The saga surrounding the St. Louis Cardinals hacking scandal concluded with the issuance of a final punishment from MLB. The scandal stemmed from the actions of the former Cardinals scouting director Chris Correa, after he illegally accessed the e-mail accounts of members of the Houston Astros front office as well as their scouting database. The Cardinals were ordered to forfeit their top two selections in the upcoming 2017 amateur draft to the Astros and pay them two million dollars within … Read More
The Office of Civil Rights’ (OCR) first HIPAA settlement of 2017 is based on a failure to report a breach of health information in a timely manner. The settlement was reached with Presence Health, a large health care network that operates in approximately 150 locations in Illinois. Presence Health has agreed to settle the potential violations by paying a fine of $475,000 and implementing a corrective action plan to deal with this problem in the future.
The settlement stems from … Read More
To effectively guard against an enemy of any kind it’s important to know your enemy. This strategy is just as effective when fighting an online battle to protect your company’s data.
Before you can effectively defend against cyberattacks, it is important to educate yourself on potential threats and how to handle them. We invite you to join us on September 7 for part two of the Columbus Cybersecurity Series, in which FBI agent David Fine returns. During this portion of the … Read More
Savvy in-house counsel and business owners often ask whether the insurers selling cyber policies actually pay claims or whether the policyholders are just buying the right to later sue the insurers for coverage. The initial wave of cyber insurance litigation involved policyholders trying to obtain coverage for data breaches under their standard commercial general liability policies. This produced mixed results, with some courts finding coverage while others did not. The next wave of cyber insurance litigation involved policyholders asserting … Read More
The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS, 252.204-7008(c)(1).
However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a … Read More
Indiana law does not grant consumers the right to sue Anthem or any other database owner for negligence following a data breach, according to the federal judge presiding over the Anthem data breach multi-district litigation. Order, In re Anthem, Inc. Data Breach Litig., No. 15-MD-2617 (N.D. Cal. Feb. 14, 2016).
Instead, Indiana law grants consumers only the right to be notified of the data breach without unreasonable delay. Indiana Code § 24-4.9-3-1. If notice is not properly given, … Read More
The U.S. Department of Defense published its Network Penetration Reporting and Cloud Computing Services regulations as an interim rule in August 2015 and updated them in December 2015. Watch this new webinar replay at your convenience to learn about the regulations, how they may impact your business, and the concerns of industry groups. Click HERE to watch the webinar in its entirety.
You need cyber insurance to protect your organization from the potentially devastating financial harm that often follows a data breach, and to protect your brand and guard your reputation. Cyber insurance can help your organization survive a breach and pay the cost to notify customers of the breach and offer them credit monitoring services, defend your organization from class action lawsuits by customers, banks / credit card companies, and shareholders, and defend government investigations and enforcement proceedings. There are no standard-form … Read More
One way to consider how they’re different is to think of data privacy as the who and what of confidential information that must be kept safe and data security as the how, the means for keeping it safe.
Put another way, data privacy focuses on the individual whose private information is at … Read More
The Federal Financial Institutions Examination Council (FFIEC) warned financial institutions of the increasing frequency and severity of cyber attacks involving extortion resulting from ransomware, denial of service attacks, and theft of sensitive business and customer information to extort payment and other concessions from victims.
The FFIEC recommends that financial institutions develop and implement programs to ensure that the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks, including:
- Conducting ongoing information security risk
Use of a remote, shared computer network to store, manage and process data can save time and money by eliminating the need for a local data center and an IT team to run it. Whether on a smart phone, a laptop or a desktop computer, cloud computing gives users immediate access to data anywhere there is an Internet connection.
Gartner, one of the world’s foremost … Read More
Nearly all mobile applications connect to the cloud, storing private business information, user names, passwords and other sensitive content. Employees tie into the Web with mobile device apps such as Google Maps, LinkedIn and Wink, which allows users to see from afar who is ringing the home doorbell or lets … Read More
Law firms are increasingly becoming the target of cyber attacks. Below is a phishing attack email example. (You can read Diane Reynolds’ blog post on phishing attacks here.) Basically, bad guys want you to open an email and click on a link that provides them access to your computer and our network. There are some simple ways to spot a phishing email.
First, ask yourself why would UPS send you an email to complete a shipment? Never happens.
Second, why … Read More
A phishing attack is the leading type of data breach. Phishing is an e-mail fraud method in which the perpetrator sends out a legitimate-looking email in an attempt to gather personal and financial information from a recipient.
The logic behind this type of attack is a simple reliance on human error. Statistically, if enough e-mails are sent, a sufficiently large number of recipients, who are rushed or distracted, will fail to scrutinize the IP address. They will click on the … Read More
The staff of the Investment Management Division of the U.S. Securities and Exchange Commission (“Staff”) recently issued guidance to both registered investment companies (“funds”) and registered investment advisers (“advisers”) regarding the ever present cybersecurity risks these entities face and measures they might adopt to protect the confidential and sensitive information that they collect, maintain, transfer, and … Read More
All companies have employee, proprietary, financial and other sensitive data that require protection. Human error is still one of the most common causes of a data breach and that is very difficult, if not impossible, to completely eradicate. Moreover, with the recent release of the Yates Memorandum from the Department of Justice (“DOJ”), the DOJ is emphasizing best practices when dealing with individuals in connection with corporate wrongdoing. To quote my colleague, Jackie Bennett, “…now is the time to … Read More
Northern Kentucky University’s Annual CyberSecurity Symposium
Oct. 9, 2015
NKY Mets Center
Matthew D. Lawless, presenter: “Considering Privacy and Data Security Harms.”
Technology First, 9th Annual Taste of IT Conference
Nov. 18, 2015
Sinclair Ponitz Center, Dayton, OH
Diane D. Reynolds, panelist and Matthew D. Lawless, panel moderator.
“Cybersecurity Compliance: If it ain’t working for Anthem, Lifelock and Neiman Marcus, What am I Supposed to do for My Company?”
*This is the fourth post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a compliance checklist for contracting for cloud services regulations relating to the new DoD cyber security regulations and also details the ramifications for failure to comply … Read More
*This is the third post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a handy compliance checklist relating to the new DoD cyber security regulations.
- Acquire a DoD-approved medium assurance certificate to report cyber incidents. (Source: DFARS 252.204-7012(c)(3))
Far-reaching legislation that would establish new privacy and security protections for U.S. consumers has been introduced in Congress by a group of Democratic senators, including Patrick Leahy of Vermont and Elizabeth Warren of Massachusetts.
The Consumer Privacy Protection Act goes further than other federal data protection proposals by establishing stricter standards for notifying customers when their personal information is lost or stolen. It would cover private information beyond financial data that is typically already covered by state laws, such as … Read More
The Internet of Things goes by a deceptively simple title but includes a vast – and mushrooming – network of physical objects or “things” that connect to the Internet through embedded sensors, electronics and software, allowing them to exchange data with the operator of the object, its manufacturer or other connected devices.
Some are calling it the next stage in the information revolution, a way to make everything in our lives “smart,” from cars, roads and traffic control systems to … Read More
Taft Stettinius & Hollister LLP is pleased to announce that 17 attorneys from its Privacy and Data Security group have been selected for inclusion in Best Lawyers of America® 2016. Responding to data breaches often requires a multi-faceted response approach, drawing from a broad depth of legal experience. The following Privacy and Data Security attorneys are honored by Best Lawyers®:
- Gregory W. Bee
- Jackie M. Bennett Jr.
- Charles A. Bowers
- Beth A. Bryan
- David J. Butler
- Brian G. Dershaw
The Seventh Circuit’s ruling in Remijas v. Neiman Marcus Group, LLC may have removed a substantial hurdle for data-breach class actions (as we previously discussed) by holding that “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” were sufficient to confer Article III standing. But does that ruling remove all of the major obstacles to data-breach class actions? Absolutely not. There are still additional daunting hurdles in a plaintiff’s path to obtaining class certification … Read More
The Seventh Circuit may have gone a long way to opening a flood of data-breach class actions when it held that “injuries associated with resolving fraudulent [credit-card] charges and protecting oneself against future identity theft” suffice as injuries to confer Article III standing on the plaintiffs in Remijas v. Neiman Marcus Group, LLC.
Standing (whether a plaintiff has suffered an injury the courts will recognize) has historically proven to be a substantial hurdle to plaintiffs seeking to bring class … Read More