[BreachExchange] Phishing: Data Breach Is “Chalkdust Torture”

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 21 10:10:16 EDT 2016


http://www.jdsupra.com/legalnews/phishing-data-breach-is-chalkdust-18279/

Seyfarth Synopsis: Hernandez v. Sprouts Farmers Market, Inc., a case
stemming from a phishing scam, emphasizes the need for California employers
to implement comprehensive data protection and data breach notification
policies and practices for personal employee information under the CDPA.

A story of a company suffering a data breach tops newspaper headlines
almost daily. So how can you stay out of the “fuego,” and stay compliant
with California laws about your employees’ and customers’ data?

California’s Data Protection Act—“Army Of One”

In 2003 California passed the nation’s first data breach notification
statute: the CDPA. Since then, over 30 states have enacted similar
statutes, but California remains the national leader in privacy and data
security standards.

The CDPA mandates that any business that “owns or licenses personal
information about a California resident shall implement and maintain
reasonable security procedures and practices appropriate to the nature of
the information, to protect the personal information from unauthorized
access, destruction, use, modification, or disclosure.” And it requires a
company to notify affected individuals of a data breach “in the most
expedient time possible and without unreasonable delay.”

The CDPA takes a very broad view of personal information, defining the term
to include:

An individual’s signature,
A person’s physical characteristics or description,
Information collected through an automated license plate recognition
system, and
An individual’s employment and employment history.

The CDPA also requires that if a company experiences a data breach and
decides to offer “identity theft prevention and mitigation services” to
affected persons, then it must provide these services to affected persons
for at least 12 months and at no cost. Additionally, unlike many other
state laws about data breaches, the CDPA requires a company affected by a
data breach to submit a sample of the data breach notification letter to
the California Attorney General.

“Vultures” Go Phishing At Sprouts

What’s Phishing? In a phishing scam, a fraudulent email message is made to
look as if it came from a legitimate sender. It often directs the recipient
to a spoofed website, or, as at Sprouts, simply asks the recipient to send
the data, in order to dupe the recipient into divulging private personal
information. The perpetrators then use this information to commit identity
theft.

In March 2016, a Sprouts employee received an email purportedly from a
Sprouts senior executive, asking for the 2015 W-2 statements of all Sprouts
employees (which contain Social Security numbers). In reality, the email
had been sent by a third party as a phishing scam.

Acting on the phishing email, the employee compiled the W-2 forms of
thousands of current and former employees and sent them to the third
party. Sprouts later realized the error and notified the affected
individuals of the data breach.
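The W-2 request described above is an executive-impersonation email rather than a spoofed-website lure: the display name is borrowed from an insider, the sending or reply address is not, and the body asks for payroll data urgently. The following mail-gateway screen for that pattern is an added example, not code from the article, from Seyfarth or from Sprouts; the executive roster, the internal domain and the two sample messages are constructed for illustration.

```python
"""
Heuristic screen for executive-impersonation ("W-2 phishing") emails.

Added example. The executive roster, internal domain and both sample
messages below are constructed and do not describe any real company.
"""
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed roster (assumed): display names an attacker is likely to borrow,
# mapped to the only address each executive legitimately sends from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}  # assumed

# Phrases typical of payroll-data requests in W-2 scams, and urgency cues.
SENSITIVE_REQUEST = re.compile(
    r"\b(w-?2s?|social security|ssn|payroll|direct deposit)\b", re.I)
URGENCY = re.compile(r"\b(asap|urgent|immediately|right away|today)\b", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_body(msg) -> str:
    """Concatenate the text/plain parts (or the single body) as str."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def assess_message(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    key = from_name.strip().lower()

    # 1. Display name matches an executive but the address is not theirs.
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{from_name}' claims an executive, "
                        f"but sender is {from_addr}")

    # 2. Reply-To points outside the From domain: replies (and any
    #    attached W-2 files) would go to the attacker's mailbox.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if reply_addr and _domain(reply_addr) != from_domain:
            findings.append(f"Reply-To {reply_addr} differs from From domain")

    # 3. Body asks for payroll/tax data, especially with urgency language.
    body = _text_body(msg)
    if SENSITIVE_REQUEST.search(body):
        findings.append("body requests payroll/tax data")
        if URGENCY.search(body):
            findings.append("request is framed as urgent")

    # 4. Message impersonates an insider but arrives from an external domain.
    if key in EXECUTIVES and from_domain and from_domain not in INTERNAL_DOMAINS:
        findings.append(f"external domain {from_domain}")

    return findings


def is_suspicious(raw: str) -> bool:
    """Quarantine when the mail both spoofs a sender and asks for data."""
    f = assess_message(raw)
    asks = any("requests payroll" in x for x in f)
    spoof = any(("claims an executive" in x) or ("Reply-To" in x) for x in f)
    return asks and spoof


# Constructed sample resembling the W-2 request described in the article.
PHISH = """\
From: Jane Doe <jane.doe@example-mail.net>
Reply-To: reply@attacker-mailbox.org
To: payroll@example.com
Subject: 2015 W-2s
Content-Type: text/plain

Hi, I need the 2015 W-2 statements for all employees sent to me ASAP.
Thanks, Jane
"""

# Constructed benign message from the real executive's real address.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Q2 planning
Content-Type: text/plain

Can we meet Thursday to review the quarterly plan?
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, is_suspicious(raw), assess_message(raw))
```

The screen deliberately requires two independent signals (a spoofed sender and a data request) before quarantining, so a genuine executive asking payroll for a report is not blocked; a production gateway would additionally check SPF/DKIM results and route flagged mail to a human reviewer rather than silently dropping it.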

Shortly afterwards, a former Sprouts employee filed a class action lawsuit
against the company, alleging violations of the CDPA and the California
Unfair Competition law. The suit alleges essentially that the employer
should have had procedures and policies in place to protect employee
information from a phishing attack because such attacks are commonplace in
the information age. A First Amended Complaint was filed on May 25, 2016,
and Sprouts has not yet filed its response.

The Sprouts case highlights how important it is for California employers to
have a data protection and data breach notification plan. Such a plan is
instrumental in heading off attacks by hackers and other bad actors seeking
private employee data to commit identity theft.

“Anything But Me”—What’s An Employer To Do?

The California Attorney General has issued annual reports analyzing data
breach notices and providing recommendations to companies and employers for
implementing data breach plans, including recommending that companies and
employers:

Implement the Center for Internet Security’s Critical Security Controls as
the “minimum level of information security” if they handle personal data.

The Attorney General has stated that “[t]he failure to implement all the
Controls that apply to an organization’s environment constitutes a lack of
reasonable security.”

Implement “strong encryption” for personal information on laptops and other
portable devices, and consider full encryption on desktop computers when
not in use.
Encrypt digital personal information when moving or sending personal
information out of their secure network.
Encourage individuals affected by a breach of Social Security numbers or
driver’s license numbers to place a fraud alert on their credit files and
make this option very prominent in their breach notices.
Make multi-factor authentication available on consumer-facing online
accounts that contain sensitive personal information.
Provide training to employees and contractors on data security controls.
Improve the readability of breach notification letters.