TLP White: In this edition of Hacking Healthcare we begin by catching up with the latest effort to establish global cyber norms. Next, we look at another high-profile company whose woefully inadequate cybersecurity processes have landed it in hot water. Finally, we explore the implications of a recent D.C. Circuit court opinion on data breach victims seeking redress.
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).
Welcome back to Hacking Healthcare.
1. Another Attempt at Setting Cyber Norms.
The lack of globally established cyber norms is perhaps the most impactful reason why cyberspace is so unstable and unpredictable for states, corporations, and individuals. While the members of the European Union have made strides to coalesce around legislation like GDPR, even that partial uniformity, which helps to inform baseline standards of acceptable practice, does not extend to culturally similar traditional allies like the United States and Australia. The lack of global consensus is not aided by the fact that several of the most advanced users of cyberspace are nation states with adversarial relationships. This lack of globally accepted norms adds uncertainty and anxiety to anyone operating within or impacted by the internet.
While the UN had previously attempted to address this issue through the Group of Governmental Experts, those talks were often labored and eventually stagnated. However, last week, in an attempt to resuscitate the discussion on cyber norms, 27 nations issued a statement on “Advancing Responsible State Behavior in Cyberspace.”[i] The brief statement references growing irresponsible behavior in cyberspace that targets critical infrastructure, undermines democracies, and “undercut[s] fair competition in the global economy.”[ii]
The statement goes on to reaffirm the need to accept “an evolving framework of responsible state behavior in cyberspace, which supports the international rules-based order, affirms the applicability of international law to state-on-state behavior, adherence to voluntary norms of responsible state behavior in peacetime, and the development and implementation of practical confidence building measures to help reduce the risk of conflict stemming from cyber incidents.”[iii] The statement ends by pledging to work voluntarily to “hold states accountable when they act contrary to this framework, including by taking measures that are transparent and consistent with international law. There must be consequences for bad behavior in cyberspace.”[iv]
2. Dunkin’ Donuts in Hot Water.
A recent lawsuit filed by the New York Attorney General’s Office highlights how major corporations with ample resources are still struggling to put adequate cybersecurity measures in place, despite seeing dozens of their high-profile counterparts raked over the coals of public opinion and fined for negligence and damages to customers. Dunkin’ Brands, the parent of Dunkin’ Donuts, is the subject of the lawsuit, and is now the most recent company to be taken to task for what is alleged to be a completely inadequate response to a series of attacks between 2015 and 2018 that violated New York state data breach laws.
The lawsuit alleges that, despite being made aware of the attack by both customers and an app developer, the company failed to notify its customers of an attack that compromised tens of thousands of customer accounts, as required by state data breach laws.[v] Additionally, the company allegedly failed to properly investigate the breach to ascertain its scope, did not implement improved security measures, and misled customers about the nature of a similar incident in 2018.[vi] For its part, Dunkin’ Donuts has vigorously denied the veracity of the allegations.
3. Court of Appeals for the United States District of Columbia (D.C.) Circuit Makes Office of Personnel Management (OPM) Decision.
One of the more curious legal issues surrounding data breaches is whether or not victims have standing to bring a case. “Standing” to bring suit is the constitutional requirement that a plaintiff must be able to show they “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” The first of those requirements can be difficult to meet for data breach victims, because stolen data on its own may not cause an actual injury to a breach victim. Furthermore, the “injury in fact” requirement specifically rules out conjectural and hypothetical injuries.
So where does that leave breach victims whose personal data has been stolen, and whose risk for identity theft is significantly increased by the breach, but where no known abuse of that data has yet occurred? A recent decision by the Court of Appeals for the Washington D.C. Circuit on the victims of the 2014 OPM hack helps to further illuminate the answer.
The 2014 OPM breach, widely attributed to the Chinese state, consisted of two related attacks that ultimately led to millions of files of personal data for current and former government employees being stolen. This hack has had a lasting impact on those millions of individuals and ultimately led to 21 lawsuits.[vii] Those lawsuits were then consolidated into two before eventually being dismissed due to lower court findings that the plaintiffs “lacked standing and that the doctrine of sovereign immunity barred their claims from going forward.”[viii]
However, in late June of this year, the United States Court of Appeals for the District of Columbia Circuit “reversed in part and affirmed in part” that judgment.[ix] The notable aspect was that the court found “both sets of plaintiffs have alleged facts sufficient to satisfy Article III standing requirements.”[x] This included the ability to show “injury in fact.” The majority opinion explained that it focused on “[The] one injury they all share: the risk of future identity theft.” Citing the 2017 case Attias v. CareFirst, the court concluded that the plaintiffs “face a substantial—as opposed to a merely speculative or theoretical—risk of future identity theft.”[xi]
Tuesday, October 1st:
–No relevant hearings
Wednesday, October 2nd:
–No relevant hearings
Thursday, October 3rd:
–No relevant hearings
International Hearings/Meetings –
EU – None This Week
Conferences, Webinars, and Summits –
–Healthcare Cybersecurity: The Current Diagnosis & How to Cure Pain Points – Webinar (10/1/2019)
–HEALTH IT Summit (Northeast) – Boston, MA (10/3/2019-10/4/2019)
–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)
–H-ISAC Grand Rounds Webinar Series #1: Cost Effective Threat Intel – Webinar (10/9/2019)
–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)
–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)
–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)
–H-ISAC / MITSF Healthcare Cybersecurity Workshop – Tokyo, Japan (10/24/2019)
–CHIME Healthcare CIO Boot Camp – Phoenix, AZ (11/6/2019-11/9/2019)
–Health IT Summit (Southwest) – Houston, TX (11/14/2019-11/15/2019)
–Southwest Healthcare Cybersecurity Forum – Dallas, TX (11/15/2019)
–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)
–Pacific Northwest Healthcare Cybersecurity Forum – Seattle, WA (11/20/2019)
–2019 H-ISAC Fall Summit – San Diego, CA (12/2/19-12/6/2019)
–German manufacturer says malware has caused ‘significant disruption’ to plants in three countries
–CISOs on job market could benefit from breach experience, report says
–Vimeo collected detailed facial scans without consent, lawsuit alleges
–Unpatchable bug in millions of iOS devices exploited, developer claims
Contact us: follow @HealthISAC,