Archives: Data Breach


Law Firms Targeted by Cyber Attacks

Law firms are increasingly becoming the target of cyber attacks. Below is a phishing attack email example. (You can read Diane Reynolds’ blog post on phishing attacks here.) Basically, bad guys want you to open an email and click on a link that provides them access to your computer and your network. There are some simple ways to spot a phishing email.

First, ask yourself why would UPS send you an email to complete a shipment? Never happens.

Second, why … Read More

The Most Common Breach Incident and How an Incident Response Plan Could Save You

A phishing attack is the leading type of data breach. Phishing is an e-mail fraud method in which the perpetrator sends out a legitimate-looking email in an attempt to gather personal and financial information from a recipient.

The logic behind this type of attack is a simple reliance on human error. Statistically, if enough e-mails are sent, a sufficiently large number of recipients, who are rushed or distracted, will fail to scrutinize the IP address. They will click on the … Read More

Six Steps to Reduce Your Cybersecurity Risk

Here are six lessons you can start using today from the SEC’s Investment Management Division guidance on protecting confidential information from cybersecurity risks.

Background
The staff of the Investment Management Division of the U.S. Securities and Exchange Commission (“Staff”) recently issued guidance to both registered investment companies (“funds”) and registered investment advisers (“advisers”) regarding the ever-present cybersecurity risks these entities face and measures they might adopt to protect the confidential and sensitive information that they collect, maintain, transfer, and … Read More

Why Do You Need an Incident Response Plan?

All companies have employee, proprietary, financial and other sensitive data that require protection. Human error is still one of the most common causes of a data breach, and it is very difficult, if not impossible, to completely eradicate. Moreover, with the recent release of the Yates Memorandum from the Department of Justice (“DOJ”), the DOJ is emphasizing best practices when dealing with individuals in connection with corporate wrongdoing. To quote my colleague, Jackie Bennett, “…now is the time to … Read More

Privacy and Data Security Attorneys Presenting at Three Upcoming Seminars

Northern Kentucky University’s Annual CyberSecurity Symposium
Oct. 9, 2015
NKY Mets Center
Matthew D. Lawless, presenter: “Considering Privacy and Data Security Harms.”

Technology First, 9th Annual Taste of IT Conference
Nov. 18, 2015
Sinclair Ponitz Center, Dayton, OH
Diane D. Reynolds, panelist and Matthew D. Lawless, panel moderator.
“Cybersecurity Compliance: If it ain’t working for Anthem, Lifelock and Neiman Marcus, What am I Supposed to do for My Company?”

Indiana University Kelley School of Business’ “Indiana Read More

Checklist for Complying with the DoD Contracting for Cloud Services Regulations

*This is the fourth post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)

Today’s post provides a compliance checklist for contracting for cloud services regulations relating to the new DoD cyber security regulations and also details the ramifications for failure to comply … Read More

Checklist to Comply with the Duties and Obligations of the Network Penetration Reporting Regulations

*This is the third post in a four-part series detailing steps to help contractors meet compliance obligations under the new cyber security regulations implemented by the Department of Defense on Network Penetration Reporting and Contracting for Cloud Services. (Defense Federal Acquisition Regulation Supplement (“DFARS”) Parts 202, 204, 212, 239, and 252.)
Today’s post provides a handy compliance checklist relating to the new DoD cyber security regulations.

  1. Acquire a DoD-approved medium assurance certificate to report cyber incidents. (Source: DFARS 252.204-7012(c)(3))
  2. Provide
Read More

Is a U.S. Consumer Privacy Law Coming?

Far-reaching legislation that would establish new privacy and security protections for U.S. consumers has been introduced in Congress by a group of Democratic senators, including Patrick Leahy of Vermont and Elizabeth Warren of Massachusetts.

The Consumer Privacy Protection Act goes further than other federal data protection proposals by establishing stricter standards for notifying customers when their personal information is lost or stolen. It would cover private information beyond financial data that is typically already covered by state laws, such as … Read More

Internet of Things: A huge realm of opportunity — and risk

The Internet of Things goes by a deceptively simple title but includes a vast – and mushrooming – network of physical objects or “things” that connect to the Internet through embedded sensors, electronics and software, allowing them to exchange data with the operator of the object, its manufacturer or other connected devices.

Some are calling it the next stage in the information revolution, a way to make everything in our lives “smart,” from cars, roads and traffic control systems to … Read More

Seventeen Taft Privacy and Data Security Attorneys Listed in Best Lawyers in America 2016

Taft Stettinius & Hollister LLP is pleased to announce that 17 attorneys from its Privacy and Data Security group have been selected for inclusion in Best Lawyers of America® 2016. Responding to data breaches often requires a multi-faceted response approach, drawing from a broad depth of legal experience. The following Privacy and Data Security attorneys are honored by Best Lawyers®:

  1. Gregory W. Bee
  2. Jackie M. Bennett Jr.
  3. Charles A. Bowers
  4. Beth A. Bryan
  5. David J. Butler
  6. Brian G. Dershaw
Read More

Remijas v. Neiman Marcus—Overhyped and Overblown

The Seventh Circuit’s ruling in Remijas v. Neiman Marcus Group, LLC may have removed a substantial hurdle for data-breach class actions (as we previously discussed) by holding that “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” were sufficient to confer Article III standing.  But does that ruling remove all of the major obstacles to data-breach class actions?  Absolutely not.  There are still additional daunting hurdles in a plaintiff’s path to obtaining class certification … Read More

Data Breach Class Actions — Time to Reassess Your Exposure?

The Seventh Circuit may have gone a long way to opening a flood of data-breach class actions when it held that “injuries associated with resolving fraudulent [credit-card] charges and protecting oneself against future identity theft” suffice as injuries to confer Article III standing on the plaintiffs in Remijas v. Neiman Marcus Group, LLC

Standing (whether a plaintiff has suffered an injury the courts will recognize) has historically proven to be a substantial hurdle to plaintiffs seeking to bring class … Read More

Managing the Aftermath of Identity Theft

Despite a company’s best efforts, data security breaches happen. Now the federal government is making it a little easier for businesses to manage the aftermath of identity theft and mitigate damages. If your customers and/or employees are at risk or have fallen victim to identity theft, you can now send them to www.IdentityTheft.gov.

The website is designed to help victims of identity theft manage the process of recovery.  For example, the website addresses what first steps to take, as … Read More

Cyber Insurance or Illusory Coverage: Is the policy worth the price?

One reason businesses don’t buy cyber insurance is that they don’t believe the insurance will pay benefits in the event of a loss. A recent lawsuit following a data breach, brought by a wholly-owned subsidiary of CNA Insurance against a large California hospital network, highlights the old adage “buyer beware.”

Could you imagine buying car liability insurance where you promised to continuously obey the rules of the road, so that if you were even partially at fault … Read More

Cyber Insurance: Why you should require certain vendors to have it

One way to protect your business from financial loss, reputational damage, and the expense of regulatory scrutiny in the event of a data breach is to require your vendors that have access to your customer and employee personally identifiable information to carry cyber insurance.

Many businesses routinely require their vendors to promise to indemnify them from any loss or expense arising out of the vendor’s goods or services. They also routinely require their vendors to maintain certain types and amounts of … Read More

Regulatory Update: DOJ and SEC Issue Privacy and Cybersecurity Recommendations

The Department of Justice Cybersecurity Unit recently issued its “best practices” for cybersecurity incidents, while the SEC recently circulated a cybersecurity “guidance update.”  These publications recommend that companies institute certain policies and procedures for cybersecurity based on each agency’s experience in the area.

The agencies’ suggestions are good ones.  More importantly, like NIST’s Cybersecurity Framework, such recommendations may become de facto standards that regulators, courts, and juries look to when they assess whether your company’s … Read More

Threat Intelligence – What You Should Be Doing

Threat Intelligence is, very simply, a set of network defense techniques that leverage knowledge (i.e., intelligence and counterintelligence) about adversaries so that organizations can build a superior information base that decreases the chances of an attacker compromising their networks. Gartner more specifically defines it as “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to the menace or hazard.”

Vulnerability Read More

Cyber Attacks: Small/Mid Cap Companies Beware

The marquee breaches that have occurred recently (e.g., Anthem, Home Depot, Morgan Stanley, Target, LinkedIn, and Sony) have helped U.S. Fortune 1000 companies understand that data security must be taken seriously. Not only must companies invest in their data security, but they must proactively manage and protect it. Previously, large corporations generally considered hacking attacks and general security breaches as “Force Majeure” events in that they were both unpredictable and unpreventable. Therefore, many of the Fortune 1000 purchased cyber … Read More

Cyber Insurance: How Do I Determine My Coverage Needs?

*This is the fourth post in a five-part series on cyber insurance, culminating in a webinar entitled “Insurance Coverage for Privacy and Data Breaches, Hot Topics and Critical Issues” on Wednesday, April 22, 2015, at 12:00-1:00 p.m. Eastern. 

Common questions we often hear from CEOs, CFOs, and Directors of businesses and public and private institutions are “How do we determine our cyber insurance coverage needs?  In other words, how do we know that we have enough insurance to protect our … Read More

The Importance of an Incident Response Plan

Many data breaches have been in the news lately across many industries, such as:

  • Retail (e.g., Target, Home Depot)
  • Healthcare (e.g., Anthem, Premera)
  • Technology (e.g., AT&T, Apple)
  • Entertainment (e.g., Sony, Blizzard)
  • And others

While the types of attacks, exposed vulnerabilities, and type and number of records compromised all vary among these breaches, there is one thing they all have in common: each company had to respond to the breach.

An Incident Response Plan (IRP) is a best practice that, unfortunately, … Read More

The “Where” of Data Security

When we secure an asset, we usually know where it is and have a series of controls to protect it. For a house or office building, it is the address and we secure it with locks and perhaps a security service. For a car, we have the VIN and maybe a tracking device if the car is valuable as well as keys and alarms to control access. By and large, we have ingrained in our psyches how to protect physical … Read More

Cyber Insurance: What do Cyber Insurance Policies Cover and Cost?

*This is the third post in a five-part series on cyber insurance, culminating in a webinar entitled “Insurance Coverage for Privacy and Data Breaches, Hot Topics and Critical Issues” on Wednesday, April 22, 2015 at 12:00-1:00 p.m. Eastern. 

Common questions we often hear from CEOs and CFOs are “what do cyber insurance policies cover and how much do they cost?”

Cyber risk insurance policies typically offer both first-party coverage (covering the policyholder’s losses) and third-party coverage (covering defense costs and … Read More

The Enemy Abroad: President declares cyber-espionage a national emergency; creates U.S. power to sanction

Following high-profile data breaches, including North Korea’s virtual invasion of Sony Pictures, President Obama declared a national emergency related to malicious cyber-attacks from abroad. In an executive order signed April 1, 2015, Obama created expansive sanctions designed to curb, as he put it, this “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

The order gives the U.S. Treasury Department discretion to freeze assets of foreign persons or entities who engage in “or … Read More

How To Advise Tech Start-Ups in Practice, Not Theory

What career could possibly be more exciting than serving as a privacy lawyer for tech start-up companies? This is a question I asked myself a few years back, right after I finished clerking for a couple of terrific federal judges and right as I was considering starting the privacy practice I had envisioned as a law student sitting in Prof. Fred Cate’s classes at the Indiana University Maurer School of Law several years earlier. At that time, my answer was … Read More
