Proof of Concept: California's First Consumer Privacy Fine
Also: Defending Against New Ransomware Tactics; Mitigating Impact of Zelle Scams
In the latest "Proof of Concept," Lisa Sotto of Hunton Andrews Kurth LLP and former CISO David Pollino of PNC Bank join editors at Information Security Media Group to discuss the California attorney general's first CCPA fine, how enterprises can better protect themselves against the latest tactics employed by ransomware gangs, and how businesses and consumers can mitigate the increasing number of scams targeting users of the Zelle peer-to-peer payment app.
Anna Delaney, director of productions; Tom Field, senior vice president of editorial; David Pollino, former CISO of PNC Bank; and Lisa Sotto, partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP, discuss:
- How the California attorney general's office has issued its first fine against retailer Sephora for the mishandling of customer data;
- The latest ransomware trends and how organizations can still improve incident preparation and response activities;
- The Zelle financial fraud problem and what is required to strengthen the security of peer-to-peer payment apps.
Named in The National Law Journal's "100 Most Influential Lawyers," Sotto serves on the Hunton Andrews Kurth executive committee. She was voted the world's leading privacy adviser by Computerworld magazine and has earned the highest honor from Chambers and Partners as a "Star" performer for privacy and data security. Recognized as a "leading lawyer" by The Legal 500 U.S., Sotto chairs the U.S. Department of Homeland Security's Data Privacy and Integrity Advisory Committee and is editor and lead author of "Privacy and Data Security Law Deskbook." She has represented the U.S. Chamber of Commerce in Indonesia and has advised the Serbian government on global data protection law. An ISMG contributor, Sotto is co-chair of the International Privacy Law Committee of the New York Bar Association and chair of the New York Privacy Officers' Forum.
Pollino has over 25 years of experience in information security, fraud prevention and risk management. He has focused on financial services for 20 years and was the chief information security officer of Bank of the West and a divisional CISO at PNC. He has held multiple leadership positions in security and fraud at Wells Fargo, Washington Mutual and Charles Schwab. An ISMG contributor, Pollino has authored multiple books and white papers focused on cybersecurity and fraud.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the Sept. 7 edition discussing key steps for improving OT security and the Sept. 20 edition on what CISOs can learn from Twitter and Uber.
Anna Delaney: Hello and welcome to Proof of Concept, the ISMG talk show where we discuss today's and tomorrow's cybersecurity and privacy challenges with experts in the field, and how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions at ISMG.
Tom Field: I'm Tom Field. I'm senior vice president of editorial, also at ISMG. Anna, always a pleasure to see you.
Delaney: Always a pleasure. Tom, you're in Atlanta this week. Tell us more.
Field: Well, I'm here for our Southeast Cybersecurity Summit. It was held live yesterday, and today is hybrid as well. We brought together security leaders to talk about leading topics such as third-party risk management, business email compromise, incident response, software security and so much more.
Delaney: If there was one key takeaway for you, what would that be?
Field: Key takeaway. One thing in Atlanta, I'm always impressed with the solidarity of this community. It's one of the tightest CISO communities I've seen anywhere in the world honestly. People that have stayed together and networked together and have been close for 20 years or more. So it's a tight community here. And if there's alignment on anything, it is that we have to address issues such as software supply chain security, we have to address incident response to the point that we're having a more structured and more automated response to attacks that are increasingly broader and increasingly automated. So, similar conversations to what we've had elsewhere in the world this year. But again, I'm particularly impressed by this community and how tight it is and how aligned it is on topics such as these.
Delaney: Fantastic. Did you learn anything new?
Field: Did I learn anything new? I learned that I am not a good resident at a so-called Millennial Hotel. I'm not going to give all names, I don't want to give any adverse publicity, but it's one of these hotels. Let me read from the description here, if I may. "During your stay, you might see a flash mob breakout, or a giant pink teddy bear sitting at the bar. It's all about the fun for us here." Now, this fun includes: there are no closets in the rooms, there are hooks on the wall, there are no irons or ironing boards, there are ironing stations on one floor where you queue up to iron your clothes. There are no coffee machines in the room. And it's all designed, as they say here, so that you can have room to do your downward dog in your room and not be bothered by these other things. You know, I'm officially too old and I have officially become the get-off-my-lawn guy. There you go.
Delaney: I think that sounds quite inviting.
Field: That's a difference between Anna and Tom!
Delaney: Talking of the community, you did mention earlier that there was a lot of chatter around the conviction of Uber's ex-CSO. Can you reveal what was being discussed? What's the tone?
Field: It comes up in lots of conversations. And there's a lot of guardedness about what people want to say. I understand that this is a sensitive topic. For people in our community, this is one of our own, who is paying a significant toll for events that have happened. And you can argue: what was corporate responsibility? What was his responsibility? What was revealed, and maybe what should have been revealed? But the repercussion that hits home in these conversations is: what does this say about my role in my organization and my responsibility? And as someone said yesterday, when I accept a new job, should my contract say you're going to protect me? So there are lots of conversations that aren't done by any means. And it's an emotional one and a new one for this community as well. I'm sure David will talk more about him when we bring him on.
Delaney: I look forward to that. Why don't you introduce our first guest?
Field: I would be happy to do that because she's a frequent guest here. She's the chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth LLP. She's Lisa Sotto. And I understand she's Lisa Sotto live from London today. Is that correct?
Lisa Sotto: That is correct. And I'm laughing about your hotel description, Tom, because mine is the exact opposite. I actually don't have enough outlets. I'm in a very old hotel.
Field: Well, there are plenty of outlets here because Millennials like to be plugged in. So you can be plugged in almost anywhere here, but to make a cup of coffee - that's a different story. Anyway, Lisa, great that you're where you are right now, because just last week, as you know, President Biden signed an executive order to implement a new framework to protect the privacy of personal data shared between the U.S. and Europe. Yeah, as you know, some privacy campaigners aren't impressed. The Austrian privacy activist Maximilian Schrems said he sees no ban on bulk surveillance and no actual limitations. And we expect a new data agreement to be ready maybe by March of next year, although, privacy activists are expected to challenge the ruling in court. Big question for you, what are your thoughts on what's been proposed? And what are we likely to see develop over the next quarter or so?
Sotto: Yeah, Tom, thank you. This new agreement, now known as the Trans-Atlantic Data Privacy Framework, is a very significant development, in my view, in the world of EU and U.K. data transfers to the U.S. So, just to provide a bit of background. About six months ago, the presidents of both the U.S. and the European Commission made a joint statement in which they announced an agreement in principle to replace the now invalidated Privacy Shield. And as you will recall, it had been struck down as one of the very few valid data transfer mechanisms by the Court of Justice of the European Union, and the decision is known as the Schrems II decision. Of course, Max Schrems was operative here. And it focused on the lack of protections for EU residents in connection with U.S. surveillance programs, and the court also criticized the insufficient redress mechanisms to challenge any unlawful government surveillance. So last Friday, President Biden issued an executive order that outlined safeguards that the U.S. government will put in place to address the alleged shortcomings in intelligence gathering, the safeguards used, and also put in place a robust process for redress. And it even stands up a new and independent court, called the Data Protection Review Court, which is very significant. So in response, in what was clearly a coordinated approach, the European Commission released a Q&A document and announced that they intend to now prepare a draft adequacy decision and launch an adoption procedure; the European Commission will seek an opinion from the European Data Protection Board and also get approval from a committee of EU member state representatives. And the European Parliament also can review adequacy decisions. So, as you said, all of this can take about six months to play out. But the good news is that we are well on our way to having a reinstated transfer mechanism for transfers from the EU and the U.K. to the U.S. And this is very welcome news.
Field: No, indeed. What's your advice to U.S. organizations now, as this plays out?
Sotto: Well, U.S. companies have really been in purgatory, the ones that are certified to the Shield. And we've been eagerly awaiting a new revamped version of the framework. Those companies have had to put in place an alternative mechanism, which generally means standard contractual clauses. They are really complex these days. It's kind of an albatross for companies. So those companies that are currently certified are the lucky ones; they'll be able to take advantage of the revamped Shield to transfer data without having to navigate the complexities of the standard contractual clauses. This will bring much needed relief to global organizations. And as you indicated, it is extremely likely that there will be yet another challenge. We'll call it the Schrems III case, and Max Schrems has explicitly said as much, but still, having this mechanism in place will buy companies at least a few years of relief.
Field: Very good. Shifting gears, Lisa, there was a recent action by the California AG under CCPA. Can you tell us a bit about that?
Sotto: Yeah, absolutely. And it's a very significant action. The California AG had not brought any enforcement actions under the CCPA. And now we have our first enforcement action. This is the Sephora case. Simultaneously, on August 24, they announced a settlement with Sephora, but they also, at the same time, announced a broader enforcement sweep of over 100 online retailers. And the essence of it is that there is a need now to recognize the Global Privacy Control, GPC. We'll call it TPC. And so the Attorney General issued a number of notices of alleged CCPA noncompliance regarding businesses' failure to process opt-out-of-sale requests that were made using user-enabled global privacy controls such as GPC. So after being notified, many of these businesses updated their service provider contracts and implemented technology to recognize the signal from GPC. As to Sephora, the allegation was that the company failed to disclose to consumers that their data was being "sold". And that is a term of art. It's a defined term under the CCPA. And it means an exchange of personal data for either monetary consideration or other valuable consideration. And the allegation was that Sephora failed to recognize the GPC signal. And they also did not cure these alleged violations within 30 days, because there's a 30-day grace period right now. And the settlement was for 1.2 million in penalties. And they will need to make continuous reports to the Attorney General on their efforts to both comply with the CCPA and honor the Global Privacy Control.
Field: Very good. One more topic: ransomware, as we are now in the last quarter of 2022. Let's check in. What are the trends you're seeing in ransomware? And what are the trends you're seeing in response, in terms of what organizations continue to do wrong in prevention, preparation and response?
Sotto: All good questions. And it's kind of more of the same, but souped up. So we're seeing amounts that are being demanded that are just higher than ever. We used to see amounts that, when they were very high, would be deemed moonshot amounts. No longer. They're just standard, very high payment demands. We're also seeing an interesting shift in cryptocurrency, where Monero is now the most requested cryptocurrency and there's actually a premium being charged to accept Bitcoin. Just a couple of other things that I'll add: Look, Russia and Ukraine, obviously, the war has had a very significant impact. And we're seeing Russian threat actors, government actors, hitting infrastructure and government systems. And we're also seeing Ukrainian cyber warriors hitting back, in some cases with surprising success. And, of course, ransomware still takes first prize as the threat actors' most coveted exploit. The LAPSUS$ arrests were interesting, but clearly, LAPSUS$ has nine lives, because then they came back to hit Uber and Rockstar Games, so never say die. And the only other thing I'll mention is that we now have the Cyber Incident Reporting for Critical Infrastructure Act in the United States. And that will mean that certain critical infrastructure entities are going to need to report certain events to the government within 72 hours, and within 24 hours of paying a ransom. And, Tom, I'll just quickly address your last point, which is what are companies still doing wrong? We're still seeing shortcomings in basic security measures, and enough is enough; it's time to just shore things up. Multi-factor authentication everywhere, access control, segmentation, the usual guidance. And, of course, there still needs to be a real beefing up of proactive readiness: doing tabletop exercises, making sure the executive leadership team is well aware of the decisions that they're going to need to make should this hit. Is the incident response team ready? Is there a state-of-the-art incident response plan? Have all the protective measures been tested over and over again, through red team testing or blue team testing? And then make sure you know which experts you're going to use if you're hit with this sort of thing. Make sure you are sufficiently prepared with respect to cyber insurance and training and awareness, because you can never get enough of it.
Field: And I know we're going to be talking about this again next year. Please, as always, thanks for your time. Thanks.
Sotto: Thank you very much.
Field: Anna, back to you and our next guest.
Delaney: Fantastic. Excellent insights, Lisa, as always. I would like to welcome back to the studio David Pollino, former CISO of PNC Bank. Great to see you, David.
David Pollino: Hello, Anna. Thanks for having me.
Delaney: Very good. Not in London, unfortunately. Not yet, I reckon. We'll have to get you here. So, David, let's talk about this hot topic of Zelle fraud. Last week, Senator Elizabeth Warren's office said that its investigation into Zelle shows that fraud and theft are not only rampant, but getting worse. Can you share an overview of the scale of these Zelle scams and the trends you're most concerned by?
Pollino: Yeah, it's funny, we planned on talking about this before the Senate hearings were even discussed or made the headlines. So it's definitely a hot topic. In the report, there are actually some very interesting things. And if you read through the numbers, I think you see a little bit of, you know, an acknowledgement that there's a problem here. And then you also see some spin on some of the numbers. So, a few things to talk about. A lot of the banks refused to publish their numbers. I thought that was telling: if there wasn't a problem, they likely would have been a lot more transparent. There were four banks that published numbers. And if you look at 2020 compared to 2022, for those four banks, there was about 90 million in fraud in 2020, and it went up to 255 million in 2022. And that's just four of the thousands of banks that are a part of Zelle. Obviously, some of the larger banks participate in the platform. What you see is a significant uptick in the overall fraud that's on the platform. They also mentioned that there was $440 million lost in the scam. So that 440 million reported is 440 million of actual customer losses in 2021. So what you have is a significant industry here that is focusing on Zelle as their primary revenue stream, from a cybersecurity perspective. So it goes to show that, I think, the product needs innovation. When you do a Google News search for Zelle, the first, I think it was 20 screens I looked at, every article was talking about fraud. So, who knows if they'll solve this problem soon. They may even need to change the name, because Zelle might become synonymous with fraud. So I think that there's an acknowledgement here across the board. Typically what we've seen in financial services, either they self-regulate, or the government comes and regulates for them. So, I think there's a short window here, the banks' opportunity to change the operating rules and to get to a point where customers are not feeling as scammed, taken over and victimized, to be able to get the product right before the hard-hitting regulation comes down and likely changes this product significantly for years to come.
Delaney: Very good. And not only is there a lack of transparency from banks, I read somewhere that they're not repaying 90% of cases in which customers were tricked into making payments on Zelle. What are your thoughts on this? Where does responsibility lie? I suppose there's always a lot of finger-pointing. But I'm curious to know your thoughts.
Pollino: Yeah, as a former banker myself, I definitely see both sides of the equation. You have some of these more traditional payment mechanisms like PayPal, Venmo, Cash App that are built on other products: they're built on ACH, they're built on the card infrastructure and, to a certain extent, also checking products as well. Those products have well-established operating rules that have factored in fraud as part of the arrangements. And because normally you're only seeing one side of the transaction, you're either seeing the sender, the maker, or the receiver, or you're on the other side, there are some ways to be able to enforce good behavior by chargebacks or unauthorized transfers; you know, those types of things are returned to maker on the check side. So what we're seeing here is this new product that did not factor fraud into its overall revenue model; it was all about cost avoidance. And as a result, they tried to make the rules about the product in such a way that they wouldn't see fraud. It's a send-only mechanism. It's not a receive mechanism; you can request it, but it has to be pushed out by the account owner or whoever's in control of the device. That's the authenticator for that particular account. And there hasn't been a good mechanism for charging back. So the one rule that governs this approach is Regulation E, and Reg E has three aspects to it, but the primary one that they focus in on for Zelle transactions is whether the transaction was unauthorized. In many of these cases, the customer is fooled, whatever is happening with that particular scam - and they have a long list of them here, of the ones that have been seen - and the customer at some point is saying, "Here's my money", or their MFA has been hijacked to make it look like it's their money. But that's the kind of key differentiator the banks are pointing to: "You said that it was authorized. So you can't come back later and say that it's not authorized." So that's why very few customers are being reimbursed. For me, the big differentiator between this and why it's misunderstood, compared to something like a credit card transaction: if you're a credit card merchant, there are certain things you need to go through to establish yourself as a merchant, and then as you're operating, those credit cards hold back some funds for chargebacks. If you have a high chargeback rate, you're either going to be subject to higher fees or you'll be kicked out of the network altogether. We don't have that same infrastructure mechanism around Zelle. It's made to be like cash. And I know some scams have hit the Pollino household and also people in the neighborhood, and they'll understand that Zelle is like cash. It's not like a credit card. It's not like these other transactions where you can say, "The services weren't provided, the goods were never delivered, claw this thing back." No, the money is gone. And so I think there's a combination of innovations in the product to help protect consumers, but also education for the consumer so they understand and know what Zelle is, and don't just think about it with the lens of some of the other common payment mechanisms that we have in the industry.
Delaney: Yeah. You mentioned regulation earlier. Warren concluded in her report that regulatory clarity is needed to further protect Zelle users. Do you agree? Because some banks disagree.
Pollino: Well, I definitely see both sides of the overall equation. I think, generally speaking, the banks are better at regulating themselves. And, you know, when you look at the ecosystem that has come up with the card networks, and how they've been able to create something that's advantageous whether you're a merchant acquirer or a network, they've been able to work that out. Sometimes, you know, the mechanisms that come through government regulation aren't as nimble and aren't as effective as they were when they were originally penned and put to paper. But I do see that there is a huge opportunity here to make sure that we're not banking scammers, and that if we're allowing accounts to be taken over by scammers as a destination, there should be a little bit more onus on that receiving institution to give the money back. And there also should be a greater mechanism to share information, to be able to understand where that money is going, and to have some sort of a mechanism so that if it is a suspicious destination, or if all of a sudden the transactional volume or the account is being used outside of what your KYC or CDD process indicated, you know, some action would be taken by the receiving bank. That way the individuals who are being scammed might have some recourse that's not there today.
Delaney: And as ever, David, what can organizations, merchants and networks take away from this?
Pollino: Well, you know, if you look at the scams that are being perpetrated over Zelle, there are a couple of new ones, but most of them are kind of the tried and true ones that we've seen over and over again. You have the impersonation, you know, grandparent or friend scam; you have overpayment scams, which is a slightly different, you know, twist to it; you have these utility scams; you have law enforcement, "Hey, you need to pay your taxes, or we're going to come arrest you"; the lottery scams; all those types of things. The banks, I think, need to do a better job of educating the consumer at the point of transaction, to be able to point out, "Does your transaction look like this?" You know, maybe ask them some questions, especially when they're first-, second- or third-time Zelle users, to understand how this money is being used. Let them know that it's cash, it cannot come back, and make sure that they understand the operating rules. You know, my wife's been married to a banker for 27 years. And, you know, her mom was selling a couch, and the business upgrade scam, you know, came through my house, and we didn't lose the money, but it was "Hey, you know, you upgrade your Zelle account by sending additional money," and she even got a, you know, Zelletechsupport@gmail.com, you know, official-looking notification that they needed to do it. And, you know, it really preys on people's misunderstanding of the product and how it works. And I was able to intervene before the actual loss could take place. But I think there needs to be a better educational program, because right now, if you do a Google News search of Zelle, all it talks about is fraud. It doesn't talk about how to use it correctly, what it actually is, or how it can be used safely.
Delaney: Yeah, very true. Well, not everybody has a David Pollino in their household. So, education is key, for sure. Thank you very much, David. Always informative. Thank you. So let's bring the gang together. A question outside the box, perhaps. What is something outside of, or unrelated to, cyber, privacy, or even anything legal that helps you in your current roles?
Sotto: I can start, if you like. It used to be that privacy and cyber were esoteric issues that were certainly not part of the usual daily discussion, and now we're seeing enormous social and legal relevance to these issues. So, every day, there are new headlines. And it's always fascinating to me to see how far we have progressed in the last 20 years in these areas.
Delaney: Yeah, sure. David?
Pollino: Yes, one positive development I've seen with companies in the last few years is that security and privacy, and also the tools and techniques that we use in this industry, can also be used to do good. So, you see some companies that are either investing in fighting things like human trafficking, devoting a certain portion of their revenue to fund charities that are related to human trafficking, and also some of the mechanisms that you use to detect fraud and scams can also be used to detect human trafficking. But that's all part of an overall larger trend in the industry, where, you know, companies are saying, "We're going to feed people, we're going to clothe people, we're going to take care of a need from a charity perspective." And I think that's great. I also see companies offering their employees the ability to do recurring volunteer hours. And those volunteer hours, for a cybersecurity professional, maybe they're helping out an educational institution or a not-for-profit or a religious organization. So you're having a community that is focusing on giving back, with skills that are in demand and in short supply, and I think that definitely is a positive development in cybersecurity.
Delaney: Yes, for sure. Tom, anything unrelated to cyber that helps you in your role?
Field: Oh, 100%. And, as you know, my girlfriend and I sing and perform in elder care facilities on the weekends, and that's a huge boost, just to get out and express a little bit through music and be able to bring in some different kinds of energy. That helps enormously.
Delaney: Okay, well, it's great to end on a positive note. Thank you very much, Lisa Sotto and David Pollino.
Pollino: Thanks for having us.
Sotto: Thank you.
Delaney: It's goodbye from us.