Tag Archive for: policies

Coverage Challenges in Ransomware Claims: Cyber Insurance Policies and Trends in Denials | Kohrman Jackson & Krantz LLP


A consistent pattern emerges in data breach and cyber-attack cases when companies turn to their insurers for coverage after an incident. Whether or not they hold specialized cyber insurance, insurers often decline claims, citing reasons such as failure to provide timely notice, failure to mitigate costs, employee misconduct or criminal activity leading to the breach, or attribution of the losses to a party not covered by the policy. This holds true both for General Casualty or Liability policies (GCL) and for specialized cyber liability insurance policies that cover damage to electronic assets.

On December 22, 2022, the Ohio Supreme Court in EMOI Servs., L.L.C. v. Owners Ins. Co. ruled that an Ohio medical billing company’s cyber insurance policy did not cover a ransomware claim for damages because the insured could not demonstrate that there was “physical harm or damage” to the computers that housed the data, as required by the terms of the policy. The electronic equipment section of the policy stated that coverage included:

“When a limit of insurance is shown in the Declarations under ELECTRONIC EQUIPMENT, MEDIA, we will pay for direct physical loss of or damage to “media” which you own, which is leased or rented to you or which is in your care, custody or control while located at the premises described in the Declarations. We will pay for your costs to research, replace or restore information on “media” which has incurred direct physical loss or damage by a Covered Cause of Loss. Direct physical loss of or damage to Covered Property must be caused by a Covered Cause of Loss.”

The insured argued that since the ransomware made the data inaccessible and unusable, the media suffered damage covered by the policy language. However, the Ohio court disagreed.

EMOI Servs., L.L.C. v. Owners Ins. Co. Case Overview

EMOI is an Ohio-based company assisting hospitals with medical billing, resulting in the handling of personal data, financial data, and Protected Health Information. In September of 2019, EMOI was the victim of a ransomware attack, where the attackers locked up files and demanded ransom. After obtaining a “test key” from the hackers to unlock a single data file,…


UK unis implement new IP traffic policies to combat ransomware


Jisc, the non-profit that supports the UK higher education and research community with shared digital infrastructure and services such as the Janet network, has announced that it will start blocking traffic originating from outside the UK from accessing the Remote Desktop Protocol (RDP) remote-access feature from 28 March 2023, to better protect its users from ransomware attacks.

The move follows a 2021 consultation with its users, and reflects the fact that 50% of major ransomware incidents experienced by UK higher education institutions in the past two years began when attackers exploited the RDP feature.

Going forward, said Jisc, inbound traffic to port 3389 – the default port used for RDP – that originates from outside the UK will be blocked, and only inbound traffic from UK IP addresses will be allowed to proceed. Currently, this blocking is possible via Jisc as an opt-in measure, but it will now be by default.

“The use of ransomware against our sector, and globally, has ramped up over the past couple of years, and some attacks against colleges and universities have been devastating,” said John Chapman, director of information security policy and governance at Jisc.

“Organisations can still opt out of restrictions to specific IP addresses if they wish to, but they must accept the greater risk of a serious cyber security incident. Controlling access to a known attack vector will help protect the sector as a whole against this type of attack.”

Originally developed by Microsoft, RDP is a supposedly secure network communications protocol that is intended to help IT admins diagnose problems remotely and to let users access their physical work desktops from other devices.

This is done by deploying RDP client software that connects to the system or server running RDP server software, which opens a socket on that system to accept authenticated inbound traffic through port 3389. The user can then access all their applications and files just as if they were physically present in the workplace.

Legitimate use of RDP soared in 2020 during the Covid-19 pandemic, as millions of people were forced to work from home by lockdown restrictions, a policy that for many…


Twitter whistleblower alleges reckless and negligent cybersecurity policies


By Donie O’Sullivan, Clare Duffy and Brian Fung, CNN Business

Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.

The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight. It also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.

The whistleblower, who has agreed to be publicly identified, is Peiter “Mudge” Zatko, who was previously the company’s head of security, reporting directly to the CEO. Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don’t have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk’s attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk’s claims).


Zatko was fired by Twitter in January for what the company claims was poor performance. According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter’s board and to help Twitter fix years of technical shortcomings and…


Not-So-Secret Service: Text Retention and Deletion Policies


Recent news reports indicate that the United States Secret Service, as part of a hardware replacement policy for agents’ phones, allowed individual agents to wipe all of the data from their devices, and failed to preserve text messages as required both by federal law and pursuant to demands from both Congress and the USSS’s oversight agency, the DHS Office of the Inspector General.

It was reported that, long before the replacement program was implemented, employees were advised of their document retention requirements and were provided specific procedures for restoring their old devices to factory settings while preserving the data formerly contained on them. Apparently, nobody got the memo, or — in a more sinister interpretation — they got and deliberately ignored that memo. Generally, I am a fan of not attributing to venality that which mere stupidity can adequately explain, but when the device wiping was systematic and programmatic, that’s an awful lot of stupidity to explain. Many government agencies and private entities have both a hardware and a data life cycle. Laptops, hard drives and smartphones are replaced. Emails that are no longer needed by the company, and for which there is no legal retention requirement, are purged, as are outdated documents, files, attachments, etc. In fact, from a privacy and data security standpoint, it is important to get rid of data that is no longer needed and to update hardware and software in a way that includes the latest security and privacy protections.


The flip side of this, of course, is that data that is needed for the functioning of the entity—or which is required to be maintained by law—must be preserved in the process of upgrading or migrating.

As such, companies need to have robust document retention and destruction programs to identify data that needs to be deleted and data that needs to be kept. This includes a process for a litigation hold—that is, a suspension of the document destruction program when the data that is to be destroyed is relevant to ongoing or anticipated litigation or investigation. To be subject to a litigation hold, it is not necessary that there actually be litigation and formal…
