Friday, Mar 28, 2014

Speaking Schedule

SOURCE Boston where I am presenting with Kevin Thompson (@bfist) on Ripped from the Headlines: What the news tells us about Information Security Incidents

CEIC 2014, where I am going to be really busy.  I'm presenting the 2014 DBIR Lessons Learned, and I have organized a panel of authors that will be held twice during the conference:  So You Want to Write a Forensics Book.  One of the panelists, Dave Cowen, has written a post about the panel.

SANS DFIR Summit, where I have organized a panel of authors, So You Want to Write a Forensics Book.  One of the panelists, Harlan Carvey, has written a nice preview.

Tuesday, Jan 31, 2012

Managing Employee's Expectation of Privacy

FDA secretly monitored private emails of whistleblowers, lawsuit alleges

This is an interesting case where FDA whistleblowers allege that their emails were monitored once they told Congress the agency was approving medical devices that were risky to patients.  First, the usual disclaimer: I am not a lawyer--don't take this as legal advice.

FDA employees (and former employees) are alleging that the FDA initiated email monitoring after these complaints, and that in doing so, it violated their Constitutional rights.  They call the monitoring an unlawful search and seizure, and a violation of their rights to free speech and association.  The FDA, on the other hand, indicated that when logging onto the network, employees are warned they may be monitored and should not have an expectation of privacy.  Now, the article quotes the agency, but does not get specific as to what this warning looks like.  If it is like many places, it is a click through banner where the employee must accept the warning before proceeding. 

Further, the article indicated that the FDA began "surveillance of the employee's personal email accounts, which they accessed from Government computers".  So the question is: does the click-through banner, which tells the employee to hold no expectation of privacy, extend to their personal email accounts when they access them from work?  This will be a very interesting case to follow, given some of the rulings we've seen around similar issues.

In Ontario v. Quon, the Supreme Court ruled that employers have the right to read text messages—including personal ones—when they own the equipment (phone) that it was sent/received from, and when they have reason to believe that workplace rules are being broken.  In that ruling, Justice Scalia asserts “…that government searches to retrieve work-related materials or to investigate violations of workplace rules—searches of the sort that are regarded as reasonable and normal in the private-employer context—do not violate the …(Fourth) Amendment.” 

Now, that ruling addressed cell phone texting on a work-owned phone, and not personal email accounts accessed through a work computer, but the most important point seems to be that because the search was motivated by a legitimate work-related purpose, it was lawful. 

In Stengart v. Loving Care Agency, Inc., the New Jersey Supreme Court ruled in a case where an employee sent emails to/from her attorney via her personal Yahoo email account, but using a company laptop.  When she left the company and filed suit against them, the employer had a forensic analysis done on the laptop.  It obtained copies of some of the emails from the internet cache folders, and even though the emails contained language about privilege and how the emails were intended only for the recipient, the employer asserted they were fair game.  The court ruled that just because Stengart was using her employer provided laptop, that doesn’t dispel her expectation of privacy when accessing her personal email account.  According to the New Jersey Supreme Court, “a policy that provided unambiguous notice that an employer could retrieve and read an employee’s attorney-client communications, if accessed on a personal password-protected email account using the company’s computer system, would not be enforceable.”

The FDA case seems to fall somewhere in between these two rulings.  If the monitoring was justifiable as a legitimate work-related investigation (not knowing the details, I can only assume it was), then monitoring the communications on the company’s own email systems should be within the realm of not violating their Fourth Amendment rights.  However, when it extends to their personal email accounts, even if they are not attorney-client communications, it becomes possible that a line was crossed.

The take home for companies should be to make sure their Acceptable Use policies are clear, and that their systems have click-through banners, which users must acknowledge, stating that monitoring is a possibility on company-owned systems—that is the basic beginning for dispelling that expectation of privacy. However, if during the course of an investigation private communications are intercepted, the company should be guided by their Legal Counsel on how to proceed.

The outcome of the FDA case will hopefully provide further clarity in this somewhat murky issue.

Saturday, Jan 28, 2012

Data Breach Known Records Disclosed Passes 1 Billion Mark

I've been working on updating The Leaking Vault data breach database.  I won't be freezing the database until after June 2012, since it takes a good six months for the flow of incidents for the past year to slow to a trickle.  However, I thought I'd share some of the numbers as they currently stand.

First, there have been a significant number of data breach incidents coming to light from prior years.  Here is the new breakdown of incidents per year.

With the new data, there are now more than 5,500 incidents, and new breaches seem to occur on a daily basis.  As you can see, 2011 already has 871 incidents, and if you are familiar with the previous two Leaking Vault reports, you will notice significant increases in both 2007 and 2008's totals. 

Even with a total of 944 incidents for 2010, however, it still remains the lowest year since the study began for known records disclosed.   Although 2007 and 2008 grew the most in terms of additional incidents being disclosed, 2008 showed the highest number of additional records, with almost 95 million.  Though 2011 is not the highest in terms of incidents, it is now the leader for records disclosed thus far. 

All told, the database shows 1.29 billion records disclosed over the past 7 years, and this total will only grow as more incidents for 2011 come in.  As pointed out in the reports, these records-lost figures are an underestimate, because 36% of the incidents do not list a finite number of records disclosed for the data breach.   One partial explanation for 2010's low records-disclosed number is the potential for large breaches to be concealed within its 37% "unknown" value for records disclosed--only 1% higher than average.  However, it may simply be that there were no really large incidents during that year.  In contrast, 2009 had a 46% unreported figure for records disclosed, and it did not show a large decrease.

I will be performing the usual analysis when I freeze the database, and releasing The Leaking Vault 2012 some time in the third quarter.  In the meantime, I'm looking at gathering some new metrics and revisiting the existing records. 

Sunday, Apr 03, 2011

Third Party Email Provider Breach Expands in Scope

As I mentioned earlier, I received a data breach notification email from Brookstone that their third-party email service provider (unnamed) had suffered a breach of their information.  Today, I received two other notices that are clearly part of the same breach event.  This helps to illustrate how these third-party partner breaches can have a wide-reaching effect across their customer base.

The first was from Disney Destinations, and here is the text:

Dear Guest,

We have been informed by one of our email service providers, Epsilon,
that your email address was exposed by an unauthorized entry into that
provider's computer system.  We use our email service providers to
help us manage the large number of email communications with our
guests.  Our email service providers send emails on our behalf to
guests who have chosen to receive email communications from us.

We regret that this incident has occurred and any inconvenience this
incident may cause you.  We take your privacy very seriously, and we
will continue to work diligently to protect your personal information.

We want to assure you that your email address was the only personal
information we have regarding you that was compromised in this
incident.

As a result of this incident, it is possible that you may receive spam
email messages, emails that contain links containing computer viruses
or other types of computer malware, or emails that seek to deceive you
into providing personal or credit card information.  As a result, you
should be extremely cautious before opening links or attachments from
unknown third parties or providing a credit card number or other
sensitive information in response to any email.

If you have any questions regarding this incident, please contact us
at (407) 560-2547 during the hours of 9:00 am to 7:00 pm (Eastern Time)
Monday through Friday, and 9:00 am through 5:00 pm (Eastern Time)
Saturday and Sunday.

Sincerely,

Disney Destinations

The second was from TiVo, and here is the text:

TiVo® Service Announcement

Dear TiVo Customer,

Today we were informed by our email service provider that your email address was exposed due to unauthorized access of their system. Our email service provider deploys emails on our behalf to customers who have opted into email-based communications from us.

We were advised by our email service provider that the information that was obtained was limited to first name and/or email addresses only. Your service and any other personally identifiable information were not at risk and remain secure.

Please note, it is possible you may receive spam email messages as a result. We want to urge you to be cautious when opening links or attachments from unknown third parties.

We regret this has taken place and apologize for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.

If you have unsubscribed in the past, there is no need to unsubscribe again. Your preferences will remain in place.


Sincerely,
The TiVo Team

Friday, Apr 01, 2011

Brookstone.com Data Breach

I received an email today that the email service provider of Brookstone.com has experienced a data breach.  The email's contents are posted here.

The data items breached were first name and email, and the company warns that more spam may be in my future because of this, and to urge me not to go clicking on those enticing links or opening any attachments--always good advice.  They also warn that they won't be asking me to confirm any personal information or credit card data unless I'm on their site. 

I've posted the breach incident to the datalossdb.org database.  I haven't seen anything in the media, and don't know how big this breach was.  The text of their email makes it clear that the breach occurred through a third-party partner.