Archives: Cyber Security

Subscribe to Cyber Security RSS Feed

Please Add Internal Threat Monitoring to NYDFS’s Cyber Security Requirements for Banks and Insurers

One best practice missing from the New York State Department of Financial Services’ announcement of potentiabigstock-Stack-of-manilla-file-folders-30317660-1080x675l new cyber security regulation requirements for banks and insurers was the need to develop an approach to monitor internal threats, including the detection of anomalous conduct by employees.

The FBI, SEC, and others have identified dishonest acts by employees as one of the major causes of data security breaches.  In fact, it’s one of the areas audited under the FFIEC’s Cybersecurity Assessment ToolRead More

Answers to Frequently Asked Questions on DoD’s New Cyber Security Regulations

faqDoD recently published answers to 43 frequently asked questions on the Department of Defense Network Penetration Reporting and Contracting for Cloud Services regulations.  The FAQs document is available here.  In addition, you can read our blogs posts on the new regulations below.

Read More

Financial Institutions Warned of Increased Cyber Attacks Involving Extortion

bankThe Federal Financial Institutions Examination Council (FFIED) warned financial institutions of the increasing frequency and severity of cyber attacks involving extortion resulting from ransomeware, denial of service attacks, and theft of sensitive business and customer information to extort payment and other concessions from victims.

The FFIEC recommends that financial institutions develop and implement programs to ensure that the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks, including:

  • Conducting ongoing information security risk
Read More

Privacy in the Cloud: Protecting Yourself

cloud-computing-magnifiDemand for cloud computing is mounting swiftly, with double-digit annual growth rates expected through 2018.

Use of a remote, shared computer network to store, manage and process data can save time and money by eliminating the need for a local data center and an IT team to run it. Whether on a smart phone, a laptop or a desktop computer, cloud computing gives users immediate access to data anywhere there is an Internet connection.

Gartner, one of the world’s foremost … Read More

Top Five Privacy Risks in Web Applications

web appsThe Web hosts a vast array of applications, many of them critical for business operations, from office suites such as Google Docs, to email, calculators, spread sheets and data storage.

Nearly all mobile applications connect to the cloud, storing private business information, user names, passwords and other sensitive content. Employees tie into the Web with mobile device apps such as Google Maps, LinkedIn and Wink, which allows users to see from afar who is ringing the home doorbell or lets … Read More

How an Incident Response Plan Can Reduce Your Cyber Insurance Costs

ponemon-institutePreparing for a breach can greatly reduce the cost of a breach according to the Ponemon Institute. Thus, insurers reward those organizations who have taken preparatory steps and implemented defensive measures such as an incident response plan and designated a team to execute that plan. An incident response plan will identify the actions that should be taken when a data incident occurs. Having an incident response plan can result in lower premiums.

Since securing cyber liability insurance is now a … Read More

Taft Incident Response Planning Webinar Nov. 4

An incident response plan can lead to a better roadmap for securing cost-effective cyber liability insurance and, consequently, lower costs associated with a data breach.

The adoption of an incident response plan is a major indicator to underwriters that an organization is sophisticated and understands that incidents do occur regularly within firewall perimeters and that the organization has an early detection, containment and eradication plan in place to manage incidents, thus protecting data more effectively.

Early detection minimizes the time … Read More

Why Benjamin Franklin Would Want to See Your Incident Response Plan

Ben-FranklinFire prevention elements played a large role in the planning of Philadelphia; streets were wider than average and brick and stone were common building elements. Despite these preventive measures and the efforts of firefighters, fires did still occur. Benjamin Franklin began to study this situation and stated “About this time I wrote a paper…on the different accidents and carelessness by which houses were set on fire, with cautions against them, and means purposed of avoiding them.” In 1736 Franklin and … Read More

Cyber Insurance: Why You Need It If Your Organization Collects Consumer Data

Two recent cases and NetDiligence’s 2015 Cyber Claims Study suggest that every organization that collects personally identifiable information from consumers should consider buying cyber insurance. PII-Image-672x372

Consumer businesses, non-profits, and government-run utilities often collect consumer personally identifiable information, such as full names, dates of birth, social security numbers, account user names and passwords, etc., in the course of their operations. Many states regulate how such personally identifiable information can be collected, recorded, stored, used, and disposed. If your organization does business … Read More

Law Firms Targeted by Cyber Attacks

Law firms are increasingly becoming the target of cyber attacks. Below is a phishing attack email example. (You can read Diane Reynolds’ blog post on phishing attacks here.) Basically, bad guys want you to open an email and click on a link that provides them access to your computer and our network. There are some simple ways to spot a phishing email.

First, ask yourself why would UPS send you an email to complete a shipment? Never happens.

Second, why … Read More

The Most Common Breach Incident and How an Incident Response Plan Could Save You

Emailing A phishing attack is the leading type of data breach. Phishing is an e-mail fraud method in which the perpetrator sends out a legitimate-looking email in an attempt to gather personal and financial information from a recipient.

The logic behind this type of attack is a simple reliance on human error. Statistically, if enough e-mails are sent, a sufficiently large number of recipients, who are rushed or distracted, will fail to scrutinize the IP address. They will click on the … Read More

Six Steps to Reduce Your Cybersecurity Risk

SECHere are six lessons you can start using today from the SEC’s Investment Management Division guidance on protecting confidential information from cybersecurity risks.

The staff of the Investment Management Division of the U.S. Securities and Exchange Commission (“Staff”) recently issued guidance to both registered investment companies (“funds”) and registered investment advisers (“advisers”) regarding the ever present cybersecurity risks these entities face and measures they might adopt to protect the confidential and sensitive information that they collect, maintain, transfer, and … Read More

Corporate Boards Beware: The FTC is Watching

FTCNow, more than ever, corporate boards must ensure their cybersecurity measures are up to par, funded, and properly implemented to avoid the FTC’s wrath. Corporate boards need to be cognizant of both ensuring that their cybersecurity measures are consistent with best practices and with nationally and internationally recognized data security standards — and that those cybersecurity measures can actually be met through commitment of sufficient resources. Otherwise, the Federal Trade Commission may find fertile ground to scrutinize the company, and … Read More

Why Do You Need an Incident Response Plan?

speedAll companies have employee, proprietary, financial and other sensitive data that require protection. Human error is still one of the most common causes of a data breach and that is very difficult, if not impossible, to completely eradicate.  Moreover, with the recent release of the Yates Memorandum from the Department of Justice (“DOJ”), the DOJ is emphasizing best practices when dealing with individuals in connection with corporate wrongdoing.  To quote my colleague, Jackie Bennett, “…now is the time to … Read More

Privacy and Data Security Attorneys Presenting at Three Upcoming Seminars

Northern Kentucky University’s Annual CyberSecurity Symposium
Oct. 9, 2015
NKY Mets Center
Matthew D. Lawless, presenter: “Considering Privacy and Data Security Harms.”

Technology First, 9th Annual Taste of IT Conference
Nov. 18, 2015
Sinclair Ponitz Center, Dayton, Oh
Diane D. Reynolds, panelist and Matthew D. Lawless, panel moderator.
“Cybersecurity Compliance: If it ain’t working for Anthem, Lifelock and Neiman Marcus, What am I Supposed to do for My Company?”

Indiana University Kelley School of Business’ “Indiana Read More

Checklist for Complying with the DoD Contracting for Cloud Services Regulations

*This is the fourth post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)

Today’s post provides a compliance checklist for contracting for cloud services regulations relating to the new DoD cyber security regulations and also details the ramifications for failure to comply … Read More

Checklist to Comply with the Duties and Obligations of the Network Penetration Reporting Regulations

*This is the third post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a handy compliance checklist relating to the new DoD cyber security regulations.

  1. Acquire a DoD-approved medium assurance certificate to report cyber incidents. (Source: DFARS 252.204-7012(c)(3)Check list
  2. Provide
Read More

Introduction to the New DoD Cyber Security Regulations

*This is the first post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense (“DoD”) on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides an introduction to the new DoD cyber security regulations.

Cloud securityThe DoD decided to implement the new cyber security regulations, and make them effective immediately upon … Read More

Is a U.S. Consumer Privacy Law Coming?

Far-reaching legislation that would establish new privacy and security protections for U.S. consumers has been introduced in Congress by a group of Democratic senators, including Patrick Leahy of Vermont and Elizabeth Warren of Massachusetts.

The Consumer Privacy Protection Act goes further than other federal data protection proposals by establishing stricter standards for notifying customers when their personal information is lost or stolen. It would cover private information beyond financial data that is typically already covered by state laws, such as … Read More

Internet of Things: A huge realm of opportunity — and risk

The Internet of Things goes by a deceptively simple title but includes a vast – and mushrooming – network of physical objects or “things” that connect to the Internet through embedded sensors, electronics and software, allowing them to exchange data with the operator of the object, its manufacturer or other connected devices.

Some are calling it the next stage in the information revolution, a way to make everything in our lives “smart,” from cars, roads and traffic control systems to … Read More

Seventeen Taft Privacy and Data Security Attorneys Listed in Best Lawyers in America 2016

Taft Stettinius & Hollister LLP is pleased to announce that 17 attorneys from its Privacy and Data Security group have been selected for inclusion in Best Lawyers of America® 2016. Responding to data breaches often requires a multi-faceted response approach, drawing from a broad depth of legal experience. The following Privacy and Data Security attorneys are honored by Best Lawyers®:

  1. Gregory W. Bee
  2. Jackie M. Bennett Jr.
  3. Charles A. Bowers
  4. Beth A. Bryan
  5. David J. Butler
  6. Brian G. Dershaw
Read More

Reynolds Named Columbus – Business Organizations “Lawyer of the Year” by Best Lawyers 2016

Reynolds_Diane_HiresTaft Stettinius & Hollister LLP is pleased to announce that Diane D. Reynolds has been named “Lawyer of the Year” – Columbus, Business Organizations (including LLCs and Partnerships) by Best Lawyers® 2016. “Lawyer of the Year” recognitions are awarded to individual attorneys with the highest overall peer-feedback for a specific practice area and geographic location. Only one lawyer is recognized as the “Lawyer of the Year” for each specialty and location.

Reynolds has an extensive background in corporate transactional, finance … Read More

Remijas v. Neiman Marcus—Overhyped and Overblown

The Seventh Circuit’s ruling in Remijas v. Neiman Marcus Group, LLC may have removed a substantial hurdle for data-breach class actions (as we previously discussed) by holding that “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” were sufficient to confer Article III standing.  But does that ruling remove all of the major obstacles to data-breach class actions?  Absolutely not.  There are still additional daunting hurdles in a plaintiff’s path to obtaining class certification … Read More

Getting Compliant With the EU Cookie Law

Google recently sent out a letter to users of its AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange products.  It looked like this:

Dear Publisher,

We want to let you know about a new policy about obtaining EU end-users’ consent.
It clarifies your duty to obtain end-user consent when you use products like Google
AdSense, DoubleClick for Publishers, and DoubleClick Ad Exchange . . .
Please ensure that you comply with this policy as soon as possible, and
not later
Read More