How To Check A Suspicious Website

We’re all getting emails these days from hackers seeking to install malware on our computers and then steal our data. Phishing and spear phishing schemes start with innocent looking email messages, but when an unsuspecting user clicks a link, the result can be a risk management nightmare.

One of the easiest ways to check a link is to hover over it – but do not click it! – with your cursor. The web site address of the link will pop up, and you can see whether the actual address that pops up matches the text of the link in the email.

For example, let’s say you’re a customer of Acme Bank, and you get an email purporting to be from them asking you to click a link labeled “Update your login credentials” in the email. When you hover over the link, however, the web site address that appears is not Acme Bank at all, but something more like “iwill_steal-yourmoney.co.” In addition to deleting the message pronto, you should also alert other members of your organization so they don’t fall for the trick either.

Sometimes, you’ll run across a web site address that might seem legit, but you just don’t know. The answer won’t be as obvious as in the previous scenario. Maybe a friend or coworker told you about a site, or you found it on a search engine. Here at INSUREtrust, we recently ran across this situation with the real site of a real insurance organization. When we tried to go to the site, an ominous red screen appeared that warned that if we continued, we might encounter malware. We definitely did not click to continue to the site!

Instead, we researched the site with these online tools:

https://sitecheck.sucuri.net
https://www.webinspector.com
http://www.isithacked.com

Turns out, the web site had been blacklisted by all three tools for potential malware issues. We called the organization to inform them of the problem, of which they were unaware. We’re glad we could help them, but we won’t be going to that web site until the issues are cleared up!

Remember, there are all sorts of evil plots out there to steal your data. You need to be ever-vigilant. Doing a simple web check on links in emails – and other easy steps like this – will help. But, there is a lot more to this whole IT security puzzle. If you’d like to learn more, just email us for a copy of our “IT Security Policy Guide.”

New “Merry Christmas” Ransomware Discovered

All the celebrations are over and the decorations put away, but new ransomware by the name of “Merry Christmas” was discovered last week. Unsuspecting victims are sent an email that appears to either be from the Federal Trade Commission or from a court, both saying the victim has violated a regulation or law.

When a link to the supposed referenced legal document is opened, it launches Merry Christmas and infects the computer. Not only does the malware encrypt the user’s data, but some versions also load another piece of software that can steal login credentials and turn the user’s computer into a “bot” for use in other cyber attacks.

As always, be extra vigilant when you get a suspicious email. And don’t click a link unless you are positive that it is legitimate. If you’d like a copy of INSUREtrust’s “IT Security Policy Guide” to help your business be cyber secure, just email us.

For more information about the Merry Christmas ransomware, we recommend this article from ZDNet.

The Intriguing Story of LabMD – Part 3

In Parts 1 and 2 of this series, we’ve chronicled the fight between LabMD and the Federal Trade Commission (FTC), a large Federal agency charged with protecting consumers from unfair practices. In this article, we examine a recent FTC decision and a subsequent holding by the U.S. 11th Circuit Court of Appeals for additional facets of the story.

Eventually, LabMD decided to stop being cooperative with the FTC and to fight back. And fight they did: Various lawsuits were filed challenging the FTC’s authority to come after LabMD. Though the company lost, they were able to slow the FTC down to the extent it was necessary to deal with LabMD’s counter-punches. (Since 2013, LabMD’s defense has been handled pro-bono.)

The FTC’s action began in 2013 with the filing of its formal complaint against LabMD through its administrative dispute process. Then, in 2014, a Tiversa whistle-blower called LabMD’s president to say that none of the data had ever gone beyond Tiversa. The FTC proceeding was delayed while the whistle-blower sought, and eventually obtained, immunity from the DOJ. In the meantime, Rep. Issa’s committee Staff Report was embargoed until the conclusion of the whistle-blower’s testimony. The Staff Report was clearly critical of the FTC. Ultimately, the FTC administrative law judge held for LabMD and against the FTC. The FTC appealed to the full three-member commission.

The full commission of the FTC ruled this summer that the administrative law judge was wrong, and reversed the decision. The full commission decision runs some 37 pages. In it, the commission imposes data security and regular reporting requirements on LabMD (and the use of a third-party assessor engaged by LabMD). At least in part, the FTC tips its hand as to what it considers reasonable data security management practices to be. The costs of these FTC requirements are, according to the recent 11th Circuit ruling, hotly disputed. But they are certainly not zero.

LabMD isn’t done with the FTC yet, according to the Bloomberg article. Daugherty says that he had to lose before the full Commission (which has just occurred) in order to sue the FTC in federal court, outside the agency’s administrative arena. The Bloomberg article quotes Daugherty as saying that “I am basically opening the playbook to the world, which is what I ultimately want to do. We’re going to have a fair fight.”

That seems to be what has begun to happen. This is a complex multi-year situation with much litigation over many claims. But the “big picture” issue which should be of paramount interest to everyone is the heavy-handed action of the FTC against a small business. Apparently, the FTC views a business with the unmitigated audacity to challenge the FTC’s authority as a major threat. Their actions (described in the Bloomberg article and in a prior blog post) when they began their enforcement show that to be the case – very unambiguously.

The 11th Circuit was certainly not deferential to the FTC in its recent decision. Based on the language in the recent ruling staying the enforcement of the FTC’s full-commission order, it seems there is a solid chance the Court will look deeply (and critically) into the FTC’s actions, as well as the agency’s asserted grounds for its authority to take those actions.

This is indeed a cautionary tale about how the Federal government can destroy a company in an enforcement action, and it is a story which is not over yet – despite the destruction of LabMD as a going concern. But there may already be potentially important lessons to be learned. The details of the FTC’s decision are the subject of the next article, in an attempt to glean some guidance as to what its stated expectations of a small business are.

*AN IMPORTANT NOTE: The facts as summarized in this article are all according to published reports, and this article is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This article is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.

The Intriguing Story of LabMD – Part 2

In Part 1 of this series, we began to tell the story of how one simple breach of a single rule by a single employee sank a $4 million per year company called LabMD, and how the breach triggered very expensive – and extensive – litigation.

As LabMD dealt with its new DC lawyers, owner Michael Daugherty has said he urged them to think about Tiversa’s role in the FTC’s interest in LabMD. As far as he knew, the only entity downloading the information had been Tiversa. For whatever reason, his lawyers were not interested. Turning back to the FTC, Daugherty did not want to sign a consent decree, which would be available to the general public. Knowledge of the breach going public, Daugherty reasoned, would lead his customers (doctors) to conclude that their patients’ information was not secure with LabMD. So, he fought.

Daugherty’s arguments concerning Tiversa finally caught the attention of FTC commissioner J. Thomas Rosch. In 2012, Rosch said in a dissenting FTC opinion, a few months before he left the agency, that the evidence provided by Tiversa shouldn’t be used against LabMD. Daugherty began to work with Cause of Action Institute, a conservative legal aid group, which has handled LabMD‘s defense before the FTC pro bono since 2013. Daugherty also began to build a relationship with US Representative Darryl Issa (R-CA) of the House Oversight Committee.

The FTC litigation began in 2013 when the FTC brought an administrative action against LabMD in the agency’s administrative courts. The FTC charged that not only had LabMD‘s information on 9,000 patients leaked from its system, but that the personal information of some 500 persons had fallen into the hands of identity thieves in California. The agency came full-on: In a 3-hour period on October 24, 2013, its lawyers sent notice of 20 depositions to be taken in various parts of the country, and scheduled them all on the same day.

The company’s legal fees had reached about $500,000 by now. LabMD‘s lawyers sought a protective order. But the stress and cost of the battle were destroying the company. LabMD’s revenues nose-dived and Daugherty finally shuttered it in 2014. After losing his company, Daugherty self-published a book about his experiences called The Devil Inside the Beltway.

As Daugherty was waiting for the administrative court trial to kick off, he received a call in April 2014 from Richard Wallace, a Tiversa employee who had just left the company. Wallace told Daugherty of Tiversa’s role in LabMD‘s demise. It was Wallace who originally discovered the files on a peer-to-peer file-sharing network. The files had never been anywhere else; when LabMD declined Tiversa’s services, Wallace claimed he was instructed to add LabMD to a list of companies which Tiversa reported to the FTC. Wallace further stated that he had been instructed to create fake evidence showing other places where the LabMD file had supposedly been found.

The FTC trial began in May and Wallace’s testimony was crucial – since the FTC’s case was based primarily on Tiversa’s evidence. Wallace testified in May 2015, just over a year after he first called Daugherty.

At the same time, the House Oversight Committee had prepared a report which was locked away until the completion of Wallace’s testimony. The report found that Tiversa faked evidence of data breaches to market its services. The report also disclosed an FTC-Tiversa relationship dating back to 2007. One writer summarized the findings this way:

The report concluded that the FTC had sacrificed “good government” in using Tiversa to “obtain information validating its regulatory authority” and with providing Tiversa with “actionable information it exploited for monetary gain.”

In November, the administrative judge in the case ruled in favor of LabMD, throwing out Tiversa‘s testimony and evidence. This left the FTC without much of a case. The judge characterized the FTC’s assertions regarding LabMD and the data of the 9,000 patients as “pure, unsupported speculation.”

But the story is not yet over. In the last installment of this series, we will discuss the litigation between Daugherty and Tiversa, as well as dueling Wall Street Journal op-eds on the issue, and a 48 page decision this summer by the FTC reversing the decision of the ALJ, imposing stringent requirements on LabMD. And we’ll learn the FTC’s reasons for doing so.

*AN IMPORTANT NOTE: The facts as summarized in this blog post are all according to published reports, and this blog post is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This blog post is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.

The Intriguing Story of LabMD – Part 1

This is a rather different story of a cyber breach than what we usually write about. Instead of a company pitted against an unknown hacker whose identity will probably never be known, this one is about the cyber fight of one company, LabMD, with another, Tiversa. It started nearly ten years ago, and the saga continues today. As one recounting of this struggle explained: “A leak wounded [LabMD]; fighting the Feds finished it [LabMD] off.”

Back in 2008, LabMD, a medical testing lab, had about 30 employees and $4 million in annual sales. In May of that year, Tiversa, a web security company, called LabMD with information on an alleged breach. Tiversa told LabMD that it had obtained a file from LabMD‘s computer system containing patient information.

Tiversa sent the document to LabMD, which included more than 9,000 patients’ Social Security numbers. Tiversa told LabMD that it could investigate the breach, locate the cause, determine the extent of the damage, and then stop further spread of the information. LabMD investigated the breach on its own, and discovered that a single employee had (in violation of company rules) downloaded music file sharing software on her work computer. At the end of its month-long investigation, LabMD concluded that the information had not spread.

During this time, Tiversa continued to contact LabMD, claiming it was detecting searches for and downloads of the file. LabMD asked for details, but Tiversa wouldn’t provide any until LabMD signed up for Tiversa‘s services – at $475/hour. Tiversa was no fly-by-night firm: For a time, retired US Army General Wesley Clark was one of its advisors. By July of 2008, LabMD declined further solicitations and told Tiversa to direct all communications to its lawyers.

In the fall, Tiversa informed LabMD’s attorney that it was worried about being sued for not reporting the LabMD situation to the Federal Trade Commission (FTC). In early 2010, the FTC notified LabMD that it was conducting an inquiry, asserting that the file in question was available on a peer-to-peer file sharing network. And that was really the beginning of the end for LabMD.

As early as 2000, the FTC had stated that data breaches were subject to FTC jurisdiction per Section 5 of the FTC Act – which prohibits unfair or deceptive acts or practices affecting commerce. The first settlement was with online pharmacies. Since then, more than 60 cases have been brought by the agency. Apparently, LabMD is the only company who refused to settle with the FTC, and it would cost them dearly.

At first, the man who ran LabMD, Michael Daugherty, tried to be cooperative with the FTC in an attempt to resolve the matter. In a published interview, he has stated that he now calls that phase “the stupid zone.” At one point, he shipped 5,000 pages of documents to FTC headquarters in Washington, DC, even though the agency asked that everything be sent via FedEx, an extremely expensive method for moving that many documents. Eventually, Daugherty and his lawyer met with two FTC lawyers in July, and they sent more documents to the FTC in August.

In 2011, the FTC called again, requesting sworn testimony. At the urging of its counsel, LabMD hired Washington attorneys. The DC lawyers assumed control, but by then LabMD had spent nearly $250,000 on cyber security and system upgrades. And the company’s plight was about to go from bad to worse.

*AN IMPORTANT NOTE: The facts as summarized in this blog post are all according to published reports, and this blog post is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This blog post is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.

Directors and Officers On the Hook For Breach-Related Mismanagement

In response to a security breach in 2000 at the State Department, then Secretary of State Madeleine Albright told her staff, “I don’t care how skilled you are as a diplomat, how brilliant you may be at meetings, or how creative you are as an administrator – if you are not professional about security, you are a failure.”

Albright’s remarks might as well have been directed at every company’s directors and officers. Among a host of other requirements, directors and officers are tasked with acting in good faith and using all available information to make the best decisions for the company. Gone are the days of invoking the business judgment rule as a defense and assuming that courts will not second-guess management decisions – including those related to cyber security and preparedness.

Private company executives face many of the same potential cyber claim scenarios as their public company counterparts, often without the resources to defend the claim or maintain operations after judgment. These suits can come from a variety of sources: regulatory agencies, shareholders claiming mismanagement (i.e., security breaches affect the company’s financials), clients / PE firms with a financial interest, etc.

Preparation is key in mitigating the exposures from a cyber-related D&O suit. Purchasing security products merely to satisfy a checklist will not be defensible in court. Directors, officers, board members, and others in key leadership positions should:

  • Have a detailed understanding of the technology and system architecture of the company’s security
  • Play a role in the development of customer-facing terms, conditions, and privacy policies
  • Engage in vendor negotiations and breach planning
  • Be involved in the training, testing, and rehearsal of system defenses
  • Provide an adequate workforce dedicated to cyber security
  • Invest not only company resources, but also company time.

A properly underwritten directors’ & officers’ policy can be just as valuable as a cyber policy in the event of a security breach. Historically (and by design), D&O policies were intended to cover the executives for claims alleging mismanagement of his/her company with very few restrictions as to the type of mismanagement involved.

However, with the uptick in security breaches over the past ten years, many carriers have discreetly added a new exclusion to their policies removing coverage “based upon, arising out of, relating to, directly or indirectly resulting from, or in any way involving” cyber/security claims. This clause essentially removes coverage for management decisions related to the implementation and supervision of security protocols even when measures have been taken to protect the company (duty of care). Sounds crazy, right? The exact exposure meant to be addressed by a D&O policy is no longer covered.

There is good news though. A handful of markets are agreeable to modifying the exclusion. This can be accomplished through alternate intro wording, by providing a carveback for individual directors/officers (Side A), or by removing the exclusion altogether. The standard exclusion noted in the paragraph above should only be accepted as a last resort.

Just as a company’s directors, officers and employees work together to prevent a security breach, the Cyber and D&O policies must work together in response to a breach. Understanding the exposures and having the proper policy language in place certainly helps.

Penetration Tests

To offer maximum value to our insureds and stand out from the competition, we as insurance professionals need to do more than just offer our clients good coverage. We also need to help them with the bigger risk management picture.

For example, you may sell your client a workers’ comp policy, but you could also provide them with employee training materials geared towards reducing on-the-job accidents.

Similarly, when selling cyber insurance, we need to be thinking about other facets of risk management beyond risk transfer via a policy: Strengthening network security, educating employees on best practices, developing a breach response plan, and more.

One simple step towards the goal of shoring up network security is to evaluate the ability of the network to resist outside attacks. This is done through a penetration test (also called a “pen test”) – a method to open the insured’s eyes to their digital weaknesses which attackers could use to break into their systems, applications, devices, files, and networks. Penetration tests are foundational in defending IT assets.

Sometimes the phrases “vulnerability scan” and “penetration test” are used interchangeably, but they are not the same. A vulnerability scan is automated and focused on the inside of the network, while a penetration test requires the time of a security expert to manually verify vulnerabilities from the outside of the network.

A pen test attempts to gain access to the digital assets the insured values most. If a security hole is uncovered that could lead to a chain of threat actions, then it is understood as a significant weakness which requires immediate attention.

The IT professional conducting a penetration test will look in all sorts of areas for potential problems, including connectivity, configurations, application code, certificates and encryption, and even human behavior. All of these and more must be tested.

The pen test culminates in a lengthy report of findings. Unfortunately, these reports are infamously confusing, utilizing weakness rankings indirectly connected to the actual needs of the businesses. For this reason, they often gather dust and are used mainly to tick off key tasks on a regulatory checklist.

What’s missing from nearly all pen tests is a clear evaluation and quantification of sensitive data (customer information, financial accounts, employee files, proprietary business plans and trade secrets, etc.) and business processes truly at risk. If there’s no direct correlation between a weakness found and a real, quantifiable impact on the business, then it is impossible to justify the cost to repair the weakness.

INSUREtrust’s security services division, ASSUREtrust, offers penetration testing that focuses on the specific data and business operations of an individual insured. Small and medium sized businesses need robust security, but don’t have big IT budgets. We get it. Our pen test solution is easy to understand, and gets right to the point of how an insured can fortify their security using a practical, reasonable outlay of resources.

Contact us today to find out how to help your clients get real value from their limited security dollars.

Overcoming Client Objections to Cyber Coverage – Part 1

“Cyber Liability… What is that, exactly? Do you mean data breach insurance? That has something to do with technology, right? Like, internet insurance?” These were some of the questions we saw in the early years of cyber liability products. Today though, the questions have changed. High profile breaches at Target, Home Depot, Sony, and many others are in the news on a regular basis.

It’s no longer a matter of bringing up the conversation in our meetings with clients. Now it’s the media that’s providing us with the conversation starter. Okay, so combine the fact that everyone now knows the coverage exists with the obvious black cloud of fear it has placed in business owners, and the result must be that everyone is purchasing, right? Well, no. As most independent agents are painfully aware, this is simply not the case.

So if the hackers are winning the war, and any and all companies are vulnerable to a breach, what is the pushback from insureds? We’re observing a combination of insured misconceptions about cyber dangers and their potential solutions that are leading them to go without coverage:

  1. Inability to recognize their company’s exposures to cyber incidents.
  2. Failing to understand the breadth of coverage in a state-of-the-art cyber policy.
  3. Mistakenly believing that strong IT security is all their business needs.

You’ve probably heard a client say something like:

“I don’t have any valuable data.”

“But my data is stored in a hosting facility.”

“I’m not Target, hackers aren’t interested in me.”

“I don’t sell products online.”

“When I do take credit cards, they are handled by someone else.”

Let’s take a closer look at the first objection: “I don’t have any valuable data.” For virtually any business, this is simply not the case. For example, a general contracting firm, which usually has very little personally identifiable information (PII) or credit card information on its network, still has data exposure. Their email probably contains all sorts of privileged and confidential information. Email can be hacked.

The contractor also likely has employee records on file, containing Social Security numbers, salary information, addresses, etc. OK, so big deal, right? What if a disgruntled employee or outside hacker breaks in and publishes this data? Does anyone care that Jenny makes more than Johnny? What if Jenny was hired last month, and Johnny has been with the company for 10 years?

No doubt, there is digital data with sensitive corporate information: Strategic plans, customer lists, and other valuable files that need to stay out of the hands of the competition.

Though unlikely, for the sake of argument, let’s assume the contractor has some important documents such as architectural plans only in paper form. They are sitting in files in the office. Even these paper files are covered by a strong policy. What happens when Johnny misplaces the files and work stops, or if the customer needs specific data in the files and no one can locate them?

As you can see, sensitive data extends far beyond credit cards and Social Security numbers. It’s important to help your clients understand their digital vulnerabilities. Clients have real exposure, and need real protection.

The good news is that it’s a buyer’s market, and cyber policy premiums are competitive.

In the next article, we’ll discuss other objections to cyber coverage.

Physical Security is Vital to Defend Against Hacking

There are a lot of things that a business can do from a digital standpoint to boost its IT security, and we’ve written repeatedly about some of these methods. But physical security of computer resources, and particularly laptops, is also critical in maintaining a strong defense against cyber criminals.

According to Cybersecurity for Businesses, a document issued by the San Diego Police Department, there are numerous physical security measures your business should have in place, including:

  • Prevent unauthorized persons, including cleaning crews, from access to any of your computers.
  • Install strong doors and locks to the computer room to prevent equipment theft and tampering.
  • Restrict access to computer facilities to authorized personnel.

Portable computing devices are even more prone to physical theft than desktops and servers, and therefore need extra attention:

  • Have employees lock up their laptops when they are left unattended in their offices. Laptops should never be left unguarded.
  • Don’t leave a laptop visible inside vehicles or unattended in public places.
  • Keep a record of all laptop model and serial numbers so if one is recovered you can prove it is yours. Also keep the sales receipt and register the laptop with the manufacturer.
  • Place stickers on the laptops with a phone number to call if one is lost and found by an honest person. But don’t put the business name on it. That could be used by criminals to guess passwords or assess the sensitivity of the data stored on the laptop.

We will be discussing IT security and other topics relevant to cyber liability coverage at all five of our 2016 Cyber Boot Camps. Please plan to join us in Miami, Houston, Dallas, Los Angeles, or Atlanta for a Cyber Boot Camp!

There are also numerous past articles about IT security on the News section of our web site.

Current Cyber Threats and Market Update

Cyber policies from various carriers are widely different products that make it nearly impossible for the average buyer to effectively compare.

Industries most frequently breached are healthcare, higher education, and financial services. But all companies have email, and that is sensitive information too.

One current concern of underwriters is how to deal with a scenario where a cloud vendor is breached that houses the data of multiple insureds.