Showing posts with label infosec. Show all posts

Tuesday, May 19, 2020

Highlights of the 2020 Data Breach Investigations Report by Verizon

There are a number of surveys and studies published each year that provide empirical data about the cybersecurity landscape. One of them is the Verizon Data Breach Investigations Report, which compiles publicly-reported breaches with other sources (including intelligence gathered by the Verizon Threat Research Advisory Center). The 2020 DBIR has just been published. This year, Verizon amassed 157,525 incidents and 108,069 breaches.  Here are some interesting findings:
  • Trojans were once the primary means of hacking, comprising as much as 50% of all breaches in 2016. They now comprise only 6.5%.
  • Phishing and credential theft are on the rise.
  • External attackers continue to be much more common than internal threats.
  • Money continues to be the main motive, far ahead of espionage.
  • The most common hacker profile is the organized crime ring, followed by state-sponsored actors.
  • According to the FBI, hackers are more likely to be close by than around the globe: 85% of victims and perpetrators were in the same country, 56% in the same state and 35% in the same city.
  • Errors are becoming a more common source of breach. Physical penetrations remain uncommon, but Misuse, Hacking, Malware and Social have all decreased as a percentage. The most common type of incident was a DDoS, while the most common breach was Social (phishing).
  • Errors (i.e., human errors such as mis-configurations, and mistakenly sharing data) saw a significant increase.  Almost half of all Errors were discovered by security researchers (not by an audit or other internal source).
  • Almost all (80%) hacks involved stealing or brute-forcing credentials.  Hackers did not rely as much on finding vulnerabilities or backdoors.  
  • Financially-motivated social engineering keeps growing in popularity year over year.
  • Although we often think of on-prem solutions as more secure than the cloud, cloud-based assets were involved in just 24% of breaches, while on-prem assets represented 70%. 
  • The most common attribute of affected data was that it was "personal" (PII/PI/PD), followed by credentials.
  • When looking for "patterns," Verizon found the most common was that breaches involved web applications. 
  • The Healthcare sector had the most breaches, followed by Finance, then a near-tie among Public, Education, Manufacturing, and Professional sectors.  
  • Retail saw only half as many breaches as the latter sectors.  Most Retail sector attacks involved e-commerce, a trend that grows year over year, and very few attacks involved point of sale (POS), representing a multi-year decline.  In Retail, 99% of breaches were financially-motivated.  Fewer than 20% of the data affected in Retail breaches was "internal" (trade secrets, business deals, etc.); the vast majority were types of personal data or payment information.
  • An organization's size has less relationship to the risk of breach this year than in recent years, probably due to the flight to the cloud, where large and small organizations are similarly vulnerable.  
  • Within the data analyzed, there were more than four times as many breaches in North America as in APAC or EMEA.

You can read all the details for yourself, if you have time, and you can learn even more at these links:
Tuesday, January 22, 2019

The (Revised) Proposal to "Strengthen North Carolina Identity Theft Protection Act"

North Carolina's Attorney General, Josh Stein, and Representative Jason Saine have unveiled a revised proposal for amending the state's existing Identity Theft Protection Act. Recall that one year ago, Stein and Saine introduced a summary of proposed legislation (sometimes erroneously called a "fact sheet") outlining their plans for bipartisan legislation to tighten privacy and data security protections for North Carolinians. In this post, I will attempt to describe the 2019 proposal and highlight differences from the 2018 proposal.
 
Concerns with the 2018 proposal
 
In many of my privacy and data security law presentations during 2018, I expressed my view that some elements of the proposal were reasonable and advisable improvements to the statute, and I also described a couple of my concerns with the proposal:
 

1.  First, the 2018 version of the Act to Strengthen Identity Theft Protections would have created the shortest breach reporting timeframe in the entire United States--only 15 days--giving organizations half the time allowed under the next shortest timeframe. Having assisted some of North Carolina's largest and smallest organizations in post-incident response, I thought that was unrealistically aggressive (although I'm sure well-intentioned). Several states did, in fact, adopt or revise reporting deadlines in 2018, but none were close to the 15 days in the Stein-Saine proposal, for example:
  • 30 days: Colorado; 
  • 45 days: Alabama, Arizona, Maryland, Oregon; and
  • 60 days: Delaware, Louisiana, South Dakota.

2.  Second, the 2018 proposal would have included ransomware in the definition of "breach" even if no personal information was divulged (i.e., "exfiltrated").  Notifying individuals of an incident in which their data has not been exposed, and for which they probably cannot really take any pro-active or remedial actions, seems pointless, would likely generate fear disproportionate to the risk of harm, and creates a significant and unnecessary expense for the entity that has been attacked. In other words, I think there are good reasons why other states do not include ransomware attacks within the scope of a reportable breach.



What's new in the 2019 proposal
 
In the 2019 version of the proposal, one of these concerns has been addressed.  Let's take a look at how the 2019 proposal differs from the 2018 proposal:
 
  • In the 2018 proposal, the Attorney General's office would "determine the risk of harm" to consumers. In the 2019 proposal, the organization makes the initial determination, and "if the breached entity determines that no one was harmed, it must document that determination for the Attorney General’s office to review."
  • There were no changes to the security obligation. Both proposals impose a duty on a "business that owns or licenses personal information to implement and maintain reasonable security procedures and practices – appropriate to the nature of personal information – to protect the personal information from a security breach."
  • There were no changes to the proposed expansion of "personal information." In both proposals, the scope would be expanded to include medical information and insurance account numbers. (The interaction with HIPAA was not addressed specifically.)
  • The 15-day reporting timeframe in the 2018 proposal has been changed to a 30-day timeframe in the 2019 proposal, which is much more consistent with the approach of other states.
  • Under both proposals, consumers will be able to place and lift a credit freeze on their credit report at any time, for free, and credit reporting agencies will also be required to cooperate to establish a simple method so that consumers need not repeat the process with each CRA. (If this sounds familiar, it is because this is how credit fraud alerts already work. Credit fraud alerts are creatures of federal law, and credit freezes arise from state law, and therefore vary from state to state.)
  • Under the 2018 proposal, consumers affected by a breach would have access to three free credit reports from each national consumer reporting agency, but that provision was dropped from the 2019 version of the proposal.
  • Under the 2018 proposal, if a consumer reporting agency is breached, it will be obligated to provide five years of free credit monitoring; under the 2019 version, the CRA would provide monitoring for four years.
  • Under the 2019 version, if any organization is breached, it must provide two years of free credit monitoring to each affected consumer. There was no similar provision in the 2018 proposal (except for CRAs).
  • Under the 2019 version, a failure to report a breach will be a violation of the NC Unfair and Deceptive Trade Practices Act. (The 2018 version specified that each affected consumer would support a separate violation; the 2019 version omits that statement.) Frankly, I am not sure that this would actually be a change from the current law; it may be a mere attempt to codify the status quo.
  • Both proposals say that a company will need a person's permission before obtaining or using a person’s credit report or credit score, and must disclose the reason for the request. (This is already a requirement under federal law, so I do not foresee much impact from this provision.)
  • Finally, both proposals would give NC residents the right to obtain from any CRA "the information maintained on him or herself (both credit related and non-credit related information), its source, and a list of any person or entity to which it was disclosed."

 

The 2018 proposal never made it to a vote in the North Carolina General Assembly, and I cannot predict whether the new proposal will be adopted in the 2019-2020 session, but it is clear that the Attorney General intends to focus on privacy and data security, through legislation and enforcement actions, during the coming year.

Sunday, April 1, 2018

South Dakota and Alabama Become the Last States to Enact Data Security Breach Notification Statutes


[Image: outline map of the continental United States with South Dakota and Alabama highlighted]

South Dakota and Alabama have just become the 49th and 50th states to enact data security breach notification statutes, joining the other 48 U.S. states and four U.S. districts/territories that already have similar laws in effect. Here is what you need to know:



South Dakota's Statute (SB 62) At A Glance


  • Signed on March 21, 2018 by Governor Dennis Daugaard (before Alabama's statute) and will take effect July 1, 2018 (after Alabama's statute).

  • The statute applies to “information holders” which is a term that seems to cover the concepts of data controller and data processor in other regulatory regimes. (This is just one more reason why data controllers and data custodians will want to carefully allocate responsibility for compliance in their contracts.)

  • Notice is required to South Dakota residents within 60 days after “personal or protected information was, or is reasonably believed to have been, acquired by an unauthorized person.”

  • There are two categories of protected data (unlike most state statutes): “Personal Information" and "Protected Information,” and they include biometric data, in addition to other elements that are common among such state laws.

  • Personal and protected information includes health information (which is a recent trend in state laws that many think unnecessarily duplicative of HIPAA's breach notice provisions).

  • Access credentials (e.g., a username and password) for an online account are covered, reflecting a recent trend in state laws.

  • Notice to the Attorney General of South Dakota is required if more than 250 residents are affected. 

  • Notification to consumers is not necessary if the breached organization conducts an investigation and determines that consumers are not likely to be harmed (but notice to the AG is still required). That determination should be supported by a written analysis, which is to be retained. The AG may disagree with the conclusion and require notice to consumers. (This consultation approach is a relatively recent trend in state data breach statutes.)

  • The AG can impose fines of up to $10,000 per day per violation.

  • Violations of the breach notice requirement may also be criminal deceptive acts or practices under South Dakota’s Deceptive Trade Practices Act (37-24-6). (Note: I am not aware of any other state data security breach notification law that criminalizes a failure to comply.  If you are, please tell me.)

  • There is no express right of civil action in the new statute, but because violations are also deemed violations of the Deceptive Trade Practices Act, civil suits seem foreseeable. 



Alabama’s Statute (S.B. 318) At A Glance


  • Signed on March 28, 2018 by Governor Kay Ivey (after South Dakota's) and will take effect June 1, 2018 (before South Dakota's).

  • Notice is required to Alabama residents within 45 days after discovery.

  • “Sensitive personally identifying information” includes elements that are common among other state breach notification laws.

  • Access credentials (e.g., a username and password) for an online account are also covered, reflecting a recent trend in state laws.

  • Notice to the Attorney General of Alabama is required if more than 1,000 residents are affected. 

  • Those who knowingly violate the notification law are subject to penalties of up to $500,000 under the Alabama Deceptive Trade Practices Act, plus additional amounts up to $5,000 per day for continuing failure to comply.

  • There is no express right of civil action in the new statute, but the Alabama Attorney General may bring a “representative action” for named individual victims to recover actual damages plus attorney’s fees and costs.

At long last, every state has some sort of data breach notification law. They vary, of course, in the details. [Georgia's statute, for example, applies only to governmental "information collectors" and "data brokers" that collect and share data for compensation, severely limiting the reach of the statute.] Some of them have idiosyncrasies that preclude a one-size-fits-all breach notice. [Compare California's statute with Massachusetts' statute, for example.] For a handy reference of all states' and territories' data security breach laws, see the website of the National Conference of State Legislatures, here.

It should also be noted that the U.S. Congress seems to consider a federal breach notification statute in almost every session, and almost every proposal would preempt all state breach notification statutes. None, however, have yet been enacted (for reasons you may have heard me describe on social media or in presentations).

As a result of these two new statutes, organizations may want to update cyber incident response plans to reflect the new notice requirements and categories of data covered.

Friday, July 3, 2015

I'm a Certified Information Privacy Professional. (What Does That Mean?)

I recently became IAPP CIPP/US certified.  "What does that mean?" you ask?  Good question! 

What is the CIPP/US designation?

The International Association of Privacy Professionals (IAPP) is a nonprofit association of privacy professionals--the largest in the world. The IAPP issues the Certified Information Privacy Professional (CIPP) designations, which are the most recognized information privacy certifications globally. The CIPP/US credential demonstrates an understanding of privacy and security concepts, best practices, and international norms, with a specific emphasis on U.S. privacy and information security laws.   Applicants are tested to ensure they have the requisite knowledge in the following areas:

I. The U.S. Privacy Environment
  A. Structure of U.S. Law
      i. Constitutions
      ii. Legislation
      iii. Regulations and rules
      iv. Case law
      v. Common law
      vi. Contract law
    c. Legal definitions
    d. Regulatory authorities
      i. Federal Trade Commission (FTC)
      ii. Federal Communications Commission (FCC)
      iii. Department of Commerce (DoC)
      iv. Department of Health and Human Services (HHS)
      v. Banking regulators
      vi. State attorneys general
      vii. Self-regulatory programs and trust marks
    e. Understanding laws
      i. Scope and application
      ii. Analyzing a law
      iii. Determining jurisdiction
      iv. Preemption
  B. Enforcement of U.S. Privacy and Security Laws
    a. Criminal versus civil liability
    b. General theories of legal liability
      i. Contract
      ii. Tort
      iii. Civil enforcement
    c. Negligence
    d. Unfair and deceptive trade practices (UDTP)
    e. Federal enforcement actions
    f. State enforcement (Attorneys General (AGs), etc.)
    g. Cross-border enforcement issues (Global Privacy Enforcement Network (GPEN))
    h. Self-regulatory enforcement (PCI, Trust Marks)
  C. Information Management from a U.S. Perspective
    a. Data classification
    b. Privacy program development
    c. Incident response programs
    d. Training
    e. Accountability
    f. Data retention and disposal (FACTA)
    g. Vendor management
      i. Vendor incidents
    h. International data transfers
      i. U.S. Safe Harbor
      ii. Binding Corporate Rules (BCRs)
    i. Other key considerations for U.S.-based global multinational companies
    j. Resolving multinational compliance conflicts
      i. EU data protection versus e-discovery
II. Limits on Private-sector Collection and Use of Data
  A. Cross-sector FTC Privacy Protection
    a. The Federal Trade Commission Act
    b. FTC Privacy Enforcement Actions
    c. FTC Security Enforcement Actions
    d. The Children’s Online Privacy Protection Act of 1998 (COPPA)
  B. Medical
    a. The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
      i. HIPAA privacy rule
      ii. HIPAA security rule
    b. Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009
  C. Financial
    a. The Fair Credit Reporting Act of 1970 (FCRA)
    b. The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
    c. The Financial Services Modernization Act of 1999 ("Gramm-Leach-Bliley" or GLBA)
      i. GLBA privacy rule
      ii. GLBA safeguards rule
    d. Red Flags Rule
    e. Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010
    f. Consumer Financial Protection Bureau
  D. Education
    a. Family Educational Rights and Privacy Act of 1974 (FERPA)
  E. Telecommunications and Marketing
    a. Telemarketing sales rule (TSR) and the Telephone Consumer Protection Act of 1991 (TCPA)
      i. The Do-Not-Call registry (DNC)
    b. Combating the Assault of Non-solicited Pornography and Marketing Act of 2003 (CAN-SPAM)
    c. The Junk Fax Prevention Act of 2005 (JFPA)
    d. The Wireless Domain Registry
    e. Telecommunications Act of 1996 and Customer Proprietary Network Information
    f. Video Privacy Protection Act of 1988 (VPPA)
    g. Cable Communications Privacy Act of 1984
III. Government and Court Access to Private-sector Information
  A. Law Enforcement and Privacy
    a. Access to financial data
      i. Right to Financial Privacy Act of 1978
      ii. The Bank Secrecy Act
    b. Access to communications
      i. Wiretaps
      ii. Electronic Communications Privacy Act (ECPA)
        1. E-mails
        2. Stored records
        3. Pen registers
    c. The Communications Assistance to Law Enforcement Act (CALEA)
  B. National Security and Privacy
    a. Foreign Intelligence Surveillance Act of 1978 (FISA)
      i. Wiretaps
      ii. E-mails and stored records
      iii. National security letters
    b. Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA-Patriot Act)
      i. Other changes after USA-Patriot Act
  C. Civil Litigation and Privacy
    a. Compelled disclosure of media information
      i. Privacy Protection Act of 1980
    b. Electronic discovery
IV. Workplace Privacy
  A. Introduction to Workplace Privacy
    a. Workplace privacy concepts
      i. Human resources management
    b. U.S. agencies regulating workplace privacy issues
      i. Federal Trade Commission (FTC)
      ii. Department of Labor
      iii. Equal Employment Opportunity Commission (EEOC)
      iv. National Labor Relations Board (NLRB)
      v. Occupational Safety and Health Act (OSHA)
      vi. Securities and Exchange Commission (SEC)
    c. U.S. Anti-discrimination laws
      i. The Civil Rights Act of 1964
      ii. Americans with Disabilities Act (ADA)
      iii. Genetic Information Nondiscrimination Act (GINA)
  B. Privacy before, during and after employment
    a. Employee background screening
      i. Requirements under FCRA
      ii. Methods
        1. Personality and psychological evaluations
        2. Polygraph testing
        3. Drug and alcohol testing
        4. Social media
    b. Employee monitoring
      i. Technologies
        1. Computer usage (including social media)
        2. Location-based services (LBS)
        3. Mobile computing
        4. E-mail
        5. Postal mail
        6. Photography
        7. Telephony
        8. Video
      ii. Requirements under the Electronic Communications Privacy Act of 1986 (ECPA)
      iii. Unionized worker issues concerning monitoring in the U.S. workplace
    c. Investigation of employee misconduct
      i. Data handling in misconduct investigations
      ii. Use of third parties in investigations
      iii. Documenting performance problems
      iv. Balancing rights of multiple individuals in a single situation
    d. Termination of the employment relationship
      i. Transition management
      ii. Records retention
      iii. References
V. State Privacy Laws
  A. Federal vs. state authority
  B. Marketing laws
  C. Financial Data
    a. Credit history
    b. California SB-1
  D. Data Security Laws
    a. SSN
    b. Data destruction
  E. Data Breach Notification Laws
    a. Elements of state data breach notification laws
    b. Key differences among states


Why did you decide to get the CIPP/US certification? 

More and more people are claiming to be privacy experts these days, including a number of lawyers. Although very few law firms advertised a privacy practice group as of just a few years ago, almost all large law firms do now...with varying degrees of credibility. Some lawyers are holding themselves out as privacy experts when their expertise is limited to a couple of privacy laws and a specific context. They are nonetheless re-branding themselves as "privacy" lawyers. While there certainly are more lawyers who are competent in a range of privacy and information security issues than ever before, they remain few and far between. The CIPP/US certification is perhaps the best way to clearly and immediately demonstrate an understanding of the core concepts and legal issues of privacy and information security.

Does the CIPP/US designation guarantee expertise?

The CIPP/US designation does not guarantee expertise in any particular area of privacy law. The certification tests (there are currently two) do not require the depth of understanding that a true expert must have. For example, the study guides and tests cover financial privacy issues at a level of depth just beyond the surface. There is much more to know about financial privacy law and practice. However, the CIPP/US designation does provide assurance that the certificate holder is at least aware of the salient issues and knows where to find answers or guidance, and those two items are very important. Furthermore, certification requires ongoing learning. Maintaining IAPP CIPP certification requires the holder to fulfill 20 hours of continuing privacy education (CPE) per two-year period, to ensure the holder's knowledge remains up to date.

The CIPP/US certification is no guarantee of true legal expertise, but it does provide an independent confirmation of basic competence across a broad spectrum of privacy and information security law. It also tells you that the holder is continuing to build upon his or her knowledge in these areas.


 
* The N.C. State Bar, the regulatory body that supervises and disciplines lawyers licensed in North Carolina, prohibits a lawyer from using the term "specialized" to describe anything other than a N.C. Bar-issued certificate of specialization in one of a very limited number of fields of law. There is no specialization certificate available from the N.C. State Bar for privacy, information security, or any related field of law.