$4.5 Million Awarded to Whistleblower by SEC

On May 24, 2019, the Securities and Exchange Commission announced that it awarded more than $4.5 million to a whistleblower whose tip prompted the company to review the allegations in an internal investigation and then report them to the SEC and another agency.

According to the SEC, the whistleblower sent an anonymous tip to the company alleging significant wrongdoing and submitted the same information to the SEC within 120 days of reporting it to the company. This information prompted the company to review the whistleblower’s allegations of misconduct and led the company to report the allegations to the SEC and the other agency. As a result of the self-report by the company, the SEC opened its own investigation into the alleged misconduct. Ultimately, when the company completed its internal investigation, the results were reported to the SEC and the other agency. This is the first time a claimant is being awarded under this provision of the whistleblower rules, which was designed to incentivize internal reporting by whistleblowers who also report to the SEC within 120 days.

The SEC has now awarded approximately $381 million to 62 individuals since issuing its first award in 2012. All payments are made out of an investor protection fund established by Congress that is financed entirely through monetary sanctions paid to the SEC by securities law violators. No money has been taken or withheld from harmed investors to pay whistleblower awards.

Whistleblowers may be eligible for an award when they voluntarily provide the SEC with original, timely, and credible information that leads to a successful enforcement action. Whistleblower awards can range from 10 percent to 30 percent of the money collected when the monetary sanctions exceed $1 million.

On Feb. 21, 2018, the U.S. Supreme Court issued an opinion in Digital Realty Trust, Inc. v. Somers holding that the Dodd-Frank anti-retaliation provisions extend only to persons who provide information relating to a violation of the securities laws to the SEC. As required by the Dodd-Frank Act, the SEC protects the confidentiality of whistleblowers and does not disclose information that could reveal a whistleblower’s identity.

Source: SEC.gov

Kehoe Law Firm, P.C.

Flipboard Data Breach – 2 Hacks in the Past Year

On May 29, 2019, Forbes.com reported that “Flipboard, the hugely popular news aggregation app that is used by 150 million people each month, has been hacked. Twice. According to a security notice posted by Flipboard, what it calls ‘unauthorized access’ to databases took place between June 2, 2018 and March 23, 2019 as well as April 21, 2019 and April 22, 2019. The hacker is confirmed as having ‘potentially obtained copies of certain databases containing Flipboard user information.'”

On May 29, 2019, theinquirer.net reported that “[t]he data of 1.5 million accounts is thought to have been affected, but sensitive information such as passwords should be ok because they are protected with ‘salted hashing’.”

Flipboard’s “Notice of Security Incident” reported the following:

What happened

[Flipboard] recently identified unauthorized access to some of our databases containing certain Flipboard users’ account information, including account credentials. In response to this discovery, [Flipboard] immediately launched an investigation and an external security firm was engaged to assist. Findings from the investigation indicate an unauthorized person accessed and potentially obtained copies of certain databases containing Flipboard user information between June 2, 2018 and March 23, 2019 and April 21 – 22, 2019.

What information was involved 

The databases involved contained some of [Flipboard] users’ account information, including name, Flipboard username, cryptographically protected password and email address.

Flipboard has always cryptographically protected passwords using a technique known by security experts as “salted hashing”. The benefit of hashing passwords is that [Flipboard] never need[s] to store the passwords in plain text. Moreover, using a unique salt for each password in combination with the hashing algorithms makes it very difficult and requires significant computer resources to crack these passwords. If users created or changed their password after March 14, 2012, it is hashed with a function called bcrypt. If users have not changed their password since then, it is uniquely salted and hashed with SHA-1.

Additionally, if users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account. [Flipboard has] not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts. As a precaution, [Flipboard has] replaced or deleted all digital tokens.

Importantly, [Flipboard does] not collect from users, and this incident did not involve, Social Security numbers or other government-issued IDs, bank account, credit card, or other financial information. [Emphasis added.]
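The notice above distinguishes per-user salted SHA-1 (pre-2012 passwords) from bcrypt (later ones). The added example below is not Flipboard's code and not from the notice; it illustrates, on a constructed wordlist and constructed user records, why that distinction matters to an attacker holding a copied database. Two things are assumed: the salt is simply prepended to the password (Flipboard's actual layout is not public), and hashlib.scrypt is used as a stand-in for bcrypt, which is not in the Python standard library, since both are deliberately slow, tunable functions.

```python
import hashlib
import hmac
import os
import time

# Constructed wordlist standing in for the dictionaries an offline cracker actually uses.
WORDLIST = ["123456", "qwerty", "letmein", "password", "sunshine", "flipboard2019"]


def salted_sha1(password: str, salt: bytes) -> bytes:
    """Per-user salted SHA-1. Layout salt || password is an assumption for illustration."""
    return hashlib.sha1(salt + password.encode()).digest()


def slow_kdf(password: str, salt: bytes, n: int = 2 ** 14) -> bytes:
    """Deliberately expensive hash with a work factor n. scrypt is used here as a
    stand-in for bcrypt (not in the standard library); the cost argument plays the
    same role as bcrypt's cost parameter."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)


def store(password: str, hasher) -> tuple:
    """What a database row holds: a unique random salt plus the digest."""
    salt = os.urandom(16)
    return salt, hasher(password, salt)


def crack_one(salt: bytes, digest: bytes, hasher, wordlist=WORDLIST):
    """Offline dictionary attack on a single row. Returns (password or None, guesses)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        if hmac.compare_digest(hasher(candidate, salt), digest):
            return candidate, guesses
    return None, guesses


def crack_all(records: dict, hasher, wordlist=WORDLIST):
    """Attack every row. Because each row has its own salt, no precomputed table
    or shared work applies: the wordlist is re-hashed per user, so total cost is
    (guesses per user) x (cost per guess). Returns (found, total_guesses)."""
    found, total = {}, 0
    for user, (salt, digest) in records.items():
        pw, n = crack_one(salt, digest, hasher, wordlist)
        total += n
        if pw is not None:
            found[user] = pw
    return found, total


def per_guess_seconds(hasher, rounds: int = 3) -> float:
    """Wall-clock cost of one guess; the multiplier a slow hash buys the defender."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        hasher("correct horse", salt)
    return (time.perf_counter() - start) / rounds


def same_password_different_digests(hasher) -> bool:
    """Unique salts mean two users with the same password get different rows,
    so a cracked row reveals nothing about the other."""
    a = store("password", hasher)
    b = store("password", hasher)
    return a[1] != b[1]


if __name__ == "__main__":
    # Constructed rows: two users sharing a weak password, one with a strong one.
    legacy = {u: store(p, salted_sha1) for u, p in
              [("alice", "password"), ("bob", "password"), ("carol", "kX9#vQ2!pL")]}
    found, guesses = crack_all(legacy, salted_sha1)
    print("salted SHA-1 rows recovered:", found, "after", guesses, "guesses")
    ratio = per_guess_seconds(slow_kdf) / per_guess_seconds(salted_sha1)
    print(f"slow KDF costs about {ratio:,.0f}x more per guess than SHA-1")
```

The wordlist recovers the weak legacy rows in a handful of guesses each; the strong password survives the same wordlist under either hash. The salt does not stop the dictionary attack, it only prevents shared work across users; the slow hash is what makes each of those guesses expensive, which is why the notice treats the bcrypt rows as better protected than the salted SHA-1 rows.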

For additional information about what steps Flipboard is taking, what Flipboard users can do, and other details of the data breach, see Flipboard’s “Notice of Security Incident.”

Kehoe Law Firm, P.C.


$900,000 Settlement by Medical Informatics From 2015 Data Breach

On May 29, 2019, HealthITSecurity.com reported that “. . . Medical Informatics Engineering has reached a $900,000 settlement in the country’s first federal multistate lawsuit, stemming from its health data breach impacting 3.5 million patients in 2015.”

According to HealthITSecurity.com:

The settlement comes just days after the Department of Health and Human Services Office for Civil Rights announced its settlement with MIE, which included a $100,000 civil monetary penalty and a corrective action plan.

The multistate agreement stems from the 2018 lawsuit filed against MIE by the patients across 16 states who were impacted by the EMR service vendor’s 2015 hack. Officials discovered a “sophisticated cyberattack” on their servers in May 2015 that gave hackers access to the protected health information of millions of patients, including Social Security numbers and clinical data. [Emphasis added.]

HealthITSecurity.com also reported that

[t]he proposed multistate consent judgement will resolve allegations that MIE violated HIPAA provisions, along with state personal information protection laws, notice of data breach statutes, and unfair and deceptive practice laws.

Under the multistate agreement, MIE is required to implement and maintain an information security program and a security incident and event monitoring security tool to detect and respond to malicious cyberattacks. Further, MIE must implement data loss prevention technology to prevent and detect unauthorized data exfiltration.

MIE is also required to create password policies and procedures to enforce the use of strong, complex passwords. The vendor will also need to implement multi-factor authentication procedures for remote-access processes on systems that store or permit access to electronic protected health information.

Lastly, MIE must implement controls during the creation of accounts that allow access to ePHI. The $900,000 financial penalty will be distributed to the 16 states involved in the lawsuit: Florida, North Carolina, Arizona, Arkansas, Wisconsin, Kansas, Kentucky, Louisiana, Michigan, Nebraska, Minnesota, West Virginia, Iowa, Indiana, Tennessee, and Connecticut. [Emphasis added.]

Source: HealthITSecurity.com

Kehoe Law Firm, P.C.

First American Issues Statement Regarding Security Incident

First American Financial Corporation Issues Statement Regarding Its Ongoing Investigation Into a Reported Security Incident

On May 28, 2019, First American Financial Corporation (“First American”) issued a press release which, among other things, stated:

First American Financial Corporation advises that it shut down external access to a production environment with a reported design defect that created the potential for unauthorized access to customer data. The company is working diligently to address the defect and restore external access.

An outside forensic firm has been retained to aid in assessing the extent to which any customer information may have been compromised. Though the ongoing investigation is in its early stages, at this time there is no indication that any large-scale unauthorized access to sensitive customer information occurred. The company plans to provide updates on its investigation exclusively on its website at https://www.firstam.com/incidentupdate.

. . . 

If the investigation shows that any confidential information has been compromised, the company will notify and provide credit monitoring services to the affected consumers. First American will soon provide a mechanism through its website, https://www.firstam.com/incidentupdate, that will give consumers who believe their confidential information has been compromised the ability to report this to the company. [Emphasis added.]

As previously reported, on May 27, 2019, a class action complaint was filed in United States District Court, Central District of California, against First American Financial Corporation and First American Title Company alleging, among other things, that defendants, “[d]espite explicitly promising customers robust data security as part of the high cost of title services, . . . allowed anyone to access the sensitive files of millions of customers.”

The class action was filed on behalf of a proposed class of “[a]ll persons who utilized First American’s title insurance or other closing services in a real estate transaction that involved mortgage financing.”

On May 19, 2019, Krebsonsecurity.com reported that “[t]he [w]eb site for Fortune 500 real estate title insurance giant First American Financial Corp. . . . leaked hundreds of millions of documents related to mortgage deals going back to 2003, until notified . . . by KrebsOnSecurity. The digitized records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images — were available without authentication to anyone with a [w]eb browser.”

Kehoe Law Firm, P.C.

First American – Exposure of Sensitive Customer Data Alleged

On May 27, 2019, a class action complaint was filed in United States District Court, Central District of California, against First American Financial Corporation and First American Title Company (collectively, “First American”) alleging, among other things, that First American, “[d]espite explicitly promising customers robust data security as part of the high cost of title services, . . . allowed anyone to access the sensitive files of millions of customers.”

According to the complaint:

First American made it incredibly easy for the public to access this private information by failing to implement even rudimentary security measures.  Suppose that you are a First American customer. The company provides you with a URL to access your documents on its website. That URL might end in “DocumentID= 000000075.”

Now suppose you want to access someone else’s personal file. Type the same URL but alter the Document ID number by one digit—say, “DocumentID= 000000076”—and someone else’s personal file will appear. Change the numbers again (and again), and you will reveal still more personal files.

It took no computer sleuthing to uncover numbers that will pull personal data; First American’s document identification numbers were sequential. Follow that sequence 885 million times—1, 2, 3, 4, and so forth—and you could access all 885 million documents.

Because First American breached promises and was negligent in its data security, the American dream of home ownership is now a financial security nightmare, as individuals who did business with this company face a serious threat of identity theft or other financial harms. [Emphasis added.]

Moreover, according to the complaint:

First American’s document storage solutions were not secure. On May 24, 2019, cybersecurity researcher Brian Krebs announced that 885 million files were available on First American’s website for anyone to access. The files contained bank account numbers, Social Security numbers, financial and tax records, and images of drivers’ licenses. [Emphasis added.]
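The complaint's description of sequential DocumentID values, and the KrebsOnSecurity report quoted in the preceding post that the records were reachable without authentication, both describe the same flaw: an object is fetched by the identifier in the URL with no check that the requester is entitled to it (commonly called an insecure direct object reference). The added example below is not First American's code and is not taken from the complaint or the Krebs report; it is a minimal stand-alone model, with a constructed three-document store, of the vulnerable lookup beside a hardened one, plus the enumeration walk the complaint describes.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Document:
    doc_id: int
    owner: str
    contents: str


# Constructed store with sequential IDs, mirroring the pattern the complaint describes.
DOCS = {
    75: Document(75, "alice", "alice: closing statement"),
    76: Document(76, "bob", "bob: wire receipt"),
    77: Document(77, "carol", "carol: tax record"),
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def fetch_document_vulnerable(doc_id: int) -> str:
    """Vulnerable: trusts the ID from the URL and performs no authentication or
    ownership check, so anyone who can count can read every document."""
    doc = DOCS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.contents


# Hardened variant. Opaque handles replace the sequential ID in the URL ...
HANDLES: dict = {}  # handle -> doc_id


def issue_handle(doc_id: int) -> str:
    """Random, unguessable reference to a document (128 bits from secrets)."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = doc_id
    return handle


def fetch_document_hardened(session_user, handle: str) -> str:
    """... but the primary control is the ownership check against the
    authenticated session. Missing and foreign documents get the same error so
    the response does not confirm that a handle exists."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc_id = HANDLES.get(handle)
    doc = DOCS.get(doc_id) if doc_id is not None else None
    if doc is None or doc.owner != session_user:
        raise NotFound(handle)
    return doc.contents


def enumerate_sequence(fetch, start: int, stop: int) -> dict:
    """The walk the complaint describes: increment the ID and keep whatever comes back."""
    leaked = {}
    for i in range(start, stop):
        try:
            leaked[i] = fetch(i)
        except (NotFound, Forbidden):
            pass
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_sequence(fetch_document_vulnerable, 70, 80))
    bob_handle = issue_handle(76)
    print("bob reads own doc:", fetch_document_hardened("bob", bob_handle))
    walk = enumerate_sequence(lambda i: fetch_document_hardened("bob", str(i)), 0, 10_000)
    print("hardened walk leaked:", len(walk), "documents")
```

The random handle defeats the counting attack, but it is the ownership check that closes the hole: a handle that leaks in a shared link, a log, or a referrer still cannot be used from another account, whereas an unguessable ID with no authorization check only makes the next leak harder to find rather than impossible.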

The class action was filed on behalf of a proposed class of “[a]ll persons who utilized First American’s title insurance or other closing services in a real estate transaction that involved mortgage financing.”

For additional information, see “First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records.”

Kehoe Law Firm, P.C.