Archives: Data Breach

Subscribe to Data Breach RSS Feed

Alabama Rolls with Tide as Last State to Adopt Breach Notification Law

Zachary HeckBy Zachary Heck on Posted in Data Breach

On March 28, 2018, over sixteen years after California passed the nation’s first data breach notification law, Alabama became the fiftieth, and final, state to join the club. As a result, any person or entity conducting business in the United States must be prepared to safeguard personal identifying information belonging to customers, clients, and employees, while also being ready to comply with all applicable state and federal laws and regulations.

What Data?
The Alabama Data Breach Notification Act of 2018 Read More

Data Protection: Key Takeaways for Consumers and Businesses After the Facebook and Cambridge Analytica Scandal

Scot GanowBy Scot Ganow on Posted in Data Breach, Privacy Policy

In a local news interview, I was recently asked to comment on the Facebook-Cambridge Analytica story involving the unauthorized use of Facebook user profile information by Cambridge Analytica for profiling and targeting purposes. The focus of the interview was what consumers can do to better protect themselves. However, there are learning opportunities for businesses too. Here are some quick points to consider for both parties.

Consumers

  1. Your choices matter most. I beat this drum pretty heavily, but it is
Read More

Join us for a Data Breach Response Event in Indianapolis on Feb. 21

Taft LawBy Taft Law on Posted in Data Breach

Join Taft and Sikich for an informational session on Feb. 21 as two of our professionals share their experiences before and during a data breach and share their insights in the hopes of helping you better prepare for and survive a data breach. Register here.

Schedule:
3:30 – 4:00pm Registration & Networking
4:00 – 5:00pm Presentation
5:00 – 6:00pm Networking, drinks & hors d’oeuvres

Presenters:

Scot Ganow, Senior Counsel – Taft Stettinius & Hollister LLP
Scot is co-chair of … Read More

Just Chill: Why the Credit Security Freeze May be Your Best Defense in the Data Breach Era

Scot GanowBy Scot Ganow on Posted in Data Breach

With this year’s high profile breach at a large consumer reporting agency and credit cards ringing up balances during this holiday season, I have been fielding numerous calls from people in both a professional and personal capacity on what they should be doing to “truly” protect their identity and their credit accounts. I often find myself reiterating some of the basics of the laws in place to protect you and to empower you to safeguard your credit information. So, I … Read More

Addressing Data Breaches During Due Diligence – What is a Buyer (and Seller) to do?

Taft LawBy Taft Law on Posted in Data Breach

Taft Business & Finance attorneys Jim Butz and Caroline Thee recently published an article on data breaches becoming increasingly problematic during the due diligence stage of transactions. The article addresses what a buyer (and a seller) should do when investigating a target’s exposure to unauthorized access to data or other proprietary information. Read the article here.… Read More

What should I be doing to better manage the risk of a data breach?

Scot GanowBy Scot Ganow on Posted in Data Breach

As we gather at this time of year to express our gratitude for those people and things most important in our lives, perhaps one of the things on that list at work is that you have not suffered through a security incident or breach this past year, or ever. Indeed, this is reason to be thankful! However, when it comes to privacy and security incidents, it is not a matter of IF but WHEN. So be grateful for your good … Read More

Cybersecurity: An Affirmative Defense to Ohio Data Breach Negligence Claims

William C. WagnerScot GanowBy William C. Wagner and Scot Ganow on Posted in Cyber Security, Data Breach, NIST Guide, Uncategorized

Ohio is poised to lead the nation by incentivizing businesses to implement certain cybersecurity controls, which can be an affirmative defense to a data breach claim based on negligence. Under the proposed legislation, if a business is sued for negligently failing to implement reasonable information security controls resulting in a data breach, the business can assert its compliance with the cybersecurity control as an affirmative defense at trial.

For years we have counseled our clients to implement a comprehensive data … Read More

GDPR: How is it Different from U.S. Law & Why this Matters?

Brian EatonBy Brian Eaton on Posted in Data Breach

This is part two of a multi-part look into the European Union’s General Data Protection Regulation (GDPR) and why U.S. companies need to be aware of the law and how it may impact their business.  We will conclude the series with a webinar in 2018 that will review the series and provide further insights and comments on any updates that may have occurred since the beginning of the series. In this second part of our series, we think it is … Read More

Delaware Data Breach Law: What to Know

Brian EatonBy Brian Eaton on Posted in Data Breach

Delaware has joined a growing number of states in updating and strengthening its data breach law. The new law expands the definition of what is considered personal information, requires companies to “implement and maintain reasonable security” for personal information in their possession, institutes a 60-day deadline for reporting the breach and mandates one year of free credit monitoring should a social security number be included in the breach. If your company has customers within the state of Delaware here a … Read More

St. Louis Cardinals Hacking Scandal: A Real-World Example of the Importance of Password Management

Brian EatonBy Brian Eaton on Posted in Cyber Security, Data Breach

The saga surrounding the St. Louis Cardinals hacking scandal concluded with the issuance of a final punishment from MLB. The scandal stemmed from the actions of the former Cardinals scouting director Chris Correa, after he illegally accessed the e-mail accounts of members of the Houston Astros front office as well as their scouting database. The Cardinals were ordered to forfeit their top two selections in the upcoming 2017 amateur draft to the Astros and pay them two million dollars within … Read More

OCR Penalizes Slow Data Breach Response

Brian EatonBy Brian Eaton on Posted in Data Breach, HIPAA

The Office of Civil Rights (OCR) first HIPAA settlement of 2017 is based on a failure to report a breach of health information in a timely manner. The settlement was reached with Presence Health, a large health care network that operates in approximately 150 locations in Illinois. Presence Health has agreed to settle the potential violations by paying a fine of $475,000 and implementing a corrective action plan to deal with this problem in the future.

The settlement stems from … Read More

Real-Life Attacks On Business & What You Can Do To Deter A Cybercriminal – Event September 7

Caryn KaufmanBy Caryn Kaufman on Posted in Breach Detection, Cyber Security, Data Breach, data privacy, Phishing attack, Privacy Policy

To effectively guard against an enemy of any kind it’s important to know your enemy. This strategy is just as effective when fighting an online battle to protect your company’s data.

Before you can effectively defend against cyberattacks, it is important to educate yourself on potential threats and how to handle them. We invite you to join us on September 7 for part two of the Columbus Cybersecurity Series featuring FBI agent David Fine returns. During this portion of the … Read More

Cyber Insurance: Travelers Required to Defend Healthcare Records Storage Company From Class Actions

William C. WagnerBy William C. Wagner on Posted in Cyber Insurance, Cyber Security, Data Breach

Savvy in-house counsel and business owners termsoften ask are whether the insurers selling cyber policies actually pay claims or whether the policyholders are just buying the right to later sue the insurers for coverage.  The initial wave of cyber insurance litigation involved policyholders trying to obtain coverage for data breaches under their standard commercial general liability policies.  This produced mixed results with some courts finding coverage, while others did not.  The next wave of cyber insurance litigation involved policyholders asserting … Read More

Will the New DoD Cybersecurity Regulations Cause a New Wave of Protest Disputes?

Barbara DuncombeWilliam C. WagnerBy Barbara Duncombe and William C. Wagner on Posted in Breach Detection, Cyber Security, Data Breach, data privacy, Department of Defense, Government Contractors, Government investigation, NIST Guide

The new DoD cybersecurity regulations require contractors to implement the security requirements specified by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” not later than Dec. 31, 2017. DFARS, 252.204-7008(c)(1).

However, a contractor may propose to vary from the NIST SP 800-171 requirements under two circumstances. Under DFARS 252.204-7008(c)(2), a contractor may propose to vary from the security requirements specified by NIST SP 800-171 through a … Read More

Data Breach Victims Have No Legal Remedies Under Indiana Law

William C. WagnerBy William C. Wagner on Posted in Anthem, Data Breach, data privacy

Indiana law does not grant consumers the right to sue Anthem or any other data base owner for negligence following a data breach, according to the federal judge presiding over the Anthem data breach multi-district litigation.  Order, In re Anthem, Inc. Data Breach Litig., No. 15-MD-2617 (N.D. Cal. Feb. 14, 2016).

Instead, Indiana law grants consumers only the right to be notified of the data breach without unreasonable delay.  Indiana Code § 24-4.9-3-1.  If notice is not properly given, … Read More

Webinar Replay Now Available on the New Defense Department Cybersecurity Rules

William C. WagnerBarbara DuncombeBy William C. Wagner and Barbara Duncombe on Posted in Cyber Security, Data Breach, data privacy, Department of Defense, Government Contractors, Government investigation, NIST Guide

The U.S. Department of Defense published its Network Penetration Reporting and Cloud Computing Services regulations as an interim rule in August 2015 and updated them in December 2015.  Watch this new webinar replay at your convenience to learn about the regulations, how they may impact your business, and the concerns of industry groups. Click HERE to watch the webinar in its entirety.

 … Read More

Cyber Insurance Buyer’s Guide

William C. WagnerBy William C. Wagner on Posted in Cyber Insurance, Data Breach, Government investigation

Cyber Buyer's GuideYou need cyber insurance to protect your organization from the potentially-devastating financial harm that often follows a data breach, and to protect your brand and guard your reputation. Cyber insurance can help your organization survive a breach and pay the cost to notify customers of the breach and offer them credit monitoring services, defend your organization from class action lawsuits by customers, banks / credit card companies, and shareholders, and defend government investigations and enforcement proceedings. There are no standard-form … Read More

Privacy vs. Security

Taft LawBy Taft Law on Posted in Data Breach, data privacy, Personally Identifiable Information

data privacyThe terms data privacy and data security are sometimes swapped back and forth as though they mean the same thing. They don’t, though they are tightly interlocked.

One way to consider how they’re different is to think of data privacy as the who and what of confidential information that must be kept safe and data security as the how, the means for keeping it safe.

Put another way, data privacy focuses on the individual whose private information is at … Read More

Financial Institutions Warned of Increased Cyber Attacks Involving Extortion

William C. WagnerBy William C. Wagner on Posted in Breach Detection, Cyber Security, Data Breach

bankThe Federal Financial Institutions Examination Council (FFIED) warned financial institutions of the increasing frequency and severity of cyber attacks involving extortion resulting from ransomeware, denial of service attacks, and theft of sensitive business and customer information to extort payment and other concessions from victims.

The FFIEC recommends that financial institutions develop and implement programs to ensure that the institutions are able to identify, protect, detect, respond to, and recover from these types of attacks, including:

  • Conducting ongoing information security risk
Read More

Privacy in the Cloud: Protecting Yourself

Taft LawBy Taft Law on Posted in Breach Detection, Cyber Security, Data Breach

cloud-computing-magnifiDemand for cloud computing is mounting swiftly, with double-digit annual growth rates expected through 2018.

Use of a remote, shared computer network to store, manage and process data can save time and money by eliminating the need for a local data center and an IT team to run it. Whether on a smart phone, a laptop or a desktop computer, cloud computing gives users immediate access to data anywhere there is an Internet connection.

Gartner, one of the world’s foremost … Read More

Top Five Privacy Risks in Web Applications

Taft LawBy Taft Law on Posted in Breach Detection, Cyber Security, Data Breach, Identity theft

web appsThe Web hosts a vast array of applications, many of them critical for business operations, from office suites such as Google Docs, to email, calculators, spread sheets and data storage.

Nearly all mobile applications connect to the cloud, storing private business information, user names, passwords and other sensitive content. Employees tie into the Web with mobile device apps such as Google Maps, LinkedIn and Wink, which allows users to see from afar who is ringing the home doorbell or lets … Read More

Law Firms Targeted by Cyber Attacks

Taft Stettinius & Hollister LLPBy Taft Stettinius & Hollister LLP on Posted in Anthem, Breach Detection, Cyber Security, Data Breach, Phishing attack

Law firms are increasingly becoming the target of cyber attacks. Below is a phishing attack email example. (You can read Diane Reynolds’ blog post on phishing attacks here.) Basically, bad guys want you to open an email and click on a link that provides them access to your computer and our network. There are some simple ways to spot a phishing email.

First, ask yourself why would UPS send you an email to complete a shipment? Never happens.

Second, why … Read More

The Most Common Breach Incident and How an Incident Response Plan Could Save You

Taft LawBy Taft Law on Posted in Breach Detection, Cyber Security, Data Breach, Identity theft, Incident Response Plan

Emailing A phishing attack is the leading type of data breach. Phishing is an e-mail fraud method in which the perpetrator sends out a legitimate-looking email in an attempt to gather personal and financial information from a recipient.

The logic behind this type of attack is a simple reliance on human error. Statistically, if enough e-mails are sent, a sufficiently large number of recipients, who are rushed or distracted, will fail to scrutinize the IP address. They will click on the … Read More

Six Steps to Reduce Your Cybersecurity Risk

Taft LawBy Taft Law on Posted in Breach Detection, Cyber Security, Data Breach, U.S. Securities and Exchange Commission

SECHere are six lessons you can start using today from the SEC’s Investment Management Division guidance on protecting confidential information from cybersecurity risks.

Background
The staff of the Investment Management Division of the U.S. Securities and Exchange Commission (“Staff”) recently issued guidance to both registered investment companies (“funds”) and registered investment advisers (“advisers”) regarding the ever present cybersecurity risks these entities face and measures they might adopt to protect the confidential and sensitive information that they collect, maintain, transfer, and … Read More

LexBlog