineering shared more
details today on a string of outages that hit the code hosting
platform last week.
https://www.bleepingcomputer.com/news/technology/github-reveals-reason-behind-last-weeks-string-of-outages/
UK steel industry supplier Vesuvius says ‘cyber incident’ cost £3.5
million - Engineering company Vesuvius, which announced in February
that it was managing a cyber incident, now says the episode will
cost the company £3.5 million ($4.6 million).
https://therecord.media/vesuvius-engineering-uk-steel-cyber-incident-cost
Patients angered after Oklahoma allergy clinic blames cyberattack
for shutdown - Dozens of angry parents and patients are demanding
answers after an Oklahoma allergy clinic shut its doors, blaming a
cyberattack for the abrupt closure.
https://therecord.media/oklahoma-allergy-clinic-blames-ransomware-for-shutdown
Dish Ransomware Attack Impacted Nearly 300,000 People - Satellite TV
giant Dish Network says the recent ransomware attack impacted nearly
300,000 people and its notification suggests a ransom has been paid.
https://www.securityweek.com/dish-ransomware-attack-impacted-nearly-300000-people/
Cyberattack on Norton Health spurs long waits, prescription and lab
delays - The FBI is actively working with Norton Healthcare to
determine the scope of an ongoing cyberattack, as the Louisville,
Kentucky, health network works to recover a number of patient care
systems.
https://www.scmagazine.com/news/privacy/cyberattack-on-norton-health-spurs-long-waits-prescription-and-lab-delays
Why are 1.8M Apria patients just now being notified of a 2021 data
breach? - Apria Healthcare on May 22 notified over 1.8 million
patients and employees that their personal, financial and health
data was accessed during a systems hack.
https://www.scmagazine.com/news/breach/apria-healthcare-notifies-nearly-2-million-patients-of-2021-data-breach
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or
notices to consumers. The compliance officer should check the
specific regulations to determine whether the disclosures/notices
can be delivered via electronic means. The delivery of
disclosures via electronic means has raised many issues with respect
to the format of the disclosures, the manner of delivery, and the
ability to ensure receipt by the appropriate person(s). The
following highlights some of those issues and offers guidance and
examples that may be of use to institutions in developing their
electronic services.
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers"
and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely
of asterisks or other symbols as pointers or hotlinks would not be
as clear as descriptive references that specifically indicate the
content of the linked material.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with
the Internet."
Utilization of the Internet presents numerous issues and risks
which must be addressed. While many aspects of system performance
will present additional challenges to the bank, some will be beyond
the bank's control. The reliability of the Internet continues to
improve, but situations including delayed or misdirected
transmissions and operating problems involving Internet Service
Providers (ISPs) could also have an effect on related aspects of the
bank's business.
The risks will not remain static. As technologies evolve,
security controls will improve; however, so will the tools and
methods used by others to compromise data and systems. Comprehensive
security controls must not only be implemented, but also updated to
guard against current and emerging threats. Security controls that
address the risks will be presented over the next few weeks.
SECURITY MEASURES
The FDIC paper discusses the primary interrelated technologies,
standards, and controls that presently exist to manage the risks of
data privacy and confidentiality, data integrity, authentication,
and non-repudiation.
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues
surrounding data privacy, confidentiality, and data integrity.
Encryption technology is also employed in digital signature
processes, which address the issues of authentication and
non-repudiation. Certificate authorities and digital certificates
are emerging to address security concerns, particularly in the area
of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital
certificates differ depending on the particular security issues
presented by the bank's activities. The technologies,
implementation standards, and the necessary legal infrastructure
continue to evolve to address the security needs posed by the
Internet and electronic commerce.
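The four properties the FDIC paper names (privacy/confidentiality, data integrity, authentication, and non-repudiation) each rest on a different technology, and the distinction is easiest to see when they are exercised side by side. The following Go program is an added example, not code from the FDIC paper or from this newsletter: it uses the Go standard library's AES-GCM and Ed25519 implementations, stands in a deliberately minimal signed (name, public key) binding for a real X.509 certificate, and constructs its own keys, account numbers and messages.

```go
package main

// Added example, not code from the FDIC paper or this newsletter; all keys and messages are constructed here.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// NewAEAD wraps an AES-256 key in GCM; GCM's tag gives integrity as well.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt gives confidentiality; the random nonce is prepended to the ciphertext.
func Encrypt(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails if any ciphertext byte was altered.
func Decrypt(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short: %d bytes", len(sealed))
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// A minimal certificate is the CA's signature over (subject name, public key);
// real X.509 certificates carry more fields, but that binding is the point.
func certBody(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pub...)
}

func IssueCertificate(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) []byte {
	return ed25519.Sign(caPriv, certBody(subject, pub))
}
func VerifyCertificate(caPub, pub ed25519.PublicKey, subject string, sig []byte) bool {
	return ed25519.Verify(caPub, certBody(subject, pub), sig)
}

func mustKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing OS random source is not recoverable here
	}
	return pub, priv
}

// DemoResult records each check so the four properties can be compared.
type DemoResult struct {
	Decrypted           string
	TamperDetected      bool // integrity: an altered ciphertext is rejected
	SigValid            bool // authentication: the customer's public key verifies their signature
	ReceiverCanForge    bool // non-repudiation: stays false, the bank cannot sign as the customer
	CertValid           bool // the CA vouches for the binding of name to key
	RenamedCertRejected bool // the CA signature does not survive rebinding the key to another name
}

// Demo walks a constructed payment instruction through each technology.
func Demo() (r DemoResult, err error) {
	msg := []byte("transfer 100.00 from acct 1234 to acct 5678")
	gcm, err := NewAEAD([]byte("0123456789abcdef0123456789abcdef")) // constructed 32-byte key
	if err != nil {
		return r, err
	}
	sealed, err := Encrypt(gcm, msg)
	if err != nil {
		return r, err
	}
	plain, err := Decrypt(gcm, sealed)
	if err != nil {
		return r, err
	}
	r.Decrypted = string(plain)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit in transit
	_, err = Decrypt(gcm, sealed)
	r.TamperDetected = err != nil
	custPub, custPriv := mustKeyPair() // the customer signs instructions
	_, bankPriv := mustKeyPair()       // the bank receives them
	r.SigValid = ed25519.Verify(custPub, msg, ed25519.Sign(custPriv, msg))
	forged := []byte("transfer 900.00 from acct 1234 to acct 5678")
	r.ReceiverCanForge = ed25519.Verify(custPub, forged, ed25519.Sign(bankPriv, forged))
	caPub, caPriv := mustKeyPair() // the certificate authority
	sig := IssueCertificate(caPriv, "customer-1234", custPub)
	r.CertValid = VerifyCertificate(caPub, custPub, "customer-1234", sig)
	r.RenamedCertRejected = !VerifyCertificate(caPub, custPub, "customer-9999", sig)
	return r, nil
}
```

Decryption with the right key recovers the instruction and a single flipped ciphertext bit is rejected (confidentiality and integrity); the customer's signature verifies under the customer's public key, while the receiving bank, holding only its own key, cannot produce one that does (authentication and non-repudiation, which a shared-key MAC could not provide, since both parties could have produced the tag); and the CA's signature over the name-to-key binding stops verifying as soon as the name is changed. Call Demo from a main or a test to inspect the DemoResult fields.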
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 4.6 Industrial Espionage
Industrial espionage is the act of gathering proprietary data from
private companies or the government for the purpose of aiding
another company(ies). Industrial espionage can be perpetrated either
by companies seeking to improve their competitive advantage or by
governments seeking to aid their domestic industries. Foreign
industrial espionage carried out by a government is often referred
to as economic espionage. Since information is processed and stored
on computer systems, computer security can help protect against such
threats; it can do little, however, to reduce the threat of
authorized employees selling that information.
Industrial espionage is on the rise. A 1992 study sponsored by the
American Society for Industrial Security (ASIS) found that
proprietary business information theft had increased 260 percent
since 1985. The data indicated 30 percent of the reported losses in
1991 and 1992 had foreign involvement. The study also found that 58
percent of thefts were perpetrated by current or former employees.
The three most damaging types of stolen information were pricing
information, manufacturing process information, and product
development and specification information. Other types of
information stolen included customer lists, basic research, sales
data, personnel data, compensation data, cost data, proposals, and
strategic plans.
Within the area of economic espionage, the Central Intelligence
Agency has stated that the main objective is obtaining information
related to technology, but that information on U.S. government
policy deliberations concerning foreign affairs and information on
commodities, interest rates, and other economic factors is also a
target. The Federal Bureau of Investigation concurs that
technology-related information is the main target, but also lists
corporate proprietary information, such as negotiating positions and
other contracting data, as a target.