Is Ransomware a Notifiable Data Breach Event?

There is no doubt that companies face unprecedented volume and variation in both disruptive and intrusive cyberattacks on their networks.  Among the different attack methodologies today, ransomware is quickly becoming a major concern for CISOs and security professionals.  According to Interagency Guidance from the U.S. Government, there are currently over 4,000 daily ransomware attacks – up over 300% from the 1,000 daily ransomware attacks experienced in 2015.

Ransomware can potentially hold hostage critical corporate, customer and employee data, but in-house legal and communications teams are also concerned about whether these attacks trigger notification rules.  The Department of Health and Human Services Office of Civil Rights (“HHS OCR”), which enforces the HIPAA Security and Breach Notification Rules, stated in recently issued guidance that a ransomware incident may be considered a breach that requires notification.  The guidance is a poignant reminder to all companies, whether regulated by HIPAA or not, to carefully consider how evolving attack methodologies can directly implicate incident response strategies and compliance obligations.

Cyber Insurance: An Overview of an Evolving Coverage

Cyber insurance has reached a tipping point. The rising costs faced by data breach victims, which can exceed $100 million for the largest breaches, have spurred an increasing number of companies across industries to turn to cyber insurance in an effort to transfer at least some of those costs to an insurer. But cyber insurance is still relatively new, at least as a mass-market insurance product, and it is evolving quickly, although not as quickly as the threat itself. The policies are complex and not standardized, and courts have yet to provide any guidance about what will be covered and what will not. This state of affairs leaves many companies that have or are considering buying cyber insurance uncertain—not only whether they will be a victim of a data breach but also whether insurance will provide them with the coverage they need if they do become a victim.

FTC and Wyndham Call a Truce

Following the Third Circuit’s ruling upholding the FTC’s authority to regulate unfair and deceptive cybersecurity practices under Section 5 of the FTC Act, Wyndham Worldwide Corporation and the FTC have agreed to settle.  This marks the end of a hotly contested and closely watched case at the crossroads of data security and regulatory enforcement.

As reported in our previous posts on this topic, Wyndham experienced three breaches of its systems in 2008 and 2009 resulting in the exposure of approximately 619,000 consumers’ credit card numbers.  The FTC initiated an enforcement action in 2012 alleging that Wyndham engaged in unfair and deceptive cybersecurity practices in violation of Section 5 of the FTC Act.  The FTC asserted that Wyndham’s cybersecurity practices were deficient in myriad ways that placed consumer data at risk of theft, for example, by storing payment card information in clear text, using weak and default passwords across networks, failing to install or misconfiguring firewalls, failing to adequately restrict vendor access to corporate networks, and failing to follow appropriate incident response procedures after successive cyberattacks.

The Cybersecurity Playbook: Building Effective Attack and Breach Preparedness

With the most significant of cyberattacks resulting in millions of dollars in costs, irreparable damage to a company’s brand, and key executives getting fired, organizations must begin to prepare for what most experts think is the inevitable breach. And yet, when it comes to cybersecurity, many still think of it like physical security: a matter for professionals to handle by fencing in a campus perimeter, putting the most important entry points under lock and key, and assigning someone to monitor the video surveillance.

But cybersecurity does not work like physical security. In the chapter “The Cybersecurity Playbook: Building Effective Attack and Breach Preparedness” of “Understanding Developments in Cyberspace Law: Leading Lawyers on Analyzing Recent Trends, Case Laws, and Legal Strategies Affecting the Internet Landscape,” we explore strategies to reduce the likelihood of a breach and, more importantly, to mitigate the harm, whether reputational, legal, or the loss of key jobs, that all too often arrives in the wake of a data breach.

When a Cyber Attack Has Physical Impact

October ordinarily brings the return of crisp air, fall foliage, and Halloween.  This year, for the first time, it also brings National Cyber Security Awareness Month.  Yet designating a month to increase cybersecurity awareness seems redundant.  We are reminded almost daily of the importance of cybersecurity, as media reports of cyber breaches have become commonplace.  Of course, the most widely reported cyber incidents have been data privacy breaches that have affected tens of millions of consumers nationwide.  These are the sorts of incidents that have spawned a growing market for so-called “cyber policies” (although as we wrote recently, the CEO of one of the largest insurers has acknowledged that cyber insurance capacity remains relatively small).

Notifying Parties In Username/Password Breaches . . . It’s Not Just the Law

As we head into the end of 2015, state legislators across the country continue to strengthen, update and, in some instances, broaden the scope of their respective state data breach notification laws.  Specifically, many legislators are expanding the definition of “personal information” that triggers a company’s breach notification obligations beyond traditional data fields such as Social Security Numbers, financial account numbers, and payment card data.

International Hacking and Insider Trading Scheme Exposes Cybersecurity Vulnerabilities at Third-Party Vendors

On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme.  According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded off the information.  In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action.  The SEC’s enforcement action may be a harbinger of events to come.  As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.

Going for Brokerage: SEC Report Highlights Best (and Worst) Practices in Cybersecurity Preparedness

On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts.  FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.
