Hungry, Hungry HIPAA

HIPAA compliance

One recent case that didn’t get much attention, but should have, clarifies Ohio health care providers’ potential exposure for the unauthorized disclosure of patient health information (“PHI”).  On August 14, 2015, the Second District Court of Appeals decided Sheldon v. Kettering Health Network. [i]   In Sheldon, the Second District addressed patients’ rights related to the unauthorized disclosure of PHI.  Although the plaintiff was ultimately unsuccessful, the court affirmatively held that the Health Information Portability and Accountability Act (“HIPAA”) does not prevent a patient for asserting a common law tort claim for unauthorized disclosure of medical information.  On February 10, 2016, the Ohio Supreme Court declined to review the correctness of the Second District’s decision.  At that point, Sheldon effectively removed more than fifteen (15) years of gray area on the matter.[ii]

Prior to Sheldon, the Ohio Supreme Court decided Biddle v. Warren Gen. Hosp.[iii]  In Biddle, the Court held that, in Ohio, a physician can be held liable under Ohio common law for unauthorized disclosures of medical information.  The cause of the “gray area” was that the Supreme Court decided Biddle before HIPAA’s privacy-rule regulations were published on December 28, 2000 and before its security-rule regulations took effect on April 21, 2003.[iv]   The Sheldon case provides considerable clarity on exactly how HIPAA and the HITECH Act coexist with Ohio common law tort claims.

One point verified by Sheldon is that, according to Ohio law,  HIPAA does not allow a private cause of action.[v]  However, the Second District then concluded that HIPAA does not preempt an Ohio state law claim for the independent tort recognized by the Ohio Supreme Court in Biddle:

“[T]he unauthorized, unprivileged disclosure to a third party of nonpublic medical information that a physician or hospital has learned within a physician-patient relationship.”

The Second District went on the refer to such actions as “Biddle claims.”   The Second District went a step further in addressing how the standards delineated in the HIPAA regulations interact with Biddle claims.

The Second District held that violation of HIPAA does not provide for negligence per se claims.  The Court reasoned that to allow such a claim would essentially override HIPAA’s explicit prohibition of private causes of action.[vi]   However, buried in the Sheldon decision is one sentence that should send a shiver down the spines of physicians and the attorneys who represent them:

“[T]he violation of an administrative rule does not constitute negligence per se; however such a violation may be admissible as evidence of negligence.”[vii]

Essentially, HIPAA may not allow for a private cause of action, but according to Sheldon, a health care provider’s HIPAA dirty laundry can still be heard by a jury in conjunction with a Biddle claim.

More troubling is that recent Federal case law, although only persuasive authority for Ohio state claims, will make it much easier to get these types of cases to a jury.

In  July 2015, the Federal Seventh Circuit Court of Appeals decided Remijas v. Nieman Marcus Group, LLC[viii]a case involving a massive data breach.  The Seventh Circuit overruled the trial court’s ruling in holding that “injuries [of customers] associated with resolving fraudulent charges and protecting oneself against future identity theft do” provide sufficient standing to maintain a cause of action for those affected by a data breach.[ix]  Thus, in situations where a data breach has occurred, but no actual identity theft has occurred, Remijas establishes the framework for plaintiffs’ lawyers to overcome the heretofore solid defense of lack of standing due to intangible and speculative damages.   Although no Ohio court has applied the reasoning of Remijas, there is now a viable legal argument to be made in Ohio state law negligence claims.

With the spate of data breaches in the health care industry occurring around the country (including several in the state of Ohio), HIPAA covered entities must take action to ensure that information security processes and procedures are in place. Not only because the impending threat of litigation or the fact that the Department of Heath and Human Services has announced that 200 new HIPAA audits are in the pipeline for 2016.[x]  It is simply the right thing to do.  Perhaps the Hippocratic oath, in our digital age, should extend to patients’ identity as well as their health and wellness.

Ickes Holt is a full-service, team-driven, and client focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations and Ickes Holt is dedicated to advising clients on how to protect its information. Please contact us to discuss establishing or improving the information governance policies for your organization.

 

[i] Sheldon v. Kettering Health Network, 40 N.E.3d 661(App. 2d Dist. 2015)

[iii] Biddle v. Warren Gen. Hosp. , 86 Ohio St.3d 395, 401,1999-Ohio-115, 715 N.E.2d 518 (1999)

[iv]Sheldon at 671

[v] Id. at 670 citing Henry v. Ohio Victims of Crime Comp. Program, S.D.Ohio No. 2:07-cv-0052, 2007 WL 682427 (Feb. 28, 2007)

[vi] Id. at 674

[vii]Id. citing Chambers v. St. Mary’s School, 82 Ohio St.3d 563, 1998-Ohio-184, 697 N.E.2d 198 (1998)

[viii] Remijas v. Neiman Marcus Group, LLC, 794 F3d 688 (7th Cir. 2015)

[ix] Id.

[x] Raths, David, OCR’s Samuels Describes Launch of Phase 2 of HIPAA Audit Program, Health Care Infomatics, March 19, 2016

Information Security and Privacy Round-Up: Memphis Neurology & Fazio Mechanical

identity theft in memphis

Information security and privacy is an incredibly broad and pervasive topic.  It spans across industries, relates to private and public sectors, affects small business to publicly traded companies, is governed by federal and state legislation, is enforced by regulators and courts, and incorporates IT and legal solutions.  Information is the DNA of the modern world.  It is everywhere – our computers, our phones, our cars, our homes, our businesses, the cloud.  We have unprecedented access to each other, and as a result, other people have unprecedented access to our information. The boundaries of information security are continually being stretched by the dramatic leaps in technology and ever shifting societal norms.

Events in the information security realm occur so quickly that it is difficult, even for privacy professionals, to keep current.  This article will provide an overview of some recent information security cases, both which illustrate the concept that small to mid-sized business are the most vulnerable to, and least equipped to prevent, information security attacks.

Memphis Neurology Case:  In February, the U.S. Attorneys’ office indicted Jeremy Jones on charges of identity theft, fraud, and conspiracy.  Jones is accused of conspiring to steal the identities of more that 145 patients of Memphis Neurology, as well as customers of car dealerships and other people he knew.  Jones used the stolen identities to apply for loans and credit cards, and to open banks accounts in the victims’ names.   The estimated loss to the defrauded financial institutions is $1,660,587.30.

The Memphis Neurology case presents significant information security concerns, namely, insider threats and access controls.  Memphis Neurology is a regional, private neurological practice with five locations.[i]  The practice has been in business since the 1970’s.  Jones allegedly conspired with an employee of Memphis Neurology to steal patient information from the practice’s database.[ii]   The scheme allegedly began in 2011 and continued through 2015.[iii]

This case underscores the importance of: (1) training employees about information security: (2) clearly communicating to employees the consequences for intentional and unintentional security breaches; (3) properly screening potential employees during the hiring process; (4) conducting periodic audits of information security practices for efficacy and potential breaches; and (5) ensuring access to patient information is properly limited to authorized employees, including organizational and physical security.  These items are crucial components to an overall information security governance program, which is required by HIPAA and the FTC Act, as well as necessitated by the modern world in which small to mid-sized medical practices operate.

Jeremy Jones is facing criminal charges.  The financial institutions are facing the loss of $1,660,587.30.  But, what about Memphis Neurology?  What are the potential consequences to the practice?  First, they almost certainly lost existing and future customers.  Second, they face potential investigation and enforcement by the Federal Trade Commission and/or the Department of Health and Human Services.  An investigation and enforcement action will cost Memphis Neurology significantly in legal fees and lost productivity.  Further, the FTC and HHS are not averse to levying heavy financial penalties for violations.  Finally, while neither the FTC Act or HIPAA provide a private right of action, there is an increasing trend of state courts adopting federal statutory/regulatory frameworks as the “standard of care” in common law negligence actions.[iv]  This trend could expose Memphis Neurology to state court negligence lawsuits brought by the patient victims.

Target Breach-Fazio Mechanical.  Most people are aware of the Target breach in 2013.  In fact, most people probably held their breath waiting for notice from the retail giant that their information had been compromised.  The fallout from the Target breach has been staggering:

  • 110 million customers’ information exposed
  • Immediate 50% drop in profits at the time of the breach from the previous year
  • Consumer and media backlash
  • Approximately $252 million spent to manage the breach
  • An escrow account of $10 million set aside for compromised customers
  • Ongoing litigation and regulatory action
  • Target CEO ousted
  • Potential personal exposure to fines and monetary damages for Target executives[v]

What is not commonly known is the source of the hack leading to the Target breach.  According to Krebs on Security, hackers gained access to Target’s network via one of its vendors, Fazio Mechanical, a Pennsylvania based refrigeration company.[vi]  According to investigators, the Target breach “traces back to network credentials” issued to Fazio by Target.   Fazio has stated that its data connection to Target “was exclusively for electronic billing, contract submission and project management[.]”[vii]

It appears that Target’s network credentials were stolen by means of email “phishing” attack sent to employees at Fazio.  Facts indicate that one or more Fazio employees opened the phishing email, thus infecting Fazio’s system and delivering Target’s network credentials to the hackers.  The hackers then planted malware on Target’s system and began stealing credit card data from thousands of Target’s registers nationwide.

Target receives and retains an immense amount of customer information.  As the recipient of this information, Target had a duty to ensure that the third party vendors with which it works have adequate security controls.  There is no question that Target should have done a better job of auditing Fazio’s information security controls and ultimately bears responsibility for the breach.   However, while Target is certainly culpable for the breach (namely failing to timely act on the breach[viii] and sending out inadequate data breach notifications[ix]), it was undoubtedly prepared for the possibility of an attack.  Six months prior to the breach, the retailer had started installation of a $1.6 million malware detection tool designed by FireEye.  FireEye is a leading cyber security firm who provides services to the CIA and the Pentagon.  Target employed a security squad in Bangalore to monitor its system 24/7.[x]  Despite these measures and obscene financial resources, Target was hacked and is now facing reputational damage, lawsuits, and regulatory enforcement.

And it is, in large part, Fazio’s fault.

True, if it wasn’t Fazio, it likely would have been another vendor.  Or perhaps, malefactors could have penetrated Target’s system directly.  However, the facts surrounding the Target breach point blame directly to an unremarkable, “mom and pop” business lacking any information security policies and practices.  In stark contrast to Target’s measures, Fazio primarily relied on the free version of Malwarebytes Anti-Malware (“MBytes”) to detect malicious software on its systems.[xi]  It is unknown if Fazio employed any actual information security protocols, but based on their use of MBytes, it seems likely that they did not.

What is more inexplicable was Fazio’s response to its role in the Target breach.  In a press release, Fazio stated it was “the victim of a sophisticated cyber attack operation,” and further that its “IT system and security measures are in full compliance with industry practices.”[xii]  Clearly, Fazio was out of its depths concerning the technical aspects of information security as well as willfully or unintentionally ignorant of its duties under applicable state and federal law.

First, phishing attacks are not “sophisticated.” Phishing attacks are common.  They are not targeted, but instead use a “blast” approach to distribute the poison pill email as widely as possible.  In fact, email phishing attacks are so unsophisticated that they can be defeated by simply ignoring and deleting the email.[xiii]

Second, while MBytes is a reputable malware program, it is seriously limited.  The free version is an on-demand scan and kill program, which means a user must actually run the scanner or set it to run at scheduled times.  Also, the free version of Mbytes does not offer real-time protection against threats.  Real-time protection means that the software actually blocks or stops malware that is actively trying to infect a system.  Imagine a pop-up blocker, which is a real-time protector.  A pop-up blocker that did not protect in real-time would effectively allow the pop-up to appear, and then only remove the pop-up when the user prompts it to do so.  Essentially, a non-real time malware program is ineffective to prevent malware infections.

Third, Fazio clearly was not in compliance with industry practices.  We have already discussed the limited capabilities of free MBytes above.  Further, the free version of Mbytes is made explicitly for individual users and its license prohibits corporate use.[xiv]  Fazio violated this license, which is definitely not an industry standard. Finally, there is no evidence that Fazio employed any reasonable information security policies and procedures, let alone a written program including preventative measures, training, incident response strategy, and data breach notification plan.  Thus, Fazio quite literally failed to meet the requirements of state and federal information security laws, which ARE the industry standard.[xv]

Information security is not a problem for “big” companies.  Information security is not IT’s problem.  Information security is everyone’s problem.  Do you think your organization is somehow protected from phishing attacks?  It happened to Fazio Mechanical.  Fazio’s role in the Target breach proves that the “little guys” cannot ignore their place in the global marketplace.   According to the Privacy Rights Clearinghouse, 621,955,664 records have been breached in the U.S. since state data breach notifications laws went into effect in 2005.  Those are only the ones that have been reported—experts think the figure is actually much larger.[xvi]

In this modern age, it is best practice to assume that your organization has already been breached or will be breached in the future.  The only way to prevent a breach is to put solid information security policies and procedures into place, train your employees, and regularly test your network security.

Ickes Holt is a full-service, team-driven, and client focused law firm in Northeast Ohio concentrating on information security and governance. Information is the DNA of modern organizations and Ickes Holt is dedicated to advising clients on how to protect its information. Please contact us to discuss establishing or improving the information governance policies for your organization.


 

[i]       http://www.memphisneurology.com/

[ii]      http://www.commercialappeal.com/blogs/news/on-the-docket/Memphis-man-indicted-for-allegedly-using-stolen-identities–369166781.html

[iii]      http://www.hipaajournal.com/man-indicted-for-5-year-identity-theft-spree-used-memphis-neurology-data-8321/

[iv]      http://www.thompsonhine.com/publications/de-facto-private-right-of-action-under-hipaa-is-ohio-next

[v]      http://www.huffingtonpost.com/eric-dezenhall/a-look-back-at-the-target_b_7000816.htmlhttps://www.privacyandsecuritymatters.com/2015/02/target-data-breach-price-tag-252-million-and-counting/; http://www.usatoday.com/story/money/business/2014/05/05/target-ceo-steps-down/8713847/

[vi]      http://krebsonsecurity.com/tag/fazio-mechanical-services/

[vii]     https://ickesholt.com/old/wp-content/uploads/2016/03/Target-Breach-Statement.pdf

[viii]     http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-datahttp://www.huffingtonpost.com/eric-dezenhall/a-look-back-at-the-target_b_7000816.html;

[ix]      http://www.pcworld.com/article/2089104/target-breach-notifications-are-a-perfect-example-of-what-not-to-do.html

[x]      http://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data

[xi]      http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xii]     https://ickesholt.com/old/wp-content/uploads/2016/03/Target-Breach-Statement.pdf;  http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xiii]     http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xiv]     http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xv]     See http://krebsonsecurity.com/tag/fazio-mechanical-services/

[xvi]     http://www.cnbc.com/2013/12/19/why-did-target-take-so-long-to-report-the-breach.html

Events on Corroborate Experts’ Identification of Ransomware as 2016 Top Threat

ransomware hacker

On February 5, 2016, Hollywood Presbyterian Medical Center was the target of a ransomware attack, in which malefactors seized control of the hospital’s computer systems and demanded a ransom in exchange for returning control.[i]  Initial reports indicated that the malefactors demanded 9,000 bitcoin, or $3.6 million, to unlock the system.[ii]  On February 17, 2015, the hospital paid a ransom of 40 bitcoin, or $17,000, to the malefactor.  The hospital was locked out of their system for almost two weeks, with no access to patient records.[iii]  More importantly, during this time, the malefactor had complete access to the patient records and other non-public privacy information of both the hospital’s patients and employees.

Ransomware is malicious software that allows a malefactor to infiltrate an organization’s systems, access and encrypt the organization’s data, and demand payment from the organization to decrypt or otherwise release the data.  Ransomware effectively allows a malefactor to hold an organization’s data, or even it’s entire system, hostage.[iv]  Ransomware attacks grew 113% in 2014.[v]  There were a total of 8.8 million ransomware attacks in 2014, up from 4.1 million in 2013.[vi]   Most experts anticipate that ransomware attacks will be a leading threat vector in 2016.

The Online Trust Alliance reports that malefactors have begun to intentionally select targets based on a variety of factors, including the value of the data, the size of the company, market value, and much more.[vii]  While targeted ransomware attacks are increasing in frequency, many malefactors still automatically send ransomware to large numbers of people in hopes that they will open it.  Organizations must be cognizant of, and prepared to deal with, both targeted and spammed ransomware attacks.

Researchers continue to discover new ransomware variants in greater numbers than ever before.[viii]  Many of these variants have new stealth functionalities.  For example, certain ransomware will stealthily encrypt the organization’s data in anticipation of eventual system backups.  When the system backs up, the ransomware and encrypted data will then “infect” both the organization’s system and all backups, making it that much more challenging for an organization to avoid paying the ransom. [ix]  Other real world examples of ransomware include threats to release the organization’s information to the Internet if the ransom is not paid.  Finally, as with all ransom situations, there remains the possibility that a malefactor will not relinquish control of the organization’s data and/or systems, or will follow through on the threat to release the data to the Internet even after the ransom is paid.  In many instances, however, the FBI is advising victims to pay the ransom.  This fact is a telling indicator of the overall inability of organizations and government to effectively deal with ransomware attacks.[x]

Additionally, the “ransomware-as-a-service” business model will continue to grow.[xi]  Ransomware-as-a-service allows inexperienced cybercriminals to access ransomware for free or for a nominal fee.  Once the target pays the ransom, the original author of the ransomware receives a 5% to 20% fee.[xii]  The availability of ransomware to a segment of people who do not have the knowledge or experience to code it themselves realistically creates a whole new breed of “lay” cybercriminals.   Additionally, the proliferation of ransomware creates a layer of anonymity for the actual author, which in turn reduces the risk exposure because they are not the one “pulling the trigger.”  The reduced risk of selling ransomware to a third party may embolden more experienced and talented hackers to engage in increasingly more frequent and diverse attacks, and for little reason other than making a quick buck.  The commoditization of cybersecurity threats is a dangerous development to which all organizations should pay heed.

Ransomware is typically contained in an infected attachment or link, and, once downloaded or opened by any employee, it locks all files on the device until the target pays a ransom to unlock it.[xiii]  This can occur on any electronic device connected to a company’s systems, including computers, tablets, or smartphones.[xiv]  Therefore, it is essential for organizations to: (1) educate themselves and their employees on information security and awareness, including current and emerging threats; (2) provide consistent and frequent training on email and Internet usage protocols; (3) monitor all employees’ use of computers and company issued mobile devices; and (4) restrict or limit employees’ use of personal computers, mobile devices, and wearable devices, or implement a Bring Your Own Device (“BYOD”) policy.  These minimum steps should be an organization-wide priority for 2016.


[i] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[ii] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html

[iii] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[iv] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[v] Symantec, Internet Secuirty Threat Report, 2015, 7, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[vi] Symantec, Internet Security Threat Report, 2015, 17, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[vii] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html.

[viii] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[ix] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[x] Steven Norton, ‘Ransomware’ Attacks to Grow in 2016, Says Intel’s McAfee Labs, The Wall Street Journal, November 10, 2015, http://blogs.wsj.com/cio/2015/11/10/ransomware-attacks-to-grow-in-2016-says-intels-mcafee-labs/.

[xi] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[xii] Dan Turkel, There are now programs that anyone can use to extort money from you, Business Insider, http://www.businessinsider.com/ransomware-as-a-service-is-the-next-big-cyber-crime-2015-12.

[xiii] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.

[xiv] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.


 

[1] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[1] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html

[1] Richard Winton, Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating, Los Angeles Times, February 18, 2016, http://www.latimes.com/local/lanow/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html.

[1] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[1] Symantec, Internet Secuirty Threat Report, 2015, 7, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[1] Symantec, Internet Security Threat Report, 2015, 17, https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf.

[1] Darlene Storm, Hollywood hospital hit with ransomware: Hackers demand $3.6 million as ransom, ComputerWorld, February 15, 2016, http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-with-ransomware-hackers-demand-3-6-million-as-ransom.html.

[1] Security Magazine, Ransomware Attacks to Grow in 2016, November 23, 2015, http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016.

[1] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[1] Steven Norton, ‘Ransomware’ Attacks to Grow in 2016, Says Intel’s McAfee Labs, The Wall Street Journal, November 10, 2015, http://blogs.wsj.com/cio/2015/11/10/ransomware-attacks-to-grow-in-2016-says-intels-mcafee-labs/.

[1] McAfee Labs, 2016 Threats Predictions, 2015, 24, http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf.

[1] Dan Turkel, There are now programs that anyone can use to extort money from you, Business Insider, http://www.businessinsider.com/ransomware-as-a-service-is-the-next-big-cyber-crime-2015-12.

[1] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.

[1] Stacy Collett, Five New Threats to Your Mobile Device Security, CSO Online (May 21, 2014), http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html.