FMG Law Blog Line

Posts Tagged ‘privacy’

Businesses Beware of the Parallax RAT Trap

Posted on: July 7th, 2020

By: Peter Dooley

One of the newest and most potentially harmful malware campaigns, the appropriately named Parallax RAT, has been wreaking havoc on businesses of all sizes during this already trying time of increased remote work. RAT stands for “remote access trojan” and Parallax RAT is on the cutting edge of malware that is most often distributed through malicious attachments to camouflaged emails. The full control over an infected system that this remote access trojan gives hackers can and has been devastating to businesses storing sensitive client or employee information.

The sensitive personal, medical, and financial information gained by hackers using Parallax RAT can be sold on any number of darknet markets or forums. Additionally, companies facing breaches of larger magnitudes have been forced to pay ransoms in Bitcoin in order to regain control of their sensitive data. Trojan threats like this one are nothing new and RATs have been used to gather information and steal credentials for nearly two decades; notable RATs that rose to popularity before Parallax include Agent Tesla, IvizTech, and RevengeRAT. Parallax RAT distinguishes itself by offering malicious actors a wider range of file types to phish for credentials as well as more efficient and sophisticated tools to camouflage attacks. The ease of use and ability to tailor communications using specific information are putting small businesses in increasing peril.

Recent accounts of certified public accounting firms being victims of the malware and having fraudulent tax returns filed using the CPA’s credentials illustrate the high stakes and complex risks associated with a Parallax RAT attack. If a breach does occur, the login credentials seized may be used to deliver the Trojan’s payload to the affected computer. Parallax is then installed and launches whenever a user logs into the system. At this point, the hacker has the ability to access the infected computer and can use a keylogger to copy or steal sensitive or valuable information. This scenario is even more worrisome as victims of a Parallax RAT attack are often completely unaware of the breach until they are notified through other means that sensitive data has been leaked.

To minimize the risks of a Parallax RAT attack or other cyber-attack, organizations should be vigilant in their defenses against malware. Training your workforce on identifying phishing emails, being skeptical of anything unsolicited, and not clicking on attachments or links from unknown sources is critical and should be among your first priorities. Anti-virus should be installed and up-to-date on all servers and endpoints within your network, in addition to intrusion detection software that identifies and alerts you to any suspicious activity. Also be sure that your organization maintains regular backups of its data, stored separately and unconnected from your primary data repository, so you have the ability to restore files if you become infected with ransomware. Lastly, now is a good time to review your cyber liability insurance to ensure coverage is in place with appropriate limits and coverage for ransomware and other privacy events. In addition to the stress involved, cyber attacks can be costly and you will thank yourself later.

If you have questions or would like more information, please contact Peter Dooley at [email protected] or a member of our Data Security, Privacy & Technology practice group.

New Jersey’s Continued Push to Expand its Data Breach and Privacy Laws

Posted on: July 1st, 2020

By: Zachary Danner

Following in the steps of California and other states considering consumer privacy legislation, New Jersey’s legislators have recently introduced a number of bills that would establish specific notification requirements for the collection and use of personally identifiable information (“PII”). While current law requires businesses to notify consumers if there is an unauthorized access to electronically stored PII, there is no current law in New Jersey that requires businesses to notify consumers when and if their PII is being collected or shared with a third party. There also is not an existing process for a consumer to request information about the collection or sharing of his or her PII or to request that it be destroyed.

However, there are two bills currently being considered by the New Jersey Senate and Assembly that would require specific steps by a business before collecting PII or sharing it with a third party. These bills also establish requirements for how businesses handle the PII they collect from consumers to ensure its security and privacy. The following is a summary of the key provisions of each bill under consideration.

I. Senate Bill S1257

In February 2020, Senate Bill S1257, introduced by Assembly Member Troy Singleton, was referred to the Senate Commerce Committee. In short, if approved and signed, the bill would require commercial internet websites and online services to notify consumers of the collection and disclosure of PII and would allow the consumer to opt-out of the sale of their PII.

The notification to consumers prior to collection of PII must be clearly and conspicuously posted on the business’s website or online service, or in another prominently accessible location that the business maintains for consumer privacy settings, and include the following information:

  1. The categories of PII collected through the website or online service about a consumer who uses or visits the website or service;
  2. All third parties with which the operator may disclose a consumer’s PII;
  3. Whether a third party may collect PII about a consumer’s online activities over time and across different websites or online services when the consumer uses the operator’s website or online service;
  4. A description of the process for a consumer to review and request changes to any of his or her PII that is collected by the website or online service;
  5. The process by which the operator notifies consumers who use or visit the website or online service of material changes to the notification currently posted on the website; and
  6. One or more designated addresses that a consumer may use to request information under the bill.

As to selling information to third parties, the bill would require a business to provide a link on its website or online service that allows a consumer, by verified request, to opt out of the sale of his or her PII to any third party. A consumer may request from the business information about his or her PII that was disclosed and the names and contact information of the third parties that received his or her PII. Once the request is received, the business must respond to the consumer within 60 days and provide the information for all disclosures of PII that occurred in the prior 12 months. This information is to be provided free of charge.

The bill also creates protections for consumers who opt out of the sale of their PII. It specifically prohibits a business from discriminating against or penalizing a consumer who opts out. However, the business would not be prohibited from offering consumers discounts, loyalty programs, or other incentives for the sale of their PII, or from providing different services to consumers that are reasonably related to the value of the relevant data.

Lastly, the proposed legislation does not include a private right of action for alleged violations. Rather, the Attorney General is to have sole authority to enforce a violation of the statute, if it were to be adopted and put into law in its current form.

II. Assembly Bill A3255

A second similar, but even more consumer-friendly bill, was proposed to the General Assembly in February 2020. Assembly bill A3255, introduced by Assembly Member John J. Burzichelli, was referred to the Assembly’s Science, Innovation, and Technology Committee for consideration. 

This bill requires that businesses follow certain requirements concerning the collection of a consumer’s PII. Unlike Senate Bill S1257, Assembly Bill A3255 specifically prohibits a business from collecting a consumer’s PII unless a consumer affirmatively opts in to the collection. At or before the point of collection, a business that collects a consumer’s PII must inform consumers about the categories of PII to be collected and the purposes for which the categories of PII will be used. Further, the business may not collect other categories of PII or use PII collected for other purposes without providing the consumer prior notice. 

If the business wants to sell a consumer’s PII to a third party, the bill requires that it provide each consumer with notice that PII may be sold and that the consumer has the “right not to opt-in” to the sale of his or her PII.  Even if a consumer initially agrees to the sale of his or her PII, the consumer can at any time rescind that authorization, and the business must immediately stop selling the consumer’s PII.

A consumer also would have the right to request information about the disclosure of his or her PII. If a business receives a verifiable request from a consumer, it must promptly take steps to disclose and deliver, free of charge, the PII that was disclosed to a third party. The information may be delivered by mail or electronically, and if provided electronically, it must be in a portable and, to the extent technically feasible, readily useable format that allows the consumer to transmit this information to another entity without hindrance. A business may provide PII to a consumer at any time, but is not to be required to provide PII to a consumer more than twice in a 12-month period.

The bill also provides that a consumer has a right to request that a business delete any PII it has collected from the consumer. Like Senate Bill S1257, this statute would also prohibit discrimination against any consumer who chooses to opt out of the sale of his or her PII to third parties.

Any violation of the bill would constitute an unlawful practice and violation of the New Jersey Consumer Fraud Act, which would be punishable by a monetary penalty of up to $10,000 for a first offense and $20,000 for a subsequent offense. However, a grace period would be provided to the business, allowing it 30 days to cure any alleged violation after being notified of the alleged noncompliance before it is assessed a penalty.

III. Takeaways from the proposed legislation

If adopted into law, each of these statutes would change the way businesses in New Jersey operate with regard to the collection and use of consumer information. Clearly, the California Consumer Privacy Act is the model that New Jersey and other states are now looking to follow. As businesses in California already know, complying with these requirements is onerous and can take time. Therefore, businesses should stay informed on the proposed legislation and be aware of New Jersey’s developing efforts to protect PII, as they could have a significant impact on their operations.

Please be sure to visit our firm’s blog for updates and other up-to-date news and analysis of data security and privacy issues. If you have questions or would like more information, please contact Zachary Danner at [email protected].

Currently pending in the Massachusetts legislature is Bill S.120 entitled “An Act Relative to Consumer Data Privacy”

Posted on: April 25th, 2019

By: Eric Martignetti

The proposed bill defines “personal information” as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or the consumer’s device.” “Personal information” includes “biometric information.” “Biometric information” is “an individual’s physiological, biological or behavioral characteristics, including an individual’s DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity,” including “imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.”

Under the proposed bill, a business that collects a consumer’s personal information shall, at or before the point of collection, notify a consumer of: (1) the categories of personal information it will collect; (2) the business purpose for which their personal information will be used; (3) the categories of third parties to whom the business discloses their personal information; (4) the business purpose for the third-party disclosure; and (5) the consumer’s right to request a copy of their personal information, the deletion of their personal information, and the right to opt out of the disclosure of their personal information to third parties. Also, a business must include these five items either in its online privacy policy or on its website.

Under the proposed bill, a business shall also make reasonably available to consumers two or more methods, including a link on the home page of its website, for submitting a consumer verified request. Through a consumer verified request, a consumer can request: (1) the specific pieces of personal information the business has collected about them; (2) the sources from which their personal information was collected; (3) the names of third parties to whom the business disclosed their personal information; and (4) the business purpose for third-party disclosure.

The proposed bill applies to a “business” that: (1) “is organized or operated for the profit or financial benefit of its shareholders or other owners”; (2) “collects Massachusetts consumers’ personal information”; and (3) “has annual gross revenues in excess of $10,000,000” or “derives 50 percent or more of its annual revenues from third party disclosure of consumers’ personal information.”

The proposed bill carves out an exception for “a business collecting or disclosing personal information of the business’s employees so long as the business is collecting or disclosing such information within the scope of its role as an employer.” This exception would, in most cases, protect employers from lawsuits brought by employees under the Act.

The proposed bill creates a private right of action for consumers. In a private right of action, a consumer need not suffer a loss of money or property, and they may recover $750 in statutory damages or their actual damages, whichever is greater. A consumer may also recover costs and attorneys’ fees.

If you have any questions or would like more information, please contact Eric Martignetti at [email protected].

New Cybersecurity Trend: Data Security and Disposal Laws

Posted on: February 7th, 2019

By: David Cole & Amy Bender

Tales of data breaches flood our news reports these days. By now, you hopefully are aware that all 50 states have laws requiring persons and organizations that own or maintain computerized data that includes personal information to notify affected individuals, and sometimes the government, in the event of a data breach involving their personal information. (You know those letters you’ve received from hospitals, retail stores, and other companies advising you that they experienced a data breach that may have exposed your personal information? They didn’t notify you out of the goodness of their hearts – it’s the law!)

In the past, these laws have focused solely on notifying affected individuals about compromises to their personal information. Outside of specific industries, such as healthcare or financial services, which are regulated by laws applicable only to them, such as HIPAA and the Gramm-Leach-Bliley Act, respectively, there have not been laws of general applicability regulating the standard of care required for protecting personal information in the first place. Recently, however, a trend has emerged among state legislatures to take this next step in cybersecurity legislation by setting standards for businesses’ protection of consumers’ personal information.

The majority of states now have enacted data security and/or data disposal laws that place affirmative obligations on entities (or, in some instances, certain types of industries) that own or use computer data containing personal information to safeguard and/or dispose of or encrypt that data. Below is a current list of states that have adopted these laws:

(Click here for our discussion of the significant and comprehensive data security law California passed last year.)

Unfortunately, there is not one universal standard for how to secure and destroy data containing personal information, but rather, the standard varies by state. Organizations that operate in multiple states thus may have to comply with multiple and differing requirements. In addition, many of these laws only provide general, and often vague, guidelines that do not specify particular technologies or data security measures that should be implemented. For instance, many laws only require that businesses implement “reasonable” administrative, physical, and/or technical safeguards to protect personal information from unauthorized use or disclosure, and then describe “reasonable” measures as those “appropriate based on the size of the business and the nature of information maintained.” That may be clear as mud, but at least it’s a start and enough to put businesses on notice that doing nothing is not an option.

For these reasons, we recommend that businesses work with legal counsel to understand the laws of the states where they do business and to conduct a security risk assessment to evaluate the information they maintain, the potential risks to it, and the current measures in place to protect it. Working with legal counsel, businesses should then work with an experienced cybersecurity provider to translate that risk assessment into an actionable plan for improving data security and privacy within their organization. The legal standards still might be vague, but going through a process like this will put businesses in the best position to demonstrate good faith and reasonable efforts to meet their legal obligations if and when an incident occurs or a claim is made by a third party.

Please contact David Cole, Amy Bender, or one of the other members of our Data Security, Privacy & Technology team at FMG for additional questions or to discuss conducting a risk assessment for your organization.

VISA Issues Security Alert Due to Increased Data Breaches Caused by Insecure Remote Access

Posted on: July 30th, 2014

By: David Cole

When a merchant experiences a data breach involving credit card information, it is often required by the card brands to hire a Payment Card Industry Forensic Investigator (PFI). The PFI investigates the incident and then provides a report to the card brands on what happened, how it happened, and whether the merchant’s system complied with the Payment Card Industry Data Security Standards (PCI DSS).  The card brands receive hundreds of PFI reports each year, and they occasionally issue security alerts when they see an emerging threat pattern in PFI reports.

Just this month, Visa issued a security alert titled “Insecure Remote Access and User Credential Management,” in which it reported an increase in data security breaches stemming from insecure remote access.  The alert notes that a number of remote access solutions are commonly used to provide remote management and support for merchants, such as LogMeIn, PCAnywhere, VNC, and Microsoft Remote Desktop.  When used correctly, applications like these are effective ways to provide technical support among large numbers of merchants.  But if used maliciously, they can expose payment card data and other sensitive information to cyber criminals. This is because insecurely deployed remote access applications create a conduit for cyber criminals to log in, establish additional “back doors” by installing malware, and steal payment card data.

The alert warns that the circumstances around multiple data breaches in the last several months suggest that an actor or group of actors is targeting merchants who share common Point-of-Sale (POS) integrators or remote support vendors. It then identifies several common vulnerabilities that are allowing intruders to gain access through remote applications. These include: (1) remote access ports and services always being available on the Internet; (2) outdated or unpatched systems; (3) use of default passwords or no passwords at all; (4) use of common usernames and passwords; (5) single factor authentication; and (6) improperly configured firewalls.

To protect against these vulnerabilities, the alert advises merchants to examine their remote management software for insecure configurations, use of outdated or unpatched applications, and common or easily-guessed usernames and passwords, and to ensure that the overall payment processing environment is securely configured and maintained in accordance with the PCI DSS. In addition, merchants should follow these other security practices to mitigate their risk:

  • Ensure proper firewall rules are in place, allowing remote access only from known IP addresses.
  • If remote connectivity is required, enable it only when needed.
  • Contact your support provider or POS vendor and verify that a unique username and password exists for each of your remote management applications.
  • Use the latest version of remote management applications and ensure that the latest security patches are applied prior to deployment.
  • Plan to migrate away from outdated or unsupported operating systems like Windows XP.
  • Enable logging in remote management applications.
  • Do not use default or easily-guessed passwords.
  • Restrict access to only the service provider and only for established time periods.
  • Only use remote access applications that offer strong security controls.
  • Always use two-factor authentication for remote access. Two-factor authentication can be something you have (a device) as well as something you know (a password).
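
Once logging is enabled in a remote management application, several items on this list can be checked from the session log itself. The script below is an added example, not part of the Visa alert or the original post: it reviews remote-access sessions against a known-IP allowlist, an agreed support window, a list of common usernames, and use of a second factor. The log format, the policy values, and the sample lines are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed policy values (hypothetical; replace with your own vendor details).
KNOWN_SUPPORT_NETWORKS = [ip_network("198.51.100.0/28")]
SUPPORT_WINDOW = (time(8, 0), time(18, 0))
COMMON_USERNAMES = {"admin", "administrator", "support", "pos", "guest"}


@dataclass
class Session:
    when: datetime
    source_ip: str
    username: str
    second_factor: bool


def parse_line(line):
    """Parse 'ISO-timestamp src=IP user=NAME mfa=yes|no' (constructed format)."""
    stamp, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return Session(datetime.fromisoformat(stamp), fields["src"],
                   fields["user"].lower(), fields["mfa"] == "yes")


def findings(session):
    """Return the list of policy violations for one remote-access session."""
    issues = []
    addr = ip_address(session.source_ip)
    if not any(addr in net for net in KNOWN_SUPPORT_NETWORKS):
        issues.append("unknown-source-ip")
    start, end = SUPPORT_WINDOW
    if not (start <= session.when.time() <= end):
        issues.append("outside-support-window")
    if session.username in COMMON_USERNAMES:
        issues.append("common-username")
    if not session.second_factor:
        issues.append("single-factor")
    return issues


def audit(lines):
    """Map 1-based line numbers to findings; malformed lines are reported too."""
    report = {}
    for number, line in enumerate(lines, 1):
        try:
            issues = findings(parse_line(line))
        except (ValueError, KeyError):
            issues = ["unparseable"]  # a log you cannot read is itself a finding
        if issues:
            report[number] = issues
    return report


# Constructed sample log lines, not taken from any real system.
SAMPLE_LOG = [
    "2014-07-28T10:15:00 src=198.51.100.5 user=vendor-jlee mfa=yes",
    "2014-07-29T02:41:00 src=203.0.113.77 user=admin mfa=no",
    "2014-07-29T14:05:00 src=198.51.100.9 user=support mfa=yes",
    "garbage line",
]

if __name__ == "__main__":
    for number, issues in audit(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(issues)}")
```
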