Archives: Data Security

Subscribe to Data Security RSS Feed

Update: Case Involving Sharing of Passwords May Be Headed to the Supreme Court

Last August, we reported on a Ninth Circuit case in which a former employee was convicted of a crime under the Computer Fraud and Abuse Act (“CFAA”) for accessing and downloading information from his former company’s database “without authorization.”  The former employee has now asked that the U.S. Supreme review the Ninth Circuit’s decision. The … Continue Reading

Global Cyberattack Exploits Known Vulnerabilities

As you likely know by now, international cybercriminals launched a worldwide ransomware attack last Friday with the European law enforcement agency Europol reporting over 100,000 affected organizations in 150 countries, including the U.S. Reports indicate that health care providers, universities, and other large companies were all targeted. The Department of Health and Human Services also … Continue Reading

Law Firms: Updated Cybersecurity Primer and Other Resources

Several years ago, we published a short primer for law firms intending to provide a brief discussion of key cybersecurity issues, including some helpful steps for safeguarding the client personal and confidential information they maintain. Since then, attacks against firms have increased, ethical rules are tightening, and clients are growing concerned.  In at least one … Continue Reading

President Trump’s Executive Order on Cybersecurity…

On May 11, 2017 – after weeks of anticipation – the White House released an Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.  There could not be better timing with a global cyberattack unleashing ransomware against governments and companies in nearly 100 countries around the globe. This newly released Executive Order … Continue Reading

Company Awarded Damages After Former Employee Hacks Its Systems and Hijacks Its Website

A company can recover damages from its former employee in connection with his hacking into its payroll system to inflate his pay, accessing its proprietary files without authorization and hijacking its website, a federal court ruled. Tyan, Inc. v. Yovan Garcia, Case No. CV 15-05443- MWF (JPRx) (C.D. Cali. May 2, 2017). The Defendant worked … Continue Reading

Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Disclosing protected health information (PHI) to a business associate without a compliant business associate agreement (BAA) is an improper disclosure under the HIPAA privacy and security regulations. According to the HHS Office for Civil Rights (OCR), an error like that can cost a small healthcare provider $31,000. OCR recently announced a resolution agreement (pdf) with … Continue Reading

Six Tips to Consider in Hiring Privacy and Data Security Experts

Facing increasingly pervasive issues relating to privacy and data security companies are faced with what qualifications they should think about when looking to hire experts in these areas, and their role within the company is becoming increasingly vital. Moreover, unlike hiring for other positions it is common that a CEO lacks the knowledge and background … Continue Reading

A New Frontier In Law Firm Cyber Risk: Client Class Actions

That an actual breach of client information could expose your law firm to legal and business risks is unsurprising.  The risks posed by a potential breach, however, may be something your firm has not yet carefully considered – but needs to.  As we discussed during our recent webinar, law firms face a variety of cybersecurity-related … Continue Reading

Association of Corporate Counsel Develops Model Information Protection and Security Controls for Outside Vendors, Including Outside Counsel

The Association of Corporate Counsel (ACC), which represents over 42,000 in-house counsel across 85 countries, recently released its ACC Chief Legal Officers (CLO) 2017 Survey which found that two-thirds of in-house legal leaders ranked data protection and information privacy as ‘very’ or ‘extremely’ important.  In response to this growing concern, the ACC recently released “first-of-its-kind” … Continue Reading

Virginia Responds to W-2 Phishing Scams with First of Its Kind Notification Requirement

As previously highlighted, in early February, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. Since the IRS warning, this type of scam has taken numerous victims.  On February 15, 2017, Virginia Wesleyan College released a notice stating that the 2016 W-2 tax form information of its … Continue Reading

Will More States Follow New York’s Lead?

As you know if you regularly read this blog, the New York State DFS finally finalized its “first-in-the-nation” cybersecurity rules with an effective date of March 1, 2017. And their reach is quite large: DFS-supervised entities from insurers and banks to mortgage brokers and credit unions (and their third-party service providers) will have to begin … Continue Reading

Companies May Soon Have a New Defense Against Cyber-Attacks

Co-author: Devin Rauchwerger  The Active Cyber Defense Certainty Act is a new bill that is gaining positive bipartisan support and significant interest from business communities, lawmakers and academics. The proposed bill amends the Computer Fraud and Abuse Act which does not provide adequate deterrence for criminal hacking. The new bill is aimed at helping businesses … Continue Reading

At Last, the Final DFS Cybersecurity Regulations….

We wanted to keep you informed on the progress of the DFS cybersecurity regulations, as they complete their journey through the approval process. DFS has been working on the regulations since its 2013-2014 studies on cybersecurity risks to financial institutions. As reported in our article, Getting Prepared for the New York Department of Financial Services’ … Continue Reading

$3.2M Fine for Failure to Protect Electronic Records

The Department of Health and Human Services Office of Civil Rights (“OCR”) fined a Texas hospital $3.2 million for its impermissible disclosure of unsecured electronic protected health information (ePHI) and non-compliance over many years with multiple standards of the HIPAA Security Rule. Children’s Medical Center of Dallas filed breach reports with OCR in 2010 and … Continue Reading

Expert Insights on Developing a Physical Security Program

In today’s digital age, security tends to be thought about in terms of firewalls, malware, encryption and other safeguards for electronic systems. But the security of those systems, as well as an organization’s facilities, people and other critical assets depends significantly on physical security as well. We are delighted to share below some thoughts from an ASIS board certified expert … Continue Reading

IRS Issues Warning About W-2 Cyber-Scams, Especially for Schools, Nonprofits and Tribal Organizations

On February 2, 2017, the IRS issued a warning to all employers regarding the resurgence of a W-2 based cyber scam. The scam, which targets the corporate world during tax season, is currently “spreading to other sectors, including school districts, tribal organizations and nonprofits.” (irs.gov/news-events). This cyber-scam is simple, but highly successful. It consists of … Continue Reading

SCOTUS Won’t Slime Viacom in Class Action Challenging Tracking Children Online

A class action alleging Viacom illegally obtained and disclosed personally identifiable information from children under the age of thirteen through the Nickelodeon website recently reached the end of line (almost) when the class’ petition for writ of certiorari was denied by the Supreme Court this month. The high court chose not to further define the … Continue Reading

Maureen K. Ohlhausen Appointed as Acting FTC Chairwoman

On January 13, current FTC chairwoman Edith Ramirez announced that she would resign from her position effective February 10, 2017. Ramirez was instrumental in increasing the FTC’s cybersecurity enforcement authority, going after a wide range of data security related private offenders and demonstrating the FTC’s cyber “watchdog” status. Last Wednesday, January 25, President Trump’s administration … Continue Reading

NY Attorney General Schneiderman Settles Data Breach Investigation

New York State Attorney General Eric T. Schneiderman announced a settlement with Acer Service Corporation (a Taiwanese computer manufacturer) relating to the NYSAG’s investigation of a breach of Acer’s data. The data breach, first reported in June, 2016, involved data for over 35,000 customers throughout the United States, Canada and Puerto Rico, including 2,250 customers … Continue Reading

Top 10 for 2017 – Happy Data Privacy Day

In honor of Data Privacy Day, we provide the following “Top 10 for 2017.”  While the list is by no means exhaustive, it does provide some hot topics for organizations to consider in 2017. 1.  Phishing Attacks and Ransomware – Phishing, as the name implies, is the attempt, usually via email, to obtain sensitive or personal … Continue Reading

A New Kind of Employee Badge – Monitoring, Analytics and More

It is not uncommon for employers to assign badges to their employees to grant access to certain locations on the employer’s property and parking garages. Many employees have them, use them, lose them and think little of them. But, badges made by Humanyze are so much more, raising concerns from privacy advocates and others. According … Continue Reading

FTC Chairwoman Edith Ramirez Steps Down

The Federal Trade Commission (“FTC”) recently announced that FTC chairwoman Edith Ramirez will be stepping down effective February 10, 2017. Ms. Ramirez guided the agency through a period of significant enforcement activity, particularly in the areas of cybersecurity and consumer privacy. President-elect Donald Trump will now have the opportunity to fill three vacancies at the … Continue Reading

The White House’s Revisions to its Breach Response Policy For Federal Agencies and Departments Also Affect Contractors

On January 3, 2017, the Obama Administration issued a memorandum to all executive departments and agencies setting for a comprehensive policy for handling breaches of personally identifiable information (the “Memorandum”), replacing earlier guidance. Importantly, the Memorandum also affects federal agency contractors as well as grant recipients. The Memorandum is not the first set of guidance … Continue Reading
LexBlog