One of the constants in business offices decade after decade is the copying machine, and today's copiers are far more advanced than their predecessors. But new technology brings new problems. Modern copiers and multifunction printers contain hard drives that typically retain images of the documents they copy, scan, print and fax. Those drives, potentially rich with sensitive data, are also a target for attackers.
If you lease a digital copier from an outside vendor, you are probably at the greatest risk. At the end of the lease the copier often goes back to the equipment company with its hard drive never having been erased, a major problem, because there is a good chance the machine will be leased or sold to another company after your term ends.
Best practice dictates that the hard drive be completely wiped before the equipment company retakes custody of the machine. Deleting the stored jobs or resetting the copier's settings is not enough: the drive must be overwritten (or removed and physically destroyed), and you should get written confirmation of whichever was done. Otherwise, you have no idea who might end up with access to your company's proprietary, sensitive, and confidential information.
Perhaps the best-known real-world example is the 2010 Affinity Health Plan breach [http://timesleader.com/business/2414/digital-copiers-a-security-risk]. When Affinity upgraded its equipment, its leased digital copiers were returned and resold to other businesses without any of the hard drives being erased, potentially exposing the protected health information of more than 300,000 individuals. Because this was a HIPAA violation, Affinity ultimately paid about $1.2 million in a 2013 settlement with the Department of Health and Human Services.
To avoid a nightmare scenario, there are several steps you can take, in addition to completely erasing a copier's hard drive before it leaves your office:
· Ensure the vendor you purchase or lease equipment from encrypts the copier's hard drive, and ask whether the model offers an image-overwrite feature that erases each job's data from the drive once the job is finished.
· Some machines have a feature that stops the drive from retaining copies of your documents. If your copier has such a feature, consider using it.
· If your copier is on a network so that users can print to it remotely, make sure that the network is secure: change the default administrator password, keep the firmware up to date, and restrict access to the copier's web administration interface to the people who actually need it.
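As an added example (not part of the original post), here is a small Python script for checking whether a drive, or an image of it, still contains recognizable document data after a supposed wipe. It assumes the copier's drive has been removed and is readable as a raw device or image file (the path on the command line is the reader's own), scans it in chunks for the magic bytes of formats copiers commonly spool (PDF, JPEG, TIFF, PostScript, PJL print jobs), and counts non-zero bytes. The sample image at the bottom is constructed for the demonstration.

```python
import io

# Magic bytes of formats a copier/MFP typically spools or archives on its drive.
SIGNATURES = {
    b'%PDF-': 'PDF',
    b'\xff\xd8\xff': 'JPEG',
    b'II*\x00': 'TIFF (little-endian)',
    b'MM\x00*': 'TIFF (big-endian)',
    b'%!PS': 'PostScript',
    b'\x1b%-12345X': 'PJL print job',
}
# Bytes carried from one chunk to the next so a signature split across a
# chunk boundary is still found.
OVERLAP = max(len(sig) for sig in SIGNATURES) - 1


def scan_stream(stream, chunk=1 << 20):
    """Read a raw device or image in chunks. Returns (nonzero_bytes, hits),
    where hits is a sorted list of (offset, format) for every signature found."""
    nonzero = 0
    hits = []
    tail = b''
    offset = 0          # stream offset of the start of the current chunk
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        nonzero += len(buf) - buf.count(0)
        window = tail + buf
        base = offset - len(tail)
        for sig, name in SIGNATURES.items():
            start = 0
            while True:
                i = window.find(sig, start)
                if i < 0:
                    break
                # A match that ends inside the carried tail was already reported
                # while scanning the previous chunk.
                if i + len(sig) > len(tail):
                    hits.append((base + i, name))
                start = i + 1
        offset += len(buf)
        tail = window[-OVERLAP:]
    hits.sort()
    return nonzero, hits


def scan_bytes(data, chunk=1 << 20):
    """Convenience wrapper for in-memory data (used by the demo below)."""
    return scan_stream(io.BytesIO(data), chunk)


def verdict(result):
    nonzero, hits = result
    if hits:
        return 'RESIDUAL DATA: %d document signature(s) found' % len(hits)
    if nonzero == 0:
        return 'drive reads as all zeros'
    return ('no document signatures found (%d non-zero bytes; expected if '
            'the wipe used random data)' % nonzero)


# Constructed sample "drive image": mostly zeros with a PDF header at offset 10
# and a JPEG header at offset 24, i.e. what a half-done wipe might leave behind.
SAMPLE_IMG = (b'\x00' * 10 + b'%PDF-1.4\n' + b'\x00' * 5
              + b'\xff\xd8\xff\xe0' + b'\x00' * 3)

if __name__ == '__main__':
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:   # e.g. /dev/sdb or copier.img (your path)
            result = scan_stream(f)
    else:
        result = scan_bytes(SAMPLE_IMG)
    for off, name in result[1][:20]:
        print('0x%08x  %s' % (off, name))
    print(verdict(result))
```

A drive overwritten with zeros should report no signatures and zero non-zero bytes; one overwritten with random data will report non-zero bytes but, again, no signatures. Any signature hit means the wipe did not reach that region (or the machine keeps data somewhere other than the drive you imaged), so treat the result as a reason to redo the wipe or destroy the drive rather than as proof of what is stored there.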
There is never a bullet-proof way to ensure data will be safe, but taking steps like these definitely helps make it more difficult for the bad guys to get their hands on your company’s data.
We’re all getting emails these days from hackers seeking to install malware on our computers and then steal our data. Phishing and spear phishing schemes start with innocent looking email messages, but when an unsuspecting user clicks a link, the result can be a risk management nightmare.
One of the easiest ways to check a link is to hover over it with your cursor (but do not click it!). The actual web address the link points to will pop up, and you can see whether it matches the text of the link in the email. On a phone or tablet, a long press on the link usually shows the same information. Look at the whole domain, not just whether the company's name appears somewhere in it: an address like "acmebank.com.something.co" belongs to "something.co", not to Acme Bank.
For example, let's say you're a customer of Acme Bank, and you get an email purporting to be from them asking you to click a link labeled "Update your login credentials." When you hover over the link, however, the address that appears is not Acme Bank's at all, but something more like "iwill_steal-yourmoney.co." In addition to deleting the message pronto, you should alert the rest of your organization so they don't fall for the trick either.
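The hover check can be automated for an HTML email body. The following Python script is an added example, not something from the original post: it pulls every link out of the message with the standard library's HTML parser and flags the same mismatches a careful reader would spot by hovering, namely link text that shows one domain while the href goes to another, a link that does not go to the domain you expect from the sender, and a link to a bare IP address. The "Acme Bank" message is a constructed sample, "acmebank.example" is an assumed legitimate domain, and the registrable-domain helper is deliberately crude (last two labels, no public suffix list).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a host name inside the visible link text.
DOMAIN_RE = re.compile(r'(?:[a-z0-9-]+\.)+[a-z]{2,}', re.I)


def registrable(host):
    """Crude 'registrable domain': the last two labels of a host name.
    Assumption for illustration only; real code should consult the public
    suffix list so that names like 'bank.co.uk' are handled correctly."""
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self._href = dict(attrs).get('href')
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == 'a' and self._href is not None:
            text = ' '.join(''.join(self._text).split())   # normalize whitespace
            self.links.append((self._href, text))
            self._href = None


def check_link(href, text, expected_domain=None):
    """Return the reasons a link looks deceptive; an empty list means no finding."""
    findings = []
    parsed = urlparse(href.strip())
    if parsed.scheme.lower() not in ('http', 'https'):
        return ['link uses a non-web scheme: %r' % parsed.scheme]
    host = parsed.hostname or ''
    if re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', host):
        findings.append('link goes to a bare IP address %s' % host)
    shown = DOMAIN_RE.search(text)          # domain the reader sees in the text
    if shown and registrable(shown.group(0)) != registrable(host):
        findings.append('text shows %s but link goes to %s' % (shown.group(0), host))
    if expected_domain and registrable(host) != registrable(expected_domain):
        findings.append('link goes to %s, not %s' % (host, expected_domain))
    return findings


def scan_email(html, expected_domain=None):
    """Return [(href, text, findings)] for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text, expected_domain))
            for href, text in parser.links]


# Constructed sample message (not a real phishing email) impersonating "Acme Bank".
SAMPLE = """
<p>Dear customer,</p>
<p>Please <a href="http://iwill_steal-yourmoney.co/login">Update your login credentials</a>
within 24 hours.</p>
<p>Or visit <a href="https://acmebank.example.evil-host.test/x">https://www.acmebank.example/</a></p>
<p>Questions? See our <a href="https://www.acmebank.example/help">Help Center</a>.</p>
"""

if __name__ == '__main__':
    for href, text, findings in scan_email(SAMPLE, expected_domain='acmebank.example'):
        print('%-10s %-32s -> %s' % ('SUSPICIOUS' if findings else 'ok', text, href))
        for reason in findings:
            print('           ', reason)
```

The second sample link shows why the whole domain matters: "acmebank.example.evil-host.test" contains the bank's name but is registered under "evil-host.test", so the check flags it even though a glance at the hover text might not. A clean result is not proof of safety (a compromised legitimate site passes every check here); it only rules out the cheap tricks.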
Sometimes you'll run across a web site address that might seem legit, but you just don't know. The answer won't be as obvious as in the previous scenario. Maybe a friend or coworker told you about a site, or you found it on a search engine. Here at INSUREtrust, we recently ran across this situation with the real site of a real insurance organization. When we tried to go to the site, an ominous red screen appeared that warned that if we continued, we might encounter malware. We definitely did not click to continue to the site!
Instead, we researched the site with these online tools:
Turns out, the web site had been blacklisted by all three tools for potential malware issues. We called the organization to inform them of the problem, of which they were unaware. We’re glad we could help them, but we won’t be going to that web site until the issues are cleared up!
Remember, there are all sorts of evil plots out there to steal your data. You need to be ever-vigilant. Doing a simple web check on links in emails – and other easy steps like this – will help. But, there is a lot more to this whole IT security puzzle. If you’d like to learn more, just email us for a copy of our “IT Security Policy Guide.”
All the celebrations are over and the decorations put away, but a new ransomware family by the name of "Merry Christmas" was discovered last week. Victims receive an email that appears to be from either the Federal Trade Commission or a court, claiming that the recipient has violated a regulation or law.
When the link to the supposedly referenced legal document is opened, it downloads and runs Merry Christmas, which encrypts the user's files. Some versions also install a second piece of malware that steals login credentials and turns the computer into a "bot" for use in other cyber attacks.
As always, be extra vigilant when you get a suspicious email. And don’t click a link unless you are positive that it is legitimate. If you’d like a copy of INSUREtrust’s “IT Security Policy Guide” to help your business be cyber secure, just email us.
For more information about the Merry Christmas ransomware, we recommend this article from ZDNet.
In Parts 1 and 2 of this series, we’ve chronicled the fight between LabMD and the Federal Trade Commission (FTC), a large Federal agency charged with protecting consumers from unfair practices. In this article, we examine a recent FTC decision and a subsequent holding by the U.S. 11th Circuit Court of Appeals for additional facets of the story.
Eventually, LabMD stopped cooperating with the FTC and fought back, filing various lawsuits challenging the FTC's authority to pursue it. Although the company lost those suits, they slowed the FTC down, which had to respond to each of LabMD's counter-punches. (Since 2013, LabMD's defense has been handled pro bono.)
The FTC's action began in 2013 with the filing of its formal complaint against LabMD through the agency's administrative process. Then, in 2014, a Tiversa whistle-blower called LabMD's president to say that the data had never gone beyond Tiversa. The FTC proceeding was delayed while the whistle-blower sought, and eventually obtained, immunity from the Department of Justice. In the meantime, Rep. Issa's committee staff report was embargoed until the whistle-blower finished testifying. The staff report was sharply critical of the FTC. Ultimately, the FTC's administrative law judge ruled for LabMD and against the FTC, and the FTC appealed to the full three-member commission.
The full commission ruled this summer that the administrative law judge was wrong and reversed the decision. The commission's opinion runs some 37 pages. In it, the commission imposes data security and regular reporting requirements on LabMD (including the use of a third-party assessor engaged by LabMD). In doing so the FTC tips its hand, at least in part, as to what it considers reasonable data security practices to be. The cost of complying with these requirements is, according to the recent 11th Circuit ruling, hotly disputed, but it is certainly not zero.
LabMD isn’t done with the FTC yet, according to the Bloomberg article. Daugherty says that he had to lose before the full Commission (which has just occurred) in order to sue the FTC in federal court, outside the agency’s administrative arena. The Bloomberg article quotes Daugherty as saying that “I am basically opening the playbook to the world, which is what I ultimately want to do. We’re going to have a fair fight.”
That seems to be what has begun to happen. This is a complex, multi-year situation with much litigation over many claims. But the big-picture issue that should be of paramount interest to everyone is the heavy-handed action of the FTC against a small business. Apparently, the FTC views a business with the audacity to challenge its authority as a major threat; its actions when it began enforcement (described in the Bloomberg article and in a prior blog post) show that very unambiguously.
The 11th Circuit was certainly not deferential to the FTC in its recent order staying enforcement of the full commission's decision. Based on the language of that order, there is a solid chance the court will look deeply (and critically) into the FTC's actions, as well as the agency's asserted grounds for its authority to take them.
This is indeed a cautionary tale about how the Federal government can destroy a company in an enforcement action, and it is a story which is not over yet – despite the destruction of LabMD as a going concern. But there may already be potentially important lessons to be learned. The details of the FTC’s decision are the subject of the next article, in an attempt to glean some guidance as to what its stated expectations of a small business are.
*AN IMPORTANT NOTE: The facts as summarized in this article are all according to published reports, and this article is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This article is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.
In Part 1 of this series, we began to tell the story of how one simple breach of a single rule by a single employee sank a $4 million per year company called LabMD, and how the breach triggered very expensive – and extensive – litigation.
As LabMD dealt with its new Washington, DC, lawyers, owner Michael Daugherty has said, he urged them to think about Tiversa's role in the FTC's interest in LabMD. As far as he knew, the only entity that had downloaded the information was Tiversa. For whatever reason, his lawyers were not interested. Turning back to the FTC, Daugherty did not want to sign a consent decree, which would be available to the general public. If knowledge of the breach went public, Daugherty reasoned, his customers (doctors) would conclude that their patients' information was not secure with LabMD. So, he fought.
Daugherty's arguments concerning Tiversa finally caught the attention of FTC commissioner J. Thomas Rosch. In 2012, a few months before he left the agency, Rosch said in a dissenting FTC opinion that the evidence provided by Tiversa shouldn't be used against LabMD. Daugherty began to work with Cause of Action Institute, a conservative legal aid group, which has handled LabMD's defense before the FTC pro bono since 2013. Daugherty also began to build a relationship with US Representative Darrell Issa (R-CA) of the House Oversight Committee.
The FTC litigation began in 2013 when the agency brought an administrative action against LabMD in its own administrative court. The FTC charged not only that LabMD's information on 9,000 patients had leaked from its system, but that the personal information of some 500 people had fallen into the hands of identity thieves in California. The agency came at LabMD full-on: in a three-hour period on October 24, 2013, its lawyers sent notices for 20 depositions to be taken in various parts of the country, all scheduled for the same day.
The company's legal fees had reached about $500,000 by then. LabMD's lawyers sought a protective order, but the stress and cost of the battle were destroying the company. LabMD's revenues nose-dived and Daugherty finally shuttered it in 2014. After losing his company, Daugherty self-published a book about his experiences, The Devil Inside the Beltway.
As Daugherty was waiting for the administrative trial to begin, he received a call in April 2014 from Richard Wallace, a Tiversa employee who had just left the company. Wallace told Daugherty of Tiversa's role in LabMD's demise. It was Wallace who had originally discovered the files on a peer-to-peer file-sharing network. The files had never been anywhere else; when LabMD declined Tiversa's services, Wallace claimed, he was instructed to add LabMD to a list of companies that Tiversa reported to the FTC. Wallace further stated that he had been instructed to fabricate evidence showing other places where the LabMD file had supposedly been found.
The FTC trial began in May 2014, and Wallace's testimony was crucial, since the FTC's case rested primarily on Tiversa's evidence. Wallace testified in May 2015, just over a year after he first called Daugherty.
At the same time, the House Oversight Committee had prepared a report which was locked away until the completion of Wallace’s testimony. The report found that Tiversa faked evidence of data breaches to market its services. The report also disclosed an FTC-Tiversa relationship dating back to 2007. One writer summarized the findings this way:
The report concluded that the FTC had sacrificed “good government” in using Tiversa to “obtain information validating its regulatory authority” and with providing Tiversa with “actionable information it exploited for monetary gain.”
In November 2015, the administrative law judge ruled in favor of LabMD, throwing out Tiversa's testimony and evidence. This left the FTC without much of a case. The judge characterized the FTC's assertions regarding LabMD and the data of the 9,000 patients as "pure, unsupported speculation."
But the story is not yet over. In the last installment of this series, we will discuss the litigation between Daugherty and Tiversa, the dueling Wall Street Journal op-eds on the issue, and the 48-page decision this summer in which the FTC reversed the ALJ and imposed stringent requirements on LabMD. And we'll learn the FTC's reasons for doing so.
*AN IMPORTANT NOTE: The facts as summarized in this blog post are all according to published reports, and this blog post is only a synthesis of published reports on the subject. There is ongoing litigation, and each side contests the other’s position. This blog post is based in large part on Dune Lawrence’s detailed article “A Leak Wounded this Company. Fighting the Feds Finished It Off” in the April 25, 2016, issue of Bloomberg Businessweek.