Cybersecurity Newsletter – July 2015

    By Nicole J. Harrell, Data Privacy and Security


    In fact, your smartphone may be tracking every move you make and the files you thought you deleted are not exactly gone forever. And, the information may be collected for litigation purposes.

    A mobile device holds a significant amount of information about where the user has been physically located. Cell towers record the location of every phone call, photos are geo-tagged when they are taken, location of a Wi-Fi network is stored if the user joins the network, and apps ask a user to use location information. Location information is recorded to increase the smartphone’s functionality.

    Forensic experts can gather some geographic history information without even having access to the smartphone. The Google Now service on the Google phone stores information in the user’s Google account, so the experts only need to access the account to obtain information about the location of a user. Software is available to extract location information directly from a smartphone and if the information is then loaded into Google Earth, then an investigator can easily map out the location of the phone over time.

    To avoid constant tracking, users can disable geo-tagging and turn off location services. Some tracking, however, is unavoidable because smartphones must communicate with cell towers.

    When a user deletes text and email messages, the database where they are stored flags the message and it is removed from the information the user sees. However, the content remains on the smartphone until it is overwritten. This makes it likely that an investigator will be able to recover recently deleted messages.

    Browsing history can also be recovered. Just like a deleted text message, a flag is placed on the record in the database and the history is not seen by the user, but it is still available for recovery.

    Smartphones not only pose a risk if they are lost or stolen, but they also pose a risk because of the amount of trackable information stored on them ranging from the location of the user to the activities of the user. This information can be recovered and may be subject to discovery in litigation.


    Medical practices, hospitals, pharmacies and their vendors are increasingly becoming the target of cyberattacks that result in breaches of sensitive patient information and trigger the notification requirements under the Health Insurance Portability and Accountability Act (“HIPAA”). Once an organization has become aware of a potential breach of protected health information, it generally has sixty days to analyze the situation and send the required notification letters to the affected patients and, if required, to notify the media and the Department of Health and Human Resources (“HHS”). For that reason, it is critical that organizations are familiar with their breach response and notification policies and procedures and understand how to properly react when discovering a potential breach of protected health information.

    More often than not, investing time and resources into HIPAA compliance up front reduces the cost of a breach, should one occur. Even more, HHS is increasingly levying fines against organizations with insufficient policies and procedures. Accordingly, organizations need to be sure that they have legally compliant HIPAA policies and procedures that are properly implemented in the organization, including breach response and notification policies.

    HIPAA breaches stem from numerous causes and take various forms. As such, an organization’s HIPAA breach response policy must be robust, yet practical enough to be easily implemented. Defining what constitutes a breach and establishing an actionable formal response plan (including identifying breach officers, forming internal reporting procedures, and distinguishing escalation events) can go a long way in mitigating the impact of a breach. Additionally, running mock breach response exercises and participating in employee HIPAA incident training can help ensure organizations are prepared to mobilize and react effectively if a breach occurs.


    It is not a question of if, but when most financial institutions will become victim to a cyber-attack, whether directly or through their customers. It seems every week there is a new headline covering the details of the latest breach and these are only the ones we hear about.

    The consequences of these breaches can be costly for any institution and damaging to its reputation. The ongoing litigation involving the Sony Pictures Entertainment, Inc. breach highlights the most recent development in liability for breaches. A federal judge recently ruled that the employees affected by the breach have standing to sue even if they cannot prove their personal information was used by criminals. This follows a similar ruling from 2013 in California involving litigation related to an Adobe Systems Inc. breach. Plaintiffs were able to initiate litigation against Adobe even though they could not establish their personal information was misused.

    Cybersecurity and the harsh implications that follow from a data breach cannot be ignored. The Comptroller of the Currency has stated that financial institutions are prime targets because of the money they handle and the vast amount of customers’ personal information they possess. The following tactics can assist financial institutions, from large national banks to small community credit unions, prepare for and potentially protect against the next breach.

    1. Employee Awareness Training. There are numerous stories about hackers attacking an organization through its employees. Ongoing training for employees to advise them of all potential risks can help financial institutions protect against such targeted attacks. Training should include how to monitor for suspicious activity and how to identify phishing attempts, such as suspicious emails and phone calls, before taking action, e.g., clicking on external links, transferring funds, or providing information. This training should be done at every level and implementation of a safety mentality from senior management down to entry level is important.
    2. Cybersecurity and Data Protection Policies and Procedures. The Gramm-Leech Bliley Act requires financial institutions to implement a comprehensive written security program that includes various types of safeguards to protect customer information and protect against any anticipated threats or hazards. Virginia and most states have additional requirements that govern the reporting of data breaches related to consumer information. Including all state requirements in the federally required written security program can assist a financial institution. A proactive and quick response is important to mitigate any breach, protect against further exposure, and to ensure compliance with all relevant statutes and regulations.

      Though institutions are not required to implement a uniform set of policies, you should consider including periodic testing of computer security, patch management (prompt installation of software updates), and limiting and restricting administrative access (e.g., checks and balances, segregation of duties, etc.). As with all policies and procedures, they should be reviewed periodically and updated to account for the quickly evolving cyber criminals and utilized technology. You should also consider testing the effectiveness of an incident response plan to ensure all employees understand their respective responsibilities and procedures.

    3. Encryption. A leading cause of data breaches is a lost or stolen laptop or device. USB flash drives or other portable memory devices can also present an enormous risk. Financial institutions should encrypt all devices and implement a remote deletion plan. If employees are permitted to use their own devices, consider developing a Bring Your Own Device-specific policy. Encryption should be implemented everywhere.
    4. Due Diligence of Third-Party Providers. Bad actors can gain physical and technical access through trusted third-party service providers. The infamous Target breach was traced to network credentials stolen from a third party vendor. Financial institutions need to ensure that proper due diligence is conducted on any third-party vendors and the risks of any relationship evaluated. The cybersecurity controls of the third-party vendor should be assessed and each vendor should appropriately manage and monitor its own cybersecurity risk. Any agreements entered into should require the third-party vendor to promptly notify the financial institution in the instance of any breach so the financial institution may respond appropriately.
    5. Participation in the Financial Services Information Sharing and Analysis Center (“FS-ISAC”).The FS-ISAC is a private-sector nonprofit information sharing resource that was established by the financial services industry to allow collaboration on critical security threats facing the industry. The Federal Financial Institutions Examination Council issued a recommendation within the last year that financial institutions of all sizes join this forum. The sharing of information can help prepare financial institutions monitor cyber vulnerabilities and respond to threats immediately. Participating in the FS-ISAC can bolster a financial institution’s risk management.

    The threat of a cyber-attack is not going to subside. As technology continues to evolve, the bad actors find new ways to breach information technology systems and obtain access to money and information. Financial institutions must continue to be vigilant and the five ways outlined above can assist in effectively preparing for, detecting, and responding to any potential breaches.

    Kaufman & Canoles remains available, even on short notice, to assist with any breach, cyberattack and your HIPAA compliance matters. In the event of a potential breach, attack, an upcoming HIPAA audit, or if you have any questions regarding security planning, response or compliance, contact our Cybersecurity Response Team. The Cybersecurity Response Team can be reached at (844) 417.3309 or

    The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2024.