In November 2015, electronic toy manufacturer VTech’s “Learning Lodge” app store was hacked, affecting five million customers, over half of whom were children. While the data breach did not reveal credit card data, Social Security numbers, or driver’s license IDs, it gave the hackers access to customers’ names, addresses, encrypted passwords, birthdays, and, for the children, genders.
On behalf of the Federal Trade Commission (FTC), the Department of Justice (DOJ) sued VTech for violating children’s online privacy law. This was the FTC’s first children’s privacy case involving Internet-connected toys. VTech had failed to notify parents directly that it was collecting and storing users’ data, had not obtained parents’ consent to store the data, and had failed to protect the data it acquired. In doing so, VTech violated the Children’s Online Privacy Protection Act (COPPA).
On January 8, 2018, VTech agreed to settle the charges and to pay $650,000 as part of its settlement with the FTC. (Note that the $650,000 figure does not include any first-party costs incurred by VTech, such as forensics and remediation.) VTech must also implement a comprehensive data security program that will be audited every year for the next 20 years.
The VTech settlement stresses the importance of having strong data security practices that are regularly updated and reviewed, and shows that the FTC is up to the task of protecting consumers online. It also highlights the risk of collecting data on children and the importance of following COPPA compliance requirements as the Internet of Things market continues to grow. Smart toy sales are expected to reach $15.5 billion by 2022, up from an estimated $4.9 billion in 2017, according to a report from Juniper Research.
If your client’s company were in a similar situation and had cutting-edge cyber coverage, such a policy could cover a wide range of costs, including fines and penalties, victim notification, and the forensics needed to find and close the holes in the network that let the hackers reach the data.
Cyber coverage is highly complex, and so are the needs of technology companies. Call us today for help placing the right coverage.
Intel has recently named Michael Mayberry as its new chief technology officer and senior vice president. This leadership change, along with other management changes, comes at a time when nearly every day brings a new alarming headline about the two security vulnerabilities, such as “Meltdown And Spectre Patching Has Been A Total Train Wreck,” “Intel’s Never-Ending Spectre Saga Continues to Be a Hot Mess,” and “OK, panic again: patching Spectre and Meltdown has been a disaster.” Both Intel and Apple are also now facing class action lawsuits over the Meltdown and Spectre bugs. And just this week, German antivirus testing firm AV-Test discovered 139 malware samples that appear to be early attempts at exploiting the Meltdown and Spectre CPU bugs.
Glitches with the Meltdown-Spectre patches
As software and cloud service companies have rushed to push out updates and patches, there has been conflicting information and opinion on whether it is a good idea to install them. In January, Intel announced there were glitches in its patch. And Linux creator Linus Torvalds has been an outspoken critic of Intel’s patches for the Linux kernel, writing on a public message board, “The patches are COMPLETE AND UTTER GARBAGE. … They do things that do not make sense.”
A study by IT company Spiceworks found that while 70 percent of businesses surveyed had already begun patching for Meltdown and Spectre, these efforts were met with issues such as performance drops, locked-up systems, and boot-up problems.
Okay, so, what’s a business to do?
Here are a few tips that TechRepublic has suggested.
1. Test patches on disposable systems
Test patches on non-critical servers before rolling them out to production. The test systems should be identical in every way to your production systems.
2. Have a quick recovery plan set up for your systems
Having a recovery plan in place will save you a lot of time, energy, and frustration.
3. Check for the latest patches and always use the most immediately available fixes
Check the vendor website regularly. “Companies currently working off the old microcode_ctl-1.17-25.2.el6_9:1.x86_64 microcode_ctl package initially released are in for a nasty surprise which is why it’s crucial to stay abreast of package changes,” TechRepublic wrote.
4. Learn about the patch ramifications
Read the vulnerability/patch advisories before you proceed. Consider what possible issues could occur, what the resolutions might be, and how to prepare in advance. “The more hype is involved with a vulnerability and the associated fix means the more caution you must employ when proceeding; these patches are often rapidly pushed out with less testing than may be advisable,” TechRepublic states.
5. Look for alternate solutions where necessary
TechRepublic notes that many problematic patches for such vulnerabilities don’t necessarily need to be applied. “You can employ a workaround by turning an unneeded process off, for instance, or disabling an unused setting. Follow vendor guidelines and determine your best course.”
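As an added example, not part of the original article or of TechRepublic’s advice, the following POSIX shell script supports tips 1 and 3: it reports what the Linux kernel itself says about the host’s Meltdown/Spectre mitigation state and which microcode_ctl package is installed, so that a patched test system can be compared with production before and after rollout. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (Linux 4.15 and later) and, for the package check, an RPM-based distribution; the directory argument exists so the functions can also be run against a constructed sample directory.

```shell
#!/bin/sh
# Added example (not from the original article or TechRepublic): report the
# kernel's own view of Meltdown/Spectre mitigation status on a Linux host.
# Assumptions: a kernel that exposes /sys/devices/system/cpu/vulnerabilities
# (Linux 4.15+) and, optionally, an RPM-based system with microcode_ctl.

# Print "<name>: <status>" for every entry in a vulnerabilities directory.
# The directory is a parameter so the function can be run against a
# constructed sample directory as well as the real sysfs path.
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no vulnerabilities directory at $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 if every entry reports a mitigation or "Not affected",
# 1 if any entry still begins with "Vulnerable", 2 if the directory is missing.
all_mitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || return 2
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            Vulnerable*) echo "UNMITIGATED: $(basename "$f")"; rc=1 ;;
        esac
    done
    return $rc
}

# Report the installed microcode package version where rpm is available, so
# it can be compared against the vendor's current microcode_ctl release.
microcode_pkg() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 0; }
    rpm -q microcode_ctl 2>/dev/null || echo "microcode_ctl not installed"
}

# Run against the live host when executed directly.
report_vulns
microcode_pkg
if all_mitigated; then
    echo "all listed issues mitigated"
else
    echo "review unmitigated entries (or missing sysfs directory)"
fi
```

Run the script on a test server before and after applying the patch and keep both outputs; a production host whose report differs from the tested one (a different microcode_ctl version, or an entry that still reads “Vulnerable”) has not received the same fix you validated.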
“Cyber-light” is a term used to describe policies that are low on actual cyber coverage, so that the carrier can promote cyber as part of a package policy, at very little additional cost to the insured. But this coverage can do more harm than good, because it gives the insured a false sense of security.
For example, a cyber-light policy might sublimit notification costs at a measly $50,000. But a breach of any significant size will go through that amount quickly, and the insured will be left holding the bag for the balance of the cost. (Now it’s becoming clear why cyber-light coverage is free or nearly free.)
The ironic thing here is that state-of-the-art, robust cyber coverage would offer up to $1,000,000 in limits, for around $1,000 for a smaller company. And even for companies of up to $50M in revenue, this coverage can be very competitively priced.
According to one recent report in Insurance Business, a cyber underwriter stated that 90% of the attacks that the carrier she works for sees are targeted at businesses with revenues under $50M. Smaller businesses are easier prey for the bad guys, as these companies typically have less sophisticated IT security.
Cyber attacks can and do happen to small companies, which are the ones least able to deal with them if they are not properly insured.
With the extremely soft cyber insurance market, prices are very competitive. There is no reason to let your clients settle for cyber-light, and then come to you angry when they’re breached and their cyber policy turns out to be a dud.
We can help you secure strong, affordable coverage for your clients. Call us today for a quote!
In early January, it was revealed that nearly every computer chip made in the past 20 years contains fundamental security flaws, dubbed Spectre and Meltdown. Both bugs enable side-channel attacks, in which malicious code lets attackers read information held in a computer’s central processing unit (CPU).
This is a big deal! Virtually everyone is impacted by these security vulnerabilities. And to make matters worse, if you have been the victim of a Meltdown or Spectre attack, you probably wouldn’t be able to detect it.
Cybercriminals could steal sensitive data such as passwords, personal photos, emails, instant messages, banking information and business-critical documents. The bugs have been found in processors designed by Intel, AMD and ARM, and affect everything from smartphones, PCs, tablets and TVs to cloud computing. It’s still unknown if Meltdown and Spectre have been abused in the wild.
So how did this happen? In the early 1990s, in an effort to improve computer processing speed, computer chip engineers started using a process called “speculative execution,” where computers try to guess what users will likely do next.
“It’s something like a salesperson who sees a man pick out a pair of slacks in a store and so grabs a belt and a jacket that match because they might be what he looks for next,” USA TODAY explains. Chipmakers prioritized speed and performance, but at the expense of security.
“In the computer, it could be that you go to the banking section of your password management program. The speculative execution function then pulls all your banking passwords into the protected memory portion of the CPU because it’s making a good guess you’ll ask for that next. Meltdown allows full access to the protected memory space, so it’s potentially more dangerous,” USA TODAY writes.
Researcher Daniel Gruss of Graz University of Technology said Meltdown is “probably one of the worst CPU bugs ever found.” Intel has been the most heavily affected, and has issued updates for most of the CPUs that have been introduced in the past five years. Intel CEO Brian Krzanich recently wrote an open letter pledging to be more transparent about CPU, security, and performance.
While patches are available, WIRED reports that many of these fixes are slowing down servers and causing other problems: “Millions of Windows PCs and servers around the world, even those that are just a few years old, could get noticeably more sluggish — as much as 20 percent slower in some cases. Intel also published benchmark and user data… which similarly shows deeper losses for older generations of silicon.”
Meltdown and Spectre were discovered and reported independently by Google’s Project Zero team and by several researchers from different countries and universities, who found the two bugs concurrently.
In 1995, the EU introduced its Data Protection Directive to protect consumers. But 20 years later, after rapid changes in technology, the Data Protection Directive now seems outdated. Consumers are more worried than ever about what companies do with their personal data, especially after security breaches occur. They want control over how their personal data is used.
Enter the EU’s ambitious and strict General Data Protection Regulation (GDPR), which takes effect May 25, 2018. Four years in the making, it was finally approved by the EU Parliament in April 2016. Under the new Regulation, companies will be required to report breaches to their regulators and often to consumers. Additionally, GDPR allows a consumer to find out how a business is using his or her personal data.
“The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established,” according to the EUGDPR.org website.
Businesses will face heavy fines for non-compliance. GDPR’s obligations will affect any company that handles EU citizens’ data, whether the company is located in the EU or not, and ultimately will have global ramifications.
Here are some key changes in the Regulation, as stated on the EUGDPR.org website:
- Increased Territorial Scope (extra-territorial applicability)
- “GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.”
- “Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).” Note: €20 Million currently is the equivalent of about $24,000,000.
- “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
Under GDPR, individuals whose data has been collected by a business have the following rights:
- Breach Notification
- Right to Access
- Right to be Forgotten
- Data Portability
- Privacy by Design
If your company collects or processes EU citizens’ data, you will need to be GDPR-compliant. But bad things can still happen, and you need the correct coverage in the event of a breach or other cyber event. For more information about GDPR and how it will impact your business’s cyber risk exposure, contact us today.